
Defining Connectivity

Define destinations for the selected application. You can also edit Mobile and On-Premise destinations.

A destination is a connection to a data source.

SAP Mobile Services supports one primary endpoint per application ID. However, an administrator can create multiple secondary endpoints for services that an application uses; these secondary endpoints are treated as proxy connections. For applications that access Web services containing relative URLs, add the relative paths to enable the product to handle requests correctly.

In SAP mobile service cockpit, you can view the properties of SAP Fiori applications and connections that were developed using SAP Business Technology Platform mobile service for app and device management and imported into SAP Mobile Services, but you cannot edit their properties; input fields and buttons are disabled or hidden.

Creating Destinations

  1. In SAP mobile service cockpit, select Mobile Applications > Native/Hybrid or SAP Mobile Cards.

  2. Select an application, then select Mobile Connectivity under Assigned Features (or add it first).

    View current mobile and SAP Business Technology Platform destinations for the selected application.

    • Under Cloud Destinations, you can enable cloud destinations, which allows applications to access cloud destinations that are defined in /destination_{<destination name>}/{<path>}. See Enabling Cloud Destinations for details.

    • Under Mobile Destinations, you can view current mobile and SAP Business Technology Platform destinations for the selected application.

    Destinations

    Field Value
    Name The destination name.
    URL The destination URL.
    Rewrite Mode For application back-end connections, the rewrite mode defines how the mobile services handles request and response messages. To enable applications that use external back ends to run offline, select one of the supported rewrite modes.
    SSO Mechanism/Authentication The single sign-on or authentication security methods employed for the destination.
    Actions The actions available, such as edit or delete a connection, ping a back-end connection, and test an OData application destination. If an action is not supported, the icon is grayed out or absent. For example, pinging and testing OData destinations are not supported for some SSO methods. Use the popup-window icon to test connectivity using the mobile application URL in a separate web browser.
  3. (Optional) Select Create, and use the Create Destination dialog to create a new destination.

  4. Alternatively, select a row to view its settings in the Destination Overview.

    The overview varies by configuration, but common sections include:

    • Info ‒ basic configuration settings.

    • Rewrite Method ‒ rewrite URL settings.

    • Security ‒ important security settings.

    • Custom Headers ‒ key:value pairs defined for static headers.

Creating a Destination

Define a new destination to a data source or service. Options for creating destinations in the Cloud Foundry environment:

  • Create a mobile destination, configuring all aspects of its connection, including security. This gives you full control of all available configuration settings.

  • Create a mobile destination using an existing Cloud Foundry service instance in the same space. This enables you to quickly configure a connection by reusing an existing instance.

  • Create a mobile destination that references an existing cloud destination. The mobile destination uses the security configuration of the cloud destination. This enables you to use existing cloud destinations that are already available on the SAP Business Technology Platform sub-account for a mobile application in mobile services.

Create the destination:

  1. In SAP mobile service cockpit, select Mobile Applications > Native/Hybrid or SAP Mobile Cards.

  2. Select an application, then select Mobile Connectivity under Assigned Features (or add it first).

  3. Select the Create icon. Alternatively, you can create a destination using an existing Cloud Foundry service instance in the same space, as described in Creating a Destination with Service Instances.

  4. In Create Destination, enter the following as required:

    Field Value
    Destination Name Provide a name for the destination.
    Cloud Platform Destination Select to create a mobile destination that uses the settings of an existing SAP Business Technology Platform destination.
    Cloud Destination Name (appears only if Cloud Platform Destination is enabled) Select the value help icon, and then select an existing cloud destination. If the icon does not appear, you must select "Enable Access to Cloud Destination". When enabled, the icon appears.
    Standard Path to Add (appears only if Cloud Platform Destination is enabled) Enter the path information to be added by default to the URL configured in the cloud destination.
    URL URL that the application uses to access business data on the back-end system or service. If the URL points to a service, it must include the document destination that you assign to the service. You can enter an http:// URL or an https:// URL (for the latter, you are prompted for keystore, certificate, and truststore values later in the process). If you are implementing Custom Push, enter the URL of the push notification server that will distribute push notifications. The mobile services server sends a general notification message to the push destination server. The destination server handles further forwarding of the notifications. See Custom Push for additional information.
    Allowed Paths Use Allowed Paths to restrict access to a few sub-paths of the Destination URL. For example, if the Destination URL is configured as https://www.test.com/sap, and you only want to allow access to https://www.test.com/sap/customer.svc and https://www.test.com/sap/product.svc, then configure Allowed Paths to contain /customer.svc and /product.svc. HTTP requests starting with these URLs will be allowed, and others will be rejected with a 403 status code. The entered paths are case-sensitive. Note that wildcard characters are not supported, but a wildcard is implicit at the end of the string.
    Use Cloud Connector (does not appear if Cloud Platform Destination is enabled) (Optional) Indicates if SAP Cloud Connector must be used. If you choose to use the SAP Cloud Connector and you have multiple SAP Cloud Connector instances running, provide the location ID in the Cloud Connector Location ID field. You can leave it blank if you just use a single instance.
    Maximum Connections (Optional) The maximum number of connections that this application can use for connection pooling. Valid values are 0‒9999. Factors to consider are:
    • Expected number of concurrent application users
    • Acceptable load for the back-end system
    To disable connection pooling, set the value to 0. This creates a new connection for each new request, which may increase processing times. SAP recommends that you disable connection pooling only if the back-end system does not support pooled connections.
    Maximum Request Size (bytes) (Optional) The maximum size of the HTTP request payload. Set a value from 1 ‒ 1000000. Please note that mobile services applies an internal limit on requests that require URL rewriting, because of in-memory processing. This limit is currently set at 128 MB.
    Timeout (ms) (Optional) The number of milliseconds before the connection times out. If set to 0, a system-wide default value of 60 seconds is used.
    Online Request Threshold (Optional) The threshold value to throttle incoming online requests per second for a connection. Set to 0 to remove threshold or set a value from 1 ‒ 2147483647.
    Rewrite Mode Note: To enable applications that use external back ends to run offline, you must select either Rewrite URL or Rewrite URL on Back End.

    Select one of:
    • Rewrite URL – in request and response messages, the mobile services replaces all back-end URLs with the mobile service URL. The Rewrite URL format for Web-type applications is https://<mobileServiceHost>/<back-end_connection_ID>?X-SMP-APPID=<applicationID>.
    • Rewrite URL on Back End – the back end rewrites the URLs. The mobile services forwards the host name and port to the back end in an HTTP header, and the back end creates the URL to retrieve back-end resources. To expose the full URL to clients, the mobile service passes the endpoint in the X-SMP-ENDPOINTNAME header. The URL format for Web applications is https://<host>/<back-end path>?X-SMP-APPID=<applicationID>.
    • No Rewriting – request and response messages are not modified. The mobile services passes messages directly between clients and the back end. The URL format for Web applications is https://<mobileServiceHost>/<back-end_connection_ID>?X-SMP-APPID=<applicationID>.
      Note: The mobile services does not provide the functionality to use No Rewriting mode to support external back ends for offline usage. For SAP Mobile Cards, the server performs a virus check scan for the incoming data.
    • Rewrite URL: The server performs a virus check scan for the incoming data. Rewrite URL applications should use only No Rewriting mode.
    • Custom Rewrite URL – for request and response messages, you can define a search string and a replacement string, which need not be URLs.
    For more details about the different rewrite mode options, see Rewrite Modes.
    Keep X-Forwarded-* Header This option appears when you edit a destination. Select the check box to enable or disable the SetXForwardedHeaders property (disabled by default). The property is used by proxy to establish endpoint connection.
    Select the check box to enable or disable the option to pass along the X-Forwarded-* headers, which contain information about the sender of the HTTP request and the original URL being called (disabled by default) to the Destination.
  5. Click Next.

    (Optional) If you set the Rewrite Mode as Custom Rewrite URL, define the Inbound Rewrite Rules and Outbound Rewrite Rules in subsequent screens.

    For more information, see Rewrite Modes.

  6. Click Next.

    (Optional) Select Add to configure static HTTP headers for the destination.

    For example, set up a static HTTP header for an API key when consuming SAP API Business Hub APIs.

    The headers must comply with IETF RFC 7230, section 3.2: https://tools.ietf.org/html/rfc7230#section-3.2.

    The key/value pairs are sent to the back end with each request.

    Field Value
    Header Name
    • Must not be empty.
    • Must start with an alphabetic character.
    • Must include only alphanumeric characters, numbers, and minus signs (no special characters).
    Header Value
    • Can be empty
    • The first and last character cannot be a space, per HTTP standards.
    Override Client
    • Indicates if the header should override the header sent from client.
  7. Click Next.

    (Optional) Configure annotations for the destination, so that all apps using this destination can access the annotations and generate the UI.

    Choose Add Annotation URL if you know the URL for the annotation file. Choose Add Annotation File to browse and upload the file.

    When configuring the annotation, keep in mind that the current framework is based on the Endpoint configuration. This means that the back-end URL is the base, and any path must be relative to that base URL; otherwise, security issues may result.

    For example, if the back-end URL is:

    http://host:port/odata.svc/

    and the annotation path is:

    /a1/annotations(...)

    the actual URL requested is:

    http://host:port/odata.svc/a1/annotations(...)

    Note

    Relative paths are not supported when the back end is an ABAP Gateway and the OData service and annotation file are in different paths.

  8. Click Next and enter the following as required:

    Field Value
    Relative Rewrite Paths Enter a comma-delimited list of relative URLs, for example, /sap/bc, /sap/public/bc. If an application requires data from a back end that uses relative URLs, define them here. The mobile services rewrites the relative URLs to include the connection name, enabling access to the back-end data. For example, a Web service application requests an HTML page named abc.html, which contains the relative URLs /sap/bc and /sap/public/bc in its src or href tags. When a request is made, the relative URLs contained in the response are rewritten, so that subsequent requests (to these relative URLs) can be processed correctly. For example, if "webApp" is the connection name, and the response contains the relative URLs /sap/bc,/sap/public/bc, these are changed to /webApp/sap/bc,/webApp/sap/public/bc
    Propagate User Name (Not applicable when application Security Configuration is set to None) When enabled, the back end uses information in the X-SMP-ENDUSERNAME <user name> header to identify the user who sent the request. See HTTP Headers Used to Propagate User IDs. By default, this option is disabled.
    Virus Scans
    • Inbound Traffic: The server performs a virus check scan for the incoming data.
    • Outbound Traffic: The server performs a virus check scan for the outgoing data.
    SSO Mechanism Select a single sign-on option from the list of available options.
    SSO Mechanism Description
    Application-to-Application SSO Enables mobile services to propagate user identities to other applications, which are consumed (deployed or subscribed) in the same SAP Business Technology Platform account. A user identity is propagated to the application that is specified in the URL.
    • Issuer – the trusted application source, such as "mobile services."
    • Audience – the recipient audience, such as "hana.ondemand.com".
    • Signing Key – the generated key used to propagate the user identity. Select Generate Key to generate the signing key. A SAML Download field appears in the destination overview page once you complete the configuration.
    Keep in mind these requirements:
    • The proxy type for the destination must be Internet.
    • To configure ApptoAppSSO for an application not hosted on the same SAP Business Technology Platform account, see the saml2_audience section in Application-to-Application SSO Authentication.
    OAuth2 SAML Bearer Assertion Enables applications to use SAML assertions to access OAuth-protected resources. Enter:
    • Forward User Token to AppRouter – enable capability to forward user tokens to the AppRouter for SSO authentication.
    • Audience (required) – intended assertion audience, which is verified by the target OAuth authorization server.
    • Token Service URL (required) – URL of the OAuth server.
    • Token Service URL Type (required) – the URL type, either Dedicated or Common.
    • Client Key (required) – key that identifies the consumer to the authorization server.
    • Client Secret – password for the token service user (no longer mandatory).
    • SAML Assertion Issuer (required) – issuer of the SAML assertion.
    • Signing Key (required) – key used for signing the SAML Assertion, which is used for exchanging the token from OAuth Server. Select Generate Key to generate the signing key. A SAML Download field appears in the destination overview page once you complete the configuration.
    • Name ID Format – value of the NameIdFormat tag, which is part of the generated OAuth2 SAML Bearer Assertion authentication. Select a value from the drop-down list: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified [default value]. Other format values include: emailAddress, persistent, and transient.
    • Authentication Context – value of the AuthnContextClassRef tag, which is part of the generated OAuth2 SAML Bearer Assertion authentication. See the SAML 2.0 specification.
    • Scope (optional) – limits an application's access to a user's account. You can make one or more entries; this information is presented to the user in the consent screen, and the access token issued to the application will be limited to those granted.
    • SAML System User – SAML user who requests an access token from the OAuth authorization server. If this property is not specified, the currently logged-in user is used.
    • SAML Name Qualifier – security domain of the user for which the access token is requested.
    • Company ID – the company identifier associated with the security domain.
    • User ID Source – the issuer of the user identifier, typically the currently logged-in user.
    • API Key – the API-key that is sent in the request header and used as the password to authenticate a request.
    Basic Authentication Enables basic authentication to the back-end system. Enter:
    • User Name and Password – the user name and password to access the back-end system.
      If you do not provide a user name and password, and mobile services authenticates the end-user credentials using Basic, the user name and password credentials are propagated to the back end.
    • Credential Charset Name – the default is UTF-8. Use the default, or enter another value. If the destination is an SAP NetWeaver ABAP application server, you must enter ISO-8859-1. (This is because SAP Mobile Services uses UTF-8 encoding and SAP NetWeaver ABAP application server requires ISO-8859-1 encoding).
    No Authentication Back ends require no credentials for authentication. Your destination is granted direct access to the relevant on-premise service.
    Forward Authentication Forwards the incoming JWT token in the authorization header to the back end. The token could be used to log in as a certain user type, such as an Admin. Typical uses for Forward Authentication include accessing the WeChat sample back end, and accessing the Fiori Launchpad as a user type.
    When the Forward Authentication SSO mechanism is configured for an end point, the checkbox Forward User Token To AppRouter appears. Select the checkbox to enable. When enabled, the user token is forwarded to the app-router application as an x-approuter-authorization header. Keep in mind that the app-router version installed on the back-end server must be equal to or later than version 5.15.0. Earlier versions do not support SSO access.
    SAP Cloud Connector SSO Enables principal propagation through SAP Cloud Connector.
    OAuth2 Client Credentials The Client Credentials grant is used when applications request an access token to access their own resources, not on behalf of a user. Enter:
    • Token Service URL – URL of the OAuth server.
    • Client ID – the client username.
    • Client Secret – the client password.
    • Scope (optional) – limits an application's access to a user's account. You can make one or more entries; this information is presented to the user in the consent screen, and the access token issued to the application is limited to those granted.
    OAuth2 User Token Exchange Supports JSON Web Token (JWT) authentication. Token exchange enables easier integration of Cloud Foundry service instances from the same space. You can find the required information in the Service Key details of the target service. If required, you must create a Service Key beforehand. Enter:
    • Forward User Token to AppRouter – enables the capability to forward user tokens to the AppRouter for SSO authentication.
    • Token Service URL – URL of the OAuth token exchange server.
    • Token Service URL Type – select Dedicated (default) or Common. Common is used for multi-tenant services, whereas Dedicated is used for single tenant services.
    • Client ID – the client username.
    • Client Secret – the client password.
    • Scope (optional) – limits an application's access to a user's account. You can make one or more entries; this information is presented to the user in the consent screen, and the access token issued to the application will be limited to those granted.
  9. Click Next. If you entered an https:// URL in step 4, you are prompted to enter keystore, certificate, and TrustStore values. If you entered an http:// URL, or enabled Cloud Platform Destination, proceed to the next step.

    Keystore, Certificate and Truststore

    Field Value
    Keystore The Keystore file in .keystore or .jks format. You can Browse to locate a keystore.
    Encoded Keystore The name for the encrypted version of your private key.
    Keystore Password The password associated with the Keystore.
    Certificate Alias The alias name associated with the Keystore.
    Trustore The Trustore file. You can Browse to locate a trustore.
    Encoded Trustore The name for the encrypted version of your private key.
    Trustore Password The password associated with the Trustore.
  10. Click Finish to complete the configuration. A summary of configuration settings appears. You can click Edit to make any corrections.
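
The field rules in steps 4, 6 and 7 can be checked before a destination is entered in the cockpit. The following Python is an added example, not SAP code: it models the documented Allowed Paths prefix match, the annotation path handling, the header rules and the numeric ranges. The dict layout, the "Annotations" key, the function names and all sample values are assumptions.

```python
import re

# Step 6 rule for Header Name: a letter first, then letters, digits or '-'.
HEADER_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*\Z")

# Value ranges quoted in the step 4 table.
RANGES = {
    "Maximum Connections": (0, 9999),
    "Maximum Request Size (bytes)": (1, 1000000),
    "Online Request Threshold": (0, 2147483647),
}


def is_request_allowed(destination_url, allowed_paths, request_url):
    """Model of Allowed Paths: case-sensitive prefix match below the
    destination URL, trailing wildcard implied. False corresponds to a 403."""
    base = destination_url.rstrip("/")
    return any(request_url.startswith(base + path) for path in allowed_paths)


def annotation_url(backend_url, annotation_path):
    """Step 7: the path is appended to the back-end URL, not resolved against
    the host root, so '/a1/x' under '.../odata.svc/' stays below odata.svc."""
    return backend_url.rstrip("/") + "/" + annotation_path.lstrip("/")


def lint_destination(cfg):
    """Return findings for a destination given as a dict of cockpit fields."""
    findings = []
    if not cfg["URL"].startswith("https://"):
        findings.append("URL: not an https:// URL")
    for field, (low, high) in RANGES.items():
        value = cfg.get(field)
        if value is not None and not low <= value <= high:
            findings.append(f"{field}: {value} is outside {low}-{high}")
    for path in cfg.get("Allowed Paths", []):
        if "*" in path:
            findings.append(f"Allowed Paths {path!r}: wildcards not supported")
    for name, value in cfg.get("Custom Headers", {}).items():
        if not HEADER_NAME.match(name):
            findings.append(f"Header Name {name!r}: breaks the naming rule")
        if value != value.strip(" "):
            findings.append(f"Header Value of {name!r}: leading/trailing space")
    for path in cfg.get("Annotations", []):
        if "://" in path:
            findings.append(f"Annotation {path!r}: not relative to back-end URL")
    return findings


def exposed(cfg, urls):
    """URLs from `urls` that the destination's Allowed Paths let through."""
    return [u for u in urls
            if is_request_allowed(cfg["URL"], cfg["Allowed Paths"], u)]


# Constructed sample; the dict layout and the "Annotations" key are assumptions
# that mirror the cockpit field labels, and all values are made up.
SAMPLE = {
    "URL": "https://www.test.com/sap",
    "Allowed Paths": ["/customer.svc", "/product"],
    "Maximum Connections": 20000,
    "Custom Headers": {"APIKey": "constructed-key ", "X_Trace": "on"},
    "Annotations": ["/a1/annotations", "http://other.example/ann.xml"],
}
# Constructed back-end URLs, used to see what the allow-list exposes.
BACKEND_URLS = [
    "https://www.test.com/sap/customer.svc/Customers",
    "https://www.test.com/sap/Customer.svc",       # rejected: case differs
    "https://www.test.com/sap/product_admin.svc",  # allowed by '/product'
    "https://www.test.com/sap/order.svc",          # rejected: not listed
]

if __name__ == "__main__":
    print(*lint_destination(SAMPLE), *exposed(SAMPLE, BACKEND_URLS), sep="\n")
```

Because the trailing wildcard is implicit, the entry /product also lets product_admin.svc through; listing /product.svc instead narrows the match.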

Creating a Destination with Service Instances

Define a new destination to a back-end system using existing Cloud Foundry service instances.

Prerequisites for Document service:

  • In SAP Business Technology Platform, Entitlements, add an entitlement for the Document Management Repository option to the subscriber subaccount.

    The Document Management Repository option entitlement must include a quota. The free plan includes a quota of two units. If that is not enough, you can update it by removing the current entitlement and creating a new entitlement with a larger quota.

  • In SAP Business Technology Platform, Services > Service Instances, create a Document Management, integration option instance for the service instance.

  • Only Document service instances that have been allow-listed are available.

You can create destinations from existing service instances that are available in the same Cloud Foundry space. All aspects of the destination are configured, including URL and security (usually OAuth Token Exchange). You can select only one service instance at a time, so if you want to create multiple service instances you must create separate destinations.

Note

Currently these service instances can be integrated:

  • Workflow service instances
  • Document service instances
  1. In SAP mobile service cockpit, select Mobile Applications > Native/Hybrid.

  2. Select an application, then select Mobile Connectivity under Assigned Features (or add it first).

  3. Select Use a Cloud Foundry Service.

  4. On Select Cloud Foundry Service, select a service from the list of available service instances, and select OK. When the document service destination is created successfully, you can Ping it.

    You can only add one service at a time. Depending on the service, one or several destinations are created.

  5. You can take action, such as edit or delete; or you can add another destination using another existing service. For some SSO methods, you can test the destination.

Editing a Destination

Modify settings for an existing destination.

Note

To prevent momentary inconsistencies, SAP recommends that you modify destination configurations when few users are active. Users should be able to use destinations without inconsistencies after you save the changes.

In SAP mobile service cockpit, you can view the properties of SAP Fiori applications and connections that were developed using SAP Business Technology Platform mobile service for app and device management and imported into SAP Mobile Services, but you cannot edit their properties; input fields and buttons are disabled or hidden.

  1. In SAP mobile service cockpit, select Mobile Applications > Native/Hybrid or SAP Mobile Cards.

  2. Select an application, then select Mobile Connectivity under Assigned Features (or add it first).

  3. Select a destination and click Edit.

  4. In the Edit Destination window, edit the details as required.

    Note

    If the application is configured with an origin policy, some fields may not be available.

  5. Click Finish.

Deleting a Destination

You can delete a destination only if it is not mapped to an application.

  1. In SAP mobile service cockpit, select Mobile Applications > Native/Hybrid or SAP Mobile Cards.

  2. Select an application, then select Mobile Connectivity under Assigned Features (or add it first).

  3. Select a destination and click Delete.

  4. Click OK to confirm. You are prompted if the destination is in use and cannot be deleted.



Last update: February 4, 2021