Token-based Single Sign On to Live Data Sources

Learn how to enable a direct and seamless single sign-on (SSO) experience for the iOS mobile app based on an SSO token.

Note
The token-based SSO method described below will soon be deprecated. It is recommended that you use either the Certificate-Based Authentication for Mobile or SAP Cloud Connector-based Mobile Single Sign-On.

Before you can enable a token-based SSO for your mobile users, you need to establish the following endpoints:

  1. Initial SAML Safari Endpoint
    This endpoint is accessed by a Safari web view within the SAP Analytics Cloud mobile app. This endpoint allows the user to log in to the Identity Provider by using any of the following:
    • The existing Safari session
    • An X.509 Personal Identity Certificate installed on the mobile device
    • Manually entering login credentials.

    After the user is logged in, this endpoint must redirect to a deep link with the following format:

    sap-analytics-cloud://remotetoken/?<<DEEP_LINK_PARAMETER_NAME>>=<<DEEP_LINK_PARAMETER_VALUE>>
    Note
    You can include as many parameters as you need. These deep link parameters are managed through the SAML IdP Token Parameter Format setting used to enable the token-based SSO.
  2. SAML IdP Token Login Endpoint

    The mobile app will send a GET request to this endpoint and include the parameter values (header values) provided from the deep link returned from the Initial SAML Safari Endpoint. The SAML IdP Token Login Endpoint reads the header values and uses them to authenticate the user to the Identity Provider.

Once you have established the two endpoints described above, go to System > Administration under the System Configuration section to enable the token-based SSO. You will need to provide the header names and mappings to the parameters in the Initial SAML Safari Endpoint.

  1. Enable the Mobile remote connection SSO setting.
    Note
    This is a mandatory setting for the token-based SSO to work.
  2. Provide a value for the Initial SAML Safari Endpoint setting.

    This is the endpoint accessed by the Safari web view within the mobile app.

  3. Specify your SAML IdP Token Login Endpoint.

    This is the endpoint where the mobile app sends the token value required to log the user into the identity provider.

  4. Specify the header names sent to the SAML IdP Token Login Endpoint in the SAML IdP Token Parameter Format setting.

    This setting also describes how to map the values of the parameters returned in the deep link by the Initial SAML Safari Endpoint to the values of the headers. Format this setting as follows:

    HEADER_NAME=DEEP_LINK_PARAMETER_NAME
    Note
    HEADER_NAME: name of the header sent to the SAML IdP Token Login Endpoint. DEEP_LINK_PARAMETER_NAME: name of the parameter from the deep link returned by the Initial SAML Safari Endpoint whose value will be used as the value for the HEADER_NAME header.

    If you wish to use multiple name-value pairs, separate them using "&".

Example

Using the following SAML IdP Token Parameter Format entry:

X-Mobile-Logon-Token=loginToken&X-Mobile-Logon-Checksum=checksum

The deep link returned from the Initial SAML Safari Endpoint would be:

sap-analytics-cloud://remotetoken/?loginToken=abcde&checksum=12345

where parameter loginToken has a value of abcde, and parameter checksum has a value of 12345.

The following headers would be sent to the SAML IdP Token Login Endpoint:

X-Mobile-Logon-Token: abcde

and

X-Mobile-Logon-Checksum: 12345