Introducing SAP Fiori Client 1.2
The Fiori and SMP Hybrid SDK teams have been at work on the next version of the SAP Fiori Client. The application will soon be available in the Apple and Google app stores, so I thought I’d take some time and tell you about it. We got a lot of feedback from the Fiori team, our internal colleagues, our partners and customers, and have added a lot of features to the applications and simplified some aspects of the application, especially initial configuration.
There are two versions of the SAP Fiori Client, the app store version and a custom version customers can build using the SMP Hybrid SDK (Kapsel). The app store version of the application is simply a mobile application built using the SDK and distributed through the public app stores. In this article, I’ll focus most of my attention on the app store version of the client, but much of this applies to a custom version as well. Any feature I describe in this article is already available to SDK customers as that product was released before the app store version was created. The only difference between the two versions is that a custom version of the application can be, well, customized (application icon & title, splash screen, additional Cordova plugins, custom security configurations and pre-configured server configuration).
Here’s a list of the new features of SAP Fiori Client version 1.2:
- Support for Android 5.0 and for iOS 7.1 and 8.1
- Support for connection to SAP Fiori using a direct connection to the Fiori Frontend server or through the SAP Mobile Platform Server or HANA Cloud Platform mobile services
- Enhancements to the application’s initial configuration including support for the SAP Mobile Place Discovery Service
- Application Passcode
- Support for Basic Authentication and user certificate authentication (only with SAP Mobile Secure) and SAML
- Mobile Qualities & Feature Restriction Policy
- Enhanced error pages – we’ve cleared up some of the error messages to make it easier for users to understand what’s happened
- Settings Screen enhancements
I’ll describe most of these enhancements in the sections that follow.
Mobile OS Support
The SAP Fiori Client supports Android and iOS today. Since the SAP Fiori Client is an Apache Cordova application, OS support is limited to versions supported by Apache Cordova. Other issues limit SAP Fiori Client support to a subset of the OS versions supported by Cordova.
For Android, there is a known WebView memory leak issue with Android 4.1.2, so the SAP Fiori Client is only supported on Android 4.1.3 through Android 5.0.
For iOS devices, the SAP Fiori Client is supported on iOS 7.1, 7.1.1, 7.1.2, 8.1, 8.1.1, and 8.2. There are known issues with iOS 8.0, so that version of the OS is not supported.
Support for Microsoft Windows 8.1 is planned, but I do not have any details I can share.
Authentication Scenarios
The team has spent a lot of effort to enhance the security capabilities of the application. This version of the application has additional certificate configuration options including an option to configure certificates through SAP Mobile Secure. We have also added support for Basic Authentication, user certificate authentication (only with SAP Mobile Secure) and SAML.
I’ll try to go into more details on these capabilities in a future post; in the meantime, you should be able to obtain additional details in the SMP and Fiori documentation.
Native Device Capabilities (AKA: Mobile Qualities)
With this release, the SAP Fiori Client adds the first set of Mobile Qualities (which I described in this post: http://scn.sap.com/community/mobile/blog/2014/10/13/update-on-fiori-mobile). Added to this version of the SAP Fiori Client are Cordova plugins that provide support for the following native capabilities:
- Camera
- Barcode Scanner
- Geolocation
The plan is for the SAP Fiori Client to add native capabilities (through Cordova plugins) that SAP Fiori will be able to take advantage of. I’m not saying anything about when Fiori will take advantage of these qualities, only that it can after we’ve made them available in the SAP Fiori Client.
What’s interesting about this is that when the SAP Fiori Client is connected to the Fiori back-end through SMP, the SMP server can restrict access to these Mobile Qualities. We did this to provide customers with additional protection for their environment, if they want it.
The mobile qualities will be enabled in the application by default. Nothing is being done (or can be done, really) to hide the operating system prompt that asks the user to allow an application to use specific native capabilities (like camera or geolocation) if they’re in the application and/or being used by the application. Android applications prompt the user to enable certain qualities when the application is installed; iOS prompts the first time the capability is used by the application. In an SMP environment, an administrator can disable specific qualities and they won’t operate in the affected SAP Fiori Client application.
Initial configuration
The SAP Fiori Client is being used by companies of all sizes, and simplifying the initial configuration of the SAP Fiori Client was one of the goals for this release. In previous versions of the SAP Fiori Client, the application only worked directly against the Fiori Frontend Server and could be configured with a simple endpoint URL. With this release, we’re adding support for SMP to the app store version of the application.
The SMP configuration is a little more complicated. The application needs the SMP Server endpoint URL as well as the ID of the application on the SMP server. So, if you think about the SAP Fiori Client initial configuration, the user would have to either provide a Fiori URL or an SMP server URL and, only if it’s a SMP configuration, an app ID. Those things can all be easily configured in a custom SAP Fiori Client, but it would be hard for end users to know the difference and be able to accurately provide all the values the app would need to complete its configuration.
A custom SAP Fiori Client application can be pre-configured at build time, so the application deployed to end users, either through an Enterprise App Store or a Mobile Application Management solution, already includes the settings it needs to operate in the customer’s environment.
With SAP Fiori Client 1.2, all the user has to do is enter a URL or email address as shown in Figure 1.
Figure 1 – SAP Fiori Client Initial Configuration
The email address is used to retrieve the application settings from SAP Mobile Place (http://scn.sap.com/community/mobile/blog/2014/07/29/what-is-mobile-place-new-mobile-app-managment-capability-in-sap-mobile-secure) and apply it to the application’s configuration. Essentially the application uses the user’s email domain and an application ID (hard-coded into the app store version of the SAP Fiori Client) to lookup the corresponding settings for the application in Mobile Place.
The URL can either be a Fiori endpoint URL or a specially formatted URL that provides the additional information the SAP Fiori Client uses to configure for an SMP connection.
For SMP configuration, you would provide something similar to the following:
https://mycompany.com/fiori?fioriURLIsSMP=true&appID=com.mycompany.fiori
The fioriURLIsSMP parameter tells the SAP Fiori Client whether (or not) the endpoint URL points to an SMP server. When this parameter is true, you will also have to add the appID parameter, which must match the application configuration definition ID on the SMP server. There are other parameters supported as well; please refer to the Fiori and/or SMP documentation for details.
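The following sketch is an added example, not code from the SAP Fiori Client or the SDK. It shows how a help desk or provisioning script could check a configuration URL before handing it to users: the parameter names fioriURLIsSMP and appID come from the article, while the function name parseFioriConfigUrl, the https-only rule, the optional host allow-list and the stripping of client-side parameters are assumptions of this example.

```javascript
// Added illustration: parse and validate a Fiori Client configuration URL.
// Only the parameter names are taken from the article; every check below
// is an assumption of this example, not documented client behaviour.

const CLIENT_ONLY_PARAMS = ['fioriurlissmp', 'appid'];

function parseFioriConfigUrl(input, allowedHosts = []) {
  let url;
  try {
    url = new URL(String(input).trim());
  } catch (e) {
    throw new Error('not a valid URL');
  }
  if (url.protocol !== 'https:') {
    throw new Error('endpoint must use https');
  }
  if (url.username || url.password) {
    throw new Error('credentials in the URL are not allowed');
  }
  // Optional allow-list, e.g. the company's known Fiori and SMP hosts.
  if (allowedHosts.length > 0 && !allowedHosts.includes(url.hostname)) {
    throw new Error('host ' + url.hostname + ' is not on the allow-list');
  }

  // Parameter names are matched case-insensitively (the page shows both
  // "appID" and "appid"); a repeated parameter is treated as an error.
  const clientParams = {};
  for (const [name, value] of url.searchParams) {
    const key = name.toLowerCase();
    if (!CLIENT_ONLY_PARAMS.includes(key)) continue;
    if (key in clientParams) {
      throw new Error('duplicate parameter ' + name);
    }
    clientParams[key] = value;
  }

  const smpRaw = (clientParams.fioriurlissmp || 'false').toLowerCase();
  if (smpRaw !== 'true' && smpRaw !== 'false') {
    throw new Error('fioriURLIsSMP must be true or false');
  }
  const isSMP = smpRaw === 'true';

  const appID = clientParams.appid || null;
  if (isSMP && !appID) {
    throw new Error('appID is required when fioriURLIsSMP=true');
  }
  if (appID !== null && !/^[A-Za-z0-9._-]+$/.test(appID)) {
    throw new Error('appID contains unexpected characters');
  }

  // Keep server-side parameters (sap-client, sap-language, ...) and drop
  // the ones that are only meant for the client.
  const endpoint = new URL(url.href);
  for (const name of [...endpoint.searchParams.keys()]) {
    if (CLIENT_ONLY_PARAMS.includes(name.toLowerCase())) {
      endpoint.searchParams.delete(name);
    }
  }

  return { fioriURL: endpoint.href, fioriURLIsSMP: isSMP, appID: appID };
}

// Sample URL from the article.
const sample = parseFioriConfigUrl(
  'https://mycompany.com/fiori?fioriURLIsSMP=true&appID=com.mycompany.fiori'
);
console.log(sample);
```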
Passcode
One of SAP’s security requirements is that all applications be protected by an application passcode. With some of the SSO and authentication capabilities of the SAP Fiori Client, it’s possible that an unauthorized user could access the application if they were able to obtain physical access to the device (if it were lost, for example, but not password protected). To add an extra layer of protection, the app store version of the SAP Fiori Client comes preconfigured with settings to enable a passcode for the application as shown in Figure 2. The application is configured to require a passcode of a minimum of 8 characters.
Figure 2 – SAP Fiori Client Passcode
Now, as you can see in the figure, the passcode can be easily disabled by the user. Simply tap the Disable Passcode button and you’re ready to go. If you later forget your passcode, you can use the Forgot Passcode capability provided by the application to reset the application settings.
If you’re using a custom version of the SAP Fiori Client, you’ll be able to set your own passcode policy for the application by making some simple changes to the application project’s appConfig.js file.
If SAP Fiori Client is used with SMP, any local passcode policy is ignored and instead the application uses the passcode policy that has been configured for the application by the SMP Server. In this scenario, the passcode can be required or disabled based on the administrator’s settings.
First Use Tips
After you have provided the Fiori endpoint URL and set or disabled a passcode, the SAP Fiori Client application will display the Tips page shown in Figure 3. This page will only display the first time you use the SAP Fiori Client after setting the Fiori endpoint URL.
Figure 3 – SAP Fiori Client First Use Tips Page
The content of this page can be customized if you’re using a custom version of the SAP Fiori Client. You can change the content or you can modify the application so this page never displays.
Application Settings
With previous versions of the SAP Fiori Client, changing the application’s configuration was a simple matter, you opened the settings application and made the changes you needed. On Android, the settings app was an integral part of the application where on iOS, application settings were accessed via the external Settings application. In SAP Fiori Client 1.2, settings are accessed directly from within the application for both operating systems.
As mentioned earlier, the SAP Fiori Client configuration is now a little more…complicated, the application has to deal with more access scenarios. Because of this, we had to make some changes to the way the settings worked. Figure 4 shows the new settings screen.
Figure 4 – SAP Fiori Client Settings Application on Android
With the previous versions of the application, the application user could directly edit the Fiori endpoint URL in the settings screen. In this version of the SAP Fiori Client, in order to make changes to the endpoint URL, you’ll have to remove the existing URL configuration by tapping the Clear All Application Settings button shown in the bottom of the figure.
Once you do that, you’ll be taken to the configuration screen shown in Figure 1 where you can enter the updated configuration URL or email address.
Emailing the Application Log
The SAP Fiori Client comes with default settings that control what information is logged by the application. In the past, there was an option to enable the log and a separate option for setting the log level. In this version of the SAP Fiori Client, the log is enabled by default and you can only set the log level.
To view the log, open the menu on Android or the toolbar (by double-tapping on the screen) for iOS and there’s an option for viewing the log file. New in this release is a button, shown in Figure 5, that allows you to send an email with the log contents. Users will use this option when they encounter an issue and need to send details about the issue to an administrator or help desk resource.
Figure 5 – SAP Fiori Client Log Viewer
The log is not intended to be consumed by application users. There’s a lot of stuff in there and no effort has been made to make the content easily viewable from within the application.
Documentation
With earlier versions of the SAP Fiori Client, the application’s user guide was published as a PDF file which wasn’t very readable on a smartphone. For this release, the SAP Knowledge Management Team published the content as a mobile-friendly web site as shown in the following figure. You can access the application’s user guide at http://help.sap.com/Download/Multimedia/fc12/index.html.
Now you can easily get the help you need directly from within the SAP Fiori Client application as shown in Figure 6. To access help, open the menu on Android or the toolbar (by double-tapping on the screen) for iOS and select the Help option.
Figure 6 – SAP Fiori Client Online Help
Hi John Wargo,
Nice blog...
I have following issue in fiori client mobile app, can pls help me on this.
Unable to view the Done button in custom application in FIORI client Mobile App.
Hello John!
Very helpful Information. A Statement above is that SAP is supporting iOS and Android and in future Windows8.1.
Is there also a plan to support Blackberry (incl. Secure Blackberry)?
br
Thanks for the valuable information provided.
Could you elaborate a bit on whether there already is or is planned support for URL schemes that could help to easily set up Fiori client, e.g. by providing the Fiori URL
I do not understand what you're looking for. As I described above, we've added features to make it easy to configure the SAP Fiori Client, what else are you looking for?
Sorry John, if I was a bit unspecific. I understand that you have options to pre-configure the client either using SMP and pre-configured clients (old way) or using SAP Mobile Place (new way).
You could e.g. send an email to a client that has this link sapfiori://configure?url=http://myfioryhost.example.com/ where "url" would be our fiori launchpad URL. Fiori client could register to URL schema "sapfiori" and take the launchpad URL from the link.
However, thinking as I'm writing: This, of course, would put the users at risk for getting spoofed setup emails either breaking already established corporate setup or even worse opening a vector for phishing attacks so one obviously would only allow such method in a secure / managed environment and or only at first startup / if not yet being already set.
Anyways: Takeaway here is: To pre-configure fiori client you'll either need SMP or SAP Mobile Place, right?
Kind regards
Jens
We wanted to add that capability, but security concerns kept us from doing so. So, you can use Mobile Place or send the user a pre-configured URL that they can copy and paste into the application's configuration. You can also build your own version of the application and pre-configure it before deployment.
We're looking at other options for making this simpler.
Ok, already assumed that security concerns might be a drawback when thinking about offering such a capability.
Thanks for letting us know / sharing insights on this
Hi John,
there might be a way to make app-configuration available in an EMM-Vendor independent way. Our EMM-Vendor airwatch started an initiative called App-Configuration for Enterprise (ACE). The idea is to use standard features of the mobile devices OS. In case of app configuration the solution is described here. And there is already a plugin for cordova existing for using app configuration on iOS.
Regards,
Kai
Hi John,
That's great information and a good step forward!
Regarding the user certificate authentication: can you explain why this requires SAP Mobile Secure? As the Fiori Client is "just" a wrapper for the Browser (plus some Caching) I would expect that it also comes with a native support for x.509 certificates (aka user certificates). This works fine when we access the Launchpad on Mobile Devices with the Browser. But unfortunately, not with the FIORI client 1.x. Any plans to support that in future w/o deploying SMP or Mobile Secure?
Thanks,
Klaus
It's simply because the implementation of this (today) is using capabilities exposed by Afaria. We expect to be able to remove this limitation.
This would definitely be a big plus for fiori client, especially since SAP states that "saving a Fiori application as a Safari home screen icon" is not supported on iOS http://service.sap.com/sap/support/notes/1898042 (note says this applies to iOS 6 / 7 but I'm quite positive that iOS 8 is also not supported)
Looking forward for your team to overcome said limitation of the Fiori Client
Cheers
Jens
hello,
i try to connect the sap IOS Fiori Client Version 1.2.3 trough the SMP to our launchpad!
But i get on the ios only a blank page without error message - in the Fiori APP logfile I can find this error message:
In the SMP Logfile i can find this error message:
any idea - thanks!
There are some more detailed steps on how to configure the SMP server to proxy a Fiori app at the links below that might help.
I would in particular check to see if you have the rewrite mode selected as Rewrite URL in Backend System.
http://scn.sap.com/docs/DOC-56080
Integration of SAP Mobile Platform into SAP Fiori Landscape - SAP Library
Hi John,
I am testing HCPms by SAP Fiori Client (1.2.3), I enter the following URL https://hcpms-c5194000trial.hanatrial.ondemand.com/fiori?fioriURLIsSMP=true&appID=com.sap.fiorihcp, and then enter the correct user name and password, and then submit feedback Check your connection data.
HCPms is using SAML, so accessing HCPms would be redirected to SAP ID service, with Browser it worked fine.
Have you been tested for HCPms? Another guidance document can be shared it.
Some additional findings:
I think the link above is not working, since there's no such a service called .../fiori on HCPms. The connection cannot be built and there's no log on HCPms side.
The question is, maybe /fiori is just a placeholder, what are we expected to put in this place? I think it's some service on HCPms that handles the parameter fioriURLIsSMP and appID .........
I know /odata/applications/v1/com.sap.fiori.hunter/Connections traditionally takes care of the registration but it doesn't recognize fioriURLIsSMP.
OK I've succeeded in this.
The URL is the Fiori LaunchPad URL, the parameters are for Fiori Client, not for the server side.
Example:
https://hcpms-xxxtrial.hanatrial.ondemand.com/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchPad.html?appid=com.sap.fiori.client&fioriURLIsSMP=true
hi John,
Thanks for the updated info.
Could you please comment on support of Fiori client for Microsoft surface(Windows NT) and Blackberry.
Regards,
Ajay
No plans to support BlackBerry. Windows 8.1 support is planned.
Thanks again.
I tried to test custom Fiori Client for HCPms trial version, appConfig.js follows:
"AppID": "com.sap.fioir.client",
"FioriURL": "https://hcpms-c5194000trial.hanatrial.ondemand.com/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html",
"FioriURLIsSMP": true,
"Auth": [{
"Type": "saml2.web.post",
"Config": {
"Saml2.web.post.authchallengeheader.name": "com.sap.cloud.security.login",
"Saml2.web.post.finish.endpoint.uri": "/ SAMLAuthLauncher",
"Saml2.web.post.finish.endpoint.redirectparam": "finishEndpointParam"
}
}]
SMP sdk version is sp06 pl02
Run-time error as follows:
2015-03-09 11:20:09.319 RDS Fiori Client[283:1303] SMP_AUTH_PROXY ERROR connection:willSendRequestForAuthenticationChallenge:, getMatchedCredential error: (null)
2015-03-09 11:20:09.364 RDS Fiori Client[283:1303] SMP_AUTH_PROXY ERROR populateClientIdentityListFromKeychain:, no identity item found
2015-03-09 11:20:09.372 RDS Fiori Client[283:1303] SMP_AUTH_PROXY ERROR connection:willSendRequestForAuthenticationChallenge:, Authentication Error: no client certificate available for mutual authentication
2015-03-09 11:21:20.686 RDS Fiori Client[283:3613] SMP_AUTH_PROXY ERROR connection:willSendRequestForAuthenticationChallenge:, getMatchedCredential error: (null)
2015-03-09 11:21:20.722 RDS Fiori Client[283:8047] SMP_AUTH_PROXY ERROR populateClientIdentityListFromKeychain:, no identity item found
2015-03-09 11:21:20.732 RDS Fiori Client[283:8047] SMP_AUTH_PROXY ERROR connection:willSendRequestForAuthenticationChallenge:, Authentication Error: no client certificate available for mutual authentication
2015-03-09 11:21:21.824 RDS Fiori Client[283:60b] webView:didFailLoadWithError - -999: The operation couldn’t be completed. (NSURLErrorDomain error -999.)
2015-03-09 11:21:30.019 RDS Fiori Client[283:60b] ER:MAFLogon Authentication needed for request! url: https://hcpms-c5194000trial.hanatrial.ondemand.com:443/odata/applications/v1/com.sap.fioir.client/ConnectionsresponseStatusCode:401 responseStatusMessage:HTTP/1.1 401 Unauthorized
2015-03-09 11:21:30.024 RDS Fiori Client[283:60b] ER:MAFLogon Registration failed
By the way, SAP Fiori client From app store test is ok. I guess problem from auth configuration from appConfig.js, What is the configuration with SAP Fiori Client?
What is the URL you are providing to the SAP Fiori Client from the app store?
The parameters on the URL mostly map to settings in the appConfig.js with the exception of the optional config portion used above when specifying SAML.
SAP Fiori Client set url:https://hcpms-c5194000trial.hanatrial.ondemand.com/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html?appid=com.sap.fiori.client&fioriURLIsSMP=true&authtype=saml2.web.post
Correction: I write the above error, AppID should be com.sap.fiori.client instead of com.sap.fioir.client.
Custom Fiori Client to see the effect is to open the page will not jump to SAML authentication page, and SAP Fiori Client will automatically jump to there.
Also, I use SMP SDK sp06 pl02, compiled by the Fiori Client version is displayed as 1.2.0.
The problem is resolved.
config.js change :
"Auth": [{
"Type": "saml2.web.post"
}]
Hi John,
thanks a lot for you Information.
I have an Issue with Fiori Client 1.2.3(from iTunes) in my system landscape. "Done"-Button is not displayed on the preview of attached documents for the standard fiori principal apps for erp 1.0 and it's not possible to close this view and navigate back to the app.
It was installed the standard fiori principal apps for erp 1.0 as embedded implementation without SMP.
My system landscape has follow components:
• SAP ERP 6.0 EHP6 (ABAP),
• SAP_BASIS SP13,
• SAP_ABA SP13,
• SAP NETWEAVER 7.03 SP13,
• SAP GATEWAY 2.0 (GW_CORE, IW_FND, IW_BEP) SP09,
• IW_PGW 06
• UI add-on for SAP EHP3 for SAP NETWEAVER 7.0 SP11,
• Fiori Principal Apps for SAP ERP 1.0 SP05.
If I test SAP Fiori Client 1.2.3 with the fiori apps for ERP in demo cloud, "Done"-button is displayed. Is any additional configuration activities or parameter settings should be done in launchpad config(LPD_CUST) based on SAP NetWeaver 7.0 EHP3?
What should I check in my implementation?
Best regards
Dmitry
Hey John.
Great post, Do you have some more details on the Authentication Scenarios when using the Appstore fiori client app for iOS ? It seems that a SMP server is required if you want X.509 authentication ?
//Lau
Without anticipating John's answer, it seems that there's currently a technical dependency on Afaria.
http://scn.sap.com/community/mobile/blog/2015/02/03/introducing-sap-fiori-client-12#comment-566899
SMP should not be necessary, SAP Mobile Secure would suffice.
Please correct me if I'm wrong, everybody
Cheers
Jens
Hey Jens. hope that John can guide us in the right direction. I was able to find this (But think it is only valid if you want to actually use it via SMP):
http://help.sap.com/saphelp_smp306sdk/helpdata/en/b2/99923cc0b94400acab320c812cc026/content.htm
The only thing about sso on the help page (SAP Fiori Client – SAP Help Portal Page) is:
SAP Fiori Client supports the standard Fiori SSO configuration. The application does not support basic authentication and will not operate in an environment where a self-signed certificate is used.
I wanted to comment on
"The application does not support basic authentication"
Can you mention where this is listed? I would like to get this corrected.
When I go to SAP Help Portal Page for version 1.2 (SAP Fiori Client – SAP Help Portal Page) and click on
Security Configuration>Authentication and Certificate Requirements
It says
The application supports Basic authentication and mutual authentication.
Regards,
Dan van Leeuwen
Dan,
indeed that help side mentions Basic authentication and mutual authentication. Is "mutual authentication" authentication via Client X.509 certificates? If so one could argue that the help page should sport a passage that mentions that the latter is only available when having SMP or Mobile Secure. I think the current wording is not particularly precise and even could be misleading.
If I got it wrong and authentication via Client X.509 certificates without SMP / Mobile Secure is supported (I tried myself and had no luck) then I will be more than happy to stand corrected 😆
If mutual authentication means something completely different in the context of the help file, it would be great if you (SAP?) could clarify.
Many thanks and kind regards
Jens
Hey Daniel.
Thanks for the fast response
It is listed in the RDS for fiori:
If you look at the document MF7_NWG20_BB_ConfigGuide_EN_XX (MF7 – Mobilizing Fiori Apps) in the RDS it states that:
SAP Fiori Client supports the standard Fiori SSO configuration. The application does not support basic authentication and will not operate in an environment where a self-signed certificate is used. So before running SAP Fiori Client, you can import the Launchpad CA certificate to the device trust list (refer Appendix – Import CA Root Certificates).
In this section, you can learn more about how to initialize the configuration.
The guide you are referencing is to me more a user guide than an admin guide. As Jens writes, I am really interested in a matrix that states what authentication the appstore client supports, and what authentication the custom fiori client with and without SMP supports.
Hi Lau,
The Fiori RDS document you quoted is from Q1/2015 release, and the Fiori Client version by then was much earlier. This also explains why in the past the help portal stated the same but now it's different.
I think later in the RDS document we need to mention the Fiori Client version to avoid confusion.
Regards
Hunter
Hi John
We are planning to put this client on our Enterprise App store which is managed by Apperian and distribute to the end users. We also want to pre-configure the production url of Fiori before distributing.
Seems like the end url is not configurable by Apperian. The fiori client does not allow.
Is it possible only with Afaria or Mobile Place? Can't other MAM solutions configure the end url.
Regards
Sandip
If you wish to pre-configure the Fiori URL before placing the app on your enterprise app store, one option would be to create a custom Fiori App that has the Fiori URL specified in it. This would be specified in the appConfig.js file. See
Getting Started with Kapsel - Part 14 -- SAP Fiori Client (New in SP04)
for further details on how to build the custom SAP Fiori Client.
I have not myself tried this but I believe you can use a device management solution such as SAP Afaria or others to configure similar settings that are in the appConfig.js file on iOS.
1. If the MDM supports JSON format, then Create your JSON object and a version as follow:
Ex:
config={
"appID":"fiori",
"fioriURL":"https://<your-host>/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html?sap-client=100&sap-language=EN",
"fioriURLIsSMP":false,
"passcodePolicy":{}
}
2. If the MDM does not support JSON, then convert the above json to base64
Ex:
Convert this:
{
"appID":"fiori",
"fioriURL":"https://<your-host>/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html?sap-client=100&sap-language=EN",
"fioriURLIsSMP":false,
"passcodePolicy":{}
}
To something like that below:
eyANCiJhcHBJRCI6ImZpb3JpIiwNCiJmaW9yaVVSTCI6Imh0dHBzOi8vb
GRjaXUzZS53ZGYuc2FwLmNvcnA6NDQzMjYvc2FwL2JjL3VpNV91aTUvd
WkyL3VzaGVsbC9zaGVsbHMvYWJhcC9GaW9yaUxhdW5jaHBhZC5odG1
sP3NhcC1jbGllbnQ9MTAwJnNhcC1sYW5ndWFnZT1FTiIsDQoiZmlvcmlV
UkxJc1NNUCI6ZmFsc2UsDQoicGFzc2NvZGVQb2xpY3kiOnt9DQp9DQo=
3. In this case after you do the base64 conversion, you need to add the version parameter so it should look like this:
version=1
config= eyANCiJhcHBJRCI6ImZpb3JpIiwNCiJmaW9yaVVSTCI6Imh0dHBzOi8vb
GRjaXUzZS53ZGYuc2FwLmNvcnA6NDQzMjYvc2FwL2JjL3VpNV91aTUvd
WkyL3VzaGVsbC9zaGVsbHMvYWJhcC9GaW9yaUxhdW5jaHBhZC5odG1
sP3NhcC1jbGllbnQ9MTAwJnNhcC1sYW5ndWFnZT1FTiIsDQoiZmlvcmlV
UkxJc1NNUCI6ZmFsc2UsDQoicGFzc2NvZGVQb2xpY3kiOnt9DQp9DQo=
Hope that helps,
Dan van Leeuwen
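The three steps in the comment above, as an added example that is not part of the original comment or of any SAP tool: it builds the version and config values from the JSON object, then decodes and validates the blob again before it goes into an MDM console. The key names and version=1 come from the comment; the function names, the type checks, the https rule and the placeholder check are assumptions of this example, and the host fiori.example.com is constructed.

```javascript
// Added illustration: encode a managed app configuration for an MDM that
// only accepts strings, and verify a blob before deploying it.

const EXPECTED_TYPES = {
  appID: 'string',
  fioriURL: 'string',
  fioriURLIsSMP: 'boolean',
  passcodePolicy: 'object',
};

function validateConfig(cfg) {
  if (cfg === null || typeof cfg !== 'object' || Array.isArray(cfg)) {
    throw new Error('config must be a JSON object');
  }
  for (const [key, type] of Object.entries(EXPECTED_TYPES)) {
    const value = cfg[key];
    if (typeof value !== type || value === null || Array.isArray(value)) {
      throw new Error(key + ' must be of type ' + type);
    }
  }
  // Catch a template that was deployed without replacing <your-host>.
  if (/[<>]/.test(cfg.fioriURL)) {
    throw new Error('fioriURL still contains a placeholder');
  }
  let url;
  try {
    url = new URL(cfg.fioriURL);
  } catch (e) {
    throw new Error('fioriURL is not a valid URL');
  }
  if (url.protocol !== 'https:') {
    throw new Error('fioriURL must use https');
  }
  return cfg;
}

// Steps 2 and 3: JSON -> base64, plus the version parameter.
function encodeManagedConfig(cfg) {
  validateConfig(cfg);
  const json = JSON.stringify(cfg);
  return {
    version: '1',
    config: Buffer.from(json, 'utf8').toString('base64'),
  };
}

// Reverse direction: what will the client actually receive?
function decodeManagedConfig(payload) {
  if (String(payload.version) !== '1') {
    throw new Error('unsupported version');
  }
  // Blobs pasted from e-mail or a web page are often wrapped across
  // lines, so whitespace is removed before the strict base64 check.
  const b64 = String(payload.config).replace(/\s+/g, '');
  if (b64.length === 0 || b64.length % 4 !== 0 ||
      !/^[A-Za-z0-9+/]*={0,2}$/.test(b64)) {
    throw new Error('config is not valid base64');
  }
  let cfg;
  try {
    cfg = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  } catch (e) {
    throw new Error('decoded config is not valid JSON');
  }
  return validateConfig(cfg);
}

// Constructed sample input.
const sampleConfig = {
  appID: 'fiori',
  fioriURL: 'https://fiori.example.com/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html?sap-client=100&sap-language=EN',
  fioriURLIsSMP: false,
  passcodePolicy: {},
};
const samplePayload = encodeManagedConfig(sampleConfig);
console.log('version=' + samplePayload.version);
console.log('config=' + samplePayload.config);
```

Decoding a blob before deployment shows exactly which host and settings it carries, which is worth doing for any base64 value copied from another source.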
Hey Daniel.
Do you know if this can be done for the appstore version of the SAP Fiori Client ?
I have not myself tried it but that is my understanding that yes you can configure the initial URL of the Fiori Client from the App Store or a custom build on iOS using MDM.
Regards,
Dan van Leeuwen
Do you know anyone who has tried it ? I tried to configure this in SAP Mobile Secure without any luck :/
There are multiple users with the problem:
SAP Fiori client deployment using MobileIron
//Lau
I believe Ali Chalhoub has tried this. Ali, any comments or pointers?
Dan van Leeuwen
We have done this with other customers and it worked fine.
Hey Daniel.
I am now able to configure the launchpad url using SAP Mobile Secures Managed App Configuration:
Think I configured the url incorrectly the first time around.
Thanks for all your help 🙂
Hey Daniel.
Do you know if it would be to possible to get the Fiori Client app to remember the user's credentials (with or without custom coding) ? or would it be possible to push the user name and password to the device using managed app configurations ?
//Lau
When the Fiori App is proxied through an SMP server it is possible to configure the SMP server to use a SSO mechanism so that the credentials (user name and password) provided to the SMP server during registration are passed on to the Fiori App.
I am not sure about the managed app configurations question. Which MDM product are you using?
In a future SP after SP08, we are looking at adding a feature to remember what client certificate was selected by a user when accessing a Fiori App that requires an X.509 certificate. Currently if the app is removed from memory the user would need to re-select the client certificate used for authentication.
Regards,
Dan van Leeuwen
Great news, generally speaking. However, would that mean that authenticating using an X.509 certificate would work with the vanilla Fiori client from the App Store / Google Play? Or would one still need SAP SSO for this?
Kind regards
Jens
SMP just needs to be configured with X.509 Authentication and this would be supported with the Application for iTunes or Google Play Store. Example URL using prebuilt client would be like:
https://MySMPServer.corp:8080/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html?appid=my.x509.app&fioriURLIsSMP=…
Starting in Fiori Client 1.3 (just released), SMP is no longer required for X509.
Thanks Kevin for your update on this.
I understood that with Fiori Client 1.2 you could use SMP as target for your vanilla fiori client and specify a client certificate along within the URL.
However, I'm not sure about Fiori client 1.3. What would be needed (infrastructure wise) to have the client using a X.509 certificate? I tried with an iOS device that had a client certificate deployed on. Our FES is set to accept that certificate. This works when simply opening the launchpad URL from FES in mobile safari. However, it does not work with vanilla Fiori 1.3 client. Beware. We don't own SMP hence not proxying through SMP but direct access to FES.
Many thanks. Any input is much appreciated.
My understanding is that when an iOS device or simulator has installed a client certificate onto the device that certificate is only available to apps that were signed by the Apple's developer certificate such as Mail and Mobile Safari.
See https://developer.apple.com/library/ios/qa/qa1745/_index.html
If you happen to have SAP Afaria in your landscape, that can be used to supply the SAP Fiori Client with the appropriate certificate. In Fiori Client 1.3, this is enabled by adding the following parameter &certificate=com.sap.afaria to the fioriURL in the Fiori Client.
If you are building the SAP Fiori Client, you can create a certificate provider that would work with another third party MDM solution, or you could create a separate app that obtains access to the certificate and then shares it with the custom SAP Fiori Client using the keychain sharing feature within Xcode.
Hope that helps,
Dan van Leeuwen
Thanks a bunch, Dan, that made some things considerably clearer.
Unfortunately we don't have Afaria in our landscape, as we're rolling MobileIron. So I suppose providing the vanilla Fiori 1.3 client just using the URL parameter &certificate is not gonna work, right?
On building our own Fiori client: Would we need SMP entitlement and an SMP server running as outlined here Setting Up the Development Environment - Developer - SAP Library? I suppose yes, is that correct?
Many thanks again for responding so quickly.
Cheers
Jens
<<I suppose providing the vanilla Fiori 1.3 client just using the URL parameter &certificate is not gonna work, right?
Correct
<<On building our own Fiori client: Would we need SMP
No, the SMP server is optional. It can be used to enable offline OData support, Push notifications, different security options etc.
I believe one approach would be to build a custom SAP Fiori Client and then use the X 509 Certificate Provider Interface with your MDM solution to provide the X 509 certificate to the SAP Fiori Client. In SP08 of the SDK, you could specify &certificate=com.example.certificatefromfileprovider.CustomCertificateProvider to the fioriURL.
I have tried something sort of similar on Android but in a regular Cordova/Kapsel app.
Using the X.509 Certificate Provider to Register using a Client Certificate
Note that as of SP08 of the SDK, the Certificate Provider interface does not require registering with an SMP server. I believe it integrates via the &certificate fioriURL parameter.
The other approach would be to do keychain sharing between an app that somehow acquires the cert and your custom built SAP Fiori Client.
One other point to clarify is that the certificate= parameter is to be used with the name of a certificate provider and not the name of a certificate.
Regards,
Dan van Leeuwen
Thanks again Dan. Good to know one would not need an SMP Server. Do you by chance know if the "Trial Entitlement" for Mobile SDK (currently unfortunately only SP 7) from the SAP store would suffice for building our custom Fiori client or would we need to contact our sales rep?
Will try to get my head around the different possibilities
Thanks again
I believe the SP07 trial SDK would be sufficient to implement the key chain sharing approach with a custom SAP Fiori Client.
If you were to create a certificate provider, I believe that in SP07, it required registering with an SMP server. That restriction was removed in SP08 if I am not mistaken.
Dan
Hi Lau,
I tried to add the config as below to config, but it shows Error!. Did you encounter this before? It didn't show what the error is. This is the value that I inserted.
{"appID":"fiori","fioriURL":"http://URL/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html?sap-client=800&sap-language=EN","fioriURLIsSMP":false,"passcodePolicy":{}}
I need to embed the URL into the SAP Fiori Client app, so that when users launch it they don't need to set the URL, as it is already pre-configured.
Thanks.
Did you paste or type it ?
Paste it.
Just tried to type it. Also the same, with Error!
Tried with simple {"appID":"fiori"} also hit the error.
Hey Adrian.
I have no problems with pasting your config string. I am using Chrome and SAP Mobile Secure in the cloud.
//Lau
Sorry, previously I was using our own SAP Afaria, which hit the problem. Tried with Mobile Secure; it is working and I was able to push the SAP Fiori Client with the embedded URL. Thanks.
By the way, have you tried with Android? I tried to do the same thing, but the Managed App Configuration doesn't have the Add button.
Any idea how to do it for Android?
Thanks.
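A pre-flight check for a configuration string like the one pasted above, as an added example that is not part of the thread and not SAP's code. The key names and the certificate= parameter come from the comments; the function name checkFioriConfig, the individual checks and the fes.example host are assumptions.

```javascript
// Added example. Key names are from the thread; the checks are assumptions.
function checkFioriConfig(raw) {
  const findings = [];
  // Pasting through mail or chat tools can turn " into typographic quotes.
  if (/[\u201C\u201D\u2018\u2019]/.test(raw)) {
    findings.push("typographic quotes present");
  }
  let cfg;
  try {
    cfg = JSON.parse(raw);
  } catch (e) {
    findings.push("not parseable as JSON: " + e.message);
    return findings;
  }
  if (cfg === null || typeof cfg !== "object" || Array.isArray(cfg)) {
    findings.push("top level must be a JSON object");
    return findings;
  }
  if ("fioriURLIsSMP" in cfg && typeof cfg.fioriURLIsSMP !== "boolean") {
    findings.push("fioriURLIsSMP should be a boolean, not " + typeof cfg.fioriURLIsSMP);
  }
  if (typeof cfg.fioriURL !== "string") return findings;
  let url;
  try {
    url = new URL(cfg.fioriURL);
  } catch (e) {
    findings.push("fioriURL is not an absolute URL");
    return findings;
  }
  if (url.protocol !== "https:") {
    findings.push("fioriURL is not https: logon data crosses the network unencrypted");
  }
  // Per the thread, certificate= names a certificate provider, not a certificate.
  const provider = url.searchParams.get("certificate");
  if (provider !== null && /\.(p12|pfx|cer|crt|pem)$/i.test(provider)) {
    findings.push("certificate= looks like a certificate file, expected a provider name");
  }
  return findings;
}

// Constructed samples (hosts are placeholders).
const SAMPLES = [
  '{"appID":"fiori","fioriURL":"http://fes.example/FioriLaunchpad.html?sap-client=800","fioriURLIsSMP":false,"passcodePolicy":{}}',
  '{\u201CappID\u201D:\u201Cfiori\u201D}',
  '{"appID":"fiori","fioriURL":"https://fes.example/FioriLaunchpad.html?certificate=user.p12","fioriURLIsSMP":"false"}',
];
for (const s of SAMPLES) console.log(checkFioriConfig(s));
```

An empty result only means none of these checks fired; it does not prove the MDM console will accept the string.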
Hi John,
Great updates, I'm happy to see this keeps getting the attention it deserves.
Do you have any comments on caching and performance in Fiori Client and how that may be enhanced over time? For example, the SAPUI5 libraries, is there any way to keep those in the app rather than having to download them?
We tested many different scenarios, and decided that pre-packaging the UI5 libraries would help in the first iteration, but as soon as UI5 was updated on the back-end, you'd have to download the new version all over again, so not much benefit gained.
Not much more that I can say as I'm no longer the PM for the SAP Fiori Client.
Hey John,
Thanks for the updates and sorry to hear you're not the PM anymore. Who is the new one? Where did you move onto?
Hi John,
Great post.
A little update:
Current version of SAP Fiori Client is 1.2.4
Regards
Mariusz
John Wargo
Thanks for the post. I understand some apps aren't supported on mobile devices however - i.e. Order from Requisitions. Is there a list anywhere of the apps that are/are not supported on Mobile Devices?
Specifically, I didn't see anything in the documentation for the app, My Purchasing Document Items, regarding whether it's compatible on mobile devices.
Thanks!
Interesting article John, just wanted to ask about the license cost,
I know SAP Fiori on HTML 5 comes free in a proper ECC set up with NetWeaver etc. But is there any license cost per user to run the Fiori client such as
Look forward to the response