Using a Third-Party Certificate Provider

SAP Mobile Platform SDK includes a Provider API, which enables apps to download certificates from third-party infrastructures.

Implementing Content from Third-Party Certificate Providers

The CertificateProvider API implements a Logon extension for integrating non-Afaria certificate provider options, for example, MobileIron or AirWatch, or file-system installation.


Install a Client Hub application on the client device and enable an SSO pincode.

Creating an Xcode Library Project

To implement the certificate from your third-party provider, create a new static linked library project in Xcode.

You can obtain the required SAP Mobile Platform SDK dependencies from Service Marketplace. The libraries come bundled with the SAP Mobile Platform SDK installer. Unzip the installer on your system, then add the following dependency to your project:
maflogonuing.a min version: 1.203.0

Creating the Certificate Provider Implementation


The Provider class implements the CertificateProvider protocol:
@interface CertificateProviderSample : NSObject <CertificateProvider>


  1. Implement the getCertificate method:
    -(void) getCertificate:(id<CertificateProviderDelegate>)aProviderDelegate
    In this method, if the provider implementation requires a UI, the current view controller can be retrieved from the provider delegate instance:
    [aProviderDelegate currentViewController];
  2. When the SecIdentityRef is created, call the provider delegate instance:
    [pluginDelegate onGetCertificateSuccess:clientIdentity];
    If any error prevents the return of a valid SecIdentityRef, call this method with an NSError instance:
    [pluginDelegate onGetCertificateFailure: anError];
    After a successful registration, when the application has stopped and restarted, the LogonManager needs the SecIdentityRef again because it is stored only in the provider. Use the getStoredCertificate method:
    -(BOOL)getStoredCertificate:(SecIdentityRef *)secIdentityRef error:(NSError **)anError
    When this method is called, return the SecIdentityRef that was selected during registration. This is a synchronous method; therefore, do not show any UI here.
    If users inadvertently delete the registration or forget the passcode, LogonManager invalidates the registration and calls this method:
    -(BOOL) deleteStoredCertificateWithError:(NSError **)anError
    If the provider can successfully remove the stored certificate, deleteStoredCertificateWithError returns YES. In case of an error, it returns NO and the error description.
    Note: This method is also called at the beginning of the registration process to ensure that no client certificate exists, for example, from a previous registration.

Setting the CertificateProvider


  • You can set the CertificateProvider on the MAFLogonUIViewManager instance:
    CertificateProviderSample *certificateProviderSample = [[[CertificateProviderSample alloc] init] autorelease];
    [logonUIViewManager setCertificateProvider:certificateProviderSample];
  • If your application does not require a CertificateProvider, you can remove it by setting a nil:
    [logonUIViewManager setCertificateProvider:nil];

Refreshing a Certificate

The certificate used for registration and communicating with the server might become invalid at some point, for example, if the validity period ends.

When a used certificate becomes invalid and you want to use a different, valid one, call:
-(void) refreshCertificate;
This method does the following:
  1. Calls the deleteStoredCertificateWithError method, so that the CertificateProvider can delete the invalid certificate.
  2. Calls the getCertificate method to set a new, valid certificate. This method is called only if deleteStoredCertificateWithError returns YES.
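
The storage half of a provider, as an added example that is not SAP sample code: it keeps the identity in the iOS keychain and implements getStoredCertificate and deleteStoredCertificateWithError as described under Creating the Certificate Provider Implementation and Refreshing a Certificate. The header name, the keychain label, the storeIdentity:error: helper, and the ownership of the returned reference are assumptions.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import "CertificateProviderSample.h"  // assumed header declaring the class shown above

// Hypothetical label under which this provider keeps its identity.
static NSString *const kIdentityLabel = @"com.example.certprovider.identity";
// Map an OSStatus to the BOOL + NSError convention of the protocol methods.
static BOOL Succeeded(OSStatus status, NSError **anError) {
    if (status == errSecSuccess) return YES;
    if (anError) *anError = [NSError errorWithDomain:NSOSStatusErrorDomain code:status userInfo:nil];
    return NO;
}
@interface CertificateProviderSample (KeychainStorage)
- (BOOL)storeIdentity:(SecIdentityRef)identity error:(NSError **)anError;
@end

@implementation CertificateProviderSample (KeychainStorage)
// Hypothetical helper: call from getCertificate: before onGetCertificateSuccess:.
- (BOOL)storeIdentity:(SecIdentityRef)identity error:(NSError **)anError {
    NSDictionary *item = @{
        (__bridge id)kSecValueRef: (__bridge id)identity,
        (__bridge id)kSecAttrLabel: kIdentityLabel,
        // The private key stays on this device and is unreadable while it is locked.
        (__bridge id)kSecAttrAccessible: (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    };
    return Succeeded(SecItemAdd((__bridge CFDictionaryRef)item, NULL), anError);
}
// Synchronous keychain lookup; no UI is shown.
- (BOOL)getStoredCertificate:(SecIdentityRef *)secIdentityRef error:(NSError **)anError {
    NSDictionary *query = @{
        (__bridge id)kSecClass: (__bridge id)kSecClassIdentity,
        (__bridge id)kSecAttrLabel: kIdentityLabel,
        (__bridge id)kSecReturnRef: @YES,
        (__bridge id)kSecMatchLimit: (__bridge id)kSecMatchLimitOne
    };
    CFTypeRef found = NULL;
    if (!Succeeded(SecItemCopyMatching((__bridge CFDictionaryRef)query, &found), anError)) return NO;
    if (secIdentityRef) *secIdentityRef = (SecIdentityRef)found;  // caller owns the reference (assumption)
    else CFRelease(found);
    return YES;
}
// "Nothing stored" counts as success: this method also runs at the start of
// registration, and refreshCertificate only continues when it returns YES.
- (BOOL)deleteStoredCertificateWithError:(NSError **)anError {
    NSDictionary *query = @{ (__bridge id)kSecClass: (__bridge id)kSecClassIdentity,
                             (__bridge id)kSecAttrLabel: kIdentityLabel };
    OSStatus status = SecItemDelete((__bridge CFDictionaryRef)query);
    return status == errSecItemNotFound ? YES : Succeeded(status, anError);
}
@end
```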