Mobile login

When the Onegini IdP is configured to work with the Onegini Token Server, it is possible to utilise its Mobile Authentication functionality to enable end-users to login using their mobile devices. Mobile authentication is one of the features that is offered by the Onegini Token Server component. It is an out-of-band authentication mechanism. The end-users use their mobile device in combination with possibly an additional authentication mechanism such as a PIN or Fingerprint in order to proof their identity.

Below you can see the flow diagram for mobile login: Mobile login


To successfully complete this topic guide you need to ensure following prerequisites:

  • Onegini IdP instance must to be running, for the sake of this guide we assume it's available under the http://localhost address
  • Access to the Onegini IdP admin console
  • You have previously configured Mobile Login


Mobile Login requires access to the Onegini Token Server API. This can be configured via the Onegini IdP admin panel. Please refer to the Onegini Token Server configuration for more details about setting up the configuration with the Token server.

Mobile login is using Authorization Token that is saved in a cookie inside user’s browser. The maximum time in which mobile login functionality can be performed after ensuring it is available for a person can be set via authorization token expiration time property which is described in the properties.


In order to use the mobile login functionality it needs to be enabled and configured within the Onegini IdP admin panel (Configuration -> Identity Providers). Configuration. This page contains the following fields:

Field name Description
Mobile Login enabled Enables/disables mobile login.
Show Allow Mobile login for this device login option If enabled, the end-user will see a checkbox on the login page where he can decide whether or not they want to use the mobile login feature from their current device.
Authentication level You can give the mobile login feature a specific authentication level or use the authentication level of the previous authenticator that the end-user used before logging in with mobile login.
Authentication type Mobile login authentication type (the mobile authentication type as defined in the Onegini Token Server admin console)
Allowed login attempts Allowed number of failing / invalid login attempts occurring one after another with Mobile login functionality.

You can configure message that the end-user will see on his mobile device when a mobile authentication request is sent. It can be set directly in field Configuration -> Identity Providers, Login Message in Mobile Login section. or if translations are needed firstly clear that field, as it has priority, then add a custom message for key


The user will be able to login with the mobile device when they:

  • have coupled the account with the mobile app (that is using the Onegini Mobile SDK)
  • have enabled Mobile Authentication with Push within the mobile app
  • have successfully logged in to Onegini IdP at least once having all other prerequisites met