Administrator

Creating a SAML2 Local Service Provider

Create a SAML2 local service provider that can communicate with a trusted identity provider to determine whether a requesting user is authorized to access a secured resource.

Prerequisites

Configure the SAP Mobile Platform SAML service provider certificate generator in Management Cockpit.

Context

Configure the provider using a certificate that is either:
  • Generated by SAP Mobile Platform, or

  • Signed by your own PKI/CA system.

Procedure

  1. In Management Cockpit, select Settings > SAML > Local Service Provider.
  2. Complete the required information.
    Table 59: SAML2 Local Service Provider Properties

    Local Provider Name
      A unique name that identifies the local service provider among all the trusted identity providers you plan to use. To ensure uniqueness, enter a name that no one else has registered, such as DN::mysmp1. Maximum length is 256 characters. The name appears as a trusted identity provider and represents this SAP Mobile Platform installation.

    Base URL
      The base URL for the local service provider.

      For a single SAP Mobile Platform installation in which clients connect directly to the server, you can use the fixed IP address or host name of your SAP Mobile Platform Server, for example, https://198.164.10.18:8081.

      For an SAP Mobile Platform cluster, or when clients connect from the Internet and a load balancer or reverse proxy sits between clients and SAP Mobile Platform, enter the URL of the load balancer or the reverse proxy.

      To test SAP Mobile Platform SDK clients, you must use HTTPS. If you are testing locally with something like a REST client, HTTP works.

    Signing Key
      The Base64-encoded signing key for your SAP Mobile Platform installation.

      • For certificates that are generated by SAP Mobile Platform, click Generate Key Pair. This field and Signing Certificate are filled in automatically.

      • For certificates that are signed by your own PKI/CA system, copy and paste the signing key and signing certificate that you receive from your PKI system. The key must be unencrypted and in DER-encoded PKCS #8 format. For example, if you start with the key.p12 certificate file:
        1. On a command line, run:
           openssl pkcs12 -in key.p12 -nocerts -nodes | openssl pkcs8 -topk8 -inform pem -outform der -nocrypt | base64 -w 0 > key
           openssl pkcs12 -in key.p12 -nokeys -clcerts | openssl x509 -outform der | base64 -w 0 > cert
        2. Paste the contents of key into Signing Key.
        3. Paste the contents of cert into Signing Certificate.

    Signing Certificate
      The full text of the certificate that identifies your SAP Mobile Platform installation.

      • For certificates that are generated by SAP Mobile Platform, see Signing Key, above.

      • For certificates that are signed by your own PKI/CA system, see Signing Key.

  3. (Optional) If you left the Signing Key and Signing Certificate fields blank, click Generate Key Pair.
  4. Click Save.

    After you save, you cannot change the signing key or signing certificate.

  5. Click Get Metadata to download the SAML 2.0 XML metadata that describes SAP Mobile Platform as a service provider.
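Because the signing key and certificate cannot be changed after you click Save, it is worth checking the two Base64 blobs before pasting them. The script below is an added example, not SAP's own tooling: it runs the same openssl pipeline as the Signing Key steps above (with the PKCS#12 import password read from a hypothetical P12PASS environment variable instead of the interactive prompt the bare commands produce), then confirms that the exported key is an unencrypted PKCS #8 DER blob whose public half matches the exported certificate, and prints the certificate subject and expiry so you can see what you are committing to. It assumes openssl and GNU coreutils base64 (for -w 0) are on PATH; the function names are chosen for this example.

```shell
#!/bin/sh
# Added example (not part of SAP Mobile Platform): export a PKCS#12 bundle into
# the Base64 DER blobs that the Signing Key / Signing Certificate fields expect,
# and sanity-check them before anything is pasted into Management Cockpit.
# Assumes openssl + GNU base64 on PATH and the PKCS#12 password in $P12PASS
# (hypothetical variable name chosen for this script).
set -eu

# smp_export_p12 <bundle.p12> <outdir>
# Writes <outdir>/key  : Base64 of the unencrypted DER PKCS#8 private key
#        <outdir>/cert : Base64 of the DER X.509 certificate
# Same transformation as the documented openssl pipeline, minus the prompt.
smp_export_p12() {
    p12="$1"; out="$2"
    : "${P12PASS:?set the PKCS#12 import password in P12PASS}"
    mkdir -p "$out"
    openssl pkcs12 -in "$p12" -nocerts -nodes -passin env:P12PASS \
        | openssl pkcs8 -topk8 -inform pem -outform der -nocrypt \
        | base64 -w 0 > "$out/key"
    openssl pkcs12 -in "$p12" -nokeys -clcerts -passin env:P12PASS \
        | openssl x509 -outform der \
        | base64 -w 0 > "$out/cert"
}

# smp_verify_pair <outdir>
# Returns 0 only if <outdir>/key decodes as an unencrypted PKCS#8 key and its
# public key is byte-identical to the public key inside <outdir>/cert.
smp_verify_pair() {
    out="$1"
    base64 -d "$out/key"  > "$out/key.der"
    base64 -d "$out/cert" > "$out/cert.der"
    # An encrypted PKCS#8 blob fails here: only an empty passphrase is offered,
    # so this also catches a key that was exported without -nocrypt.
    key_pub=$(openssl pkey -inform der -in "$out/key.der" -passin pass: -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -inform der -in "$out/cert.der" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# smp_cert_summary <outdir>
# Prints the subject and notAfter of the certificate about to be pasted, since
# the pair cannot be replaced once the local service provider is saved.
smp_cert_summary() {
    base64 -d "$1/cert" | openssl x509 -inform der -noout -subject -enddate
}

# Usage: P12PASS='...' sh smp_signing_key.sh key.p12 ./out
if [ -n "${1:-}" ]; then
    dir="${2:-./out}"
    smp_export_p12 "$1" "$dir"
    smp_verify_pair "$dir" && smp_cert_summary "$dir" \
        && echo "key and certificate match; paste $dir/key and $dir/cert into Management Cockpit"
fi
```

The match check compares the PEM public key derived from the private key with the one carried in the certificate, so a key and certificate taken from two different bundles are rejected before they reach the form, and an exported key that was left encrypted is rejected at the decode step.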

Next Steps

  • Before you use SAML2 in a security profile, configure a trusted identity provider.

  • Send the metadata file you generated to the trusted identity provider you plan to use.