SAP Fiori Client Guide

Certificate Delivery Services Provider Plugin

(Android and iOS) The Certificate Delivery Services (CDS) provider is a Hybrid SDK (Kapsel) plugin that contacts the SAP Mobile Secure server to provide a client-side certificate. You can use this certificate to authenticate with SAP back-end systems.

The CDS provider plugin is not a standalone component: to use it, you must also install the Logon plugin.

CDS Provider Plugin Responsibilities

Use application configuration details in the logon context.

The logon context may contain configuration details that require an application to authenticate with an application server using an identity certificate, for example the authorization endpoint, token endpoint, or certificate endpoint. To configure such details in the logon context, the CDS Provider allows you to:
  • Edit appconfig.js (for Fiori Client)
  • Modify the logon context during runtime
  • Create a valid SAP Mobile Place configuration, so that the Logon plugin can parse it and copy it to the logon context

Sample Configuration
{
    "certificate": "com.sap.mobilesecure.certificateService",
    "com.sap.mobilesecure.certificateService.attributesEndpoint": "https://discovercert.murray.sapmobileplace.com/product-api.svc/UserCertificates/getUserCertificateAttributes",
    "com.sap.mobilesecure.certificateService.requestEndpoint": "https://discovercert.murray.sapmobileplace.com/product-api.svc/UserCertificates/requestUserCertificates",
    "com.sap.mobilesecure.certificateService.publicKeyPinSet": [],
    "com.sap.mobilesecure.certificateService.authType": {
        "type": "oauth",
        "authorizationEndpoint": "https://discovercert.murray.sapmobileplace.com/oauth/authorize",
        "tokenEndpoint": "https://discovercert.murray.sapmobileplace.com/oauth/token",
        "client_id": "com.sap.mobilesecure.discovercert.com.sap.gsapp1",
        "redirect_uri": "com.sap.gsapp1://"
    },
    "fioriURL": "https://<host>.<domain>:<port>/sap/bc/ui5_ui5/ui2/ushell/shells/abap/Fiorilaunchpad.html?sap-client=<client>&sap-language=EN",
    "fioriURLIsSMP": false,
    "passcodePolicy": []
}
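A pre-deployment check for a configuration of this shape, as an added example that is not part of the SAP plugin or this guide: it confirms that every CDS and OAuth endpoint is an absolute https URL and that the OAuth fields are present. The function name checkCdsConfig, the finding texts, the example.test hosts, and the choice to flag an empty publicKeyPinSet and mixed endpoint hosts for review are assumptions.

```javascript
// Added example, not SAP code: checkCdsConfig and its messages are hypothetical.
const PREFIX = "com.sap.mobilesecure.certificateService";
function checkCdsConfig(config) {
  const findings = [];
  if (config.certificate !== PREFIX) {
    return [`"certificate" is not ${PREFIX}; CDS provider not selected`];
  }
  const auth = config[`${PREFIX}.authType`] || {};
  const endpoints = {
    attributesEndpoint: config[`${PREFIX}.attributesEndpoint`],
    requestEndpoint: config[`${PREFIX}.requestEndpoint`],
    authorizationEndpoint: auth.authorizationEndpoint,
    tokenEndpoint: auth.tokenEndpoint,
  };
  const hosts = new Set();
  for (const [name, value] of Object.entries(endpoints)) {
    let url;
    try { url = new URL(value); } catch (err) {
      findings.push(`${name} is missing or not an absolute URL`);
      continue;
    }
    // Tokens, the signing request and the issued certificate cross these endpoints.
    if (url.protocol !== "https:") findings.push(`${name} does not use https`);
    hosts.add(url.hostname);
  }
  // Assumption: as in the sample configuration, all endpoints share one host.
  if (hosts.size > 1) findings.push(`review: endpoints use ${hosts.size} different hosts`);
  if (auth.type !== "oauth") findings.push("authType.type is not oauth");
  if (!auth.client_id) findings.push("authType.client_id is missing");
  if (!auth.redirect_uri) findings.push("authType.redirect_uri is missing");
  const pins = config[`${PREFIX}.publicKeyPinSet`];
  if (!Array.isArray(pins) || pins.length === 0) findings.push("review: publicKeyPinSet is empty");
  return findings;
}
// Constructed sample input (hosts under example.test are placeholders).
const weakConfig = {
  certificate: PREFIX,
  [`${PREFIX}.attributesEndpoint`]: "http://cds.example.test/attrs",
  [`${PREFIX}.requestEndpoint`]: "https://cds.example.test/request",
  [`${PREFIX}.publicKeyPinSet`]: [],
  [`${PREFIX}.authType`]: {
    type: "oauth",
    authorizationEndpoint: "https://login.example.test/oauth/authorize",
    client_id: "constructed.client.id",
    redirect_uri: "com.example.app://",
  },
};
console.log(checkCdsConfig(weakConfig));
```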

Obtain access token for the certificate request

The CDS Provider plugin uses OAuth 2.0 (three-legged: on behalf of a user) to retrieve an access token. This process requires the CDS provider to contact the:
  • Authorization endpoint for an authentication code
  • Token endpoint to fetch valid access and refresh tokens

Build certificate-signing request

To generate a public/private key pair and to create a valid certificate-signing request, the CDS provider plugin requests attributes from the certificate attributes endpoint.

Retrieve identity certificate

To fetch an identity certificate, the CDS provider sends a certificate-signing request to the certificate request endpoint.

Store and delete client certificates in a secure store

If the client certificate is available, the CDS provider plugin stores it in a local datavault. For a delete request, the CDS provider deletes the certificate from the secure store.