
Howto setup MobileSecure to authenticate against SAP Cloud Identity

Introduction

This guide describes what you need to configure in your SAP MobileSecure account so that MobilePlace (its end-user interface) as well as the MobileSecure Admin Portal authenticate against SAP Cloud Identity via SAML 2.0.

It describes the steps that were necessary for me to make it work; it might therefore not be complete or correct and might contain some unnecessary steps as well. This is not official product documentation of either SAP MobileSecure or SAP Cloud Identity – for further information see the MobileSecure Documentation and SAP Cloud Identity.

Goal

The goal of setting up SAML authentication is to be able to use the users managed in SAP Cloud Identity with your MobileSecure account as well. This removes the need to manage users and passwords within MobileSecure's own user store.

The final flow (an SP-initiated SAML login, with MobileSecure as the service provider and Cloud Identity as the identity provider) should be the following:

  1. The user enters the sapmobilesecure.com/sapmobileplace.com URL in the browser
  2. MobileSecure checks whether there is already an authenticated session for this browser
    1. If not, MobileSecure redirects the browser to Cloud Identity with a SAML authentication request
  3. Cloud Identity asks the user to authenticate with their Cloud Identity credentials
  4. After authentication Cloud Identity sends a signed SAML assertion back to MobileSecure via the browser
  5. MobileSecure validates the assertion, trusts the authentication performed by Cloud Identity and lets the user into MobilePlace or the MobileSecure Admin Portal.

Tasks

To enable MobileSecure SAML authentication with Cloud Identity, you’ll just have to do the following steps:

  1. Configure MobileSecure to trust your SAP Cloud Identity account
  2. Map attributes of the SAML assertion between SAP Cloud Identity and MobileSecure
  3. Configure SAP Cloud Identity to know and trust your MobileSecure account

Prerequisites

  • Working SAP Cloud Identity Account
  • Working productive MobileSecure Account (Note: SAML authentication feature is not enabled in Trial and Demo accounts)

Configuration within MobileSecure Admin

The first task is to configure MobileSecure so it knows everything about the SAML identity provider (IdP) and the assertions it issues.


  1. To make MobileSecure trust your Cloud Identity account you have to provide some details about the IdP. Get the metadata file of your SAP Cloud Identity account from https://<ACCOUNT_NAME>.ondemand.com/saml2/metadata (it contains the IdP's entityID, its single sign-on endpoints and the certificate used to sign assertions)
  2. In MobileSecure Admin: go to Account => Enterprise Access => Single-Sign On
  3. Load the metadata file of your SAP Cloud Identity account
  4. Now the trust is established in one direction: MobileSecure accepts assertions signed by Cloud Identity
  5. To continue with mapping the SAML assertion attributes, check "Extract user information from SAML Identity Provider"
  6. Click "Apply Changes"
  7. Click "Download Metadata" to get the Mobile Place Service Provider metadata file (you will need this later to make Cloud Identity trust your MobileSecure account)
  8. To actually activate this configuration on the MobileSecure side, you now have to enable it. Either AD/LDAP/cloud authentication or SAML can be active, not both, so switching denies access to every cloud- or AD/LDAP-authenticated user from that point on. Keep in mind that the MobileSecure Admin Portal uses the same SAML login (see below), so a mistake on the Cloud Identity side affects admin access too
  9. Go to Account => MobilePlace
  10. Select Single sign-on



Configuration within SAP Cloud Identity Admin

Now you need to let your Cloud Identity account know about your MobileSecure account and configure some settings.


  1. In the SAP Cloud Identity Admin Console (https://<ACCOUNT_NAME>.ondemand.com/admin): open Applications
  2. Add a new application for your Mobile Secure account
  3. Configure each section of the new application
  4. In the SAML 2.0 Configuration section: upload the Mobile Place Service Provider metadata file you downloaded from MobileSecure Admin
  5. In the Name ID Attribute section: select profile ID as Name ID attribute
  6. In SAML Assertion Attributes: enter the assertion attributes (the names you enter here must match the attribute names you map in MobileSecure exactly)
  7. In Default Attributes: set the default attributes (Note: this is optional; you can use these attributes e.g. as a filter on the Mobile Secure side, for more information see the MobileSecure Administration Guide)
  8. In the Identity Provider section: select "SAP Cloud Identity"
  9. On the Authentication and Access tab: set User Application Access to "Private"
  10. Note that you can also activate Two-Factor Authentication on this screen, see http://scn.sap.com/community/security/blog/2015/07/16/enable-two-factor-authentication-with-sap-cloud-identity-service for more details.
  11. Now everything is configured on both sides. The trust has been established in both directions.
  12. As a last (optional) step you can complete the attribute mapping; this allows the first and last name as well as the e-mail address to be prefilled when a user enters Mobile Place for the very first time. Go back to MobileSecure Admin: go to Account => Enterprise Access => Single-Sign On and hit the "Perform SSO-Test" button.
  13. This takes you to your Identity Provider's logon screen. After a successful logon you see a screen that lists all the attributes available in the SAML assertion and how they are mapped to Mobile Secure's user attributes.
  14. If you need to adjust this (maybe not all of the fields are mapped correctly), close this screen and click "Map Attributes"
  15. Fill in the fields and click OK (Note: be exact with the attribute names, including case, as they have to match the IdP configuration)
  16. You can run the test again and again until your mapping is correct and complete.
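Steps 6, 7 and 12 to 16 all hinge on the attributes the IdP puts into the assertion and the names under which MobileSecure expects them. The following Python script is an added example, not the product's own logic and not code from this guide: it parses a constructed SAML Response (tenant, SP entityID and the attribute names first_name, last_name and mail are assumptions), validates the audience and the validity window the way a service provider must, pulls the NameID (the profile ID selected in step 5) and the attributes, and applies a mapping like the one entered under "Map Attributes". A mapping entry whose spelling or case differs from the IdP attribute name is reported as missing together with its case-insensitive near match, which is the mistake the exact-name note in step 15 is about. It does not verify the XML signature; MobileSecure does that with the certificate from the IdP metadata.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {  # namespaces of a SAML 2.0 Response / Assertion
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Assumed entityID of the MobilePlace service provider (in a real setup it is in the SP
# metadata downloaded from MobileSecure Admin); placeholder value.
SP_ENTITY_ID = "https://example.sapmobileplace.com/saml/metadata"

# Mapping as entered under "Map Attributes": MobileSecure user field -> name of the SAML
# attribute Cloud Identity sends. The attribute names are assumptions for this example.
MAPPING = {"first_name": "first_name", "last_name": "last_name", "email": "mail"}

# Constructed SAML Response for a user whose Cloud Identity profile ID is P000123.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2015-07-20T10:00:00Z">
  <saml:Issuer>https://example-tenant.ondemand.com</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-07-20T10:00:00Z">
    <saml:Issuer>https://example-tenant.ondemand.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">P000123</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2015-07-20T09:59:00Z" NotOnOrAfter="2015-07-20T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://example.sapmobileplace.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="first_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="last_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="mail"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>Sales</saml:AttributeValue><saml:AttributeValue>Mobile</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def _saml_time(value):
    """Parse a SAML UTC timestamp such as 2015-07-20T10:05:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_assertion(xml_text, expected_audience, now):
    """Return issuer, NameID, attributes and condition violations of the first assertion.

    The XML signature is deliberately not checked here: the SP product does that against the
    certificate from the IdP metadata. This only inspects what the assertion carries.
    """
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no saml:Assertion")
    problems = []
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if "NotBefore" in cond.attrib and now < _saml_time(cond.attrib["NotBefore"]):
            problems.append("assertion not yet valid (NotBefore)")
        if "NotOnOrAfter" in cond.attrib and now >= _saml_time(cond.attrib["NotOnOrAfter"]):
            problems.append("assertion expired (NotOnOrAfter)")
        audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected_audience not in audiences:
            problems.append("audience mismatch: %s not in %s" % (expected_audience, audiences))
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.attrib["Name"]] = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    return {"issuer": issuer, "name_id": name_id, "attributes": attrs, "problems": problems}


def map_attributes(attrs, mapping):
    """Apply the MobileSecure mapping; attribute names must match the IdP config exactly."""
    mapped, missing = {}, []
    by_lower = {name.lower(): name for name in attrs}
    for field, wanted in mapping.items():
        if attrs.get(wanted):
            mapped[field] = attrs[wanted][0]
        else:  # report the case-insensitive near match, the usual cause of a "missing" attribute
            missing.append((field, wanted, by_lower.get(wanted.lower())))
    unmapped = sorted(name for name in attrs if name not in mapping.values())
    return mapped, missing, unmapped


def sso_test(xml_text, mapping, expected_audience, now):
    """Offline equivalent of the "Perform SSO-Test" screen: what MobileSecure would see."""
    parsed = parse_assertion(xml_text, expected_audience, now)
    mapped, missing, unmapped = map_attributes(parsed["attributes"], mapping)
    return {"name_id": parsed["name_id"], "issuer": parsed["issuer"], "mapped": mapped,
            "missing": missing, "unmapped": unmapped, "problems": parsed["problems"]}


if __name__ == "__main__":
    now = datetime(2015, 7, 20, 10, 0, 30, tzinfo=timezone.utc)
    for key, value in sso_test(SAMPLE_RESPONSE, MAPPING, SP_ENTITY_ID, now).items():
        print("%-9s %s" % (key + ":", value))
```

The `missing` entries are the ones to fix in "Map Attributes": the third element of each tuple tells you whether the IdP actually sends the attribute under a differently cased name, and `unmapped` lists what the IdP sends that no MobileSecure field consumes, which is what the SSO-Test screen shows you after a logon.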

See it working

All the configuration work has been done, now you can test it out.

For MobilePlace

  • Open https://<MOBILESECURE_ACCOUNT>.sapmobileplace.com and you should immediately be forwarded to the IdP login
  • Log on with a user of the IdP
  • When logging into MobilePlace for the very first time, the user's profile details (first name, last name, e-mail address) will be prefilled from the assertion (if the mapping has been set up)
  • Then you should be taken to MobilePlace

For the MobileSecure Admin

  • You don't have to do any additional configuration. Just use your account-specific admin URL (https://<ACCOUNTNAME>-portal.sapmobilesecure.com) and you will be redirected to Cloud Identity for authentication. The flow is the same as for MobilePlace.
  • Note: Obviously the user you are trying to log in with needs to have an administrative role within MobileSecure.

Conclusion

This Howto Guide showed the steps necessary to configure SAP MobileSecure to work with SAP Cloud Identity for MobilePlace and MobileSecure Admin. There are some details to take care of (e.g. names of Assertion Attributes that need to exactly match, account specific link for MobileSecure Admin), so please keep these in mind.
