FederationProvider Plugin

(Android and iOS) The FederationProvider plugin is a CertificateProvider implementation that enables sharing of X509 client certificates for authentication across multiple applications.

Requirements

Federation requires every application to:
  • Be signed by the same developer identity
  • Share the same entitlements/metadata
  • Be used by the same consumer
  • Be configured to use the same FederationProvider implementation
  • Use the same federated identity (the same consumer, with the same login credentials as the identity provider used to provision the certificate)
  • Preferably have every application target the same back-end system (or have back-end systems that are mapped to the same identity, with all users mapped consistently)

Supported Usage Scenarios

The FederationProvider plugin supports federation for:
  • Third-party certificates in Hybrid apps
  • SAP certificates in Hybrid apps

The certificate provider provides a certificate when called, and provides all the information required to either provision the certificate or to read a stored certificate from internal secure storage. The developer can think of the federation provider as a native component that calls the certificate provider implementation. When it is called by the federation provider, the certificate provider implementation works the same way as if the Logon plugin had called it.

The other role of the FederationProvider is to implement platform-specific logic that shares the certificate acquired from the certificate provider implementation. This logic is implemented by the federation native library. To plug the FederationProvider into the Logon plugin, it implements the certificate provider interface. In this role, FederationProvider acts as a proxy component that decides when to call the configured certificate provider implementation and when to fetch the certificate from the Federation Library.

Supported Certificate Providers

There are no special requirements for a certificate provider implementation that is used by the FederationProvider. Every correctly configured certificate provider should work through the FederationProvider.

These SAP certificate providers are currently supported:
  • Afaria provider
  • Certificate Delivery Services (CDS) provider

Any third-party certificate provider can be supported; consult the third party that created the specific certificate provider.

Supported Scenarios

  • Federation with any Third-Party Certificate Provider in Hybrid Applications
    • The Logon Context – AppConfig JSON dictionary configures the certificate provider to be the SAP federation provider ("certificate" : "com.sap.federationprovider")
    • The Logon Context – AppConfig JSON dictionary passes the new configuration value to select the certificate provider that is used by the SAP federation provider ("federated_certificate" : "com.ex.anyprovider")
    • The application can trigger the registration through the Logon plugin API, which results in the FederationProvider plugin acquiring the certificate either from the Federation library or via the configured third-party certificate provider implementation
    • Add every configuration that the certificate provider needs to the Logon Context – AppConfig JSON dictionary. The provider receives the content of this file and parses the configuration it needs.
  • Federation with any SAP Certificate Provider in Hybrid Applications
    • The Logon Context – AppConfig JSON dictionary configures the certificate provider to be the SAP federation provider ("certificate" : "com.sap.federationprovider")
    • The Logon Context – AppConfig JSON dictionary passes the new configuration value to select the certificate provider used by the SAP federation provider:
      • "federated_certificate" : "com.sap.afaria"
      • "federated_certificate" : "com.sap.mobilesecure.certificateService"
    • The application can trigger the registration through the Logon plugin API, which results in the federation provider acquiring the certificate either from the federation library or from the configured third-party certificate provider implementation
    • Add every configuration that the certificate provider needs to the Logon Context – AppConfig JSON dictionary. The provider receives the content of this file and parses the configuration it needs.
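
A pre-release check of the two keys described above, run over the AppConfig dictionaries of every application that is meant to share a certificate. This is an added example, not SAP code: the function names, the app names and the sample data are hypothetical, and it reads the "same FederationProvider implementation" requirement as every app naming the same "federated_certificate" value, which is an assumption.

```javascript
// Added example (not SAP code): validates the federation keys in AppConfig.
const FEDERATION_PROVIDER = "com.sap.federationprovider";

// Check one app's AppConfig dictionary; returns a list of finding strings.
function checkAppConfig(appName, appConfig) {
  const findings = [];
  const cert = appConfig.certificate;
  const federated = appConfig.federated_certificate;
  if (cert !== FEDERATION_PROVIDER) {
    findings.push(`${appName}: "certificate" is ${JSON.stringify(cert)}, not the federation provider`);
  }
  if (typeof federated !== "string" || federated.trim() === "") {
    findings.push(`${appName}: "federated_certificate" is missing or empty`);
  } else if (federated === FEDERATION_PROVIDER) {
    // Assumed sanity check: the proxy must name a real provider, not itself.
    findings.push(`${appName}: "federated_certificate" points back at the federation provider`);
  }
  return findings;
}

// Check a group of apps meant to share one certificate.
// `apps` maps a (hypothetical) app name to its AppConfig dictionary.
function checkFederationGroup(apps) {
  const findings = [];
  const seen = new Map(); // provider ID -> names of the apps that select it
  for (const [name, cfg] of Object.entries(apps)) {
    findings.push(...checkAppConfig(name, cfg));
    const id = cfg.federated_certificate;
    if (typeof id === "string" && id.trim() !== "") {
      seen.set(id, [...(seen.get(id) || []), name]);
    }
  }
  if (seen.size > 1) {
    const detail = [...seen].map(([id, names]) => `${id} (${names.join(", ")})`).join(" vs ");
    findings.push(`group: apps do not use the same certificate provider: ${detail}`);
  }
  return findings;
}

// Constructed sample input, not taken from a real project.
const sampleGroup = {
  orders: { certificate: FEDERATION_PROVIDER, federated_certificate: "com.sap.afaria" },
  approvals: { certificate: FEDERATION_PROVIDER, federated_certificate: "com.ex.anyprovider" },
  travel: { certificate: "com.sap.afaria" },
};
console.log(checkFederationGroup(sampleGroup).join("\n"));
```

An empty result means every app routes certificate requests through the federation provider and selects the same underlying provider; it does not check the signing identity or entitlements, which have to be verified in the build pipeline.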