Token-based Single Sign On to Live Data Sources
Learn how to enable a direct and seamless single sign-on (SSO) experience for the iOS mobile app based on an SSO token.
Before you can enable a token-based SSO for your mobile users, you need to establish the following endpoints:
- Initial SAML Safari Endpoint
This endpoint is accessed by a Safari web view within the SAP Analytics Cloud mobile app. It allows the user to log in to the Identity Provider by using any of the following:
- The existing Safari session
- An X.509 Personal Identity Certificate installed on the mobile device
- Manually entering login credentials.
After the user is logged in, this endpoint must redirect to a deep link with the following format:
sap-analytics-cloud://remotetoken/?<<DEEP_LINK_PARAMETER_NAME>>=<<DEEP_LINK_PARAMETER_VALUE>>
Note: You can include as many parameters as you need. These deep link parameters are managed through the SAML IdP Token Parameter Format setting used to enable the token-based SSO.
- SAML IdP Token Login Endpoint
The mobile app sends a GET request to this endpoint and includes the parameter values (header values) provided by the deep link returned from the Initial SAML Safari Endpoint. The SAML IdP Token Login Endpoint reads the header values and uses them to authenticate the user to the Identity Provider.
Once you have established the two endpoints described above, go to the System Configuration section to enable the token-based SSO. You will need to provide the header names and their mappings to the parameters returned by the Initial SAML Safari Endpoint.
under the
- Enable the Mobile remote connection SSO setting.
Note: This is a mandatory setting for the token-based SSO to work.
- Provide a value for the Initial SAML Safari Endpoint
This is the endpoint accessed by the Safari web view within the mobile app.
- Specify your SAML IdP Token Login Endpoint.
This is the endpoint where the mobile app sends the token value required to log the user into the identity provider.
- Specify the header names sent to the SAML IdP Token Login Endpoint in the SAML IdP Token Parameter Format setting.
This setting also describes how to map the values of the parameters returned in the deep link by the Initial SAML Safari Endpoint to the values of the headers. Format this setting as follows:
HEADER_NAME=DEEP_LINK_PARAMETER_NAME
Note:
HEADER_NAME: name of the header sent to the SAML IdP Token Login Endpoint.
DEEP_LINK_PARAMETER_NAME: name of the parameter from the deep link returned by the Initial SAML Safari Endpoint whose value will be used as the value for the HEADER_NAME header.
If you wish to use multiple name value pairs, separate them using "&".
Using the following SAML IdP Token Parameter Format entry:
X-Mobile-Logon-Token=loginToken&X-Mobile-Logon-Checksum=checksum
The deep link returned from the Initial SAML Safari Endpoint would be:
sap-analytics-cloud://remotetoken/?loginToken=abcde&checksum=12345
where parameter loginToken has a value of abcde, and parameter checksum has a value of 12345.
The following headers would be sent to the SAML IdP Token Login Endpoint:
X-Mobile-Logon-Token: abcde
X-Mobile-Logon-Checksum: 12345
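
The mapping described above can be checked before rollout with a short script. This is an added example, not SAP's code: the function names are hypothetical, and the validation rules (URL-decoding of values, exactly one occurrence per parameter, no control characters in a header value) are assumptions about sensible handling rather than documented app behaviour.

```python
from urllib.parse import urlsplit, parse_qs

DEEP_LINK_SCHEME = "sap-analytics-cloud"
DEEP_LINK_HOST = "remotetoken"


def parse_token_format(setting):
    """Parse 'HEADER_NAME=DEEP_LINK_PARAMETER_NAME&...' into {header: parameter}."""
    mapping = {}
    for pair in setting.split("&"):
        header, sep, param = pair.partition("=")
        if not sep or not header or not param:
            raise ValueError(f"malformed pair: {pair!r}")
        if header in mapping:
            raise ValueError(f"duplicate header: {header}")
        mapping[header] = param
    return mapping


def headers_from_deep_link(setting, deep_link):
    """Return the headers that would go to the SAML IdP Token Login Endpoint."""
    url = urlsplit(deep_link)
    if url.scheme != DEEP_LINK_SCHEME or url.netloc != DEEP_LINK_HOST:
        raise ValueError("not a remotetoken deep link")
    params = parse_qs(url.query, keep_blank_values=True)
    headers = {}
    for header, param in parse_token_format(setting).items():
        values = params.get(param, [])
        # Assumption: a missing or repeated parameter is a misconfiguration.
        if len(values) != 1:
            raise ValueError(f"expected one {param!r} parameter, got {len(values)}")
        value = values[0]
        # Assumption: control characters (e.g. a decoded CR/LF) never belong
        # in a header value, so reject them instead of forwarding them.
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
            raise ValueError(f"control character in {param!r}")
        headers[header] = value
    return headers


if __name__ == "__main__":
    # Values taken from the example on this page.
    fmt = "X-Mobile-Logon-Token=loginToken&X-Mobile-Logon-Checksum=checksum"
    link = "sap-analytics-cloud://remotetoken/?loginToken=abcde&checksum=12345"
    for name, value in headers_from_deep_link(fmt, link).items():
        print(f"{name}: {value}")
```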