Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Showing results for 
Search instead for 
Did you mean: 
janschober
Participant

Howto setup MobileSecure to authenticate against Centrify Identity Service

Introduction

This guide describes what you need to configure in your SAP MobileSecure account, so MobilePlace (its end user interface) as well as the MobileSecure Admin Portal authenticates against Centrify Identity Service https://www.centrify.com/products/identity-service/

It describes the steps that were necessary for me to make it work, therefore might not be complete, correct or might have some unnecessary steps as well. This is not official product documentation of neither SAP MobileSecure nor Centrify Identity Service - for further information see MobileSecure Documentation and Centrify Identity Service https://www.centrify.com/products/identity-service/

Goal

The goal of setting up SAML authentication is being able to use the Centrify managed users also with your MobileSecure account. This removes the necessity to manage users/passwords within MobileSecure's own user store.

The final flow should be the following:

  1. User enters sapmobilesecure.com/sapmobileplace.com url in his browser
  2. MobileSecure checks if there is already an authenticated session for this browser
    1. If not, MobileSecure redirects to Centrify
  3. Centrify asks the user to authenticate with his/her credentials (even two-factor as it has some email-based token mechanism build in)
  4. After authentication Centrify redirects to MobileSecure
  5. MobileSecure trusts the authentication being done by Centrify and lets the user enter MobilePlace/MobileSecure Admin Portal.


Tasks

To enable MobileSecure SAML authentication with Centrify Identity Service, you'll have to do the following steps:

  1. Configure MobileSecure to trust your Centrify
  2. Configure Centrify to know and trust your MobileSecure account
  3. Map attributes of the SAML assertion between Centrify and MobileSecure

Prerequisites

  • Working Centrify Identity Service
  • Working productive MobileSecure Account (Note: SAML authentication feature is not enabled in Trial and Demo accounts)

Configure MobileSecure in Centrify

As a first step, you'll have to create a so called web application in your Centrify account, this will hold all the configuration for the interaction between it and MobileSecure.

  1. Login to your Centrify Account
  2. Switch to the "Apps" tab and click "Add Web Apps"
  3. In the following dialog select the "Custom" tab and select SAML
  4. Finally hit "Close" and you should be taken to this screen, which will be filled step by step later during the setup. For now, important on this page is the possibility to download the service provider metadata. Click the link to download it to your desktop


Configuration within MobileSecure Admin

The first task will be to configure MobileSecure so it know everything about the SAML IdP and its response.

  1. To make MobileSecure trust your Centrify account you'll have to provide the Identity Provider SAML metadata you downloaded earlier.
  2. In MobileSecure Admin: Go to Account => Enterprise Access => Single-Sign On
  3. Load metadata file of your Centrify Application
  4. Now the trust is established in one direction
  5. To continue with mapping the SAML assertion attributes, check “Extract user information from SAML Identity Provider”
  6. In the following dialog enter "nameid" as the field to map to the MobileSecure User name

    NOTE: You have to be very exact on the attribute name (case-sensitive and name) - if you miss this setting you'll get a SAML authentication error when you try to login to MobilePlace. You can later always fix this, by coming back to this screen after everything is configured. Then hit the SSO-Test-Button and you can see all attributes that come back as part of the Assertion



  7. Click "Apply Changes"
  8. Click "Download Metadata" to get the Mobile Place Service Provider Metadata file (you'll need this later to make Centrify trust your Mobile Secure account)
  9. To actually activate this configuration on MobileSecure side, you'll now have to enable it. You can have either AD/LDAP/cloud authentication or SAML, only one of them can be active. So switching this will deny access to any cloud or AD/LDAP authenticated user
  10. Go to Account => MobilePlace
  11. Select Single sign-on

Configuration within Centrify

Now you need to let your Centrify Identity Service know about your MobileSecure account and configure some settings.

  1. In your Centrify Account on the WebApplication's main screen, hit the "Upload SP metadata" button and select the file you downloaded earlier from Mobile Secure
  2. Then deselect "Encrypt Assertion" and don't forget to save
  3. Now switch to the "Description" section and enter a Name, Description and Logo
  4. On the "User Access" section select "Everybody" (you could obviously change this and add some roles etc, so only specific users are allowed for MobilePlace, but for the sake of simplicity)
  5. Don't forget to save once more and you are done.
  6. Now everything is configured on both sides. The trust has been established in both directions.
  7. You can run the test again and again until your mapping is correct/complete.


See it working

All the configuration work has been done, now you can test it out.


For MobilePlace

  1. Open https://<MOBILESECURE_ACCOUNT>.sapmobileplace.com and you should immediately be forwarded to the IDP Login
  2. Enter your Centrify username
  3. Enter your password and then an email will be sent to your registered Email-Adress as a second factor authentication

  4. You should get this email in your inbox
  5. Click or copy the link (careful it needs to be opened in the same browser window)

  6. When logging into MobilePlace for the very first time you'll have to fill in your user's details
  7. Then you should be taken to MobilePlace


For the MobileSecure Admin

  • You don't have to do any additional configuration. You just have to use your account specific admin url (https://<ACCOUNTNAME>-portal.sapmobilesecure.com) to be redirected to Centrify for authentication. You'll have the same flow as for MobilePlace.
  • Note: Obviously the user you are trying to login with needs to have an administrative role within MobileSecure.

Conclusion

This Howto Guide showed the steps necessary to configure SAP MobileSecure to work with Centrify Identity Service for MobilePlace and MobileSecure Admin. There are some details to take care of (e.g. names of Assertion Attributes that need to exactly match, account specific link for MobileSecure Admin), so please keep these in mind.

Similar Content

Howto setup MobileSecure to authenticate against SAP Cloud Identity

Howto setup MobileSecure to authenticate against MS ADFS

Howto setup MobileSecure to authenticate against Centrify Identity Service