Enabling Secure Onboarding Using SAML
Security Assertion Markup Language (SAML) is an XML-based open standard data format for exchanging authentication and authorization data. Both SAP HCP, mobile service for development and operations and SAP Mobile Platform support SAML authentication. The Logon plugin can use SAML authentication with or without Mobile Place.
Only SAP HCP, mobile service for development and operations can directly publish the registration configuration (which may or may not include SAML configuration) to the Mobile Place server by selecting an option in the management cockpit for SAP Hana Cloud Platform mobile services. Whereas for SAP Mobile Platform Server, in order to use Mobile Place to provision the configuration to the device, you must manually upload the registration configuration to the Mobile Place server.
Enabling SAML Authentication
Configure registration context for the Logon plugin to perform SAML authentication. You can use the context parameter refreshSAMLSessionOnResume to skip/allow SAML authentication during application restart and datavault unlock. By default, the refreshSAMLSessionOnResume is set as always.
For example, offline applications use offline data and synchronize periodically with server data. In this case, set the context parameter refreshSAMLSessionOnResume to skip the SAML authentication.
Sample registration context:
var context = {
"serverHost": "hcpms-i826633trial.hanatrial.ondemand.com", //Place your SAP Mobile Platform 3.0 server name here
"serverPort": "0",
"https": "true",
"passcode": "Password1",
"passcode_CONFIRM": "Password1",
"unlockPasscode": "Password1",
"refreshSAMLSessionOnResume":"skip",
"auth": [
{
"type": "saml2.web.post",
"config": {
"saml2.web.post.authchallengeheader.name": "com.sap.cloud.security.login",
"saml2.web.post.finish.endpoint.uri": "/SAMLAuthLauncher",
"saml2.web.post.finish.endpoint.redirectparam": "finishEndpointParam"
}
}
]
Enabling Your Application to Use Mobile Place
To enable your application to use Mobile Place, set mobilePlace to true in the Logon context in index.html in the www folder.
When Mobile Place is enabled, these SAML configuration items are automatically included in the registration context to enable SAML authentication during logon:
- saml2.web.redirect.identifyingHeader.name: The value of this key is used by server response to indicate a SAML challenge is required. When a client sends a request to the server and the server's response includes this header value, this indicates that the server has requested SAML authentication. The client should initialize a SAML authentication process.
- saml2.web.redirect.finish.endpoint The value of this key indicates the initial URL for the client to start the SAML authentication. The client should send the request to this URL in a UIWebView control, as the server will return an HTML page for the request.
- saml2.web.redirect.finish.endpoint.param The value of this key indicates when the SAML authentication has finished. When the server sends a response with the value in its URL, this indicates SAML authentication is done, and the client can continue the logon process.
When you use SAML authentication with Mobile Place, the application ID is automatically configured on the Mobile Place server.
Enabling SAML and One Time Password Authentication (Two-factor Authentication)
You can configure and enable two-factor authentication for Mobile Application clients from SAP HCP, mobile service for development and operations and SAP Mobile Platform. You can handle all required configuration on server side and therefore, you do not need any additional configuration on client side. This allows you to configure unique settings for a mobile application.