
Creating a SAML2 Trusted Identity Provider

Based on the metadata file that the provider sends you, create and configure a SAML2 trusted identity provider.

Prerequisites

  • Obtain from the SAML identity provider administrator a SAML2 metadata file, which contains all the information that is needed to communicate with the identity provider.
  • Determine from the SAML2 identity provider administrator whether the user's identity is contained in the subject (the NameID element), or in an attribute, of the SAML 2.0 assertion.
  • If the user's identity is contained in an attribute of the SAML 2.0 assertion, determine the name of the attribute.

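To settle the second and third prerequisites against a sample assertion obtained from the identity provider administrator, the following Python script is added here as an example (it is not SAP code and not part of SAP Mobile Platform). It parses the assertion with the standard library, reports the NameID with its Format and every attribute with its values, suggests SUBJECT or ATTRIBUTE in the terms the User ID Source property uses, and extracts the user ID the way a configured source would. The assertion, the UPN claim name and the rule that a transient NameID cannot serve as a user ID are assumptions of the example; it performs no signature, condition or audience validation and is meant for configuration-time inspection only, never for accepting a live login.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
# Assumed claim URI for the user principal name (an assumption of this example).
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

# Constructed sample assertion (unsigned, shortened): a transient NameID plus two attributes.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://localhost:8779/saml2/localidp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_7f1e9c</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>mobile-users</saml:AttributeValue>
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def inspect_assertion(assertion_xml):
    """Return the subject NameID, its Format and every attribute with its values.

    Configuration-time helper only: it does not validate the XML signature,
    conditions or audience, so never use it to accept a live login."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attributes[attr.get("Name")] = values
    return {
        "name_id": None if name_id is None else (name_id.text or "").strip(),
        "name_id_format": None if name_id is None else name_id.get("Format"),
        "attributes": attributes,
    }


def recommend_user_id_source(assertion_xml, attribute_name):
    """Suggest (User ID Source, Source) for the Cockpit form.

    Rule assumed here: a NameID is usable unless its Format is transient, because a
    transient identifier changes on every login; otherwise fall back to the named
    single-valued attribute."""
    info = inspect_assertion(assertion_xml)
    if info["name_id"] and info["name_id_format"] != TRANSIENT:
        return ("SUBJECT", None)
    values = info["attributes"].get(attribute_name, [])
    if len(values) == 1 and values[0]:
        return ("ATTRIBUTE", attribute_name)
    raise ValueError("no stable user identifier: NameID is transient or missing and "
                     f"attribute {attribute_name!r} is absent or multi-valued")


def extract_user_id(assertion_xml, user_id_source, source=None):
    """Take the user ID from the assertion the way the configured property directs."""
    info = inspect_assertion(assertion_xml)
    if user_id_source == "SUBJECT":
        if not info["name_id"]:
            raise ValueError("assertion carries no Subject/NameID")
        return info["name_id"]
    if user_id_source == "ATTRIBUTE":
        values = info["attributes"].get(source, [])
        if len(values) != 1:
            raise ValueError(f"attribute {source!r} must be present exactly once, found {len(values)}")
        return values[0]
    raise ValueError(f"unknown User ID Source {user_id_source!r}")


if __name__ == "__main__":
    print(inspect_assertion(SAMPLE_ASSERTION))
    print(recommend_user_id_source(SAMPLE_ASSERTION, UPN_CLAIM))
```

Run against the constructed assertion, the script recommends ATTRIBUTE with the UPN claim as Source, because the NameID is transient and would map each login to a new identity. A multi-valued attribute such as the group claim is rejected as a user ID on purpose; pick an attribute that the identity provider guarantees to be single-valued and unique per user.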
Procedure

  1. In Management Cockpit, select Settings > SAML > Trusted Identity Provider.
  2. Click New.
  3. Complete the required information.
    Table 1: SAML2 Trusted Identity Provider Properties
    Property Default Value Description

    Metadata File

    None

    Navigate to, and upload the SAML2 metadata file you obtained from the SAML2 identity provider. Values from the file automatically populate the remaining fields.

    Caution Any required fields (marked by "*") that do not automatically populate indicate that the metadata file is incomplete. Obtain another metadata file.

    In most cases, do not modify the values populated from the metadata file, except to enter a description and, when the user ID is taken from an attribute, to select the User ID Source and enter the attribute name in Source. Do not change any other fields unless you are certain that you understand the effects of the change.

    Name

    None

    The name of the identity provider. Do not change.

    Description

    None

    A short description for this identity provider.

    Single Sign-on URL

    None

    The identity provider's endpoint (URL) to which the service provider sends an authentication request.

    Single Sign-on Binding

    HTTP-POST

    The metadata imported from the identity provider may indicate support for various bindings. The only binding supported by SAP Mobile Platform SDK clients is HTTP-POST. SAP Mobile Platform Server also supports HTTP-Redirect, but SAP Mobile Platform SDK clients do not.

    Do not change this value, unless it shows a value other than HTTP-POST. If you do need to change this value, you very likely must also change the Single Sign-On URL. Inspect the identity provider metadata file to determine the URL that is associated with the HTTP-POST binding, and copy that URL into this property.

    Single Logout URL

    None

    Single logout is not supported by SAP Mobile Platform SDK clients. The URL and binding for logout are shown here only for informational purposes.

    Single Logout Binding

    HTTP-POST

    The SAML-specified HTTP binding the service provider uses to send a logout request. This field is filled in from identity provider metadata. Do not change.

    Signature Algorithm

    SHA-1

    The cryptographic hash algorithm used for the digests and signatures in the SAML protocol messages. SHA-1 is the default value; this field is not extracted from the identity provider metadata. Change to SHA-256 if your identity provider uses SHA-256. SHA-1 is no longer considered collision resistant, so select SHA-256 wherever the identity provider accepts it and keep SHA-1 only for a provider that cannot be updated.

    Signature Certificate

    None

    The X.509 certificate used by the identity provider to digitally sign the SAML protocol messages. This field is automatically populated from identity provider metadata. Do not change. This certificate is the trust anchor for every assertion the server accepts from this identity provider: confirm its fingerprint with the identity provider administrator out of band, and import new metadata before the identity provider rotates or renews the certificate, because signature validation fails as soon as assertions are signed with a key that is not in the metadata.

    User ID Source

    SUBJECT

    The location in the SAML assertion from which the user's unique name (ID) is taken when logging in.

    • SUBJECT obtains the ID from the name identifier in the assertion’s subject (<saml:Subject>) element.
    • ATTRIBUTE obtains the ID from a SAML attribute in the assertion.

    Change this value to ATTRIBUTE if the identity provider returns user ID as part of an attribute.

    Source

    None

    The name of the SAML attribute from which the user's unique name is obtained, if User ID Source is ATTRIBUTE. Not used if user ID source is SUBJECT.

    SAML Proxy

    Disabled

    If enabled, you can access the SAML identity provider through SAP Mobile Platform Server.

    If you set to Enabled:
    1. Click Add, and select the endpoint connection URL that matches the SSO URL. For example, if the SSO URL is http://localhost:8779/saml2/localidp/sso, a matching endpoint connection URL is http://localhost:8779/saml2/localidp.
    2. Click Save. If two matching endpoint connection URLs are defined, for example, http://localhost:8779/saml2/localidp and http://localhost:8779/saml2, an error occurs and you see this message: Multiple endpoint connection URLs match the single sign-on URL. See Defining Back-End Connections.
    3. Set these back-end connection properties:
      • Allow Anonymous Access
      • Either Rewrite URL in SMP or Rewrite URL in Back-End System

  4. Click Save.
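As an added example that is not part of this page or of SAP Mobile Platform, the following Python script does offline what step 3 describes: it reads an identity provider metadata file, reports any required field the Cockpit could not populate from it, extracts the HTTP-POST single sign-on URL, the logout URL and a SHA-256 fingerprint of the signing certificate, and applies the SAML Proxy rule that exactly one endpoint connection URL may match the SSO URL. The metadata, its placeholder certificate and the endpoint URLs are constructed; the fingerprint is there so you can confirm the certificate with the identity provider administrator out of band before trusting the file.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholder: a real file carries the base64 DER of the IdP's signing certificate.
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real X.509 certificate").decode()

# Constructed sample metadata using the document's example URLs; it advertises
# both HTTP-Redirect and HTTP-POST for single sign-on.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://localhost:8779/saml2/localidp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:8779/saml2/localidp/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://localhost:8779/saml2/localidp/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:8779/saml2/localidp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""" % FAKE_CERT_B64

# Same metadata with HTTP-POST removed: the Cockpit would leave Single Sign-on URL empty.
INCOMPLETE_METADATA = SAMPLE_METADATA.replace(HTTP_POST, "urn:example:unsupported-binding")


def _services(idp, element_name):
    """Map binding URN -> Location for every <md:element_name> under the IdP descriptor."""
    return {s.get("Binding"): s.get("Location") for s in idp.findall("md:" + element_name, MD_NS)}


def _signing_certs(idp):
    """DER bytes of every certificate usable for signing.
    A KeyDescriptor without a 'use' attribute is valid for both signing and encryption."""
    certs = []
    for kd in idp.findall("md:KeyDescriptor", MD_NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", MD_NS):
            certs.append(base64.b64decode("".join((c.text or "").split())))
    return certs


def missing_required_fields(metadata_xml):
    """Required Cockpit fields the metadata cannot populate (empty list means complete)."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", MD_NS)
    if idp is None:
        return ["Name", "Single Sign-on URL", "Signature Certificate"]
    missing = []
    if not root.get("entityID"):
        missing.append("Name")
    if HTTP_POST not in _services(idp, "SingleSignOnService"):
        missing.append("Single Sign-on URL")  # only HTTP-POST is usable by SDK clients
    if not _signing_certs(idp):
        missing.append("Signature Certificate")
    return missing


def parse_idp_metadata(metadata_xml):
    """Values the Cockpit form would be populated with, or ValueError if the file is incomplete."""
    missing = missing_required_fields(metadata_xml)
    if missing:
        raise ValueError("incomplete metadata, obtain another file; missing: " + ", ".join(missing))
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", MD_NS)
    return {
        "Name": root.get("entityID"),
        "Single Sign-on URL": _services(idp, "SingleSignOnService")[HTTP_POST],
        "Single Sign-on Binding": "HTTP-POST",
        "Single Logout URL": _services(idp, "SingleLogoutService").get(HTTP_POST),
        # Compare with the IdP administrator out of band before trusting the file.
        "Signature Certificate SHA-256": [hashlib.sha256(c).hexdigest() for c in _signing_certs(idp)],
    }


def matching_endpoint_connections(sso_url, endpoint_urls):
    """Endpoint connection URLs that are a path prefix of the SSO URL (SAML Proxy step 1)."""
    return [e for e in endpoint_urls if sso_url == e or sso_url.startswith(e.rstrip("/") + "/")]


def select_endpoint_connection(sso_url, endpoint_urls):
    """Mirror the Cockpit rule: exactly one endpoint connection URL may match the SSO URL."""
    matches = matching_endpoint_connections(sso_url, endpoint_urls)
    if not matches:
        raise ValueError("No endpoint connection URL matches the single sign-on URL")
    if len(matches) > 1:
        raise ValueError("Multiple endpoint connection URLs match the single sign-on URL")
    return matches[0]
```

With both http://localhost:8779/saml2/localidp and http://localhost:8779/saml2 defined, select_endpoint_connection raises the same "Multiple endpoint connection URLs match" condition the Cockpit reports, so trim the back-end connections until one prefix remains. The script takes the HTTP-POST location deliberately even when the file lists HTTP-Redirect first, which is the manual correction the Single Sign-on Binding property describes.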

Results

When the SAML2 authentication flow begins, SAP Mobile Platform Server generates a SAML2 request with the identity provider URL, and posts the request to the proxy connection URL that matches the SSO URL.

Next Steps

  • If you have not already done so, create a local service provider before you use SAML2 in a security profile.
  • If you are using Active Directory Federation Services (ADFS) as your identity provider, you must either enable strong (unlimited-strength) encryption in the Java Development Kit that runs SAP Mobile Platform Server, or configure ADFS not to encrypt the assertion. By default, ADFS encrypts the SAML assertion it sends to SAP Mobile Platform Server. Prefer the first option: it keeps the assertion, and the user identity and attributes it carries, encrypted end to end rather than relying on the transport alone.