
Appendix N:  Using SAML with Kapsel

Support for Security Assertion Markup Language (SAML) was added to Kapsel in SP05 of the SDK.  The on-premise version of the SMP server added support for SAML in SP05.

The following samples were created using SP07 PL01 of the SDK.

Here are a few terms that are used with SAML.
An identity provider maintains a directory of users and provides authentication.
A service provider is the web site or service that is being accessed.
A user is the person who has an account with the identity provider.

When a user logs in with the identity provider, a SAML token is returned that grants access to an application for a certain length of time.  If the SAML token is compromised, it is only valid for a limited length of time and only against a specific application.  Multiple applications can use the same identity provider, so a single user name and password, or perhaps even a biometric such as a fingerprint, can be used for all of them.
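As an added illustration of the validity window and audience restriction described above (example code, not part of the original post): a SAML 2.0 assertion carries a Conditions element with NotBefore and NotOnOrAfter timestamps and an AudienceRestriction, and the service provider rejects the assertion when the current time falls outside that window or the audience is not its own entity ID.  The assertion text, issuer, audience and timestamps below are constructed placeholders, and the extraction is deliberately limited to the Conditions element; a real service provider verifies the XML signature first, with a proper SAML library and a hardened XML parser.

```javascript
// Added example (not from the original post): check the Conditions element of a
// SAML 2.0 assertion, i.e. the validity window and audience restriction that
// bound what a leaked token can be used for.
// The assertion below is constructed for illustration; issuer, audience and
// timestamps are invented placeholders.
const SAMPLE_ASSERTION = `
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0" IssueInstant="2015-07-29T11:10:00Z">
  <saml:Issuer>https://idp.example.test/idp</saml:Issuer>
  <saml:Conditions NotBefore="2015-07-29T11:10:00Z" NotOnOrAfter="2015-07-29T11:15:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://smp.example.test/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>`;

// Pull NotBefore, NotOnOrAfter and the Audience list out of the Conditions element.
// Simplified on purpose: the signature is assumed to have been verified already and
// the element is located with a regular expression rather than an XML parser.
function extractConditions(assertionXml) {
  const cond = assertionXml.match(
    /<(?:\w+:)?Conditions\b([^>]*)>([\s\S]*?)<\/(?:\w+:)?Conditions>/
  );
  if (!cond) throw new Error("assertion has no Conditions element");
  const attr = (name) => {
    const m = cond[1].match(new RegExp(name + '="([^"]*)"'));
    return m ? m[1] : null;
  };
  const audiences = [];
  const audienceRe = /<(?:\w+:)?Audience>([^<]*)<\/(?:\w+:)?Audience>/g;
  let m;
  while ((m = audienceRe.exec(cond[2])) !== null) audiences.push(m[1].trim());
  return { notBefore: attr("NotBefore"), notOnOrAfter: attr("NotOnOrAfter"), audiences };
}

// Evaluate the conditions at time `nowIso` for the service provider `expectedAudience`.
// A small clock-skew allowance covers minor time differences between IdP and SP.
// Returns a list of problems; an empty list means the conditions are satisfied.
function checkConditions(conditions, expectedAudience, nowIso, skewSeconds = 60) {
  const now = Date.parse(nowIso);
  const skew = skewSeconds * 1000;
  const problems = [];
  if (conditions.notBefore && now + skew < Date.parse(conditions.notBefore)) {
    problems.push("assertion not yet valid");
  }
  if (conditions.notOnOrAfter && now - skew >= Date.parse(conditions.notOnOrAfter)) {
    problems.push("assertion expired");
  }
  if (conditions.audiences.length === 0 || !conditions.audiences.includes(expectedAudience)) {
    problems.push("assertion not issued for this service provider");
  }
  return problems;
}

// Usage: a token presented five minutes after it expired is rejected even though
// it is otherwise well-formed, which is what limits the damage of a stolen token.
const sampleConditions = extractConditions(SAMPLE_ASSERTION);
console.log(checkConditions(sampleConditions, "https://smp.example.test/", "2015-07-29T11:12:00Z"));
console.log(checkConditions(sampleConditions, "https://smp.example.test/", "2015-07-29T11:20:00Z"));
console.log(checkConditions(sampleConditions, "https://other.example.test/", "2015-07-29T11:12:00Z"));
```

The same check run for a different service provider fails on the audience even inside the validity window, which is the "specific application" part of the statement above.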

For additional details on SAML see SAML 101 Video and Enabling Secure Onboarding Using SAML.

The following steps demonstrate how to configure the Logon example from the HCPms section to use SAML as the authentication provider for the application.

  • Using the HANA Mobile service cockpit, modify the Security Configuration of the application com.mycompany.logon from None to Form.  Form indicates SAML should be used.  The identity provider for the HCPms trial server is
    https://accounts.sap.com/saml2/idp/sso/accounts.sap.com

    and it requests your SCN user name and password.

  • Modify the context variable in LogonDemo\www\index.html to indicate that SAML should be used by adding:
        "auth": [
            {
                "type": "saml2.web.post"
            }
        ],

  • Copy the files to the platform directory by running
    cordova -d prepare
  • Use the Android IDE or Xcode to deploy and run the project.

    Note, if the Remember me checkbox is checked, a cookie will be set that will remain valid for three months so the user name and password will not need to be re-entered.


The following steps demonstrate how to configure the SMP server to work with an identity provider and then use that identity provider as an authentication provider for the Logon sample.  The identity provider used in this section is a hosted solution from SSOCircle, which offers free account registration to its hosted identity provider as well as paid offerings.

Other identity providers include Microsoft Active Directory Federation Services and Identity Provider for SAP Single Sign-On.

  • Register with SSOCircle.
  • Once registered, note the user id and remember your password.

    Choose Manage Metadata > SSOCircle Public IDP Metadata.

    Save the XML as

    c:\temp\saml\idp.ssocircle.com.xml
  • In the SMP server’s management cockpit choose Settings > SAML > Local Service Provider.
    Provide a unique name and a Base URL that is the fully qualified host name of the SMP server.

    Click on Generate Key Pair.
    Click Save.
    Click Get Metadata.  Copy that file to the following location.

    C:\temp\saml\smp-metadata.xml
  • In the SMP server’s management cockpit choose Settings > SAML > Trusted Identity Provider > New.  For the Metadata File, click the browse button and choose
    c:\temp\saml\idp.ssocircle.com.xml


  • In the SSOCircle website choose Manage Metadata and click on Add new Service Provider.
  • Modify the application with the id of com.mycompany.logon to use a SAML Authentication provider.

    Note the Identity Provider Name can be determined by examining Settings > SAML > Trusted Identity Provider > Name.

  • Modify the host variable so that it points to your on-premise server, and ensure that the port is the HTTPS port and https is true.
    Modify the context variable in LogonDemo\www\index.html to indicate that SAML should be used by adding:
        "auth": [
            {
                "type": "saml2.web.post",
                "config": {
                    "saml2.web.post.authchallengeheader.name": "com.sap.cloud.security.login",
                    "saml2.web.post.finish.endpoint.uri": "/SAMLAuthLauncher",
                    "saml2.web.post.finish.endpoint.redirectparam": "finishEndpointParam"
                }
            }
        ],


    Note the config section is optional.  For additional details see Enabling Secure Onboarding Using SAML.

  • Copy the files to the platform directory by running
    cordova -d prepare
  • Use the Android IDE or Xcode to deploy and run the project and after successfully registering examine the registration in the management cockpit.
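The two procedures above both come down to the Logon context object in index.html: host, port, https and an auth array whose single entry has type saml2.web.post, with an optional config section.  The following is an added example, not code from the original post or from the Kapsel SDK, that builds that context for both the HCPms and the on-premise variant and then checks it for the mistakes that cause registration to hang or fail (an IP address instead of the fully qualified host name over HTTPS, SAML requested without https, a mistyped auth type, a config key that is not a saml2.web.post setting).  The host names and port numbers in the sample contexts are placeholders, and the rule set is this example's own, derived from the steps and notes on this page rather than from the SDK.

```javascript
// Added example (not from the original post or the Kapsel SDK): build and sanity
// check a Kapsel Logon context for SAML registration.
const SAML_AUTH_TYPE = "saml2.web.post";

// The on-premise config section shown in the steps above.  It is optional; the
// HCPms variant only needs the auth type.
const ONPREM_SAML_CONFIG = {
  "saml2.web.post.authchallengeheader.name": "com.sap.cloud.security.login",
  "saml2.web.post.finish.endpoint.uri": "/SAMLAuthLauncher",
  "saml2.web.post.finish.endpoint.redirectparam": "finishEndpointParam"
};

// Build the context for a SAML registration. serverHost and serverPort are
// placeholders supplied by the caller; https is always true for SAML.
function buildSamlContext(serverHost, serverPort, samlConfig) {
  const authEntry = { type: SAML_AUTH_TYPE };
  if (samlConfig) authEntry.config = samlConfig;
  return { serverHost: serverHost, serverPort: serverPort, https: true, auth: [authEntry] };
}

// Return a list of problems with a context; an empty list means it passed.
// The rules are this example's own reading of the notes on this page.
function validateLogonContext(context) {
  const problems = [];
  if (typeof context.serverHost !== "string" || context.serverHost === "") {
    problems.push("serverHost is missing");
  } else if (/^\d{1,3}(\.\d{1,3}){3}$/.test(context.serverHost) && String(context.https) === "true") {
    problems.push("serverHost is an IP address; registration over HTTPS needs the fully qualified host name");
  }
  if (!Array.isArray(context.auth) || context.auth.length === 0) {
    problems.push("auth array is missing or empty");
    return problems;
  }
  context.auth.forEach((entry, i) => {
    if (entry.type !== SAML_AUTH_TYPE) {
      problems.push('auth[' + i + '].type is "' + entry.type + '", expected "' + SAML_AUTH_TYPE + '"');
      return;
    }
    if (String(context.https) !== "true") {
      problems.push("SAML logon requires https true and the server's HTTPS port");
    }
    if (entry.config) {
      for (const key of Object.keys(entry.config)) {
        if (!key.startsWith(SAML_AUTH_TYPE + ".")) {
          problems.push('auth[' + i + '].config key "' + key + '" is not a ' + SAML_AUTH_TYPE + " setting");
        }
      }
    }
  });
  return problems;
}

// The context literal pasted into index.html also has to be valid JSON; a comma
// after the last property is the usual reason a validator rejects it.
function contextIsValidJson(text) {
  try {
    JSON.parse(text);
    return true;
  } catch (e) {
    return false;
  }
}

// Usage with placeholder hosts: the first two pass, the rest show typical mistakes.
console.log(validateLogonContext(buildSamlContext("hcpms-trial.hanatrial.ondemand.com", 443)));
console.log(validateLogonContext(buildSamlContext("smp.example.test", 8081, ONPREM_SAML_CONFIG)));
console.log(validateLogonContext({ serverHost: "10.0.0.5", serverPort: 8081, https: true, auth: [{ type: SAML_AUTH_TYPE }] }));
console.log(validateLogonContext({ serverHost: "smp.example.test", serverPort: 8080, https: false, auth: [{ type: SAML_AUTH_TYPE }] }));
console.log(validateLogonContext({ serverHost: "smp.example.test", serverPort: 8081, https: true, auth: [{ type: "saml2.web.psot" }] }));
console.log(contextIsValidJson('{"type": "saml2.web.post",}'));
```

Running the checks before deploying gives a readable reason instead of the spinning register screen described in the comments.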

Back to Getting Started With Kapsel


26 Comments


  1. jitendra kansal

    Hi Dan,

    I am not able to reach the SMP host FQDN from mobile but am able to hit it through the SMP server IP. Not use URL as http://smpserverip:8080 instead of https://smpserverhost? (in both cases: Settings > SAML > LSP & while adding a new service provider)

    When I click on the Register button in the Logon app, I don't see the screen after; it has got stuck on the spinning page.

    Can you please attach the index.html file for this scenario?

    Regards,

    JK

    (0) 
    1. Daniel Van Leeuwen Post author

      Have you tried looking at the page with Web Inspector to see if there is an error reported?

      When modifying the context variable, make sure that each line ends with a comma except the last line.

      The following site is a good one to validate the JSON used in the context variable.  JSONLint – The JSON Validator.

      I believe you need to use the fully qualified domain name of the SMP server when you are using HTTPS.  If you attempt to register from the device to the SMP server using the ip address the registration will fail when using HTTPS.

      (0) 
  2. andre dourson

    Hi Daniel,

    Thanks for the awesome tutorial, it is really helpful. I wonder if you already managed to get SAML auth up and running with a load balancer + relay server on top of SMP?

    I managed to get the SAML auth working fine (with a lot of pain though) with the Microsoft IdP (ADFS3) together with SSO using X509 certificates/principal propagation.

    However, now that we added the load balancer and relay server on top of SMP, I don't know how to configure Kapsel to take care of these additional components. There is very little doc on the SAP side to explain the context parameter, so I am not sure which one to pick for my specific scenario.

    I'm looking for concrete examples of the parameters to pass in the context in order to enable the registration from Kapsel.

    Thanks in advance

    Andre

    (0) 
      1. andre dourson

        Thanks for the reply. In the meantime, I managed to find the right parameters in the context section, and the ADFS auth is working; however, I still cannot register my device as I've got an error 1005 “the network connection is lost”. Do you know if there is any setting on the Relay Server for session/connection reset or something like this? I believe that might be my issue now.

        A

        (0) 
      2. andre dourson

        OK, now that everything seems to work well, and in case someone is interested, here is the set of parameters to use to allow SAML auth through a Load Balancer + Relay Server.

        In Settings > SAML > Local Service Provider, configure the base URL like:

        https://<load balancer fqdn>:<port number>/cli/iarelayserver/<Farm ID>

        Please note that the /cli/iarelayserver path is only valid for a Linux RS; for Windows the path needs to be adjusted accordingly.

        In Kapsel, we added the following context info:

        var context = {
            "serverHost" : "<load balancer fqdn>",
            "https" : "true",
            "serverPort" : "<port number>",
            "farmId" : "<farmID>",
            "resourcePath" : "cli/iarelayserver"
        };

        context.auth = [
            {
                "type": "saml2.web.post",
                "config": {
                    "saml2.web.post.authchallengeheader.name": "com.sap.cloud.security.login",
                    "saml2.web.post.finish.endpoint.uri": "/SAMLAuthLauncher",
                    "saml2.web.post.finish.endpoint.redirectparam": "finishEndpointParam"
                }
            }
        ];

        (0) 
  3. Frankie Fan

    Hi Daniel,

    Do you know how to configure the IDP for applications hosted on HCPms?

    I can only configure the IDP on HCP cockpit.

    On HCPms cockpit there is no authentication tab to configure it.

    (0) 
  4. Frankie Fan

    Another question:

    When I use SSOCircle as the default IDP, I encounter the problem “Unable to do SSO or Federation”. Can anybody give some advice?

    (0) 
  5. Frankie Fan

    Hi Daniel,

    One question: I cannot obtain the user name from the registrationContext. After registering successfully, the returned registrationContext is as follows:

    {"https":true,"resourcePath":"","communicatorId":"REST","farmId":"0","serverPort":443,"activationCode":"","domain":"","securityConfig":"","mobileUser":"","password":"","serverHost":"hcpms-trial.hanatrial.ondemand.com","user":""}

    Could you give some advice? How can I get the user value?

    Thanks for your help. 😐

    (0) 
      1. Frankie Fan

        OK, Thanks for your reply.

        Now I want to use SCI(SAP Cloud Identity) as the IDP, and I need the user name to deal with some application logics. Do you have any advice? 

        Regards,

        Frankie Fan

        (0) 
  6. Chirag Chauhan

    Hi Daniel,

    I have setup the SMP server with required information for SAML authentication (SSOCircle as IdP).

    I am able to register the user successfully to SMP using Chrome Advanced REST Client. The parameters for REST Client are:

    URL: https://<SMP-Server-IP-Address>:8081/odata/applications/latest/<AppID>/Connections

    Header: {"Content-Type": "application/json"}

    Payload: {"DeviceType":"Windows"}

    Now I wanted to achieve the SMP registration using SAML SSO2 via HTTPS POST method. The code looks like this:

        var serverURL = smpServerProtocol + "://" + smpServerHost + ":" + smpServerPort;
        var sURL = serverURL + "/odata/applications/latest/" + applicationId + "/Connections";
        var oHeaders = {};
        oHeaders['Content-Type'] = "application/json";
        var connectionData = {
            DeviceType: "Windows"
        };
        console.log(sURL);
        var request = {
            headers: oHeaders,
            requestUri: sURL,
            data: connectionData,
            method: "POST"
        };
        OData.request(request, logonSuccessCallback, logonErrorCallback);

    The registration fails with error [Object object] and even there were no entries in SMP Cockpit logs.

    Please let me know if I am missing anything here.

    Thanks,

    Chirag.

    (0) 
      1. Chirag Chauhan

        Thanks Daniel for quick response.

        With Logon plugin, I am getting error as:

        LogonJsView.js: error sending initial SAML request{"exceptionCode":0,"exceptionDescription":"The certificate authority is invalid or incorrect"}

        (0) 
          1. Chirag Chauhan

            Thanks Daniel.

            I have done the required configuration for HTTPS. Now I am able to do SMP registration through SAML authentication using Logon plugin.

            Now I am trying to achieve the SMP registration using SAML SSO2 via HTTPS POST method. The code looks like this:

            var serverURL = smpServerProtocol + "://" + smpServerHost + ":" + smpServerPort;
            var sURL = serverURL + "/odata/applications/latest/" + applicationId + "/Connections";
            var oHeaders = {};
            oHeaders['Content-Type'] = "application/json";
            var connectionData = {
                DeviceType: "Windows"
            };
            console.log(sURL);
            var request = {
                headers: oHeaders,
                requestUri: sURL,
                data: connectionData,
                method: "POST"
            };
            OData.request(request, logonSuccessCallback, logonErrorCallback);

            I believe I am missing some header or data parameter to convey SAML authentication, but I am not sure how to set it.

            Any help/pointers will be appreciated.

            Thanks.

            (0) 
  7. Guru prasanna

    Hi Dan,

    I followed all the steps, but when I click on the register button it is throwing the below error and is stuck at that page itself. Please help here.

    07-29 11:13:22.322: E/SMP_AUTH_PROXY(1805): com.sap.mp.cordova.plugins.authProxy.AuthProxyException: The server certificate failed validation on client side. Details :java.security.cert.CertPathValidatorException: Trust anchor for certification path not found..

    07-29 11:13:22.790: I/Choreographer(1805): Skipped 36 frames!  The application may be doing too much work on its main thread.

    07-29 11:13:22.932: D/CordovaLog(1805): file:///android_asset/www/plugins/com.sap.mp.cordova.plugins.logon/www/common/modules/InAppBrowserUI.js: Line 225 : InAppBrowserUI.js: error sending initial SAML request{"errorCode":-109,"description":"The server certificate failed validation on client side. Details :java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.."}

    07-29 11:13:22.935: I/chromium(1805): [INFO:CONSOLE(225)] "InAppBrowserUI.js: error sending initial SAML request{"errorCode":-109,"description":"The server certificate failed validation on client side. Details :java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.."}", source: file:///android_asset/www/plugins/com.sap.mp.cordova.plugins.logon/www/common/modules/InAppBrowserUI.js (225)

    (0) 
  8. Chirag Chauhan

    Hi Daniel,

    I am using the Kapsel Logon plugin to register the user to SMP via SAML authentication. During the SAML authentication, the user provides a username and password in the Identity Provider login screen, and I was expecting to get the same username/password from authenticationContext.registrationContext. But then I found out that the user and password fields of authenticationContext.registrationContext are blank. Can you please let me know whether there is a way to get the username/password used during SAML authentication? If yes, then how?

    Thanks

    (0) 
    1. Frankie Fan

      Hi Chirag,

      I have asked this question before. Then, as Daniel said, we cannot get this info only by using the Logon plugin. And I haven't got a workaround.

      (0) 
