
SSO with SAML2 Authentication

SSL Setup

If you use SAML 2.0 to authenticate users, you can add the principal propagation module to forward the authenticated user principals and credentials to the back end. The SSL setup is as follows:

  • Set up one-way SSL between SAP Fiori Client, SAP Web Dispatcher, and SAP Mobile Platform Server.

  • Set up mutual SSL between SAP Mobile Platform Server and the Fiori front-end server. Mutual SSL is required between these two components because SAP Mobile Platform Server forwards the user principals and credentials to the back end through principal propagation: the principal propagation module generates temporary X.509 user certificates at runtime, and these certificates are presented to the Fiori front-end server, which then performs the user mapping.

Note

This section describes how to establish secure network communication and set up trust between the components in a scenario with SAP Mobile Platform Server (on-premise).

For information about SAP HANA Cloud Platform mobile services, see the SAP HANA Cloud Platform mobile services documentation at https://help.hana.ondemand.com/hana_cloud_platform_mobile_services/frameset.htm (information published on the SAP site).

Tasks

  • Configuring the client to trust SAP Web Dispatcher: Have the SAP Web Dispatcher server certificate signed either by a well-known CA whose certificate is already in the truststore populated by the device manufacturer, or by an internal CA. In the latter case, use an MDM solution such as Afaria to distribute the signing CA certificate to the clients.

  • Configuring SAP Web Dispatcher Profile Parameters: Configure SSL termination and re-encryption, the SAP Web Dispatcher server port, and the connection to SAP Mobile Platform Server.

  • Replacing Default SAP Web Dispatcher PSEs: Replace the default self-signed server certificate with a CA-signed certificate.

  • Configuring SAP Web Dispatcher to Trust the Client: Import the Afaria CA signing certificate into the truststore so that SAP Web Dispatcher trusts the user certificate presented by the client.

  • Configuring SAP Web Dispatcher to Trust SMP Server: Import the CA certificate used to sign the SAP Mobile Platform Server certificate into the truststore.

  • Replacing Default SAP Mobile Platform Server Certificate: Replace the default self-signed certificate with a CA-signed certificate.

  • Configuring SMP Server to Trust SAP Web Dispatcher: Map the Impersonator role to the subjectDN of the certificate in the SAP Web Dispatcher client PSE, which SAP Web Dispatcher presents when it connects to SAP Mobile Platform Server.

  • Configuring SMP Server to Trust the Fiori Front-End Server: Import the CA certificate used to sign the Fiori front-end server certificate into the SAP Mobile Platform keystore.

  • Enabling Mutual SSL with the Fiori Front-End Server: Create a technical user certificate for SAP Mobile Platform Server to present in the mutual SSL handshake with the Fiori front-end server.

  • Enabling Principal Propagation to the Fiori Front-End Server: In principal propagation, temporary X.509 user certificates are generated at runtime so that user principals and credentials can be forwarded from SAP Mobile Platform Server to the back end. Generate the signing certificate with which these temporary certificates are issued.

  • Configuring the Fiori Front-End Server to Trust SMP Server: Import the SAP Mobile Platform Server technical user certificate into the Fiori front-end server truststore.

  • Enabling Principal Propagation on the Fiori Front-End Server: The Fiori front-end server must trust the temporary user certificates generated by the principal propagation module, that is, it must trust the signing certificate used to issue them.

Example Application Configuration for SSO

Example Configuration: SAML 2.0 Authentication