Example Configuration: SSO with SAML 2.0
Use
Example application configuration for SAML2 authentication, with SSO achieved through principal propagation to the front-end server.
Prerequisites
- You have installed a SAML2 identity provider and configured it in Management Cockpit, under . You have to create a SAML2 local service provider and configure the settings for the SAML2 trusted identity provider you are using. For detailed information, see the SAP Mobile Platform Server documentation at http://help.sap.com/mobile-platform.
- You have performed the necessary steps to enable principal propagation to the Fiori front-end server. For more information, see Setting Up Communication Channels.
Procedure
Start Management Cockpit
On any computer on the network, in a supported browser, enter the URL for the Management Cockpit and log in. The URL has the format: https://<host_name>:<https_admin_port>/Admin/
Create a New Application
- On the Applications page, choose New.
- In the New Application dialog box, enter the following values:
  ID: com.sap.fiori.client. Unique application identifier in reverse domain notation. This is the identifier that the application developer assigns or generates during development; the administrator uses it to register the application with the server, and the client application uses it to send requests to the server.
  Name: descriptive name for the application, for example, SAP Fiori Client
  Vendor: (Optional) vendor who developed the application, for example, SAP SE
  Type: Hybrid
  Description: (Optional) short description of the application
- Save your entries.
Define the Back-End Connection
- On the Back End page, configure the following:
  Endpoint: the URL the application uses to access business data on the Fiori front-end server. It has the following format:
  https://<frontendserverhost>:<port>/sap/bc/ui5_ui5/ui2/ushell/shells/abap/Fiorilaunchpad.html?sap-client=<client>&sap-language=EN
  Certificate alias: tech_user
  Rewrite Mode: Rewrite in backend
  SSO Mechanisms: add X.509
- Save your entries.
Define Authentication Mechanisms
- On the Authentication page, enter a name for the new security profile.
- Under Authentication Providers, choose Add.
- Add the SAML authentication provider and configure the following:
  Authentication Providers: SAML
  Control Flag: optional
  Identity Provider Name: name of the SAML identity provider you configured
- Add the Principal Propagation authentication provider and configure the following:
  Authentication Providers: Principal Propagation
  CA Signing Alias: alias in the system keystore that contains the CA signing certificate and private key used to sign the dynamically generated certificate for the authenticated user (see Prerequisites, above). Example: pp_ca
  Subject Pattern: pattern that defines the SubjectDN of the generated certificate. The SubjectDN must match the configuration in Gateway. Example: CN=${name}, OU=Org, O=Company, C=US
- Save your entries.
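The Principal Propagation step and the Gateway-side SubjectDN match, as an added Go example that is not part of the SAP documentation or product: a constructed stand-in for the pp_ca keystore entry issues a short-lived client certificate whose subject follows the pattern above, and a stand-in for the front-end server accepts it only if it chains to that CA and is still valid. The P-256 keys, the certificate lifetimes and the user name jdoe are assumptions of the example; SMP's real certificate profile is not reproduced here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign issues tmpl under parent's key; parent == tmpl yields a self-signed CA.
func sign(tmpl, parent *x509.Certificate, pub any, key *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err) // constructed example: setup failures are fatal
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// NewCA is a constructed stand-in for the keystore entry behind CA Signing Alias (pp_ca).
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "pp_ca"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}

// IssueUserCert plays the Principal Propagation provider: a short-lived client certificate for one SAML-authenticated user, subject from the pattern CN=${name}, OU=Org, O=Company, C=US.
func IssueUserCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, user string, ttl time.Duration) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:   pkix.Name{CommonName: user, OrganizationalUnit: []string{"Org"}, Organization: []string{"Company"}, Country: []string{"US"}},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return sign(tmpl, ca, &key.PublicKey, caKey)
}

// GatewayUser plays the Fiori front-end server: trust only certificates that chain to pp_ca and are valid at now, then return the CN that Gateway maps to the ABAP user.
func GatewayUser(cert, ca *x509.Certificate, now time.Time) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}
```

A certificate from any CA other than the one behind the signing alias, or one presented after its short lifetime, is rejected before any user mapping happens, which is why the alias and the subject pattern must agree with the Gateway configuration.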

