How to access services via own SAML-based authentication solution

May 03, 2017 at 11:49 PM

Former Member

I have gone through the tutorials but was unable to find the information below.

Problem: We would like to use our own SAML-based authentication solution and want to access service providers using the new SDK.

So please guide us on what our request parameters for SAML requests would be. If you could share a sample curl SAML request or a tutorial link, that would also help.

Currently we have created a sample app using the iOS assistant, which uses the default web-view-based SAML authentication, but in my organization we need to use our own solution.

Former Member

I have configured our own enterprise IdP in "SAP Cloud Platform Cockpit" and I got the expected encoded SAMLResponse. (SAP Cloud Platform Cockpit -> Security -> Trust -> Application Identity Provider)

SAMLResponse Type: "SAML Response with Signed Message & Encrypted Assertion"

As mentioned above, I am getting a SAML response with "Encrypted Assertion", and due to that I am unable to open the finish/return URL in the browser and get an application 500 error.

Error Message: "Authentication failed. Reason: SAML2Assertion received could not be decrypted."

Please let me know if I have missed any configuration to handle "Encrypted Assertion".

Any help would be appreciated.


2 Answers

Best Answer
Andreas Schlosser
May 09, 2017 at 08:25 AM

Viral,

If you've configured your own custom IdP in the SAP CP Cockpit, you should actually not be required to do anything specific at all. The redirects and the handling in the SDK should automatically work just fine for you.

If you indeed want to implement your own handling by connecting via the SDK to an endpoint directly (not going via Mobile Services), then you need to pursue the route that Robin suggested.

In case you just want to control the web view that handles the authentication flow yourself, you'll find more instructions in the link that Robin shared; you'll want to read about the WebViewPresenters.

Thanks
Andreas

Former Member

Thank you for your answer. I will check SAP CP Cockpit for the same.

Could you please let me know the following two details with respect to the new SDK:

1. How can we log/trace web view request/response details? I tried this using the default web view delegate methods, but those methods are not called during SAML authentication.

2. Is SAML authentication possible using a custom login screen and not using a web view? If yes, please let me know what request/response parameters I need to pass. Sharing a sample curl SAML request would help.

Any help would be appreciated.


Viral,

If you're unsure, you can always set the root logger to .debug level and you'll get a full dump of all log messages the SDK produces. If you already know what you're looking for, you can also be more specific and only turn up the log volume for specific modules or frameworks: https://help.sap.com/doc/978e4f6c968c4cc5a30f9d324aa4b1d7/Latest/en-US/Documents/Frameworks/SAPCommon/Logging.html.

For authentication related logging, please change the log level for SAP.Foundation.Authentication, i.e.

Logger.shared(named: "SAP.Foundation.Authentication").logLevel = .debug

The reason why you don't get the callbacks might be that the authentication flow in the web view didn't complete?

In general, SAML cannot be used with your own login screens - the way SAML works is that the user gets redirected to a screen that is controlled by the authentication server (IdP), where the user needs to provide credentials like username/password or a certificate. This is where the security of SAML stems from - the user doesn't need to provide credentials to a potentially untrusted app.

If you'd like to control the login screen yourself, you may want to consider speaking to the owner of your company IdP to see if they could provide a mobile-specific version.

Hope that helps

Andreas

Former Member
Andreas Schlosser

Thanks for the detailed reply.

I would like to share with you that I have configured our own enterprise IdP in "SAP Cloud Platform Cockpit" and I got the expected encoded SAMLResponse. (SAP Cloud Platform Cockpit -> Security -> Trust -> Application Identity Provider)

SAMLResponse Type: "SAML Response with Signed Message & Encrypted Assertion"

As mentioned above, I am getting a SAML response with "Encrypted Assertion", and due to that I am unable to open the finish/return URL in the browser and get an application 500 error.

Error Message: "Authentication failed. Reason: SAML2Assertion received could not be decrypted."

Please let me know what kind of configuration I still have to do to handle the "Encrypted Assertion" use case. Any help would be appreciated.

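The flow Andreas describes (the SP redirects the browser to the IdP, the credentials go only to the IdP, and the IdP posts a SAMLResponse back to the SP) and the encrypted-assertion failure Viral reports can both be looked at with the following Python. It is an added example for this thread, not code from the SAP Cloud Platform SDK or from Mobile Services. The entity IDs, URLs, request IDs and base64 blobs are constructed placeholders, and the sample response only mimics the shape of a "Signed Message & Encrypted Assertion" response; nothing here verifies a signature or decrypts anything.

```python
"""Service-provider-side helpers for looking at a SAML 2.0 exchange (added example)."""
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}


def build_redirect_params(sp_entity_id, acs_url, relay_state, request_id="_placeholder-id"):
    """Query parameters of an SP-initiated AuthnRequest in the HTTP-Redirect binding:
    the XML is raw-DEFLATEd, then base64-encoded, into SAMLRequest. RelayState is opaque
    SP state the IdP echoes back. The request carries no user credentials at all;
    those are entered on the IdP's own page, which is the point Andreas makes above."""
    authn_request = (
        f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="2017-05-04T00:00:00Z" '
        f'AssertionConsumerServiceURL="{acs_url}">'
        f'<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>'
    )
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15: raw DEFLATE, no zlib header
    deflated = compressor.compress(authn_request.encode()) + compressor.flush()
    return {"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state}


def build_redirect_url(idp_sso_url, sp_entity_id, acs_url, relay_state):
    """Full URL the SP redirects the browser (or web view) to."""
    return idp_sso_url + "?" + urllib.parse.urlencode(build_redirect_params(sp_entity_id, acs_url, relay_state))


def decode_redirect_request(saml_request_param):
    """Inverse of the encoding above: base64-decode and inflate a SAMLRequest value."""
    return zlib.decompress(base64.b64decode(saml_request_param), -15).decode()


def inspect_response(saml_response_b64):
    """Classify a base64 SAMLResponse as posted to the ACS, without decrypting it."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError(f"not a samlp:Response: {root.tag}")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    data_method = root.find("saml:EncryptedAssertion/xenc:EncryptedData/xenc:EncryptionMethod", NS)
    key_method = root.find("saml:EncryptedAssertion//xenc:EncryptedKey/xenc:EncryptionMethod", NS)
    return {
        "status": status.get("Value") if status is not None else None,
        "message_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": root.find("saml:Assertion/ds:Signature", NS) is not None,
        "plain_assertions": len(root.findall("saml:Assertion", NS)),
        "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
        "data_algorithm": data_method.get("Algorithm") if data_method is not None else None,
        "key_transport_algorithm": key_method.get("Algorithm") if key_method is not None else None,
    }


def diagnose(report, sp_has_decryption_key):
    """Plain-language verdict for whoever checks the SP's trust configuration."""
    if report["status"] != "urn:oasis:names:tc:SAML:2.0:status:Success":
        return "IdP reported failure; check the IdP side first"
    if report["plain_assertions"] and not (report["message_signed"] or report["assertion_signed"]):
        return "neither message nor assertion is signed: SP must reject it"
    if report["encrypted_assertions"] and not sp_has_decryption_key:
        return "encrypted assertion but SP holds no matching private key: decryption will fail"
    if report["encrypted_assertions"]:
        return "encrypted assertion and SP key present: decrypt, then verify the assertion"
    return "signed plain assertion: verify signature, audience and validity window"


# Constructed sample in the shape of a "Signed Message & Encrypted Assertion" response.
# Issuer, Destination and every base64 value are placeholders, not real material.
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" xmlns:xenc="{NS['xenc']}" ID="_resp-placeholder" Version="2.0"
    IssueInstant="2017-05-04T00:00:01Z" Destination="https://sp.example.com/acs">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>UExBQ0VIT0xERVI=</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <ds:KeyInfo>
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
          <xenc:CipherData><xenc:CipherValue>UExBQ0VIT0xERVI=</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>UExBQ0VIT0xERVI=</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


if __name__ == "__main__":
    params = build_redirect_params("https://sp.example.com", "https://sp.example.com/acs", "finish=1")
    print(decode_redirect_request(params["SAMLRequest"]))
    report = inspect_response(SAMPLE_RESPONSE_B64)
    print(report)
    print(diagnose(report, sp_has_decryption_key=False))
```

Running it on the sample gives the verdict that matches the thread's error text: the assertion arrives encrypted, so whichever SP consumes it (here Mobile Services) must hold the private key for the encryption certificate the IdP used; exchanging only signing certificates in the trust configuration is not enough. The same `inspect_response` run on a real captured SAMLResponse tells you, before opening a platform ticket, whether the IdP is in fact encrypting and with which key-transport algorithm.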

Viral,

Unfortunately I cannot help you further on this particular case; this seems to be more of a core SAP Cloud Platform question/problem than an SDK issue. I guess if you've already configured your enterprise IdP successfully you are aware of the documentation at https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/dc618538d97610148155d97dcd123c24.html# - and I couldn't see any hints on handling of encrypted assertions.

May I ask you to create a specific question on this topic using the 'SAP Cloud Platform' tag, please?

Thanks
Andreas

Robin van het Hof
May 04, 2017 at 01:48 PM

Hi Viral,

I don't have any experience with the SDK and a 3rd-party SAML solution, but I think modifying the generated `SAMLAuthViewController` class to point to your custom solution should suffice?

Especially these URLs:

let resourceURL = Constants.appUrl+"/SalesOrderHeaders"
let authURL     = Constants.sapcpmsUrl.absoluteString+"/SAMLAuthLauncher"
let finishURL   = Constants.sapcpmsUrl.absoluteString+"/SAMLAuthLauncher?finishEndpointParam=someUnusedValue"

See https://help.sap.com/doc/978e4f6c968c4cc5a30f9d324aa4b1d7/Latest/en-US/Documents/Frameworks/SAPFoundation/Authentication.html for more info on the different SAML steps.

Former Member

Thank you for your answer.

Could you please let me know the following two details with respect to the new SDK:

1. How can we log/trace web view request/response details? I tried this using the default web view delegate methods, but those methods are not called during SAML authentication.

2. Is SAML authentication possible using a custom login screen and not using a web view? If yes, please let me know what request/response parameters I need to pass. Sharing a sample curl SAML request would help.

Any help would be appreciated.
