Skip to content

Authenticate Applications Using SAML 2.0

Initiate a REST service call to create SAML 2.0 assertion for authenticating the application security configuration.

Usage

When an application initially connects to the server, a session is established. If the application is set up to be secured by SAML 2.0 authentication, the server responds with the header com.sap.cloud.security.login:login-request and SAML 2.0 authentication for the security configuration needs to take place in the application.

Note

This mechanism is also followed for any session that has not been authenticated, or has expired.

For Mobile Services on Cloud Foundry, SAML 2.0 provides an authentication flow that uses headers and cookies, which is compatible with the Neo SAML/FORM authentication flow.

SAML Flow Diagram

Request

Issue an HTTP request to the server. If the server responds, the header indicates that SAML 2.0 authentication is required.

URL: http[s]://<mobile services host>/SAMLAuthLauncher

HTTP Method: GET

Request Parameters None

Request Body Example:

  1. When an application is initially launched, it sends a request that establishes a connection with the server. If the application is secured by SAML 2.0 authentication, the server sends a response containing these elements:

    • Response Header:
      • Name: com.sap.cloud.security.login
      • Value: login-request
    • Cookie JSESSIONID (no session cookie is returned for the first request)
    • Status Code: HTTP-OK – 200 Ensure that the response header contains the name and value com.sap.cloud.security.login: login-request, which indicates that SAML 2.0 authentication is required. If the response header is not returned, authentication does not take place.

    HTTP request: there is no requirement for the initial request that is sent to the server. The request can be directed to any server resources.

    HTTP response header for the initial request:

    com.sap.cloud.security.login: login-request
    Date: Mon, 25 Mar 2019 03:10:12 GMT X-Smp-Log-Correlation-Id: 56f007db-446c-4d82-7b3b-57eafd108715
    X-Vcap-Request-Id: 56f007db-446c-4d82-7b3b-57eafd108715
    Content-Length: 1062
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload;
    
  2. When the response is received, the application starts the authentication process, using the web view.

    /* Now that you have received com.sap.cloud.security.login: login-request response header and SAML2 JavaScript redirect
     * in the response body.
     */
    
    Issue a `GET` method on the request URL:
    GET https://mobiletest-smoketest-testsaml.cfapps.eu10.hana.ondemand.com/SAMLAuthLauncher
    

    Request headers: the request to <https://mobiletest-smoketest-testsaml.cfapps.eu10.hana.ondemand.com/SAMLAuthLauncher> requires no special request header requirements or restrictions.

    Response headers: since the request is processed by web view, the client application does not need to process this response by itself.

    Response body: includes a JavaScript code to which to redirect, in this example to:

    https://mobiletest.authentication.eu10.hana.ondemand.com/oauth/authorize?response_type=code&client_id=sb-testsaml-smoketest-kxx0ni6n!t632&redirect_uri=https%3A%2F%2Fmobiletest-smoketest-testsaml.cfapps.eu10.hana.ondemand.com%2Flogin%2Fcallback
    

    Response Code: 200

    Response: N/A

  3. To complete SAML 2.0 authentication, the following operation takes place automatically:

    1. The web view is redirected to the UAA login URL. The UAA may also redirect web view to a SAML 2.0 identity provider sign-on login URL, depending on the configuration of trusted identity providers for the customer subaccount.
    2. After successful login, the web view is redirected back to the mobile application to check the response from UAA at:

      <host:port>/login/callback
      
    3. The mobile application checks the response and creates an authenticated session for the application. The web view is redirected to:

      <host:port>/SAMLAuthLauncher?finishEndpointParam=someUnusedValue
      
    /* After successful authentication on the UAA, you are redirected to the /login/callback endpoint of the mobile application
     * with an authorization code.
     */
    
     A `GET` method is issued on the request URL: `GET` https://mobiletest-smoketest-testsaml.cfapps.eu10.hana.ondemand.com/login/callback?code=dV3hXO2AsO
    

    Request header:

    Accept: text/html,application/xhtml+xm…plication/xml;q=0.9,*/*;q=0.8
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en
    Connection: keep-alive
    Cookie: locationAfterLogin=%2FSAMLAuth…sedValue; fragmentAfterLogin=
    Host: mobiletest-smoketest-testsaml.cfapps.eu10.hana.ondemand.com
    Referer: https://mobiletest.authenticat…n.eu10.hana.ondemand.com/login Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; …) Gecko/20100101 Firefox/66.0
    

    Response headers:

    Cache-Control: no-cache, no-store, must-revalidate
    Content-Length: 0
    Date: Mon, 25 Mar 2019 03:34:29 GMT
    Location: /SAMLAuthLauncher?finishEndpointParam=someUnusedValue
    Set-Cookie: locationAfterLogin=; Max-Age=0; Path=/
    Set-Cookie: fragmentAfterLogin=; Max-Age=0; Path=/ Set-Cookie: JSESSIONID=s%3AIR1g…ItA; Path=/; HttpOnly; Secure
    Set-Cookie: __VCAP_ID__=4cd4a91c-2690-424c…54d; Path=/; HttpOnly; Secure
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload;
    X-Frame-Options: SAMEORIGIN
    X-Smp-Log-Correlation-Id: 3dae91a6-6b72-4091-6dc7-b962fd8971ce
    X-Vcap-Request-Id: 3dae91a6-6b72-4091-6dc7-b962fd8971ce
    

    Response code: 302

  4. After the web view is redirected, close the view, then invoke the original REST service call by using the authenticated session (cookie) from the web view.

Resend the registration request.

Request:

POST https://mobiletest-smoketest-testsaml.cfapps.eu10.hana.ondemand.com/odata/applications/latest/testsaml/Connections

Request Payload:

<?xml version='1.0' encoding='utf-8'?>
 <entry xmlns="http://www.w3.org/2005/Atom"
 xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices"
 xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata">
 <title type="text"/>
 <updated>2012-06-15T02:23:29Z</updated>
 <author>
 <name/>
 </author>
 <category term="applications.Connection" scheme="http://schemas.microsoft.com/ado/
 2007/08/dataservices/scheme"/>
 <content type="application/xml">
 <m:properties>
 <d:DeviceType>iPad</d:DeviceType>
 <d:DeviceModel m:null="true" />
 </m:properties>
 </content>
 </entry>
Status 201 Created

Request headers:

Content-Type: application/atom+xml
Cookie: JSESSIONID=s%3AIR1g1MdJDRkbutFiE2Sbrxc4YTS1b_Pb.y6ptKBimMH%2FokntVEAu%2FF1DfGM2uiEzczq0yTejRItA; __VCAP_ID__=4cd4a91c-2690-424c-6fc9-754d

Response headers:

Set-Cookie: X-SMP-APPCID=b46df728-c5d8-4c03-a175-71f7a496280e;
Content-Type: application/atom+xml;charset=utf-8

Response:

<?xml version="1.0" encoding="utf-8"?><entry xmlns="http://www.w3.org/2005/Atom"
xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata"
xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices"
xml:base="https://mobileciathanamobile-x054703e3.neo.ondemand.com/odata/applications/latest/com.sap.maf.test_SAML2/">
<id>https://mobileciathanamobile-x054703e3.neo.ondemand.com/odata/applications/latest/com.sap.maf.test_SAML2/Connections('b46df728-c5d8-4c03-a175-71f7a496280e')</id>
<title type="text"></title><updated>2015-01-19T08:44:20Z</updated><author><name></name></author>
<link rel="edit" title="Connection" href="Connections('b46df728-c5d8-4c03-a175-71f7a496280e')"></link>
<category term="applications.Connection" scheme="http://schemas.microsoft.com/ado/2007/08/dataservices/scheme"></category>
<content type="application/xml"><m:properties><d:ETag>2015-01-19 08:44:20.0</d:ETag>
<d:ApplicationConnectionId>b46df728-c5d8-4c03-a175-71f7a496280e</d:ApplicationConnectionId>
<d:AndroidGcmPushEnabled m:type="Edm.Boolean">false</d:AndroidGcmPushEnabled>
<d:AndroidGcmRegistrationId m:null="true"></d:AndroidGcmRegistrationId><d:AndroidGcmSenderId></d:AndroidGcmSenderId>
<d:ApnsPushEnable m:type="Edm.Boolean">false</d:ApnsPushEnable><d:ApnsDeviceToken m:null="true"></d:ApnsDeviceToken><d:ApplicationVersion>1.0</d:ApplicationVersion>
<d:BlackberryPushEnabled m:type="Edm.Boolean">false</d:BlackberryPushEnabled><d:BlackberryDevicePin m:null="true"></d:BlackberryDevicePin>
<d:BlackberryBESListenerPort m:type="Edm.Int32">0</d:BlackberryBESListenerPort><d:BlackberryPushAppID m:null="true"></d:BlackberryPushAppID>
<d:BlackberryPushBaseURL m:null="true"></d:BlackberryPushBaseURL><d:BlackberryPushListenerPort m:type="Edm.Int32">0</d:BlackberryPushListenerPort>
<d:BlackberryListenerType m:type="Edm.Int32">0</d:BlackberryListenerType><d:CollectClientUsageReports m:type="Edm.Boolean">true</d:CollectClientUsageReports>
<d:ConnectionLogLevel>NONE</d:ConnectionLogLevel><d:CustomizationBundleId m:null="true"></d:CustomizationBundleId>
<d:CustomCustom1></d:CustomCustom1><d:CustomCustom2></d:CustomCustom2><d:CustomCustom3></d:CustomCustom3><d:CustomCustom4></d:CustomCustom4>
<d:DeviceModel m:null="true"></d:DeviceModel><d:DeviceType>iPad</d:DeviceType><d:DeviceSubType m:null="true"></d:DeviceSubType>
<d:DevicePhoneNumber m:null="true"></d:DevicePhoneNumber><d:DeviceIMSI m:null="true"></d:DeviceIMSI><d:E2ETraceLevel>Low</d:E2ETraceLevel>
<d:EnableAppSpecificClientUsageKeys m:type="Edm.Boolean">false</d:EnableAppSpecificClientUsageKeys>
<d:FeatureVectorPolicyAllEnabled m:type="Edm.Boolean">true</d:FeatureVectorPolicyAllEnabled>
<d:LogEntryExpiry m:type="Edm.Int32">7</d:LogEntryExpiry><d:MaxConnectionWaitTimeForClientUsage m:type="Edm.Boolean">false</d:MaxConnectionWaitTimeForClientUsage>
<d:MpnsChannelURI m:null="true"></d:MpnsChannelURI><d:MpnsPushEnable m:type="Edm.Boolean">false</d:MpnsPushEnable>
<d:PasswordPolicyEnabled m:type="Edm.Boolean">false</d:PasswordPolicyEnabled><d:PasswordPolicyDefaultPasswordAllowed m:type="Edm.Boolean">false</d:PasswordPolicyDefaultPasswordAllowed>
<d:PasswordPolicyMinLength m:type="Edm.Int32">8</d:PasswordPolicyMinLength><d:PasswordPolicyDigitRequired m:type="Edm.Boolean">false</d:PasswordPolicyDigitRequired>
<d:PasswordPolicyUpperRequired m:type="Edm.Boolean">false</d:PasswordPolicyUpperRequired><d:PasswordPolicyLowerRequired m:type="Edm.Boolean">false</d:PasswordPolicyLowerRequired>
<d:PasswordPolicySpecialRequired m:type="Edm.Boolean">false</d:PasswordPolicySpecialRequired><d:PasswordPolicyExpiresInNDays
    m:type="Edm.Int32">0</d:PasswordPolicyExpiresInNDays>
<d:PasswordPolicyMinUniqueChars m:type="Edm.Int32">0</d:PasswordPolicyMinUniqueChars><d:PasswordPolicyLockTimeout m:type="Edm.Int32">0</d:PasswordPolicyLockTimeout>
<d:PasswordPolicyRetryLimit m:type="Edm.Int32">20</d:PasswordPolicyRetryLimit><d:ProxyApplicationEndpoint>https://vmw3815.wdf.sap.corp:44309/sap/opu/odata/GBHCM/LEAVEREQUEST/</d:ProxyApplicationEndpoint>
<d:ProxyPushEndpoint m:null="true"></d:ProxyPushEndpoint><d:PublishedToMobilePlace m:type="Edm.Boolean">false</d:PublishedToMobilePlace>
<d:UploadLogs m:type="Edm.Boolean">true</d:UploadLogs><d:WnsChannelURI m:null="true"></d:WnsChannelURI>
<d:WnsPushEnable m:type="Edm.Boolean">false</d:WnsPushEnable><d:FeatureVectorPolicy m:type="Bag(applications.FeatureVectorPolicy)"></d:FeatureVectorPolicy>
</m:properties></content></entry>

Note

At any point when the SAML session is invalid, or the binding cookies on the client side expire, you must encounter SAML form response.


Last update: August 12, 2020