How to set up MobileSecure to authenticate against SAP Cloud Identity
This guide describes what you need to configure in your SAP MobileSecure account so that MobilePlace (its end user interface) as well as the MobileSecure Admin Portal authenticate against SAP Cloud Identity.
It describes the steps that were necessary for me to make it work, so it might not be complete or correct and might contain some unnecessary steps as well. This is not official product documentation for either SAP MobileSecure or SAP Cloud Identity; for further information see the MobileSecure Documentation and SAP Cloud Identity.
The goal of setting up SAML authentication is to be able to use the users managed in SAP Cloud Identity with your MobileSecure account as well. This removes the need to manage users and passwords in MobileSecure’s own user store.
The final flow should be the following:
- User enters the sapmobilesecure.com/sapmobileplace.com URL in the browser
- MobileSecure checks if there is already an authenticated session for this browser
- If not, MobileSecure redirects to Cloud Identity
- Cloud Identity asks the user to authenticate with his/her Cloud Identity credentials
- After authentication Cloud Identity redirects to MobileSecure
- MobileSecure trusts the authentication being done by Cloud Identity and lets the user enter MobilePlace/MobileSecure Admin Portal.
To enable MobileSecure SAML authentication with Cloud Identity, you’ll just have to do the following steps:
- Configure MobileSecure to trust your SAP Cloud Identity account
- Map attributes of the SAML assertion between SAP Cloud Identity and MobileSecure
- Configure SAP Cloud Identity to know and trust your MobileSecure account
Prerequisites
- Working SAP Cloud Identity Account
- Working productive MobileSecure Account (Note: the SAML authentication feature is not enabled in Trial and Demo accounts)
Configuration within MobileSecure Admin
The first task is to configure MobileSecure so it knows everything about the SAML IdP and its response.
- To make MobileSecure trust your Cloud Identity account you’ll have to provide some details. You need the metadata file of your SAP Cloud Identity account, available at https://<ACCOUNT_NAME>.ondemand.com/saml2/metadata
- In MobileSecure Admin: Go to Account => Enterprise Access => Single-Sign On
- Load metadata file of SAP Cloud Identity account
- Now the trust is established in one direction
- To continue with mapping the SAML assertion attributes, check “Extract user information from SAML Identity Provider”
- Click “Apply Changes”
- Click “Download Metadata” to get the Mobile Place Service Provider Metadata file (you’ll need this later to make Cloud Identity trust your Mobile Secure account)
- To actually activate this configuration on the MobileSecure side, you now have to enable it. Either AD/LDAP/cloud authentication or SAML can be active, never both, so switching this will deny access to any user who authenticates via cloud or AD/LDAP
- Go to Account => MobilePlace
- Select Single sign-on
Configuration within SAP Cloud Identity Admin
Now you need to let your Cloud Identity account know about your MobileSecure account and configure some settings.
- In SAP Cloud Identity Admin Console (https://<ACCOUNT_NAME>.ondemand.com/admin): Open Applications
- Add a new application for your Mobile Secure account
- Configure each section of the new app
- In SAML 2.0 Configuration Section: Upload the Mobile Place Service Provider Metadata file
- In Name ID Attribute Section: Select profile ID as Name Id attribute
- In SAML Assertion Attributes: Enter these Assertion Attributes
- In Default Attributes: Set these default attributes (Note: This is optional, you can use these attributes e.g. as a filter on the Mobile Secure side, for more information see MobileSecure Administration Guide)
- In Identity Provider Section: Select “SAP Cloud Identity”
- On the Authentication and Access Tab: Set the User Application Access to “Private”
- Note that you can also activate Two-Factor Authentication on this screen, see http://scn.sap.com/community/security/blog/2015/07/16/enable-two-factor-authentication-with-sap-cloud-identity-service for more details.
- Now everything is configured on both sides. The trust has been established in both directions.
- As a last (optional) step you can complete the attribute mapping. This allows the first name, last name and email address to be prefilled when a user enters Mobile Place for the very first time. Go back to MobileSecure Admin: Go to Account => Enterprise Access => Single-Sign On and hit the “Perform SSO-Test” button.
- This will take you to your Identity Provider’s logon screen. After a successful logon you’ll see a screen like this, which lists all the available attributes of the SAML Assertion and how they are mapped to Mobile Secure’s user attributes.
- If you need to adjust this (maybe not all of the fields are mapped correctly), close this screen and click “Map Attributes”
- Fill the fields as shown below and click OK. (Note: Be exact with the attribute names, as they have to match the IdP configuration)
- You can run the test again and again until your mapping is correct and complete.
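The exact-match requirement on attribute names is the part of this mapping step that most often goes wrong. The following is an added illustration, not code from the guide or from SAP: it pulls the NameID and the attribute statement out of a constructed assertion fragment and checks a MobileSecure-style field mapping against it, reporting names that do not match exactly (a case mismatch such as `Mail` vs `mail` is flagged with a hint). All attribute and field names here are hypothetical; use the ones shown in your own Cloud Identity and MobileSecure configuration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion fragment (not a real Cloud Identity response).
# A real SP validates the response signature before reading any of this.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>P000001</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml):
    """Return (NameID, {attribute Name: value or [values]}) from an assertion."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values[0] if len(values) == 1 else values
    return name_id, attrs


def map_attributes(attrs, mapping):
    """mapping: SP user field -> SAML attribute Name (hypothetical field names).

    Matching is exact and case-sensitive, as the SSO test expects. Returns
    (mapped fields, problems) where problems explains each unmatched field.
    """
    mapped, problems = {}, {}
    by_lower = {name.lower(): name for name in attrs}   # only used for hints
    for field, saml_name in mapping.items():
        if saml_name in attrs:
            mapped[field] = attrs[saml_name]
            continue
        hint = by_lower.get(saml_name.lower())
        msg = f"'{saml_name}' not found in assertion"
        if hint:
            msg += f" (assertion carries '{hint}'; names must match exactly)"
        problems[field] = msg
    return mapped, problems


if __name__ == "__main__":
    name_id, attrs = extract_attributes(SAMPLE_ASSERTION)
    mapping = {"firstName": "first_name", "lastName": "last_name", "email": "Mail"}
    mapped, problems = map_attributes(attrs, mapping)
    print("NameID:", name_id, "\nmapped:", mapped, "\nproblems:", problems)
```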
See it working
All the configuration work has been done, now you can test it out.
- Open https://<MOBILESECURE_ACCOUNT>.sapmobileplace.com and you should immediately be forwarded to the IDP Login
- Logon with a user of the IDP
- When logging into MobilePlace for the very first time, your user details will be prefilled with the details from the Assertion (if the mapping has been set up)
- Then you should be taken to MobilePlace
For the MobileSecure Admin
- You don’t have to do any additional configuration. You just have to use your account-specific admin URL (https://<ACCOUNTNAME>-portal.sapmobilesecure.com) to be redirected to Cloud Identity for authentication. You’ll get the same flow as for MobilePlace.
- Note: Obviously the user you are trying to log in with needs to have an administrative role within MobileSecure.
This how-to guide showed the steps necessary to configure SAP MobileSecure to work with SAP Cloud Identity for MobilePlace and the MobileSecure Admin. There are some details to take care of (e.g. the names of the Assertion Attributes need to match exactly, and the MobileSecure Admin link is account-specific), so please keep these in mind.