Certificate-Based Authentication for Mobile
Learn how to enable Single Sign-On with certificate-based authentication for the mobile app.
Prerequisite for the Android app: Check if the root certificates are installed on the device under Work Profile.
Typically these certificates would be installed by an MDM in the- Your corporate environment uses an Identity provider (IdP) that supports X.509 certificates.
- The IdP is set up for SAML SSO to SAP Analytics Cloud and any live data sources (for details, see Enabling a Custom SAML Identity Provider and Live Data Connection).
- Mobile device users have a way to receive or get their own X.509 personal identity certificate (bundled with a private key as a PKCS #12 file).
- SSO logon: A .p12 (Android or iOS) or .pfx (iOS only) version of the certificate is installed on the mobile device. For corporate devices, this is generally managed by an administrator.
- SSO live data source (iOS): A .mcert version of the certificate is installed on the SAP Analytics Cloud app on the mobile device.
- SSO live data source (Android): uses the SSO logon .p12 certificate for SSO live data sources and should be selected when prompted for the certificate.
Assume you have a computer set up for SSO with your corporate IdP, and a Google Chrome browser with the certificate installed.
- Select the Chrome menu button just to the right of the website address bar and choose Settings.
- Near the bottom of the page, select Advanced.
Under the Privacy and security section, select Manage certificates.
- Select your personal identity certificate from the Personal tab of the dialog that is displayed. Choose Export to launch the Certificate Export Wizard.
- In the Certificate Export Wizard:
- Choose Next.
- Select Yes, export the private key and choose Next.
- Select Personal Information Exchange - PKCS #12 (.PFX). Also select Include all certificates in the certification path if possible. Choose Next.
- Enter and confirm a password for the certificate. Choose Next.
- Choose a file name and location to save the certificate to. Choose Next.
- Check your settings and choose Finish to export the certificate.
-
For iOS: Make a copy and rename the extension to .mcert. You need to get the certificates to your mobile device. For example, if you have corporate email access on your mobile device, email the .pfx and .mcert certificates to yourself as an attachment. You are now ready to install the certificates on your device and the SAP Analytics Cloud mobile app.
-
For Android: find the certificate with the .pfx extension on your computer. Make a copy and rename the extension to .p12. You need to get the certificates to your mobile device. For example, if you have corporate email access on your mobile device, email the .p12 certificate to yourself as an attachment. You are now ready to install the certificates on your device.
Installing .pfx for SAP Analytics Cloud SSO (only for iOS users)
- From your email on your mobile device, tap the attached .pfx file.
Tap Install.
- Enter your passcode for the personal identity certificate.
- Log on to the SAP Analytics Cloud app with your application password (or Touch ID, if enabled).
After successful installation, the device now leverages your corporate SSO for authentication to the mobile app.
Installing .mcert for live data source SSO
- From your email on your mobile device, tap the attached .mcert file.
Tap Import with Analytics. You are switched automatically back to the SAP Analytics Cloud app.
- Log on to the app with your application password (or Touch ID, if enabled).
When prompted, enter the password of your personal identity certificate and tap Install.
After successful installation, the mobile app now leverages your corporate SSO to log on to live data sources.
Installing .12 for SAP Analytics Cloud SSO
- From your email on your mobile device, tap the attached .p12 file.
- Enter your passcode for the personal identity certificate.
After successful installation, the device now leverages your corporate SSO for authentication to the mobile app. The certificate will be installed under Personal Profiles User Certificates.
Using the .p12 certificate with the Android App
- Log on to the app with your application password.
- Connect to the SAC URL. In the Authentication step, when prompted in the Choose certificate screen, Select certificate as shown below: The app will use the certificate to logon to SAP Analytics Cloud.
- The Choose certificate screen will also display when connecting to live data sources. Select the same certificate to continue.
If you receive an SSL error for the remote connection please try to install the root and intermediate certificates for live data source servers in the Android trust certificate store under the profile where the app is installed (Personal or Work).