Support for Common Authentication and Authorization Flows

The HttpConversation library with its filter mechanism makes a conversation flow possible by allowing controlled implementation of scenarios that involve authentication and authorization. The HttpConvAuthFlows library used with HttpConversation lets you manage common authentication/authorization flows, for example, Basic authentication and SAML flow. A manager configurator called CommonAuthenticationConfigurator lets you configure your HttpConversationManager to manage the authentication/authorization flow of its conversations.

To utilize the CommonAuthenticationConfigurator, obtain an instance by using its designated initializer:
CommonAuthenticationConfigurator* commonConfig = [[CommonAuthenticationConfigurator alloc] init];

Basic Authentication

You can add support for Basic authentication by setting a specified UsernamePasswordProviderProtocol delegate to CommonAuthenticationConfigurator using the addUsernamePasswordProvider method. This method can be invoked multiple times with different providers, each placed in a list. During a conversation flow, the first provider that returns a non-null value will be used.

The code below provides credentials for an authentication challenge with the help of the CommonAuthenticationConfigurator:
... // initialization
_conversationManager = [[HttpConversationManager alloc] init];
CommonAuthenticationConfigurator* commonConfig = [[CommonAuthenticationConfigurator alloc] init];
[commonConfig addUsernamePasswordProvider:self];       // register this object as a credential provider
[commonConfig configureManager:_conversationManager];  // apply the configuration to the manager

... // implementation of UsernamePasswordProvider
-(void) provideUsernamePasswordForAuthChallenge:(NSURLAuthenticationChallenge*)authChallenge completionBlock:(void (^)(NSURLCredential*, NSError*))completionBlock {
    // @"username" and @"password" are placeholders; supply the user's actual credentials here.
    NSURLCredential* credential = [NSURLCredential credentialWithUser:@"username" password:@"password" persistence:NSURLCredentialPersistenceForSession];
    completionBlock(credential, nil);
}
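
The provider list described above lets one provider decline a challenge so that the next one is tried. The following added example (not code from the SAP documentation) answers only Basic challenges from one HTTPS host and reads the credential from the Keychain instead of hard-coding it. The class name ScopedCredentialProvider and the host mobile.example.com are hypothetical, and it is an assumption that completing with a nil credential passes the challenge to the next provider.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Placeholder host; replace with the server the app is provisioned for.
static NSString * const kAllowedHost = @"mobile.example.com";

// Hypothetical provider class. In the app it also adopts UsernamePasswordProviderProtocol.
@interface ScopedCredentialProvider : NSObject
@end

@implementation ScopedCredentialProvider

- (void)provideUsernamePasswordForAuthChallenge:(NSURLAuthenticationChallenge *)authChallenge
                                completionBlock:(void (^)(NSURLCredential *, NSError *))completionBlock {
    NSURLProtectionSpace *space = authChallenge.protectionSpace;
    BOOL scoped = [space.authenticationMethod isEqualToString:NSURLAuthenticationMethodHTTPBasic]
        && [space.protocol isEqualToString:NSURLProtectionSpaceHTTPS]   // never over cleartext HTTP
        && [space.host.lowercaseString isEqualToString:kAllowedHost];
    // A repeated challenge means the stored password was rejected; do not replay it.
    if (!scoped || authChallenge.previousFailureCount > 0) {
        completionBlock(nil, nil);   // assumption: nil hands the challenge to the next provider
        return;
    }

    // Look up the saved account for this host in the Keychain.
    NSDictionary *query = @{
        (__bridge id)kSecClass:            (__bridge id)kSecClassInternetPassword,
        (__bridge id)kSecAttrServer:       kAllowedHost,
        (__bridge id)kSecReturnAttributes: @YES,
        (__bridge id)kSecReturnData:       @YES,
        (__bridge id)kSecMatchLimit:       (__bridge id)kSecMatchLimitOne
    };
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status != errSecSuccess || result == NULL) {
        completionBlock(nil, nil);   // nothing stored: let a later provider prompt the user
        return;
    }
    NSDictionary *item = (__bridge_transfer NSDictionary *)result;
    NSString *user = item[(__bridge id)kSecAttrAccount];
    NSString *password = [[NSString alloc] initWithData:item[(__bridge id)kSecValueData]
                                               encoding:NSUTF8StringEncoding];
    if (user == nil || password == nil) { completionBlock(nil, nil); return; }
    // Keep the credential in memory only for this session; the Keychain stays the store.
    completionBlock([NSURLCredential credentialWithUser:user password:password
                                            persistence:NSURLCredentialPersistenceForSession], nil);
}

@end
```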

SAML2 Flow

Add support for SAML2 authentication by setting the SAML2ConfigProviderProtocol implementation to CommonAuthenticationConfigurator with the addSAML2ConfigProvider method. You can invoke this method multiple times with different providers, which are kept in a list. During a conversation flow, the first provider that returns a non-null value is invoked. You must implement the SAML2ConfigProviderProtocol to supply SAML configuration parameters when they are required. The implementation of provideSAML2ConfigurationForURL is expected to call the completion block with these parameters:
  • responseHeader: The server HTTP response header name that indicates the SAML challenge, and facilitates SAML challenge detection if the server supports the sending of this header.
  • finishEndPoint: The URL to which the client must send the request to start the SAML authentication.
  • finishParameters: The URL parameter that detects flow completion.

A WebView will be presented whenever browser-based authentication is required.

This code illustrates how to use the CommonAuthenticationConfigurator to configure the manager to process the SAML2 flow:
... // initialization
_conversationManager = [[HttpConversationManager alloc] init];
CommonAuthenticationConfigurator* commonConfig = [[CommonAuthenticationConfigurator alloc] init];
[commonConfig addSAML2ConfigProvider:self];            // register this object as a SAML2 configuration provider
[commonConfig configureManager:_conversationManager];  // apply the configuration to the manager

... // implementation of SAML2ConfigProviderProtocol
-(void)provideSAML2ConfigurationForURL:(NSURL *)url completionBlock:(void (^)(NSString *, NSString *, NSString *))completionBlock {
    // baseHost is defined elsewhere in the app; this format string expects it to end with '/'.
    NSString* samlUrlString = [NSString stringWithFormat:@"https://%@SAMLAuthLauncher", baseHost];
    // Arguments: response header name, finish endpoint URL, finish parameter.
    completionBlock(@"com.sap.cloud.security.login", samlUrlString, @"finishEndpointParam");
}

One-Time Password (OTP) Flow

Add support for OTP authentication by setting the OTPConfigProviderProtocol implementation to the CommonAuthenticationConfigurator with the method addOTPConfigProvider. You can invoke this method multiple times with different providers. During a conversation flow, the first provider that returns a non-null value is invoked. You must implement OTPConfigProviderProtocol to supply OTP configuration parameters when they are required. The implementation is expected to call the completion block with these parameters:
  • responseHeaderKey: The server HTTP response header name that indicates the OTP challenge, and facilitates OTP challenge detection if the server supports the sending of this header.
  • responseHeaderValue: The server HTTP response header value that indicates the OTP challenge.
  • otpUrl: The URL to which the client must send the request to start the OTP authentication.

A WebView will be presented to start the OTP flow. The content of the WebView is downloaded from the otpUrl.

This code illustrates how to use the CommonAuthenticationConfigurator to configure the manager to process the OTP flow:
... // initialization
_conversationManager = [[HttpConversationManager alloc] init];
CommonAuthenticationConfigurator* commonConfig = [[CommonAuthenticationConfigurator alloc] init];
[commonConfig addOTPConfigProvider:self];              // register this object as an OTP configuration provider
[commonConfig configureManager:_conversationManager];  // apply the configuration to the manager

... // implementation of OTPConfigProviderProtocol
- (void) OTPConfigForURL:(NSURL*)anUrl completion:(void(^)(NSString* responseHeaderKey, NSString* responseHeaderValue, NSString* otpUrl))completion {
    // baseHost is defined elsewhere in the app; this format string expects it to end with '/'.
    NSString* otpUrlString = [NSString stringWithFormat:@"https://%@mobileservices/OTPForm", baseHost];
    completion(@"x-smp-authentication", @"otp-challenge", otpUrlString);
}

Supporting SAP Authenticator Automatic Flow

On the OTP Web form there is a link which can automatically open the SAP Authenticator application. The SAP Authenticator can reopen the caller by a unique URL scheme, provided that the application is set up correctly:
  1. Set up a URL scheme in the application with the URL: '<appid>.xcallbackurl'
  2. Implement the application:openURL:sourceApplication:annotation: method in the application's AppDelegate class and post a notification, which will be handled by the OTP flow engine and will finish the OTP authentication automatically. For example:
    -(BOOL)application:(UIApplication *)application openURL:(NSURL *)url sourceApplication:(NSString *)sourceApplication annotation:(id)annotation {
        // Only accept the callback when it comes from the SAP Authenticator bundle.
        if ([sourceApplication isEqualToString:@"com.sap.csi.authenticator.release"]) {
            // OTP PIN returned by SAP Authenticator
            [[NSNotificationCenter defaultCenter] postNotificationName:@"CDVPluginHandleOpenURLNotification" object:url];
        }

        return YES;
    }
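
A stricter variant of the handler above, added here as an example and not taken from the SAP documentation: it also checks that the URL uses the scheme registered in step 1, and it returns NO for anything it did not hand to the OTP flow. The helper IsTrustedOTPCallback is hypothetical, and com.example.myapp stands in for the real <appid>.

```objective-c
#import <UIKit/UIKit.h>

// Placeholder: "<appid>.xcallbackurl" with a made-up app ID, written in lower case.
static NSString * const kCallbackScheme = @"com.example.myapp.xcallbackurl";
// Bundle ID of SAP Authenticator, as given in the handler above.
static NSString * const kAuthenticatorBundleID = @"com.sap.csi.authenticator.release";

// Hypothetical helper: YES only for a callback that should reach the OTP flow engine.
static BOOL IsTrustedOTPCallback(NSURL *url, NSString *sourceApplication) {
    // Messages to nil return NO here, so a missing URL, scheme or source is rejected.
    if (![sourceApplication isEqualToString:kAuthenticatorBundleID]) {
        return NO;
    }
    // URL schemes are case-insensitive, so compare the lower-cased form.
    return [url.scheme.lowercaseString isEqualToString:kCallbackScheme];
}

@interface AppDelegate : UIResponder <UIApplicationDelegate>
@end

@implementation AppDelegate

- (BOOL)application:(UIApplication *)application
            openURL:(NSURL *)url
  sourceApplication:(NSString *)sourceApplication
         annotation:(id)annotation {
    if (!IsTrustedOTPCallback(url, sourceApplication)) {
        // Not an OTP callback: keep it away from the OTP flow engine and report it as
        // unhandled. An app with other URL schemes would dispatch those here instead.
        return NO;
    }
    [[NSNotificationCenter defaultCenter] postNotificationName:@"CDVPluginHandleOpenURLNotification"
                                                        object:url];
    return YES;
}

@end
```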