Enabling Secure Onboarding Using SAML

Security Assertion Markup Language (SAML) is an XML-based open standard data format for exchanging authentication and authorization data. Both SAP HANA Cloud Platform mobile services and SAP Mobile Platform Server support SAML authentication. The Logon plugin can use SAML authentication with or without Mobile Place.

Only SAP HANA Cloud Platform mobile services can publish the registration configuration (which may or may not include SAML configuration) directly to the Mobile Place server; you select an option in the management cockpit for SAP HANA Cloud Platform mobile services. For SAP Mobile Platform Server, to use Mobile Place to provision the configuration to the device, you must upload the registration configuration to the Mobile Place server manually.

Enabling SAML Authentication

Configure the registration context so that the Logon plugin performs SAML authentication. The context parameter refreshSAMLSessionOnResume controls whether SAML authentication is skipped or repeated when the application restarts or the data vault is unlocked. By default, refreshSAMLSessionOnResume is set to always.

Before sending a server request, the AuthProxy plugin calls the sap.Logon.performSAMLAuth method and issues the server request from that method's success callback.
Note: This configuration is not applicable during application registration.

For example, offline applications work with offline data and synchronize with the server only periodically. In this case, set the context parameter refreshSAMLSessionOnResume to skip so that SAML authentication is not repeated on resume.

Sample registration context:

var context = {
    "serverHost": "hcpms-i826633trial.hanatrial.ondemand.com", // Place your SMP 3.0 server name here
    "serverPort": "0",
    "https": "true",
    "passcode": "Password1",
    "passcode_CONFIRM": "Password1",
    "unlockPasscode": "Password1",
    "refreshSAMLSessionOnResume": "skip",
    "auth": [
        {
            "type": "saml2.web.post",
            "config": {
                "saml2.web.post.authchallengeheader.name": "com.sap.cloud.security.login",
                "saml2.web.post.finish.endpoint.uri": "/SAMLAuthLauncher",
                "saml2.web.post.finish.endpoint.redirectparam": "finishEndpointParam"
            }
        }
    ]
};

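The following is an added example, not code from the SAP documentation or from the Logon plugin itself. It builds a registration context of the shape shown above, validates the SAML-relevant keys before the context is handed to the plugin, and applies the refreshSAMLSessionOnResume policy to decide whether SAML authentication must run before a server request. The function names (buildSamlRegistrationContext, validateSamlRegistrationContext, needsSamlRefresh), the event names "restart", "unlock" and "registration", and the host name example.invalid are assumptions of this example; serverHost, serverPort, https, the passcode keys, refreshSAMLSessionOnResume and the auth keys are the page's own.

```javascript
// Added example (not from the SAP documentation or the Logon plugin). The
// helper names and the event names "restart", "unlock" and "registration"
// are assumptions of this example; the context keys are those of the page.

// Keys that a saml2.web.post auth entry must carry (from the sample context).
const REQUIRED_SAML_POST_KEYS = [
  "saml2.web.post.authchallengeheader.name",
  "saml2.web.post.finish.endpoint.uri",
  "saml2.web.post.finish.endpoint.redirectparam",
];

// Events governed by refreshSAMLSessionOnResume: application restart and
// data vault unlock. Registration is handled separately in needsSamlRefresh.
const RESUME_EVENTS = new Set(["restart", "unlock"]);

// Build a registration context in the shape the Logon plugin expects.
// Passcodes are passed in by the caller (prompted from the user) rather
// than hard-coded as in the sample above.
function buildSamlRegistrationContext(opts) {
  const ctx = {
    serverHost: opts.serverHost,
    serverPort: String(opts.serverPort === undefined ? 443 : opts.serverPort),
    https: "true", // SAML assertions must only travel over TLS
    passcode: opts.passcode,
    passcode_CONFIRM: opts.passcode,
    unlockPasscode: opts.unlockPasscode === undefined ? opts.passcode : opts.unlockPasscode,
    refreshSAMLSessionOnResume: opts.refreshSAMLSessionOnResume || "always",
    auth: [{ type: "saml2.web.post", config: Object.assign({}, opts.samlConfig) }],
  };
  validateSamlRegistrationContext(ctx);
  return ctx;
}

// Validate the SAML-relevant parts of a registration context. Returns true,
// or throws listing every problem found, so a misconfiguration is caught
// before the plugin attempts registration.
function validateSamlRegistrationContext(ctx) {
  const errors = [];
  if (!ctx.serverHost) errors.push("serverHost is required");
  if (ctx.https !== "true") errors.push('https must be "true" for SAML');
  if (!ctx.passcode || ctx.passcode !== ctx.passcode_CONFIRM) {
    errors.push("passcode and passcode_CONFIRM must be set and equal");
  }
  if (!["always", "skip"].includes(ctx.refreshSAMLSessionOnResume)) {
    errors.push('refreshSAMLSessionOnResume must be "always" or "skip"');
  }
  const saml = (ctx.auth || []).find((a) => a.type === "saml2.web.post");
  if (!saml || !saml.config) {
    errors.push("auth must contain a saml2.web.post entry with a config");
  } else {
    for (const key of REQUIRED_SAML_POST_KEYS) {
      if (!saml.config[key]) errors.push("missing " + key);
    }
    const uri = saml.config["saml2.web.post.finish.endpoint.uri"];
    if (uri && !uri.startsWith("/")) {
      errors.push("finish endpoint uri must be a server-relative path");
    }
  }
  if (errors.length > 0) {
    throw new Error("invalid registration context: " + errors.join("; "));
  }
  return true;
}

// Decide whether SAML authentication must run before a server request.
// Registration always authenticates (the setting is not applicable there);
// on restart or unlock the refreshSAMLSessionOnResume value decides; any
// other event is treated conservatively and re-authenticates.
function needsSamlRefresh(ctx, event) {
  if (event === "registration") return true;
  if (!RESUME_EVENTS.has(event)) return true;
  return ctx.refreshSAMLSessionOnResume !== "skip";
}
```

The validator deliberately collects all problems rather than stopping at the first, since a registration failure on a device is expensive to diagnose; the https check is included because a SAML assertion delivered over plain HTTP could be read or replaced in transit.
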
Enabling Your Application to Use Mobile Place

To enable your application to use Mobile Place, set mobilePlace to true in the Logon context in index.html in the www folder.

When Mobile Place is enabled, these SAML configuration items are automatically included in the registration context to enable SAML authentication during logon:

  • saml2.web.redirect.identifyingHeader.name: The value of this key is used in the server response to indicate that a SAML challenge is required. When a client sends a request to the server and the server's response includes this header, the server has requested SAML authentication, and the client should start a SAML authentication process.
  • saml2.web.redirect.finish.endpoint: The value of this key is the initial URL from which the client starts SAML authentication. The client should send the request to this URL in a UIWebView control, because the server returns an HTML page for the request.
  • saml2.web.redirect.finish.endpoint.param: The value of this key indicates that SAML authentication has finished. When the server sends a response with this value in its URL, SAML authentication is done and the client can continue the logon process.
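
The client-side use of these three keys, as an added example that is not part of the SAP documentation or the Logon plugin: detectSamlChallenge checks a server response for the identifying header, isSamlFinishUrl checks whether a URL loaded in the web view carries the finish parameter, and runSamlFlow strings the two together against a simulated web view. The function names, the requireKey helper, and the sample headers and URLs (hosts under example.invalid) are constructed for this example; the configuration keys are the ones Mobile Place provides. The same-origin check in isSamlFinishUrl is this example's own hardening, not something the page specifies.

```javascript
// Added example (not from the SAP documentation or the Logon plugin). The
// function names and the sample headers and URLs are constructed for this
// example; the three configuration keys are the ones Mobile Place provides.

const SAML_KEYS = {
  header: "saml2.web.redirect.identifyingHeader.name",
  finishEndpoint: "saml2.web.redirect.finish.endpoint",
  finishParam: "saml2.web.redirect.finish.endpoint.param",
};

// Read a required configuration value or fail loudly: a missing key would
// otherwise make the client silently never detect the challenge or the finish.
function requireKey(samlConfig, key) {
  const value = samlConfig[key];
  if (typeof value !== "string" || value.length === 0) {
    throw new Error("SAML configuration is missing " + key);
  }
  return value;
}

// A server response signals a SAML challenge by carrying the identifying
// header. HTTP header names are case-insensitive, so compare lower-cased.
function detectSamlChallenge(response, samlConfig) {
  const wanted = requireKey(samlConfig, SAML_KEYS.header).toLowerCase();
  const headers = response && response.headers ? response.headers : {};
  return Object.keys(headers).some((name) => name.toLowerCase() === wanted);
}

// The web view has reached the end of the SAML exchange when it loads a URL
// whose query string carries the finish parameter. When the finish endpoint
// is an absolute URL, only URLs from that same origin count, so a page served
// by another origin (for example an identity provider page) cannot signal
// completion. This origin check is this example's addition.
function isSamlFinishUrl(url, samlConfig) {
  const param = requireKey(samlConfig, SAML_KEYS.finishParam);
  const endpoint = requireKey(samlConfig, SAML_KEYS.finishEndpoint);
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return false; // not an absolute URL the web view could have loaded
  }
  if (/^https?:\/\//i.test(endpoint) && parsed.origin !== new URL(endpoint).origin) {
    return false;
  }
  return parsed.searchParams.has(param);
}

// Drive one logon attempt against a simulated web view. `navigations` is the
// ordered list of URLs the web view loads after being pointed at the finish
// endpoint. The result tells the caller whether SAML was required, whether
// it completed, where the web view was started, and how many loads it took.
function runSamlFlow(response, samlConfig, navigations) {
  if (!detectSamlChallenge(response, samlConfig)) {
    return { samlRequired: false, completed: true, startUrl: null, steps: 0 };
  }
  const startUrl = requireKey(samlConfig, SAML_KEYS.finishEndpoint);
  const loads = navigations || [];
  const finishedAt = loads.findIndex((u) => isSamlFinishUrl(u, samlConfig));
  return {
    samlRequired: true,
    completed: finishedAt !== -1,
    startUrl,
    steps: finishedAt === -1 ? loads.length : finishedAt + 1,
  };
}
```

In a real Cordova application the `navigations` array is replaced by the web view's load events; the point of the simulation is that completion is decided only by the configured finish parameter arriving on the expected origin, never by the web view simply closing.
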

When you use SAML authentication with Mobile Place, the application ID is automatically configured on the Mobile Place server.

Note: A reserved key, "%%providedContext", is used in the Logon plugin's data vault to store SAML authentication configuration data. As a general rule, all reserved keys in the data vault start with "%%". Do not give your own keys a "%%" prefix, to avoid a conflict.