
Using a Third-Party Certificate Provider

SAP Mobile Platform SDK includes a Provider API, which enables apps to download certificates from third-party infrastructures.

Implementing Content from Third-Party Certificate Providers

The CertificateProvider API implements a Logon extension for integrating non-Afaria certificate provider options, for example, MobileIron or AirWatch, or file-system installation.

Prerequisites

Install a Client Hub application on the client device and enable an SSO pincode.

Creating an Xcode Library Project

To implement the certificate from your third-party provider, create a new static linked library project in Xcode.

You can obtain the required SAP Mobile Platform SDK dependencies from Service Marketplace. The libraries come bundled with the SAP Mobile Platform SDK installer. Unzip the installer on your system, then add the following dependency to your project:
maflogonuing.a min version: 1.203.0

Creating the Certificate Provider Implementation

Context

The Provider class implements the CertificateProvider protocol:
@interface CertificateProviderSample : NSObject <CertificateProvider>

Procedure

  1. Implement the getCertificate method:
    -(void) getCertificate:(id<CertificateProviderDelegate>)aProviderDelegate
    In this method, if the provider implementation requires a UI, retrieve the current view controller from the provider delegate instance:
    [aProviderDelegate currentViewController];
  2. When the SecIdentityRef is created, call the provider delegate instance:
    [aProviderDelegate onGetCertificateSuccess:clientIdentity];
    If any error prevents the return of a valid SecIdentityRef, call this method with an NSError instance:
    [aProviderDelegate onGetCertificateFailure:anError];
    After a successful registration, when the application has stopped and restarted, the LogonManager needs the SecIdentityRef again because it is stored only in the provider. Use the getStoredCertificate method:
    -(BOOL)getStoredCertificate:(SecIdentityRef *)secIdentityRef error:(NSError **)anError
    When this method is called, return the SecIdentityRef that was selected during registration. This is a synchronous method; therefore, do not show any UI here.
    If users inadvertently delete the registration or forget the passcode, LogonManager invalidates the registration and calls this method:
    -(BOOL) deleteStoredCertificateWithError:(NSError **)anError
    If the provider can successfully remove the stored certificate, deleteStoredCertificateWithError returns YES. In case of an error, it returns NO and provides the error description in anError.
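
The three methods above, put together as an added example (not code from the SDK or its documentation): a provider for the file-system case that imports a PKCS#12 file and keeps the identity in the iOS keychain, so it can be returned after a restart without UI. The class name, the "CertificateProvider.h" header name, the file path, the keychain label and the passphrase placeholder are assumptions, and the code uses manual reference counting, like the autorelease call in the page's own sample.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import "CertificateProvider.h" // assumed header name; use the one shipped with your SDK

static NSString *const kIdentityLabel = @"com.example.client-identity"; // constructed label

static NSError *OSError(OSStatus status) {
    return [NSError errorWithDomain:NSOSStatusErrorDomain code:status userInfo:nil];
}

@interface FileCertificateProvider : NSObject <CertificateProvider>
@end

@implementation FileCertificateProvider
- (void)getCertificate:(id<CertificateProviderDelegate>)aProviderDelegate {
    // Hypothetical file location and passphrase source; never ship a hard-coded passphrase.
    NSString *path = [NSHomeDirectory() stringByAppendingPathComponent:@"Documents/client.p12"];
    NSData *p12 = [NSData dataWithContentsOfFile:path];
    NSDictionary *opts = @{(id)kSecImportExportPassphrase: @"<passphrase from user>"};
    CFArrayRef items = NULL;
    OSStatus status = p12 ? SecPKCS12Import((CFDataRef)p12, (CFDictionaryRef)opts, &items) : errSecParam;
    if (status == errSecSuccess && CFArrayGetCount(items) > 0) {
        SecIdentityRef identity = (SecIdentityRef)CFDictionaryGetValue(
            CFArrayGetValueAtIndex(items, 0), kSecImportItemIdentity);
        // Persist in the keychain so getStoredCertificate can return it after a restart.
        NSDictionary *add = @{(id)kSecValueRef: (id)identity, (id)kSecAttrLabel: kIdentityLabel,
            (id)kSecAttrAccessible: (id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly};
        status = SecItemAdd((CFDictionaryRef)add, NULL);
        if (status == errSecSuccess) [aProviderDelegate onGetCertificateSuccess:identity];
    } else if (status == errSecSuccess) {
        status = errSecItemNotFound; // archive parsed but held no identity
    }
    if (status != errSecSuccess) [aProviderDelegate onGetCertificateFailure:OSError(status)];
    if (items) CFRelease(items);
}
- (BOOL)getStoredCertificate:(SecIdentityRef *)secIdentityRef error:(NSError **)anError {
    // Synchronous keychain lookup only; no UI here.
    NSDictionary *query = @{(id)kSecClass: (id)kSecClassIdentity, (id)kSecAttrLabel: kIdentityLabel,
                            (id)kSecReturnRef: @YES};
    OSStatus status = SecItemCopyMatching((CFDictionaryRef)query, (CFTypeRef *)secIdentityRef);
    if (status != errSecSuccess && anError) *anError = OSError(status);
    return status == errSecSuccess;
}
- (BOOL)deleteStoredCertificateWithError:(NSError **)anError {
    NSDictionary *query = @{(id)kSecClass: (id)kSecClassIdentity, (id)kSecAttrLabel: kIdentityLabel};
    OSStatus status = SecItemDelete((CFDictionaryRef)query);
    BOOL ok = (status == errSecSuccess || status == errSecItemNotFound); // nothing stored is not an error
    if (!ok && anError) *anError = OSError(status);
    return ok;
}
@end
```

The delete method treats a missing keychain item as success, so a certificate refresh is not blocked when there is nothing left to remove.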

Setting the CertificateProvider

Procedure

  • You can set the CertificateProvider on the MAFLogonUIViewManager instance:
    CertificateProviderSample *certificateProviderSample = [[[CertificateProviderSample alloc] init] autorelease];
    [logonUIViewManager setCertificateProvider:certificateProviderSample];
    
  • If your application does not require a CertificateProvider, you can remove it by setting a nil:
    [logonUIViewManager setCertificateProvider:nil];

Refreshing a Certificate

The certificate used for registration and communicating with the server might become invalid at some point, for example, if the validity period ends.

When a used certificate becomes invalid and you want to use a different, valid one, call:
-(void) refreshCertificate;
refreshCertificate does the following:
  1. Calls the deleteStoredCertificateWithError method, so the CertificateProvider can delete the invalid certificate.
  2. Calls the getCertificate method to set a new, valid certificate. This method is called only if deleteStoredCertificateWithError returns YES.