How to configure SSO Mechanism in Mobile Connectivity Ⅱ
From Mobile Service in Cloud Foundry to Apps in Neo
In this scenario, there is an existing Back-end Service deployed in Neo, but the Mobile Service is deployed in Cloud Foundry. We recommend customers to migrate the Back-end Service to Cloud Foundry. If they can’t, or they are in the interim period of migrating from Neo to Cloud Foundry, two types of “SSO Mechanism” apply to this kind of deployment:
- Application to Application SSO
- OAuth2 SAML Bearer Assertion
Application to Application SSO
Step 1: Create destination
- URL: Input the URL of the protected resource in the Neo environment.
- SSO Mechanism: Set “SSO Mechanism” to “Application-to-Application SSO”.
- Issuer: Name an issuer.
- Audience: The value is taken from SAP Cloud Platform Cockpit in Neo. Navigate to {Your Global Account} > {Your Sub Account} > Security > Trust page, open the “Local Service Provider” tab and copy the “Local Provider Name” value.
- Signing Key: You can click “Generate Key” to generate one.
Step 2: Navigate to the detail page of the destination created in step 1, download the “SAML Metadata” file.
Step 3: Add Trusted Identity Provider to the sub-account in the Neo environment.
Navigate to {Your Global Account} > {Your Sub Account} > Security > Trust > Application Identity Provider page and click “Add Trusted Identity Provider”.
The following window pops up:
Click the “Browse” button and select the “SAML Metadata” file downloaded in step 2.
OAuth2 SAML Bearer Assertion
If the Back-end Service deployed in Neo uses OAuth2 SAML authorization, you can choose this type of “SSO Mechanism”.
Step 1: Create OAuth Client in Neo.
Navigate to {Your Global Account} > {Your Sub Account} > Security > OAuth Clients page and click “Register New Client”.
The following window pops up:
- Name: The OAuth client name
- ID: The value will be used as “Client Key” in step 2
- Authorization Grant: Authorization Code
- Confidential: Check the Confidential checkbox.
- Secret: Set the password, it will be used as “Client Secret” in step 2.
Step 2: Create Destination
- Audience: The value of the “Local Provider Name” of the sub-account in the Neo environment. Navigate to {Your Global Account} > {Your Sub-account} > Security > Trust > Local Service Provider page and copy the value of “Local Provider Name”.
- Token Service URL: The value of the Token Endpoint in Neo. Navigate to {Your Global Account} > {Your Sub-account} > Security > OAuth > Branding page and copy the “Token Endpoint” value.
- Token Service URL Type: Dedicated
- Client Key: The ID value of step 1.
- Client Secret: The Secret value of step 1.
- SAML Assertion Issuer: Give a name to the issuer.
- Signing Key: You can click “Generate Key” to generate one.
Step 3: Navigate to the detail page of the destination created in step 2, download the “SAML Metadata” file.
Step 4: Add Trusted Identity Provider to the sub-account in the Neo environment, as described in step 3 of the Application to Application SSO section, using the “SAML Metadata” file downloaded in step 3.
From Mobile Service in Neo to Apps in Cloud Foundry
In this scenario, there is an existing Mobile Service deployed in Neo, but the Back-end is deployed in Cloud Foundry. We recommend customers to migrate the Mobile Service to Cloud Foundry as well. If they can’t, or they are in the interim period of migrating from Neo to Cloud Foundry, one type of “SSO Mechanism” applies to this kind of deployment:
OAuth2 SAML Bearer Assertion
Step 1: Get the “SAML Metadata” file of the sub-account in Cloud Foundry where the Back-end service instance is deployed.
In SAP Cloud Platform Cockpit, navigate to {Your Global Account} > {Your Sub-account} > Security > Trust Configuration page, click the “SAML Metadata” button to download it.
Step 2: Create destination
In Cloud Platform Mobile Services Cockpit of Neo, navigate to Mobile Applications > Native/Hybrid page, select the Mobile Application created, click the “Mobile Connectivity” feature to create a new Destination:
- URL: The protected URL of the Back-end Service deployed in Cloud Foundry.
- SSO Mechanism: OAuth2 SAML Bearer Assertion
- Audience: In the SAML Metadata file obtained in step 1, copy the value of “entityID”.
- Token Service URL: In the SAML Metadata file obtained in step 1, find the XML node matching the following pattern:
<md:AssertionConsumerService Location="{Token Service URL}" Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI" index="1"/>
Copy the value of the Location attribute.
- Client Key: The “clientid” value of the Back-end’s XSUAA service instance.
- Token Service Password: The “clientsecret” value of the Back-end’s XSUAA service instance.
- SAML Assertion Issuer: Name an issuer.
- Name ID Format: Set to “urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified”.
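To show where the Audience and Token Service URL values of step 2 come from, here is an added Python example (not part of the original article) that parses a constructed sample metadata document shaped like a sub-account's export; the entityID and host names in the sample are placeholders. It picks the AssertionConsumerService whose Binding is the SAML URI binding, not the HTTP-POST browser SSO endpoint that also appears in the file.

```python
import xml.etree.ElementTree as ET

# Namespace of SAML 2.0 metadata documents and the binding the article says to look for
MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
URI_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:URI"

# Constructed sample shaped like a sub-account's exported metadata; the entityID and
# host names are placeholders, not values from a real landscape.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="example-subaccount.example-landscape">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-subaccount.authentication.example/saml/SSO/alias/example-subaccount.example-landscape"
        index="0" isDefault="true"/>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI"
        Location="https://example-subaccount.authentication.example/oauth/token/alias/example-subaccount.example-landscape"
        index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_destination_values(metadata_xml: str) -> dict:
    """Return the Audience and Token Service URL for the destination.

    Audience is the entityID; Token Service URL is the Location of the
    AssertionConsumerService with the URI binding, not the HTTP-POST one.
    """
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % MD_NS["md"]:
        raise ValueError("not a SAML metadata EntityDescriptor")
    audience = root.get("entityID")
    if not audience:
        raise ValueError("entityID missing from EntityDescriptor")
    token_url = None
    for acs in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", MD_NS):
        if acs.get("Binding") == URI_BINDING:
            token_url = acs.get("Location")
            break
    if not token_url:
        raise ValueError("no AssertionConsumerService with the URI binding found")
    return {"Audience": audience, "Token Service URL": token_url}


if __name__ == "__main__":
    for key, value in extract_destination_values(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

Run it against the real file downloaded in step 1 by passing the file contents instead of SAMPLE_METADATA; a ValueError means the file is not the sub-account metadata the destination expects.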
Step 3: Download the “SAML Metadata” file of the Local Service Provider of the sub-account in the Neo environment.
Navigate to {Your Global Account} > {Your Sub Account} > Security > Trust > Local Service Provider page and click “Get Metadata” to download the SAML Metadata file.
Step 4: Upload the “SAML Metadata” file to the Back-end Service’s sub-account in Cloud Foundry.
In SAP Cloud Platform Cockpit, navigate to {Your Global Account} > {Your Sub Account} > Security > Trust Configuration page:
Click the “New Trust Configuration” button; in the popup window, click the “Upload” button and upload the “SAML Metadata” file obtained in step 3.
Give this trust configuration a name.