No certificate issue found on Android Devices - no real workaround

Hi

We have a mixture of corporate Android devices and BYOD Android devices and have an annoying popup when starting an application via SAP Fiori Client to Install certificates. This is the case when authenticating via SAP Cloud Identity Authentication services.

There are some OSS notes, 2132513 and 2682934, on this topic; however, there is no real solution in them. We need an alternative way of building our application where this error does not occur.

We have applications going live and this popup is a major showstopper.

Screenshot of the issues being experienced.

Has anyone had this issue and fixed it with some sort of workaround? The BYOD devices are the challenge because we cannot load any certificates onto the person's phone.

Kind Regards

Phil Cooley


8 Answers

  • Best Answer
    Posted on Apr 02, 2019 at 06:21 AM

    Hi Phil,

    this is the IAS asking the client for a client certificate (an SAP Passport with your S-User). Android answers in a very misleading way when there is no certificate present. Unfortunately this does not disappear when you configure alternative authentication methods on your IAS (we did SAML2 with a corporate IDP).

    There is a way to get rid of it: open an incident for your IAS tenant (component: BC-IAM-IDS) and request that your IAS tenant should not ask for client certificates anymore. SAP will need from a few days up to two weeks (depending on some maintenance life-cycle) to deactivate this. We did not experience any drawbacks in our scenario and are thinking about requesting this to be done for all our IASes routinely.

    The only other way to mitigate this is to build your own Android client and configure it to ignore these requests.

    Cheers, Lutz


    • Thanks Lutz Rottmann - this is exactly what we need. The certificate request should be removed from all IAS tenants. In our case we cannot build an Android client because the application is being used mostly for users that bring their own device (BYOD) so we cannot control what applications/browsers they have on their own devices.

      I had logged 2 incidents for 2 separate clients for this same issue as this is stopping 2 Go Lives and I have included this in the incident so let's hope they can bypass the cert check for both of those tenants and we can move on and go live!

      Thanks!

  • Posted on Jun 25, 2019 at 08:39 AM

    Dear Phil,

    Now it is possible to disable the client certificate request manually. Our development team can do that after opening a ticket on component BC-IAM-IDS. Make sure you also provide your tenant id.

    I have also corrected the KBA according to the new process:

    2682934 - "No certificate found" error on Android with SAP Cloud Platform Identity Authentication as Identity Provider

    Best Regards,

    Zsuzsa Nemeth


    • Thank you Zsuzsa Nemeth - makes sense, but going even further it would be good to have this as an option within the SAP Cloud Identity tenant settings. That would definitely reduce the support involved here from SAP and also give administrators the ability to change this much faster if required. This is a good first step though, so thank you.

      Kind Regards

      Phil Cooley

  • Posted on Apr 02, 2019 at 06:12 AM

    Do you use certificate based authentication for the corporate Android devices? Then the URL used in the Fiori Client might be set up as described in Enabling Client Certificate Authentication to use

    https://<my application>.cert.<SAP Cloud Platform region host>/

    as the endpoint. I would suggest having an MDM configuration for the BYOD users that sets the URL without cert for them, so no certificate is requested in the first place.


  • Posted on Apr 02, 2019 at 02:04 PM

    Per one of our developers:

    In order to avoid the client certificate prompt dialog on the Android client: for the app store Fiori Client, the Fiori URL parameter handleX509 can be set to false in the Fiori URL. For a custom Fiori Client, the handleX509 property can be set in the appconfig.js file.

    For example:

    https://www.google.com?handleX509=false

    For details, please refer to the comment below, copied from the custom Fiori Client appconfig.js:

    /**
     * handleX509 - This property is only supported on Android and iOS. When true (the default), the Fiori Client will attempt to handle
     * X509 challenges encountered by the webview. Unless a different certificate source was configured, this would mean
     * showing a certificate picker dialog on Android client. When set to false, the Fiori Client will ignore X509 challenges the webview
     * encounters. Setting this to false can be useful if users are not expected to authenticate with client certificates
     * and it is not easy to configure the server to not give X509 challenges.
     */
    //"handleX509": true,


    • Thanks Mark Wright. I think what I did not make clear in the question is that one scenario is via the Fiori Client application and the other is running the application directly on an Android device for BYOD users. We have used the handleX509 false option for the Fiori Client and this works ok, but this is not a great workaround, mainly because each new user has to make sure they use the updated URL and of course it comes down to training and user provisioning etc.

      For BYOD devices though this is not an option.

      I have 2 incidents open about this issue as it is stopping 2 Go Lives so if the option for the IAS tenant that Lutz included is possible then would be great to get confirmation on this one.
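Both workarounds above (Gregor's non-cert endpoint for BYOD devices and Mark's handleX509=false URL parameter) come down to publishing a different launch URL. The helper below is an added example, not code from this thread or from SAP's Fiori Client: it rewrites a Fiori launch URL for BYOD users while keeping its query string and hash fragment intact, which a naive "append ?handleX509=false" breaks. It assumes the non-cert endpoint is the same host with the ".cert." segment removed, and uses a constructed placeholder host.

```javascript
// Added example (not from the original thread or SAP's Fiori Client code).
// Rewrites a Fiori launch URL for BYOD devices: drops the ".cert." host
// segment that triggers the TLS client-certificate challenge and sets the
// Fiori Client URL parameter handleX509=false, preserving any existing
// query string and "#..." fragment that Fiori launchpad URLs usually carry.
// Assumption: the non-cert endpoint is the same host without ".cert.".

function byodLaunchUrl(launchUrl) {
  const u = new URL(launchUrl);
  if (u.protocol !== "https:") {
    // Never hand out a plain-http launch URL, even for BYOD.
    throw new Error("Fiori launch URLs must use https");
  }
  // "<app>.cert.<region host>" -> "<app>.<region host>"
  u.hostname = u.hostname.replace(/^([^.]+)\.cert\./, "$1.");
  // set() replaces an existing handleX509=true instead of duplicating it.
  u.searchParams.set("handleX509", "false");
  return u.toString();
}

// Sanity check before publishing a URL via MDM or a user guide:
// true only if the cert host is gone and the flag is really set.
function isByodSafe(launchUrl) {
  const u = new URL(launchUrl);
  return !/\.cert\./.test(u.hostname) &&
    u.searchParams.get("handleX509") === "false";
}

// Constructed sample (placeholder host, not a real tenant).
const SAMPLE_URL =
  "https://myapp.cert.example-region.invalid/sap/bc/ui5_ui5/ui2/ushell/" +
  "shells/abap/FioriLaunchpad.html?sap-client=100#Shell-home";

console.log(byodLaunchUrl(SAMPLE_URL));
```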

  • Posted on Apr 02, 2019 at 07:37 PM

    Dear Phil,

    Please see the KBA that describes the case in detail: 2682934 - "No certificate found" error on Android with SAP Cloud Platform Identity Authentication as Identity Provider

    As the KBA says, the only workaround is:

    "As a workaround use other browser in Android device."

    Best Regards,
    Barnabás Paksi


    • Thanks Barnabas Zoltan Paksi - I included the KBA in the question as I have read this already. As this is a consumer facing scenario the workaround is not great. I cannot tell users of BYOD devices to use some other browser to get the application, which they should be able to just run without issue, to work.

      This is a serious issue and a major roadblock for customers. On one hand we have this great user experience offering and then on the other we have this certificate popup and a seriously poor user experience offering. Not great and should be fixed as soon as possible.

      Kind regards

      Phil

  • Posted on Jun 11, 2019 at 08:55 PM

    Phil Cooley,

    How did you get on with this? Was SAP able to switch off prompting for client certificate at the IAS tenant level? If so, how long did it take? I'm potentially looking at requesting the same as we have a similar use case to you and a similar problem (pain). This really should be a customer configuration option in IAS.

    Thanks,

    Brendan


  • Posted on Jul 31, 2020 at 09:47 AM

    Dear Phil Cooley and everybody else who may still be interested in this subject (Gregor Wolf, Brendan Farthing?),

    there is now an improvement request on influence.sap.com for this issue:

    SAP Cloud Identity Authentication: Deactivate TLS Client Certificates by Default and add Customizing

    as part of the "SAP Cloud Platform – Platform Foundation" campaign.

    Please kindly consider voting for it.

    Best regards, Lutz


  • Posted on Apr 03, 2019 at 09:41 AM
    Dear Lutz Rottmann/Gregor Wolf,

    Thanks for the hints and suggestions. Actually this is a completely missing functionality in the Identity Authentication Service, so it cannot be disabled immediately. I guess raising an incident is not a good option, but raising a feature request according to e.g. SAP Note "11 - Requested function is not in standard system" can be an option.

    Regards,

    Barnabás
