How to set up MobileSecure to authenticate against Centrify Identity Service
This guide describes what you need to configure in your SAP MobileSecure account so that MobilePlace (its end-user interface) as well as the MobileSecure Admin Portal authenticate against Centrify Identity Service (https://www.centrify.com/products/identity-service/).
It describes the steps that were necessary for me to make it work; it therefore might not be complete or correct, and might contain some unnecessary steps as well. This is not official product documentation of either SAP MobileSecure or Centrify Identity Service; for further information see the MobileSecure documentation and Centrify Identity Service https://www.centrify.com/products/identity-service/
The goal of setting up SAML authentication is to be able to use your Centrify-managed users with your MobileSecure account as well. This removes the need to manage users and passwords in MobileSecure's own user store.
The final flow should be the following:
- The user enters the sapmobilesecure.com/sapmobileplace.com URL in their browser
- MobileSecure checks if there is already an authenticated session for this browser
- If not, MobileSecure redirects to Centrify
- Centrify asks the user to authenticate with their credentials (even two-factor, as it has an email-based token mechanism built in)
- After authentication Centrify redirects to MobileSecure
- MobileSecure trusts the authentication being done by Centrify and lets the user enter MobilePlace/MobileSecure Admin Portal.
To enable MobileSecure SAML authentication with Centrify Identity Service, you'll have to do the following steps:
- Configure MobileSecure to trust your Centrify
- Configure Centrify to know and trust your MobileSecure account
- Map attributes of the SAML assertion between Centrify and MobileSecure
Prerequisites:
- A working Centrify Identity Service
- A working productive MobileSecure account (note: the SAML authentication feature is not enabled in trial and demo accounts)
Configure MobileSecure in Centrify
As a first step, you'll have to create a so-called web application in your Centrify account; this will hold all the configuration for the interaction between Centrify and MobileSecure.
- Log in to your Centrify account
- Switch to the “Apps” tab and click “Add Web Apps”
- In the following dialog select the “Custom” tab and select SAML
- Finally hit "Close" and you should be taken to this screen, which will be filled in step by step later during the setup. For now, the important part of this page is the possibility to download the Identity Provider metadata. Click the link to download it to your desktop
Configuration within MobileSecure Admin
The first task is to configure MobileSecure so it knows everything about the SAML IdP and its response.
- To make MobileSecure trust your Centrify account you’ll have to provide the Identity Provider SAML metadata you downloaded earlier.
- In MobileSecure Admin, go to Account => Enterprise Access => Single Sign-On
- Load the metadata file of your Centrify application
- Now the trust is established in one direction
- To continue with mapping the SAML assertion attributes, check “Extract user information from SAML Identity Provider”
- In the following dialog enter "nameid" as the field to map to the MobileSecure user name
NOTE: You have to be exact with the attribute name (it is case-sensitive); if you get this setting wrong you'll get a SAML authentication error when you try to log in to MobilePlace. You can always fix this later by coming back to this screen after everything is configured: hit the SSO test button and you can see all attributes that come back as part of the assertion
- Click “Apply Changes”
- Click "Download Metadata" to get the MobilePlace Service Provider metadata file (you'll need this later to make Centrify trust your MobileSecure account)
- To actually activate this configuration on the MobileSecure side, you'll now have to enable it. You can have either AD/LDAP/cloud authentication or SAML; only one of them can be active, so switching this will deny access to any cloud or AD/LDAP authenticated user
- Go to Account => MobilePlace
- Select Single sign-on
Configuration within Centrify
Now you need to let your Centrify Identity Service know about your MobileSecure account and configure some settings.
- In your Centrify account, on the web application's main screen, hit the "Upload SP metadata" button and select the file you downloaded earlier from MobileSecure
- Then deselect “Encrypt Assertion” and don’t forget to save
- Now switch to the “Description” section and enter a Name, Description and Logo
- On the "User Access" section select "Everybody" (you could obviously change this and add some roles etc. so that only specific users are allowed to use MobilePlace, but for the sake of simplicity we allow everybody here)
- Don’t forget to save once more and you are done.
- Now everything is configured on both sides; the trust has been established in both directions.
- You can run the test again and again until your mapping is correct/complete.
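Two things the steps above leave to the SSO test are easy to check on a captured SAMLResponse as well: the exact, case-sensitive attribute names that come back in the assertion (the mapping note above), and that the assertion arrives unencrypted after deselecting "Encrypt Assertion". The following Python example is added here and is not part of the original guide or of either product; it runs on a constructed, fictitious response whose issuer, user and signature value are placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample, not a real Centrify assertion: fictitious issuer and user,
# placeholder signature value, unencrypted (as after deselecting "Encrypt Assertion").
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>jane.doe@example.test</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()  # as posted in SAMLResponse


def inspect_saml_response(b64_response):
    """Decode a base64 SAMLResponse and report what the SP can read from it."""
    root = ET.fromstring(base64.b64decode(b64_response))
    # If the IdP still encrypts, only an EncryptedAssertion is present and the SP
    # cannot read NameID or attributes without a decryption key.
    info = {"encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
            "signed": False, "nameid": None, "attributes": {}}
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return info
    info["signed"] = assertion.find("ds:Signature", NS) is not None
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    info["nameid"] = nameid.text if nameid is not None else None
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        info["attributes"][attr.get("Name")] = values  # Name kept exactly as sent
    return info


def check_mapping(info, configured_name):
    """Return the exact attribute name a MobileSecure mapping will match, or a hint."""
    if configured_name == "nameid":  # MobileSecure's name for the Subject NameID
        return "nameid" if info["nameid"] else None
    if configured_name in info["attributes"]:
        return configured_name
    for name in info["attributes"]:  # case-only mismatch: the usual SAML auth error
        if name.lower() == configured_name.lower():
            return "mismatch: assertion sends %r, mapping says %r" % (name, configured_name)
    return None
```

Feed it the base64 value of the SAMLResponse form field captured from your browser's developer tools, then compare the returned attribute names against what you typed into the mapping dialog.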
See it working
All the configuration work has been done, now you can test it out.
- Open https://<MOBILESECURE_ACCOUNT>.sapmobileplace.com and you should immediately be forwarded to the IdP login
- Enter your Centrify username
- Enter your password; an email will then be sent to your registered email address as a second authentication factor
- You should get this email in your inbox
- Click or copy the link (careful: it needs to be opened in the same browser window)
- When logging into MobilePlace for the very first time you’ll have to fill in your user’s details
- Then you should be taken to MobilePlace
- For the MobileSecure Admin Portal you don't have to do any additional configuration. You just have to use your account-specific admin URL (https://<ACCOUNTNAME>-portal.sapmobilesecure.com) to be redirected to Centrify for authentication. You'll have the same flow as for MobilePlace.
- Note: Obviously the user you are trying to login with needs to have an administrative role within MobileSecure.
This how-to guide showed the steps necessary to configure SAP MobileSecure to work with Centrify Identity Service for MobilePlace and MobileSecure Admin. There are some details to take care of (e.g. the names of assertion attributes, which need to match exactly, and the account-specific link for MobileSecure Admin), so please keep these in mind.