/wp-content/uploads/2015/07/sap_logo_752838.png

Howto setup MobileSecure to authenticate against Microsoft Active Directory Federation Service

Introduction

This guide describes what you need to configure in your SAP MobileSecure account, so MobilePlace (its end user interface) as well as the MobileSecure Admin Portal authenticates against MS Active Directory Federation Services

It describes the steps that were necessary for me to make it work, therefore might not be complete, correct or might have some unnecessary steps as well. This is not official product documentation of neither SAP MobileSecure nor MS ADFS – for further information see MobileSecure Documentation and Active Directory Federation Services

Goal

The goal of setting up SAML authentication is being able to use the MS AD managed users also with your MobileSecure account. This removes the necessity to manage users/passwords within MobileSecure’s own user store.

The final flow should be the following:

  1. User enters sapmobilesecure.com/sapmobileplace.com url in his browser
  2. MobileSecure checks if there is already an authenticated session for this browser
    1. If not, MobileSecure redirects to ADFS
  3. ADFS asks the user to authenticate with his/her credentials
  4. After authentication ADFS redirects to MobileSecure
  5. MobileSecure trusts the authentication being done by ADFS and lets the user enter MobilePlace/MobileSecure Admin Portal.


Tasks

To enable MobileSecure SAML authentication with ADFS, you’ll just have to do the following steps:

  1. Configure MobileSecure to trust your ADFS
  2. Configure ADFS to know and trust your MobileSecure account
  3. Map attributes of the SAML assertion between ADFS and MobileSecure

Prerequisites

  • Working MS ADFS
  • Working productive MobileSecure Account (Note: SAML authentication feature is not enabled in Trial and Demo accounts)

Configuration within MobileSecure Admin


The first task will be to configure MobileSecure so it know everything about the SAML IdP and its response.

  1. To make MobileSecure trust your ADFS you’ll have to provide some details. So you need to get the metadata file from ADFS https://<YOUR_ADFS_SERVICE_HOST>/federationmetadata/2007-06/federationmetadata.xml
  2. In MobileSecure Admin: Go to Account => Enterprise Access => Single-Sign On
  3. Load metadata file of your ADFS
  4. Now the trust is established in one directionPicture18.png
  5. To continue with mapping the SAML assertion attributes, check “Extract user information from SAML Identity Provider”
  6. Click “Apply Changes”
  7. Click “Download Metadata” to get the Mobile Place Service Provider Metadata file (you’ll need this later to make ADFS trust your Mobile Secure account)
  8. To actually activate this configuration on MobileSecure side, you’ll now have to enable it. You can have either AD/LDAP/cloud authentication or SAML, only one of them can be active. So switching this will deny access to any cloud or AD/LDAP authenticated user
  9. Go to Account => MobilePlace
  10. Select Single sign-on

Picture3.png

Configuration within MS ADFS

Now you need to let your ADFS know about your MobileSecure account and configure some settings.

  1. In MS ADFS Management Console: Expand the Trust RelationshipsPicture19.png
  2. Click “Add Relying Party Trust” (right hand side) and start the WizardPicture20.png
  3. Import the Mobile Secure Metadata file you saved earlierPicture21.png
  4. Give it a name
    Picture23.png
  5. Don’t use multi-factor (for now)
    Picture24.png
  6. Allow all users to enter (you could also define different rules, but keep it simple for now)Picture25.png
  7. Add the trust
    Picture26.png
  8. Start the Claims Rules dialog
    Picture27.png
  9. Now add an Issuance Transform Rule
    Picture28.png
  10. Select “Send LDAP Attributes as Claims”
    Picture29.png
  11. Now select all LDAP Attributes that you want to be available as part of the SAML Assertion send back to Mobile Secure – typically this would be a unique user identifier, first and last name, email as well as phone number. (Note: This is optional, you can use these attributes e.g. as a filter on the Mobile Secure side, for more information see MobileSecure Administration Guide)Picture30.png
  12. Now everything is configured on both sides. The trust has been established in both directions.
  13. As a last (optional) step you can complete the attribute mapping (this will allow to prefill the first and last name as well as email address when a user enters Mobile Place for the very first time) go back to MobileSecure Admin: Go to Account => Enterprise Access => Single-Sign On and hit the “Perform SSO-Test”-Button.
    Picture17.png
  14. This will take you to your Identity Provider’s Logon Screen. After successful logon you’ll see a screen like this, which lists all the available attributes of the SAML Assertion and the how they are mapped to Mobile Secure’s user attributes.Picture31.png
  15. If you need to adjust this (as maybe not all of the fields are mapped correctly). Close this screen and click “Map Attributes”
  16. Fill the fields as shown below and click ok. (Note: Be exact with the Assertion Attribute names as they have to match the IDP config – even if this means putting a full url into the field)
    Picture33.png
  17. You can run the test again and again until your mapping is correct/complete.

See it working

All the configuration work has been done, now you can test it out.

For MobilePlace

  • Open https://<MOBILESECURE_ACCOUNT>.sapmobileplace.com and you should immediately be forwarded to the IDP Login

Picture32.png

  • Logon with a user of the IDP
  • When logging into MobilePlace for the very first time you user’s credentials will be prefilled with the details form the Assertion (if Mapping has been setup)
    Picture34.png
  • Then you should be taken to MobilePlace

Picture14.png


For the MobileSecure Admin

  • You don’t have to do any additional configuration. You just have to use your account specific admin url (https://<ACCOUNTNAME>-portal.sapmobilesecure.com) to be redirected to ADFS for authentication. You’ll have the same flow as for MobilePlace.
  • Note: Obviously the user you are trying to login with needs to have an administrative role within MobileSecure.

Picture15.png

Conclusion

This Howto Guide showed the steps necessary to configure SAP MobileSecure to work with MS ADFS for MobilePlace and MobileSecure Admin. There are some details to take care of (e.g. names of Assertion Attributes that need to exactly match, account specific link for MobileSecure Admin), so please keep these in mind.

Similar Content

Howto setup MobileSecure to authenticate against SAP Cloud Identity

Howto setup MobileSecure to authenticate against MS ADFS

Howto setup MobileSecure to authenticate against Centrify Identity Service

To report this post you need to login first.

2 Comments

You must be Logged on to comment or reply to a post.

Leave a Reply