Former Member

Fiori iOS SDK - SAML and OAUTH examples - not for productive use?

I have gone through the Fiori iOS SDK tutorials and note with interest that the generated code (by the Assistant app) for the SAML and OAUTH examples states this in the `SAMLAuthViewController` class ('func sapURLSession()'):

"/// Note: This automatic server trust is for only testing purposes. The intented use is to install certificate to the device. Do not use it productively!"

Can someone with more security knowledge please explain this?

Is this piece of code just blindly trusting the server regardless? What *should* it do in a production scenario? Is there any documentation where I can learn more about what to code in here for real-life situations?



4 Answers

  • Best Answer
    Apr 06, 2017 at 05:11 AM

    Jason,

    This code can be deleted without replacing it with anything else. The only situation when you might need this is when the server had certificates that the phone cannot validate (i.e. the root CA is not in the list of trusted CAs, in which case you'd install the server certificate on the phone manually). This could happen if you're connecting to custom test servers, but as the SDK always connects to SAP CP, which has valid certificates for HTTPS, this stuff is superfluous.

    Hope that makes sense

    Andreas


  • Apr 05, 2017 at 05:11 AM

    Jason,

    I'd like to emphasize that the Assistant-generated code is not meant for productive use. We state this in the Assistant itself, but I feel I should repeat this, because I've seen messages on the Assistant out there in the public that I don't quite agree with. The purpose of the Assistant is to give people who are new to the SDK a quick start on ending up with a working app, having code that functions, and a starting point for further exploration. But we do expect that productive app development is most likely starting either from scratch or based on other existing app projects. (I'm not implying you thought different, this is just a general remark)

    To your specific question, we should just remove that piece of code from the generated app as it is not required for the connection with Mobile Services and SAP ID Service, but rather an internal leftover from some other testing. I think you can check the documentation on `NSURLAuthenticationMethodServerTrust` and `URLCredential(trust:)` to understand how this is circumventing server certificate validation, but we will remove this to avoid further confusion.

    Thanks for reporting this,
    Andreas

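    The three URLSession delegate variants below are an added example, not code from the Fiori iOS SDK or the Assistant. They show the shape of the "trust everything" handler the thread describes (reconstructed from the `NSURLAuthenticationMethodServerTrust` and `URLCredential(trust:)` names Andreas points to), the production default of leaving server trust to the system (equivalent to deleting the generated code), and, for the "install a certificate to the device" test case, pinning a private CA so that only chains ending at that CA are accepted. The bundle resource `ca.der` and the host `example.invalid` are assumptions for illustration.

```swift
import Foundation
import Security

// 1. The problematic shape described in the thread: every server certificate is
//    accepted without evaluation, so any interposed host with a self-signed
//    certificate gets a "valid" TLS session. Reconstructed from the API names
//    discussed above; this is not the SDK's actual code.
final class TrustEverythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        if challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
           let trust = challenge.protectionSpace.serverTrust {
            // No SecTrustEvaluate call: the chain is never checked.
            completionHandler(.useCredential, URLCredential(trust: trust))
            return
        }
        completionHandler(.performDefaultHandling, nil)
    }
}

// 2. Production default: do not override server trust. The system validates the
//    chain against the device trust store and the request's hostname, which is
//    why the generated code can simply be deleted. Omitting the delegate method
//    entirely behaves the same way.
final class SystemTrustDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        completionHandler(.performDefaultHandling, nil)
    }
}

// 3. Test servers with a private CA: pin that CA explicitly instead of trusting
//    everything. "ca.der" is an assumed bundle resource holding the DER-encoded
//    CA certificate the test server's chain ends at.
final class PinnedCADelegate: NSObject, URLSessionDelegate {
    private let anchor: SecCertificate

    init?(bundledCertificateNamed name: String = "ca", bundle: Bundle = .main) {
        guard let url = bundle.url(forResource: name, withExtension: "der"),
              let der = try? Data(contentsOf: url),
              let cert = SecCertificateCreateWithData(nil, der as CFData) else {
            return nil
        }
        anchor = cert
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Restrict evaluation to our CA only, then let Security.framework check
        // signatures, validity period and hostname (the SSL policy attached by
        // URLSession already carries the requested host).
        _ = SecTrustSetAnchorCertificates(trust, [anchor] as CFArray)
        _ = SecTrustSetAnchorCertificatesOnly(trust, true)

        var error: CFError?
        if SecTrustEvaluateWithError(trust, &error) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Fail closed: a chain that does not end at the pinned CA is rejected.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage with the production default (assumed host; the real Mobile Services URL
// comes from the app configuration).
let session = URLSession(configuration: .default, delegate: SystemTrustDelegate(), delegateQueue: nil)
let task = session.dataTask(with: URL(string: "https://example.invalid/odata")!) { _, response, error in
    print(response ?? error ?? "no response")
}
task.resume()
```

    A quick review check for the pattern in question: any `didReceive challenge` implementation that returns `.useCredential` with `URLCredential(trust:)` and never calls a `SecTrustEvaluate*` function on that trust object is disabling certificate validation for the whole session, whatever the surrounding comment says.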

  • Former Member
    Apr 06, 2017 at 02:44 AM

    I have read and understand that apps generated by the Assistant are not for productive use.... However I really hope SAP looks up and investigates Yeoman and its community, which scaffolds a new web app for you which you then finish off. I.e. it generates the initial boilerplate. This is also very similar to the SAP Web IDE template.

    I really hope SAP enables the Assistant like this so that we can generate an app - enhance it - then move it to PRD. It would then be a powerful tool...

    Back to the actual question though - so you're saying that piece of code is not required in this specific test of SAML. But what "should" be happening there if this was going to be changed to be production ready?

    The generated code comment is "The intented use is to install certificate to the device.". Just looking for ideas as to how to continue my research. ;-)


  • Former Member
    Apr 06, 2017 at 08:09 AM

    Excellent... I misunderstood the purpose of that code. Thank you for the explanation... And please..... turn the Assistant app into Yeoman for Fiori iOS. ;-)
