SAP Fiori Client Guide

SAML2 Configuration Examples

SAP HANA Cloud Platform Mobile Services Registration with SAML2 Web POST Profile

{
   "appID":"com.sap.fiori.client",
   "fioriURL":"https://my.host.com/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html",
   "fioriURLIsSMP":true,
   "auth":[
      {
         "type":"saml2.web.post",
         "config":{
            "saml2.web.post.authchallengeheader.name":"com.sap.cloud.security.login",
            "saml2.web.post.finish.endpoint.uri":"/SAMLAuthLauncher",
            "saml2.web.post.finish.endpoint.redirectparam":"finishEndpointParam"
         }
      }
   ]
}

Using Certificates for SAML Authentication on Android

If you must use certificates for SAML authentication, the Android SAP Fiori client requires some additional configuration.

Open the file ~plugins/kapsel-plugin-fioriclient/www/fioriclient.js. In the onDeviceReady function, add the following code:

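var onDeviceReady = function() {
    // Callbacks shared by the two AuthProxy calls below
    var successCallback = function() { console.log("Callback Success"); };
    var errorCallback = function() { console.log("Callback Failure"); };
    // Start intercepting before Logon registration has finished (Android only)
    sap.AuthProxy.startIntercepting(successCallback, errorCallback);
    // The WebView loads this host over HTTP; AuthProxy converts the requests to HTTPS
    sap.AuthProxy.addHTTPSConversionHost(successCallback, errorCallback, "http://wdflbmt0759.wdf.sap.corp");
    sap.Logger.info('Cordova container initialized', 'FIORI_CLIENT');
    // ... the rest of the existing onDeviceReady function follows unchanged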

Explanation

The AuthProxy plugin can be configured to intercept all network traffic and to send the requests itself, which enables WebView requests to use certificates. However, AuthProxy cannot intercept HTTPS requests. The workaround is to tell the WebView to load HTTP URLs and have AuthProxy convert those URLs to HTTPS before they are sent over the network. AuthProxy interception is enabled by default for SAP Fiori Client. But even when AuthProxy interception is enabled, AuthProxy normally won’t start intercepting until after Logon registration has finished, because the HTTP -> HTTPS switch cannot always be made to work with Logon.

If you want certificate authentication with SAML, you need the WebView requests to use a certificate, which means AuthProxy must be intercepting. But SAML authentication happens before Logon registration when AuthProxy normally hasn’t started intercepting yet. The call startIntercepting makes AuthProxy start intercepting even if Logon registration hasn’t completed yet. The call to addHTTPSConversionHost is for the HTTP -> HTTPS workaround, so that AuthProxy knows to switch requests for that host to HTTPS before sending the requests. Note that both of those calls should only be made on Android.
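
The two calls wrapped in a platform guard, as an added example (not code from the SAP Fiori Client or the Kapsel plugin). The function names enableEarlyInterception and normalizeConversionHost, the host fiori.example.test, and the rules that the host must be an http:// URL without a path are assumptions made for this sketch; only startIntercepting and addHTTPSConversionHost, with the argument order shown above, come from this page.

```javascript
// Added example. Hypothetical helpers; only the two AuthProxy calls are from the page.

// Validate the host before it is registered for HTTP -> HTTPS conversion.
// Assumption: the value is an http:// URL naming a host only, as in the page's snippet.
function normalizeConversionHost(raw) {
  var trimmed = String(raw).trim();          // drop stray whitespace around the URL
  var url = new URL(trimmed);                // throws TypeError on malformed input
  if (url.protocol !== "http:") {
    throw new Error("conversion host must be an http:// URL: " + trimmed);
  }
  if (url.pathname !== "/" || url.search || url.hash) {
    throw new Error("conversion host must not carry a path or query: " + trimmed);
  }
  return url.origin;                         // scheme + host (+ port), no trailing slash
}

// Make both AuthProxy calls, but only on Android, and log each outcome separately
// so a failed conversion-host registration is visible in the device log.
// platformId: e.g. cordova.platformId; authProxy: e.g. sap.AuthProxy; log: function(msg).
function enableEarlyInterception(platformId, authProxy, rawHost, log) {
  if (platformId !== "android") {
    return false;                            // other platforms: leave AuthProxy defaults alone
  }
  var host = normalizeConversionHost(rawHost);
  var ok = function (step) {
    return function () { log("AuthProxy " + step + " ok"); };
  };
  var fail = function (step) {
    return function (err) { log("AuthProxy " + step + " failed: " + JSON.stringify(err)); };
  };
  authProxy.startIntercepting(ok("startIntercepting"), fail("startIntercepting"));
  authProxy.addHTTPSConversionHost(
    ok("addHTTPSConversionHost"), fail("addHTTPSConversionHost"), host);
  return true;
}

// Inside onDeviceReady (constructed host):
// enableEarlyInterception(cordova.platformId, sap.AuthProxy,
//                         "http://fiori.example.test", console.log);
```

If a conversion host fails to register, requests to that host are not switched to HTTPS, so the failure log line is worth checking during rollout.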