Connecting SAP Inventory Manager Agentry Cloud Edition to the Back End using SAML Identity Provider

Mobile applications developed using Agentry, such as SAP Inventory Manager, use SAML 2.0 for identity authentication.

Prerequisites

  • Agentry is deployed on SAP Business Technology Platform Mobile Services

  • SAP BTP services Agentry Cloud Edition is 2016 or above. Note that SAML authentication is not supported on on-premise systems when using SAP Mobile Platform.

  • Agentry SDK is 7.3 or above.

  • SAML authentication requires SAP Secure Network Communication (SNC)

  • The RFC SNC protocol must be used when configuring Agentry Cloud Edition to on-premise mapping in the Cloud Connector

Before starting this procedure, create and deploy the mobile application in SAP Business Technology Platform Mobile Services using the default authentication method. See the Connecting SAP Inventory Manager to the Agentry Component for detailed instructions. Once the app is deployed, ensure that you can successfully connect from the Agentry client using your SAP user ID and password.

Context

Procedure

  1. Configuration changes to the Agentry application:
    1. Open the JavaBE.ini configuration file in a standard text editor.
    2. Locate the [JCO] section and ensure the configuration is as follows: 
      [JCO]
	CLASS=JCO3
	CONNECTION_TYPE=CLOUD
    3. Ensure the LOGON_METHOD in the [LOGON_METHOD] section is set to USER_AUTH.
    4. Locate the [JCO3] section and ensure the configuration is as follows: 
      [JCO3]
	;Please map the destination names configured in BTP Cockpit
	DESTINATION_SERVICE_NAME=<DESTINATION_SERVICE>
	DESTINATION_PUSH_NAME=<DESTINATION_PUSH>
	DESTINATION_SESSION_NAME=<DESTINATION_SESSION>
    5. Locate the [USER_AUTH] section and ensure the configuration is as follows: 
      [USER_AUTH]
	;USER_AUTH section configuration for SNC/SAML
	BYPASS_USERID_CHECK=true
	ALLOW_USERNAME_REMAPPING=true
    6. Save your changes. Create the export and publish the definitions to the mobile app in SAP BTP services.
  2. Security configuration so the application can use SAML:
    1. Log on to the SAP BTP cockpit. Navigate to the subaccount for the Neo environment.
    2. Navigate to Start of the navigation pathServices Next navigation step Mobile Services Next navigation step Go to ServiceEnd of the navigation path.

      SAP BTP services is launched.

    3. Navigate to the mobile application you created by going to Start of the navigation pathMobile Applications Next navigation step Agentry Next navigation step Your Mobile ApplicationEnd of the navigation path.
    4. Navigate to Start of the navigation pathAssigned Features Next navigation step Agentry ApplicationsEnd of the navigation path and configure the Security as follows:

      • Authentication Method: SAML

      • HTTP Session Timeout: 1200 (default is 20 minutes, which is 1200 seconds)

      BTP Cockpit - Configure Security for Agentry App for SAML

    5. Configure the destinations you added previously using the Connecting SAP Inventory Manager to the Agentry Component procedure. The following example uses DESTINATION_SESSION_NAME. Configure DESTINATION_SERVICE_NAME and DESTINATION_PUSH_NAME in the same way.
      • Example configuration:

        • Name: <DESTINATION_SESSION_NAME>

        • Type: RFC

        • Description: <description>

      • Additional parameters:

        • jco.client.client: <SAP client>

        • jco.client.lang: EN

        • jco.destination.auth_type: PrincipalPropagation

        • jco.destination.peak_limit: 100

        • jco.destination.pool_capacity: 10

      For load balanced systems, use Message Server:

      • jco.client.mshost: <message server host from Cloud Connector>

      • jco.client.msserv: <message server>

      • jco.client.group: <group name>

      • jco.client.r3name: <SID>

      For non-load balanced systems, use Application Server:

      • jco.client.ashost: <server host name from Cloud Connector>

      • jco.client.sysnr: <system number>

  3. Configure the cloud to on-premise mapping using RFC SNC:
    Once you've configured the cloud to on-premise action control, you must configure the function modules. Configure the following prefixes as part of the Resources to the cloud to on-premise host map:

    • /SMERP/

    • /SMFND/

    • /SYCLO/

    • /SMISU/

    • Z (allows custom RFC specific to your implementation)

    Note that if you use a service user to start and run the Cloud Connector, that user account must be granted admin privileges.

    For additional information, see the Configuring Principal Propagation topic in the SAP BTP Connectivity for the Neo Environment guide.

  4. Configure the SAP back end:

    For additional information, see the Configure Principal Propagation for RFC topic in the SAP BTP Connectivity for the Neo Environment guide.

    1. STRUST configuration: Use transaction STRUST to import the certificates from the Cloud Connector
    2. Configure rule-based certificate mapping: Use transaction CERTRULE to import the Cloud Connector principal progagation certificate and to configure the assertion rule and exceptions.