Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Showing results for 
Search instead for 
Did you mean: 
Dan_vL
Product and Topic Expert
Product and Topic Expert

Appendix N:  Using SAML with Kapsel

Support for Security Assertion Markup Language (SAML) was added to Kapsel in SP05 of the SDK.  The onpremise version of the SMP server added support for SAML in SP05.

The following samples were creating using SP07 PL01 of the SDK.

Here are a few terms that are used with SAML.
An identity provider maintains a directory of users and provides authentication.
A service provider is the web site or service that is being accessed.
A user is the person who has an account with the identity provider.

When a user logs in with the identity provider, a SAML token is returned that grants access to an application for a certain length of time.  If the SAML token is compromised it is only valid for a limited length of time against a specific application.  Multiple applications can use the same identity provider hence one user name and password or perhaps even a biometric like a fingerprint can be used.

For additional details on SAML see SAML 101 Video and Enabling Secure Onboarding Using SAML.

The following steps demonstrate how to configure the Logon example from the HCPms section to use SAML as the authentication provider for the application.

  • Using the HANA Mobile service cockpit, modify the Security Configuration of the application com.mycompany.logon from None to Form.  Form indicates SAML should be used.  The identity provider for the HCPms trial server is
    https://accounts.sap.com/saml2/idp/sso/accounts.sap.com
    and it requests your SCN user name and password.

  • Modify the context variable in LogonDemo\www\index.html to indicate that SAML should be used by adding.
        "auth":
            [
                {
                    "type": "saml2.web.post"
                }
            ],
       
  • Copy the files to the platform directory by running
    cordova -d prepare
  • Use the Android IDE or Xcode to deploy and run the project.


    Note, if the Remember me checkbox is checked, a cookie will be set that will remain valid for three months so the user name and password will not need to be re-entered.



The following steps will demonstrate how to configure the SMP server to work with an identity provider and then use that identity provider as an authentication provider for the Logon sample.  The identity provider used in this section is a hosted solution from SSOCircle that has free account registration to their hosted identity provider as well as paid offerings.

Other identity providers include Microsoft Active Directory Federation Services and Identity Provider for SAP Single Sign-On

  •     Register with SSOCircle.

  • Once registered, note the user id and remember your password.


    Choose Manage Metadata > SSOCircle Public IDP Metadata.


    Save the xml as
    c:\temp\saml\idp.ssocircle.com.xml
  • In the SMP server's management cockpit choose Settings > SAML > Local Service Provider.
    Provide a unique name and a Base URL that is the fully qualified host name of the SMP server.


    Click on Generate Key Pair.
    Click Save.
    Click Get Metadata.  Copy that file to the following location.
    C:\temp\saml\smp-metadata.xml
  • In the SMP server's management cockpit choose Settings > SAML > Trusted Identity Provider > New > and for the Metadata File click the browse button and choose
    c:\temp\saml\idp.ssocircle.com.xml


  • In the SSO Circle website choose Manage Metadata and click on Add new Service Provider.





  • Modify the application with the id of com.mycompany.logon to use a SAML Authentication provider.


    Note the Identity Provider Name can be determined by examining Settings > SAML > Trusted Identity Provider > Name.

  • Modify the host variable points to your onpremise server and ensure that the port is the HTTPS port and https is true.
    Modify the context variable in LogonDemo\www\index.html to indicate that SAML should be used by adding.
        "auth": [
                    {
                        "type": "saml2.web.post",
                        "config": {
                            "saml2.web.post.authchallengeheader.name": "com.sap.cloud.security.login",
                            "saml2.web.post.finish.endpoint.uri": "/SAMLAuthLauncher",
                            "saml2.web.post.finish.endpoint.redirectparam": "finishEndpointParam"
                        }
                    }
                ],
    Note the config section is optional.  For additional details see Enabling Secure Onboarding Using SAML.

  • Copy the files to the platform directory by running
    cordova -d prepare
  • Use the Android IDE or Xcode to deploy and run the project and after successfully registering examine the registration in the management cockpit.




Back to Getting Started With Kapsel

28 Comments