Example application configuration for SAML2 authentication, with SSO achieved through principal propagation to the front-end server.
You have installed a SAML2 identity provider and configured it in Management Cockpit. You have to create a SAML2 local service provider and configure settings for the SAML2 trusted identity provider you are using. For detailed information, see the SAP Mobile Platform Server documentation at http://help.sap.com/mobile-platform.
You have performed the necessary steps to enable principal propagation to the Fiori front-end server. For more information, see Setting Up Communication Channels.
On any computer on the network, in a supported browser, enter the URL for the Management Cockpit and log in. The URL has the format: https://<host_name>:<https_admin_port>/Admin/
On the Applications page, choose New.
In the New Application dialog box, enter the following values:
Field | Value |
---|---|
ID | Unique application identifier in reverse domain notation. This is the application identifier that the application developer assigns or generates during application development. The administrator uses the application ID to register the application with the server, and the client application uses the application ID to send requests to the server. |
Name | Descriptive name for the application, for example, |
Vendor | (Optional) Vendor who developed the application, for example, |
Type | |
Description | (Optional) Short description of the application |
Save your entries.
On the Back End page, configure the following:
Field | Value |
---|---|
Endpoint | The URL the application uses to access business data on the Fiori front-end server. It has the following format: |
Certificate alias | |
Rewrite Mode | |
SSO Mechanisms | Add |
Save your entries.
On the Authentication page, enter a name for the new security profile.
Under Authentication Providers, choose Add.
Add the SAML authentication provider and configure the following:
Field | Value |
---|---|
Authentication Providers | |
Control Flag | |
Identity Provider Name | Name of the SAML identity provider you configured |
Add the Principal Propagation authentication provider and configure the following:
Field | Value |
---|---|
Authentication Providers | |
CA Signing Alias | Alias in the system keystore that contains the CA signing certificate and private key used to sign the dynamically generated certificate for the authenticated user (see Prerequisites, above). Example: |
Subject Pattern | Pattern used to define the SubjectDN in the generated certificate. The SubjectDN must match the configuration in Gateway. Example: |
Save your entries.
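The Subject Pattern step above is where the user identity asserted by SAML becomes the SubjectDN of the short-lived certificate that the front-end server trusts, so the rendered DN has to match the Gateway-side rule exactly and must not let a user-controlled attribute value inject extra RDNs. The following is an added example, not SAP Mobile Platform code: it assumes a `${name}` placeholder syntax and a Gateway rule where `*` marks the user-specific RDN value, both of which are assumptions for illustration.

```python
"""Added example (not SAP code). Renders an assumed ${name} subject pattern
from SAML attributes and checks the result the way a Gateway-side SubjectDN
rule would, including an RDN-injection attempt that escaping must neutralise."""
import re


def parse_dn(dn):
    """Split 'CN=alice,OU=Users,O=Example' into ordered (type, value) pairs.
    Commas escaped as '\\,' are part of a value, not RDN separators."""
    parts = []
    for rdn in re.split(r'(?<!\\),', dn):
        if '=' not in rdn:
            raise ValueError('malformed RDN: %r' % rdn)
        rdn_type, value = rdn.split('=', 1)
        parts.append((rdn_type.strip().upper(), value.strip().replace('\\,', ',')))
    return parts


def render_subject(pattern, attrs):
    """Expand ${name} placeholders (assumed syntax) from asserted attributes.
    Backslashes and commas in a value are escaped so an attribute such as
    'alice,OU=Admins' stays inside the CN instead of adding a second OU."""
    def substitute(match):
        key = match.group(1)
        if key not in attrs:
            raise KeyError('pattern variable not asserted: %s' % key)
        return attrs[key].replace('\\', '\\\\').replace(',', '\\,')
    return re.sub(r'\$\{(\w+)\}', substitute, pattern)


def gateway_accepts(subject_dn, rule):
    """Assumed Gateway-side check: same number of RDNs as the rule, and every
    rule RDN present with the same value ('*' accepts any value)."""
    subject = parse_dn(subject_dn)
    expected = parse_dn(rule)
    if len(subject) != len(expected):
        return False
    for rdn_type, value in expected:
        if not any(t == rdn_type and (value == '*' or v == value) for t, v in subject):
            return False
    return True


if __name__ == '__main__':
    # Constructed sample values; the real pattern comes from the cockpit field.
    pattern = 'CN=${username},OU=Users,O=Example'
    rule = 'CN=*,OU=Users,O=Example'
    for user in ('alice', 'alice,OU=Admins'):
        dn = render_subject(pattern, {'username': user})
        print(dn, '->', 'accepted' if gateway_accepts(dn, rule) else 'rejected')
```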
When you edit the hybrid app from the cockpit, available feature plugins are listed on the Client Policy screen. Feature plugins are typically JavaScript APIs that provide access to the native APIs of the mobile device (implemented as Apache Cordova plugins, for example, camera and geolocation).
You can indicate features that should be restricted from the application users.
On the Client Policy page, under Feature Restriction Policies, view the current status of feature restrictions.
Column | Description |
---|---|
Plugin | A list of feature plugins that are available with the application, such as Camera, Contacts, and Print. |
Description | Feature plugin descriptions, such as Cordova Camera Plugin, Cordova Contacts Plugin, and SAP Push Plugin. |
Allowed | Indicates whether the feature is allowed or restricted. By default, features are allowed. |
To enable a feature for the application, select the row and click Allow. A checkmark appears in the Allowed column.
To restrict a feature for the application, select a row and click Restrict. An exclamation mark (!) appears in the Allowed column.
Save your entries.