Orchestration guide: Android SDK
This guide describes how to quickly integrate Identity Orchestration journeys into your Android application.
Introduction
The Orchestration SDK enables client-side developers to build user experiences that interact with journeys.
Each journey contains a business workflow, such as login or secure user onboarding. It consists of backend steps, such as data processing or invoking external systems, and client-facing steps, such as a login form or document verification. The SDK allows the client application to present screens and prompt for user input, and then send this information back to the journey for further processing.
Whenever the client-side interaction requires additional Mosaic platform capabilities, such as passkeys or risk detection, the developer needs to activate the appropriate SDK module to perform the step and collect the required input. This allows separation of concerns between the journey workflow handling, and the specific capability used.
SDK lifecycle
Regardless of journey logic, the SDK lifecycle consists of the following:
initialize()
or initializeSDK()
(using strings.xml file).𝟸. Activate
startJourney()
and wait for the server response.𝟹. Check
TSIdoServiceResponse
and present the appropriate UX. If needed, operate additional Mosaic SDKs.𝟺. Return client input via
submitClientResponse()
(allows selecting a journey branch if supported by journey step).𝟻. Repeat 3 and 4 until receiving
Success
or Rejection
.
The above is reflected in the following workflow diagram:
Requirements
- Android 5+ (API level 21+)
Before you start
Before the SDK can start running journeys, make sure to:
☐ Coordinate with the journey developer (regarding journey ID, steps, expected data, etc).
☐ Obtain the Client ID that identifies the app, from the app settings in the Admin Portal
☐ Allow Mosaic IPs and domains on your network
Step 1: Installation
Add the following lines in the shared build.gradle file ("allprojects" scope):
dependencyResolutionManagement {
repositories {
maven {
url('https://transmit.jfrog.io/artifactory/transmit-security-gradle-release-local/')
}
mavenCentral()
google()
}
}
Add the following in the module build.gradle file (project scope):
dependencies {
implementation("com.ts.sdk:identityorchestration:1.0.+")
}
Step 2: Initialize SDK
Initializing the SDK configures it to work with your client ID, which is the context under which the entire journey is executed. It also allows setting the base URL for the SDK to use, whether a Mosaic-provided path or your own proxy.
Initialize using strings.xml configuration (recommended)
To do this, update the strings.xml file in your Application with the following content.
<resources>
<!-- Mosaic Credentials -->
<string name="transmit_security_client_id" translatable="false">[YOUR_CLIENT_ID]</string >
<string name="transmit_security_base_url">[YOUR_BASE_URL]</string> <!-- Default is https://api.transmitsecurity.io-->
</resources>
Add this code to initialize the SDK:
// Initializes SDK where application_context is an object inheriting from Application class
try {
TSIdo.initializeSDK(application_context)
} catch (exception: TSIdoInitializeException) {
// log error…
}
Initialize using SDK parameters
Configure the SDK using the snippet below:
// Initializes SDK where application_context is an object inheriting from Application class
TSIdo.initializeSDK(application_context,
clientId,
TSIdoInitOptions(baseUrl)) // Default is https://api.transmitsecurity.io
Step 3: Start journey
Starting a journey is usually a response to some user interaction, such as clicking a login or sign-up button. The start parameters indicate which journey to start, and optionally pass additional parameters if the journey expects them.
For example, if the client app uses email as the user identifier and caches it locally after sign-up, it can pass it to the journey as userEmail
. The journey can reference it using this expression @policy.request().params.userEmail
// Starts a journey identified by journeyId
TSIdo.startJourney(journeyId, // Journey ID
TSIdoStartJourneyOptions(additionalParams, // Optional additional params
flowId), idoCallback)
Note
The idoCallback
object should implement the TSIdoCallback interface.
Step 4: Handle service response
After starting the journey, the client app waits for the TSIdoServiceResponse
. It will contains all the information the client needs in order to determine what to do next.
To handle the service response, the client app needs to:
- Select a handler based on the step
- Use the data provided by the journey
- Respond to the journey with requested input
1. Select handler
Upon receiving the TSIdoServiceResponse
, launch a handler that executes the relevant step by switching/selecting on the TSIdoServiceResponse.journeyStepId
parameter. It will either contain one of these enums or the Step ID configured in the Login Form or Get Information from Client step. Each handler should process the data, display whatever UI is needed, and call submitClientResponse()
when the interaction is concluded.
This is how the app code would dispatch handlers based on this property:
when(idoResponse.journeyStepId) {
TSIdoJourneyActionType.Information.type -> handleInformationAction(idoResponse)
TSIdoJourneyActionType.EmailOTPAuthentication.type -> handleOtpInput(idoResponse)
"main_login_form" -> handleMainLoginForm(idoResponse)
"user_info_form"e -> handleUserInfoForm(idoResponse)
...
}
2. Use data sent from journey
Inside the handler function, the app code should render a UI that fits the specific step, and use information from the data
property if it was provided in the TSIdoServiceResponse
object. This data is described in each step guide.
Let's see an example for a Register Passkeys step. TSIdoServiceResponse
will include journeyStepId
set to WebAuthnRegistration
and a data
object containing the user identifier and other WebAuthn configuration. This data can be used for calling the webauthn (passkey) registration module, as shown below:
val userName = (result.data as JSONObject).optString("username")
val displayName = (result.data as JSONObject).optString("display_name")
if (!userName.isNullOrEmpty()) {
activity?.let {
TSAuthentication.registerWebAuthn(it, userName, if (displayName.isNullOrEmpty()) null else displayName, object:
TSAuthCallback<RegistrationResult, TSWebAuthnRegistrationError> {
override fun error(error: TSWebAuthnRegistrationError) {
//handle error
}
override fun success(registrationResult: RegistrationResult) {
//submit registration result
val encodedResult = registrationResult.result()
TSIdo.submitClientResponse(TSIdoClientResponseOptionType.ClientInput.type, WebAuthnRegisterResult(encodedResult))
}
})
}
}
3. Respond with collected data
Once the user interaction is concluded, the handler should collect the response data and submit it using submitClientResponse()
. This call yields control back to the journey, and returns with a new TSIdoServiceResponse
once the journey reaches the next client-facing step.
The call parameters are the collected data, and a response option identifier. We’ll talk more about these below. For now, let's follow the Register Passkeys example of making this call.
data class WebAuthnRegisterResult(val webauthn_encoded_result: String)
...
val encodedResult = registrationResult.result()
TSIdo.submitClientResponse(TSIdoClientResponseOptionType.ClientInput.type, WebAuthnRegisterResult(encodedResult))
About response data schema
Each journey step expects specific fields to be sent back in the data object. The details of the expected fields are described in the relevant step guide. As seen above, when we use the example of the Register Passkeys step, the expected data is a field called webauthn_encoded_result
which is the output of the Passkey registration SDK.
For most journey steps, the client response schema is fixed. However, there are two steps that expect a dynamic schema. The Login Form step allows presenting multiple authentication options and collects input for one of them. The Get Information from Client step allows presenting an arbitrary data collection form to the end user. For both steps, the expected data schema is configured in the step. The client developer must coordinate with the journey author for the expected schema for each Step ID.
About alternate branches and response options
Certain steps support multiple response options. These options are passed in the TSIdoServiceResponse
object in the clientResponseOptions
property. These represents possible replies that the client can provide as a response to a journey step, and affect the branch that is taken when the step is completed.
Three of these replies have a standard type (per SDK):
-
ClientInput
represents a typical reply to a step that has a main or single output path. See above the example for Register Passkeys is using this reply option. This would be the common reply option to most steps. -
Cancel
chooses the cancel branch in actions that support it -
Fail
chooses the failure branch in actions that support it
Apart from those, some journey steps support alternate (custom) branches. The Branch ID is configured by the journey author, and should be used to identify the branch when calling submitClientResponse()
. The example below submits a response to the Login Form step, where one of the alternate branches proceeds to passkey authentication. This branch also expects a specific schema (that can be customized by the journey author) - the default is getting the encoded result after activating the authentication SDK.
data class WebAuthnAuthenticationResult(val webauthn_encoded_result: String)
...
val encodedResult = registrationResult.result()
TSIdo.submitClientResponse("passkey", WebAuthnAuthenticationResult(encodedResult))
Step 5: Complete journey
The orchestration service signals journey completion by setting the journeyStepId
property to Rejection
or Success
. The specific enum for each SDK is described in the Step 3.1 above. If successful, the token
property contains a token as a proof of journey completion.
Next steps
The SDK also supports the features below. For more info, talk to your Transmit Security representative.
- Generating a debug pin for the journey debugger
- Local console logs
- Resources URIs as part of SDK initialization