Creating a SAML2 Local Service Provider

Create a SAML2 local service provider that can communicate with a trusted identity provider to determine whether a requesting user is authorized to access a secured resource.

Prerequisites

Configure the SAP Mobile Platform SAML service provider certificate generator in Management Cockpit (Settings > System).

Context

Configure the provider using a certificate that is either:
  • Generated by SAP Mobile Platform, or

  • Signed by your own PKI/CA system.

Procedure

  1. In Management Cockpit, select Settings > SAML > Local Service Provider.
  2. Complete the required information.
    Table 1: SAML2 Local Service Provider Properties (each field name is followed by its description)

    Local Provider Name

    A unique name that identifies the local service provider across all the trusted identity providers you plan to use. To ensure uniqueness, use a name you are certain no one else has registered, such as DN::mysmp1. Maximum length is 256 characters. The name appears at the identity provider as a trusted service provider and represents this SAP Mobile Platform installation.

    Base URL

    The base URL for the local service provider.

    For a single SAP Mobile Platform installation where clients connect directly to the server, you can use the fixed IP address or host name of your SAP Mobile Platform Server, for example, https://198.164.10.18:8081.

    For an SAP Mobile Platform cluster, or when clients connect from the Internet and a load-balancer/reverse-proxy sits between clients and SAP Mobile Platform, enter the URL of either the load balancer or the reverse-proxy.

    To test SAP Mobile Platform SDK clients, you must use an HTTPS URL. If you are testing locally with something like a REST client, HTTP works.

    Signing Key

    The Base64-encoded signing key for your SAP Mobile Platform installation.

    • For certificates that are generated by SAP Mobile Platform, leave this field blank, and generate a key pair.

    • For certificates that are signed by your own PKI/CA system, copy and paste the signing key and signing certificate that you receive from your PKI system. The key must be unencrypted and in DER-encoded PKCS #8 format. For example, if you start with the PKCS #12 file key.p12:
      1. On a command line, run:
        openssl pkcs12 -in key.p12 -nocerts -nodes | openssl pkcs8 -topk8 -inform pem -outform der -nocrypt | base64 -w 0 > key
        openssl pkcs12 -in key.p12 -nokeys -clcerts | openssl x509 -outform der | base64 -w 0 > cert
      2. Paste the contents of key into Signing Key.
      3. Paste the contents of cert into Signing Certificate.

    Signing Certificate

    The full text of the certificate that identifies your SAP Mobile Platform installation.

    • For certificates that are generated by SAP Mobile Platform, leave this field blank, and generate a key pair.

    • For certificates that are signed by your own PKI/CA system, see Signing Key, above.

  3. (Optional) If you left the Signing Key and Signing Certificate fields blank, click Generate Key Pair.
  4. Click Save.

    After you save, you cannot change the signing key or signing certificate.

  5. Click Get Metadata to download the SAML 2.0 XML metadata that describes SAP Mobile Platform as a service provider.
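The key and certificate conversion from the Signing Key description, as an added example that is not SAP's own code: it builds a throw-away key.p12 so the script runs on its own, runs the two openssl pipelines with a non-interactive password, and checks before pasting that the decoded key is unencrypted PKCS #8 DER and belongs to the certificate. The file names, the CN mysmp1.example and the password changeit are constructed for the example.

```shell
#!/bin/sh
# Added example, not SAP's own code: produce the Signing Key / Signing
# Certificate values from a PKCS#12 file and verify them before pasting.
set -eu

# Constructed input: a throw-away self-signed pair bundled as key.p12.
# In practice key.p12 and its password come from your PKI/CA system.
make_test_p12() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout tmp_key.pem \
    -out tmp_cert.pem -subj "/CN=mysmp1.example" -days 1 2>/dev/null
  openssl pkcs12 -export -inkey tmp_key.pem -in tmp_cert.pem \
    -out key.p12 -passout pass:changeit
}

# The two pipelines from the procedure, with -passin so they do not prompt.
# -nocrypt is required: SAP Mobile Platform expects an unencrypted PKCS#8 key.
convert_p12() {
  p12="$1"; pass="$2"
  openssl pkcs12 -in "$p12" -nocerts -nodes -passin "pass:$pass" 2>/dev/null \
    | openssl pkcs8 -topk8 -inform pem -outform der -nocrypt \
    | base64 -w 0 > key
  openssl pkcs12 -in "$p12" -nokeys -clcerts -passin "pass:$pass" 2>/dev/null \
    | openssl x509 -outform der | base64 -w 0 > cert
}

# Sanity check before pasting: both files decode to DER, the key needs no
# password, and the certificate carries the public half of that key.
verify_pair() {
  base64 -d key | openssl pkey -inform der -pubout 2>/dev/null > k.pub || return 1
  base64 -d cert | openssl x509 -inform der -pubkey -noout 2>/dev/null > c.pub || return 1
  cmp -s k.pub c.pub
}

# The file "key" is a plaintext private key; remove it once it is pasted.
cleanup() {
  rm -f key cert k.pub c.pub tmp_key.pem tmp_cert.pem key.p12
}

make_test_p12
convert_p12 key.p12 changeit
verify_pair || { echo "signing key and certificate do not match" >&2; exit 1; }
echo "key: $(wc -c < key) bytes, cert: $(wc -c < cert) bytes of Base64"
```

Because of base64 -w 0, each output file is a single line with no trailing newline, which is the form the Signing Key and Signing Certificate fields expect.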

Next Steps

  • Before you use SAML2 in a security profile, configure a trusted identity provider.

  • Send the metadata file you generated to the trusted identity provider you plan to use.