Certificate-Based Authentication for Mobile

Learn how to enable Single Sign-On with certificate-based authentication for the mobile app.

Prerequisite for the Android app: Check if the root certificates are installed on the device under Start of the navigation pathSettings Next navigation step Biometrics and Security Next navigation step Other Security Settings Next navigation step View security certificatesEnd of the navigation path Typically these certificates would be installed by an MDM in the Work Profile.

The mobile app supports Single Sign-On (SSO) using an X.509 certificate for both logging on to SAP Analytics Cloud, and for accessing live data sources in your stories. The requirements for enabling SSO on a mobile device include:
  • Your corporate environment uses an Identity provider (IdP) that supports X.509 certificates.
  • The IdP is set up for SAML SSO to SAP Analytics Cloud and any live data sources (for details, see Enabling a Custom SAML Identity Provider and Live Data Connection).
  • Mobile device users have a way to receive or get their own X.509 personal identity certificate (bundled with a private key as a PKCS #12 file).
  • SSO logon: A .p12 (Android or iOS) or .pfx (iOS only) version of the certificate is installed on the mobile device. For corporate devices, this is generally managed by an administrator.
  • SSO live data source (iOS): A .mcert version of the certificate is installed on the SAP Analytics Cloud app on the mobile device.
  • SSO live data source (Android): uses the SSO logon .p12 certificate for SSO live data sources and should be selected when prompted for the certificate.

Assume you have a computer set up for SSO with your corporate IdP, and a Google Chrome browser with the certificate installed.

To export the certificate:
  1. Select the Chrome menu button just to the right of the website address bar and choose Settings.
  2. Near the bottom of the page, select Advanced.

  3. Under the Privacy and security section, select Manage certificates.

  4. Select your personal identity certificate from the Personal tab of the dialog that is displayed. Choose Export to launch the Certificate Export Wizard.
  5. In the Certificate Export Wizard:
    1. Choose Next.
    2. Select Yes, export the private key and choose Next.
    3. Select Personal Information Exchange - PKCS #12 (.PFX). Also select Include all certificates in the certification path if possible. Choose Next.
    4. Enter and confirm a password for the certificate. Choose Next.
    5. Choose a file name and location to save the certificate to. Choose Next.
    6. Check your settings and choose Finish to export the certificate.
Once the export has completed successfully, find the certificate with the .pfx extension on your computer. Depending on your app perform the following:

  • For iOS: Make a copy and rename the extension to .mcert. You need to get the certificates to your mobile device. For example, if you have corporate email access on your mobile device, email the .pfx and .mcert certificates to yourself as an attachment. You are now ready to install the certificates on your device and the SAP Analytics Cloud mobile app.

  • For Android: find the certificate with the .pfx extension on your computer. Make a copy and rename the extension to .p12. You need to get the certificates to your mobile device. For example, if you have corporate email access on your mobile device, email the .p12 certificate to yourself as an attachment. You are now ready to install the certificates on your device.

Installing required certificates on iOS devices

Installing .pfx for SAP Analytics Cloud SSO (only for iOS users)

Note
If you are using a Mobile Device Management (MDM) tool to enroll your devices and add corporate SSO certificates, you do not need to follow these steps.
  1. From your email on your mobile device, tap the attached .pfx file.

  2. Tap Install.

  3. Enter your passcode for the personal identity certificate.
  4. Log on to the SAP Analytics Cloud app with your application password (or Touch ID, if enabled).

After successful installation, the device now leverages your corporate SSO for authentication to the mobile app.

Installing .mcert for live data source SSO

  1. From your email on your mobile device, tap the attached .mcert file.

  2. Tap Import with Analytics. You are switched automatically back to the SAP Analytics Cloud app.

  3. Log on to the app with your application password (or Touch ID, if enabled).

  4. When prompted, enter the password of your personal identity certificate and tap Install.

After successful installation, the mobile app now leverages your corporate SSO to log on to live data sources.

Installing required certificates on Android devices

Installing .12 for SAP Analytics Cloud SSO

Note
If you are using a Mobile Device Management (MDM) tool to enroll your devices and add corporate SSO certificates, you do not need to follow these steps.
  1. From your email on your mobile device, tap the attached .p12 file.
  2. Enter your passcode for the personal identity certificate.

After successful installation, the device now leverages your corporate SSO for authentication to the mobile app. The certificate will be installed under Personal Profiles User Certificates.

Using the .p12 certificate with the Android App

  1. Log on to the app with your application password.
  2. Connect to the SAC URL. In the Authentication step, when prompted in the Choose certificate screen, Select certificate as shown below:

    The app will use the certificate to logon to SAP Analytics Cloud.
  3. The Choose certificate screen will also display when connecting to live data sources. Select the same certificate to continue.
Note

If you receive an SSL error for the remote connection please try to install the root and intermediate certificates for live data source servers in the Android trust certificate store under the profile where the app is installed (Personal or Work).