Using a Third-Party Certificate Provider

SAP Mobile Platform SDK includes a Provider API, which enables apps to download certificates from third-party infrastructures.


  • Install a Client Hub application on the client device, and enable <SSO pincode>.
  • Create a new Android project in Android Studio by clicking Start of the navigation path File Next navigation step New Next navigation step Project End of the navigation path. Enter the project's name and click Finish.
  • Add maflogonui.aar to the libs folder and import it in to the build.gradle file.


  1. Set <UserCreationPolicy>=certificate in the file.
    See Registering a New Application Using Client Hub in the Client Hub documentation.
  2. Set the CertificateProvider interface for the MAF Logon component. Each certificate provider must implement this interface.
  3. Implement the getCertificate method. During registration, the Logon component invokes the getCertificate method, described in CertificateProvider interface, and sends a callback to retrieve the user certificate. Save the callback reference and logoncomponentactivity context. Then start a new UI to request parameters from the user.
    public void getCertificate(CertificateProviderListener callback) {
       this.listener = callback;
       this.ctx = (Activity) LogonUIFacade.getInstance().getActivityContext();
       ctx.startActivity(new Intent(ctx, ProviderActivity.class));
  4. Implement a custom method to pass parameters from the Activity XML file to the code written for developing certificate provider functionality. For example, you can implement a setParameters method to retrieve the UI parameters and create X509KeyManager interface to send the certificate back to the MAF Logon component.
    public void setParameters(Map<String, String> parameters) {
       // download certificate from your PKI/CA server or load it from the  System Keychain
       getCertificate(ctx, parameters);
       X509KeyManager keyMan = new MyX509KeyManager();
       // calling callback onGetCertificateSuccess
  5. Make your test .P12 files available to the provider. Depending on your implementation, these files might be:
    • Installed in the System Keychain of your device.
    • Placed in a resource folder of your Android project.
    • Uploaded to your MDM server and accessed via HTTPS request.
  6. Test your implementation by installing the Root CA certificate into the SAP Mobile Platform server keystore. See Managing Keystore and Truststore Certificates in Administrator.