Authenticate Applications Using SAML 2.0
Initiate a REST service call to create a SAML 2.0 assertion for authenticating the application security configuration.
Usage
When an application initially connects to the server, a session is established. If the application is set up to be secured by SAML 2.0 authentication, the server responds with the header com.sap.cloud.security.login: login-request, and SAML 2.0 authentication for the security configuration must then take place in the application.
Note
This mechanism also applies to any session that has not been authenticated or has expired.
For mobile services on Cloud Foundry, SAML 2.0 provides an authentication flow that uses headers and cookies, which is compatible with the Neo SAML/FORM authentication flow.
Request
Issue an HTTP request to the server. If the server's response carries the header below, SAML 2.0 authentication is required.
URL: http[s]://<mobile services host>/SAMLAuthLauncher
HTTP Method: GET
Request Parameters: None
Request Body Example: None
When an application is initially launched, it sends a request that establishes a connection with the server. If the application is secured by SAML 2.0 authentication, the server sends a response containing these elements:
- Response Header:
  - Name: com.sap.cloud.security.login
  - Value: login-request
- Cookie: JSESSIONID (no session cookie is returned for the first request)
- Status Code: HTTP-OK – 200
Ensure that the response header contains the name and value com.sap.cloud.security.login: login-request, which indicates that SAML 2.0 authentication is required. If the response header is not returned, authentication does not take place.
HTTP request: there are no requirements for the initial request that is sent to the server. The request can be directed to any server resource.
HTTP response headers for the initial request:
com.sap.cloud.security.login: login-request
Date: Mon, 25 Mar 2019 03:10:12 GMT
X-Smp-Log-Correlation-Id: 56f007db-446c-4d82-7b3b-57eafd108715
X-Vcap-Request-Id: 56f007db-446c-4d82-7b3b-57eafd108715
Content-Length: 1062
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload;
When the response is received, the application starts the authentication process using the web view.
Now that you have received the com.sap.cloud.security.login: login-request response header and the SAML2 JavaScript redirect in the response body, issue a GET method on the request URL:
GET https://mobiletest-smoketest-testsaml.cfapps.eu10.hana.ondemand.com/SAMLAuthLauncher
Request headers: the request to https://mobiletest-smoketest-testsaml.cfapps.eu10.hana.ondemand.com/SAMLAuthLauncher has no special request header requirements or restrictions.
Response headers: since the request is processed by the web view, the client application does not need to process this response itself.
Response body: includes JavaScript code that redirects the web view, in this example to:
https://mobiletest.authentication.eu10.hana.ondemand.com/oauth/authorize?response_type=code&client_id=sb-testsaml-smoketest-kxx0ni6n!t632&redirect_uri=https%3A%2F%2Fmobiletest-smoketest-testsaml.cfapps.eu10.hana.ondemand.com%2Flogin%2Fcallback
Response Code: 200
Response: N/A
To complete SAML 2.0 authentication, the following operations take place automatically:
- The web view is redirected to the UAA login URL. The UAA may also redirect the web view to a SAML 2.0 identity provider sign-on URL, depending on the configuration of trusted identity providers for the customer subaccount.
- After successful login, the web view is redirected back to the mobile application, which checks the response from the UAA at:
<host:port>/login/callback
- The mobile application checks the response and creates an authenticated session for the application. The web view is redirected to:
<host:port>/SAMLAuthLauncher?finishEndpointParam=someUnusedValue
After successful authentication on the UAA, you are redirected to the /login/callback endpoint of the mobile application with an authorization code. A GET method is issued on the request URL:
GET https://mobiletest-smoketest-testsaml.cfapps.eu10.hana.ondemand.com/login/callback?code=dV3hXO2AsO
Request headers:
Accept: text/html,application/xhtml+xm…plication/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en
Connection: keep-alive
Cookie: locationAfterLogin=%2FSAMLAuth…sedValue; fragmentAfterLogin=
Host: mobiletest-smoketest-testsaml.cfapps.eu10.hana.ondemand.com
Referer: https://mobiletest.authenticat…n.eu10.hana.ondemand.com/login
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; …) Gecko/20100101 Firefox/66.0
Response headers:
Cache-Control: no-cache, no-store, must-revalidate
Content-Length: 0
Date: Mon, 25 Mar 2019 03:34:29 GMT
Location: /SAMLAuthLauncher?finishEndpointParam=someUnusedValue
Set-Cookie: locationAfterLogin=; Max-Age=0; Path=/
Set-Cookie: fragmentAfterLogin=; Max-Age=0; Path=/
Set-Cookie: JSESSIONID=s%3AIR1g…ItA; Path=/; HttpOnly; Secure
Set-Cookie: __VCAP_ID__=4cd4a91c-2690-424c…54d; Path=/; HttpOnly; Secure
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload;
X-Frame-Options: SAMEORIGIN
X-Smp-Log-Correlation-Id: 3dae91a6-6b72-4091-6dc7-b962fd8971ce
X-Vcap-Request-Id: 3dae91a6-6b72-4091-6dc7-b962fd8971ce
Response code: 302
After the web view has been redirected to the finish endpoint, close the view, then invoke the original REST service call using the authenticated session (cookie) obtained from the web view.
Resend the registration request.
Request:
POST https://mobiletest-smoketest-testsaml.cfapps.eu10.hana.ondemand.com/odata/applications/latest/testsaml/Connections
Request Payload:
<?xml version='1.0' encoding='utf-8'?>
<entry xmlns="http://www.w3.org/2005/Atom"
xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices"
xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata">
<title type="text"/>
<updated>2012-06-15T02:23:29Z</updated>
<author>
<name/>
</author>
<category term="applications.Connection" scheme="http://schemas.microsoft.com/ado/2007/08/dataservices/scheme"/>
<content type="application/xml">
<m:properties>
<d:DeviceType>iPad</d:DeviceType>
<d:DeviceModel m:null="true" />
</m:properties>
</content>
</entry>
Request headers:
Content-Type: application/atom+xml
Cookie: JSESSIONID=s%3AIR1g1MdJDRkbutFiE2Sbrxc4YTS1b_Pb.y6ptKBimMH%2FokntVEAu%2FF1DfGM2uiEzczq0yTejRItA; __VCAP_ID__=4cd4a91c-2690-424c-6fc9-754d
Response status: 201 Created
Response headers:
Set-Cookie: X-SMP-APPCID=b46df728-c5d8-4c03-a175-71f7a496280e;
Content-Type: application/atom+xml;charset=utf-8
Response:
<?xml version="1.0" encoding="utf-8"?><entry xmlns="http://www.w3.org/2005/Atom"
xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata"
xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices"
xml:base="https://mobileciathanamobile-x054703e3.neo.ondemand.com/odata/applications/latest/com.sap.maf.test_SAML2/">
<id>https://mobileciathanamobile-x054703e3.neo.ondemand.com/odata/applications/latest/com.sap.maf.test_SAML2/Connections('b46df728-c5d8-4c03-a175-71f7a496280e')</id>
<title type="text"></title><updated>2015-01-19T08:44:20Z</updated><author><name></name></author>
<link rel="edit" title="Connection" href="Connections('b46df728-c5d8-4c03-a175-71f7a496280e')"></link>
<category term="applications.Connection" scheme="http://schemas.microsoft.com/ado/2007/08/dataservices/scheme"></category>
<content type="application/xml"><m:properties><d:ETag>2015-01-19 08:44:20.0</d:ETag>
<d:ApplicationConnectionId>b46df728-c5d8-4c03-a175-71f7a496280e</d:ApplicationConnectionId>
<d:AndroidGcmPushEnabled m:type="Edm.Boolean">false</d:AndroidGcmPushEnabled>
<d:AndroidGcmRegistrationId m:null="true"></d:AndroidGcmRegistrationId><d:AndroidGcmSenderId></d:AndroidGcmSenderId>
<d:ApnsPushEnable m:type="Edm.Boolean">false</d:ApnsPushEnable><d:ApnsDeviceToken m:null="true"></d:ApnsDeviceToken><d:ApplicationVersion>1.0</d:ApplicationVersion>
<d:BlackberryPushEnabled m:type="Edm.Boolean">false</d:BlackberryPushEnabled><d:BlackberryDevicePin m:null="true"></d:BlackberryDevicePin>
<d:BlackberryBESListenerPort m:type="Edm.Int32">0</d:BlackberryBESListenerPort><d:BlackberryPushAppID m:null="true"></d:BlackberryPushAppID>
<d:BlackberryPushBaseURL m:null="true"></d:BlackberryPushBaseURL><d:BlackberryPushListenerPort m:type="Edm.Int32">0</d:BlackberryPushListenerPort>
<d:BlackberryListenerType m:type="Edm.Int32">0</d:BlackberryListenerType><d:CollectClientUsageReports m:type="Edm.Boolean">true</d:CollectClientUsageReports>
<d:ConnectionLogLevel>NONE</d:ConnectionLogLevel><d:CustomizationBundleId m:null="true"></d:CustomizationBundleId>
<d:CustomCustom1></d:CustomCustom1><d:CustomCustom2></d:CustomCustom2><d:CustomCustom3></d:CustomCustom3><d:CustomCustom4></d:CustomCustom4>
<d:DeviceModel m:null="true"></d:DeviceModel><d:DeviceType>iPad</d:DeviceType><d:DeviceSubType m:null="true"></d:DeviceSubType>
<d:DevicePhoneNumber m:null="true"></d:DevicePhoneNumber><d:DeviceIMSI m:null="true"></d:DeviceIMSI><d:E2ETraceLevel>Low</d:E2ETraceLevel>
<d:EnableAppSpecificClientUsageKeys m:type="Edm.Boolean">false</d:EnableAppSpecificClientUsageKeys>
<d:FeatureVectorPolicyAllEnabled m:type="Edm.Boolean">true</d:FeatureVectorPolicyAllEnabled>
<d:LogEntryExpiry m:type="Edm.Int32">7</d:LogEntryExpiry><d:MaxConnectionWaitTimeForClientUsage m:type="Edm.Boolean">false</d:MaxConnectionWaitTimeForClientUsage>
<d:MpnsChannelURI m:null="true"></d:MpnsChannelURI><d:MpnsPushEnable m:type="Edm.Boolean">false</d:MpnsPushEnable>
<d:PasswordPolicyEnabled m:type="Edm.Boolean">false</d:PasswordPolicyEnabled><d:PasswordPolicyDefaultPasswordAllowed m:type="Edm.Boolean">false</d:PasswordPolicyDefaultPasswordAllowed>
<d:PasswordPolicyMinLength m:type="Edm.Int32">8</d:PasswordPolicyMinLength><d:PasswordPolicyDigitRequired m:type="Edm.Boolean">false</d:PasswordPolicyDigitRequired>
<d:PasswordPolicyUpperRequired m:type="Edm.Boolean">false</d:PasswordPolicyUpperRequired><d:PasswordPolicyLowerRequired m:type="Edm.Boolean">false</d:PasswordPolicyLowerRequired>
<d:PasswordPolicySpecialRequired m:type="Edm.Boolean">false</d:PasswordPolicySpecialRequired><d:PasswordPolicyExpiresInNDays m:type="Edm.Int32">0</d:PasswordPolicyExpiresInNDays>
<d:PasswordPolicyMinUniqueChars m:type="Edm.Int32">0</d:PasswordPolicyMinUniqueChars><d:PasswordPolicyLockTimeout m:type="Edm.Int32">0</d:PasswordPolicyLockTimeout>
<d:PasswordPolicyRetryLimit m:type="Edm.Int32">20</d:PasswordPolicyRetryLimit><d:ProxyApplicationEndpoint>https://vmw3815.wdf.sap.corp:44309/sap/opu/odata/GBHCM/LEAVEREQUEST/</d:ProxyApplicationEndpoint>
<d:ProxyPushEndpoint m:null="true"></d:ProxyPushEndpoint><d:PublishedToMobilePlace m:type="Edm.Boolean">false</d:PublishedToMobilePlace>
<d:UploadLogs m:type="Edm.Boolean">true</d:UploadLogs><d:WnsChannelURI m:null="true"></d:WnsChannelURI>
<d:WnsPushEnable m:type="Edm.Boolean">false</d:WnsPushEnable><d:FeatureVectorPolicy m:type="Bag(applications.FeatureVectorPolicy)"></d:FeatureVectorPolicy>
</m:properties></content></entry>
Note
At any point when the SAML session becomes invalid, or the binding cookies on the client side expire, you will encounter the SAML form (login-request) response again and must repeat this authentication flow.
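The client-side half of the flow above, as an added example that is not part of this SAP documentation or of any SAP client SDK: it detects the login-request response, refuses to load a launcher redirect that does not go to the expected UAA authorize endpoint with a redirect_uri back to this app's /login/callback, recognises the 302 to the finish endpoint that means the web view can be closed, and harvests the Secure session cookies (honouring the Max-Age=0 deletions) into the Cookie header for the registration request. The header blocks and cookie values are constructed from the page's samples, with truncated values replaced by placeholders; APP_HOST and UAA_HOST are assumptions taken from the sample URLs.

```python
"""Client-side handling of the mobile services SAML 2.0 flow described above.

Added example, not SAP code. The header blocks are constructed from the
examples on this page; truncated cookie values are replaced by placeholders,
and APP_HOST / UAA_HOST are assumptions taken from the page's sample URLs.
"""
from urllib.parse import urlsplit, parse_qs

APP_HOST = "mobiletest-smoketest-testsaml.cfapps.eu10.hana.ondemand.com"  # assumption
UAA_HOST = "mobiletest.authentication.eu10.hana.ondemand.com"            # assumption
LOGIN_HEADER = "com.sap.cloud.security.login"

# Constructed: headers of the initial response (page example; no JSESSIONID yet).
INITIAL_RESPONSE = """\
com.sap.cloud.security.login: login-request
Date: Mon, 25 Mar 2019 03:10:12 GMT
Content-Length: 1062
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload;
"""
# Constructed: the redirect target embedded in the SAMLAuthLauncher response body.
AUTHORIZE_URL = ("https://mobiletest.authentication.eu10.hana.ondemand.com/oauth/authorize"
                 "?response_type=code&client_id=sb-testsaml-smoketest-kxx0ni6n!t632"
                 "&redirect_uri=https%3A%2F%2Fmobiletest-smoketest-testsaml.cfapps.eu10"
                 ".hana.ondemand.com%2Flogin%2Fcallback")
# Constructed: the 302 from /login/callback, with placeholder cookie values.
CALLBACK_RESPONSE = """\
Cache-Control: no-cache, no-store, must-revalidate
Location: /SAMLAuthLauncher?finishEndpointParam=someUnusedValue
Set-Cookie: locationAfterLogin=; Max-Age=0; Path=/
Set-Cookie: fragmentAfterLogin=; Max-Age=0; Path=/
Set-Cookie: JSESSIONID=s%3APLACEHOLDER_SESSION; Path=/; HttpOnly; Secure
Set-Cookie: __VCAP_ID__=PLACEHOLDER_VCAP_ID; Path=/; HttpOnly; Secure
X-Frame-Options: SAMEORIGIN
"""


def parse_headers(raw):
    """'Name: value' lines -> list of (lower-cased name, value); keeps repeated Set-Cookie lines."""
    pairs = []
    for line in raw.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def header(pairs, name):
    """First value of a header, or '' when absent."""
    return next((v for n, v in pairs if n == name.lower()), "")


def needs_saml_login(status, pairs):
    """The server signals SAML with a 200 plus the login-request header, not with a 401."""
    return status == 200 and header(pairs, LOGIN_HEADER).lower() == "login-request"


def check_authorize_redirect(url, app_host=APP_HOST, uaa_host=UAA_HOST):
    """Only let the web view follow the launcher's redirect if it is the expected UAA
    authorize URL and its redirect_uri points back at this app's /login/callback."""
    p = urlsplit(url)
    if p.scheme != "https" or p.hostname != uaa_host or p.path != "/oauth/authorize":
        return False
    q = parse_qs(p.query)
    cb = urlsplit(q.get("redirect_uri", [""])[0])
    return (q.get("response_type") == ["code"] and cb.scheme == "https"
            and cb.hostname == app_host and cb.path == "/login/callback")


def login_finished(status, pairs, app_host=APP_HOST):
    """True once the callback sends the web view to the finish endpoint; close the web view then."""
    loc = urlsplit(header(pairs, "Location"))
    same_host = loc.netloc == "" or loc.hostname == app_host
    return (status == 302 and same_host and loc.path == "/SAMLAuthLauncher"
            and "finishEndpointParam" in parse_qs(loc.query))


def session_cookies(pairs):
    """Collect cookies to reuse on the API call: apply Max-Age=0 deletions, keep only Secure ones."""
    jar = {}
    for name, value in pairs:
        if name != "set-cookie":
            continue
        first, *attrs = [part.strip() for part in value.split(";")]
        cname, _, cval = first.partition("=")
        flags = {a.partition("=")[0].lower(): a.partition("=")[2] for a in attrs}
        if flags.get("max-age") == "0":
            jar.pop(cname, None)          # server is clearing this cookie
        elif "secure" in flags:
            jar[cname] = cval             # value stays URL-encoded, as in the page's Cookie header
    return jar


def cookie_header(jar):
    """Cookie header for the registration POST, e.g. 'JSESSIONID=...; __VCAP_ID__=...'."""
    return "; ".join(f"{k}={v}" for k, v in jar.items())


if __name__ == "__main__":
    assert needs_saml_login(200, parse_headers(INITIAL_RESPONSE))
    assert check_authorize_redirect(AUTHORIZE_URL)
    cb = parse_headers(CALLBACK_RESPONSE)
    assert login_finished(302, cb)
    print("Cookie:", cookie_header(session_cookies(cb)))
```

Running the file prints the Cookie header that would accompany the POST to the Connections collection. The redirect check is the part worth keeping in a real client: the launcher page asks the web view to follow a URL, and pinning that URL to the expected UAA host and to a redirect_uri on this app's own host is what stops a tampered launcher response from steering the login into another origin.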