Login Rejection During Native to Web SSO Due to IPv4 and IPv6 Mismatch
This article explains why login rejections occur during the Native to Web Single Sign-On (SSO) flow when a device switches between IPv4 and IPv6 addresses. This scenario typically involves a native Android or iOS application that transfers a session transfer token to an integrated web view while device verification using IP checks is enabled.
- Native to Web SSO
- Android applications
- iOS applications
- Device verification
The login rejection occurs because the native application requests the session transfer token using an IPv4 address, but the integrated web view attempts to redeem the token using an IPv6 address. When device verification is configured to use the IP address, the system identifies the change in protocol as a mismatch and rejects the session transfer to maintain security.
To resolve the login rejection while maintaining the security of the transfer token, the device binding configuration must be updated to use the Autonomous System Number (ASN). Because a mobile carrier network provides both the IPv4 and the IPv6 address, both addresses share the same ASN. Changing this setting allows the system to recognize that token generation and redemption originate from the same trusted carrier.
- Navigate to the application settings.
- Locate the device binding or session transfer settings.
- Change the configuration from IP to ASN.
- Save the changes.
Additional details on implementation can be found in the documentation for configuring web applications for native to web SSO.
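The difference between the two device binding checks can be reproduced offline. The following is an added example, not code from the product or its documentation: the mode labels `"ip"` and `"asn"`, the helpers `lookup_asn` and `binding_ok`, and the prefix-to-ASN table are all hypothetical, built from documentation address ranges and documentation ASNs.

```python
import ipaddress

# Constructed routing data: documentation prefixes (RFC 5737 / RFC 3849)
# mapped to documentation ASNs (RFC 5398). A real service would query a
# maintained IP-to-ASN dataset instead.
PREFIX_TO_ASN = {
    "198.51.100.0/24": 64496,  # carrier A, IPv4 pool
    "2001:db8:a::/48": 64496,  # carrier A, IPv6 pool
    "203.0.113.0/24": 64497,   # unrelated network, IPv4
    "2001:db8:b::/48": 64497,  # unrelated network, IPv6
}


def lookup_asn(ip):
    """Return the ASN of the longest matching prefix, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, asn in PREFIX_TO_ASN.items():
        net = ipaddress.ip_network(prefix)
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0]:
                best = (net.prefixlen, asn)
    return best[1] if best else None


def binding_ok(mode, issued_ip, redeemed_ip):
    """Decide whether a token issued to issued_ip may be redeemed from redeemed_ip."""
    if mode == "ip":
        # Exact address match: an IPv4 address never equals an IPv6 address.
        return ipaddress.ip_address(issued_ip) == ipaddress.ip_address(redeemed_ip)
    if mode == "asn":
        issued, redeemed = lookup_asn(issued_ip), lookup_asn(redeemed_ip)
        # Fail closed when either address cannot be attributed to an ASN.
        return issued is not None and issued == redeemed
    raise ValueError(f"unknown binding mode: {mode}")


if __name__ == "__main__":
    native_app = "198.51.100.7"   # constructed: app requests the token over IPv4
    web_view = "2001:db8:a::7"    # constructed: web view redeems over IPv6
    for mode in ("ip", "asn"):
        print(mode, binding_ok(mode, native_app, web_view))
```

In this sketch the ASN check accepts any address the table maps to the same ASN, so it is a coarser match than the exact IP comparison, and it rejects redemption from an address it cannot attribute to any ASN.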