Configuring SAP Fiori Client for Single Sign-On with Android SAP Authenticator
Overview
You can locally build an SAP Fiori Client plugin to work with Android SAP Authenticator by installing Apache Cordova. After this implementation, your users will be able to log on to SAP Fiori Client through single sign-on (SSO). For more information about the SSO configuration, see Setting Mobile Single Sign-On.
For this process, SAP Authenticator should use the URL for an identity provider (IdP) initiated SSO, starting with sapfioriclient:// scheme and containing j_username=[username]&j_passcode=[passcode] parameters, in order to launch a SAP Fiori Client build as described in this blog. The IdP should use TOTPLoginModule for authentication. For more information about the login module settings, see Configuring the Login Modules.
NOTE
If you already have SAP Fiori Client on your system, skip the first two sections and go to Running SAP Fiori Client with Android SAP Authenticator section. |
Scenario Description
-
- SAP Authenticator sends a URL for IdP-initiated SSO to SAP Fiori Client.
- An employee chooses the SAP Fiori Client application from the SAP Authenticator’s list of favorite applications. Note: A user adds the application as favorite by activating mobile SSO and scanning a QR code.
- SAP Authenticator generates a passcode and sets the username and passcode in the URL.
- SAP Authenticator sends the URL to SAP Fiori Client.
- SAP Fiori Client processes the URL by setting its scheme.
- SAP Fiori Client sends an authentication request containing the passcode and the user’s name, password or cookie.
- The IdP processes the request and issues a SAML 2.0 assertion, which is sent back in the response to the SAP Fiori Client.
- SAP Fiori Client redirects the SAML 2.0 assertion to the SAP Fiori or AS ABAP service provider and the user accesses the application.
- SAP Authenticator sends a URL for IdP-initiated SSO to SAP Fiori Client.
- If you are using the AS ABAP service provider, see Mobile Single Sign-On for SAP Fiori.
- If you are using the SAP Fiori service provider, see Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet.
Prerequisites
- SAP Mobile Platform (SMP)
- Android 3.0 (API level 11)
- Apache Ant
- JDK
- Android SDK
- Eclipse plugins
- Git
- Node.js
- Apache Cordova
To fulfill these prerequisites, you should proceed as follows:
- Install SAP Mobile Platform SDK.
For more information about this installation, see Installation: SAP Mobile Platform SDK for Windows.
- Download and extract a binary Apache Ant distribution.
For more information, see Prerequisites at Setting Up the Development Environment.
- Install Java JDK.
For more information, see Setting Up the Development Environment.
- Install Android SDK.
For more information, see Setting Up the Development Environment.
Make sure that in the Android SDK Manager you have installed the required packages listed in SDK Manager. In addition, if you are using a proxy server, configure HTTP proxy and port.
- If you are using Eclipse, download and install the plugins.
For more information, see Setting Up the Development Environment.
- Install Git.
For more information, see Installing Git at Setting Up the Development Environment.
- Install Node.js v0.10.* and its package manager, npm, because it is necessary for the installation of Apache Cordova.
For more information, see Node.js.
CAUTION We recommend you install v0.10.25 node version because the latest version, v0.12.0, has incompatibility problems and may produce an error like the following:
“…Request path contains unescaped characters…”CAUTION If you are using a proxy server, you must configure npm. For more information, see Setting Up the Development Environment.
- Install Apache Cordova with the following command.
npm install -g cordova@
CAUTION You have to install the Apache Cordova version according to the description in Installing Apache Cordova with Node.js. You can check the available Apache Cordova version on your Windows OS with the following info command: npm info cordova.
- Restart the command prompt and verify the Apache Cordova installation by entering the following command.
cordova -v
Creating SAP Fiori Client with Apache Cordova
- Modify C:SAPMobileSDK3KapselSDKappsfiori_clientconfig.json file with the following code.{
“packageName”: “com.sap.fiori.client”,
“targetFolder”: “FioriClient”,
“appName”: “FioriClient”,
“platforms”: [“android”],
“crosswalkLocation” : “C:\Crosswalk\crosswalk cordova-10.39.235.15-arm\bin”
}
Note: In the above example I use version 10.39.235.15 of Crosswalk Cordova. If you have installed another version, set the path with your correct bin directory location.
- If necessary, install Crosswalk and plugman.As of SMP SDK 3.0 SP06, the Fiori Client on Android should use Crosswalk to render HTML pages rather than the Android WebView for improved performance. When Crosswalk is used, the platform must be Android only as plugman is used rather than the Cordova command-line interface (CLI) which can build cross-platform projects. For more information about the Crasswalk installation, see Cordova with Crosswalk. You install plugman with the npm install -g plugman command. For more information, see Installing Plugman.
- Create a Cordova project containing Kapsel and Cordova plugins.Go to folder C:SAPMobileSDK3KapselSDKappsfiori_client and run the following commands:
npm install
node create_fiori_client.js
The create_fiori_client.js script creates the project.
- Build and run the project.
- If you are using Crosswalk, you can build and run the project with C:SAPMobileSDK3KapselSDKappsfiori_clientFioriClientcordova
un.bat. - If you are not using Crosswalk, but the standard WebView, copy the files to the platform directory by running cordova -d prepare and use the Android IDE to deploy and run the project.
- If you are using Crosswalk, you can build and run the project with C:SAPMobileSDK3KapselSDKappsfiori_clientFioriClientcordova
Running SAP Fiori Client with Android SAP Authenticator
The Android SAP Authenticator is a mobile application installed on Android mobile devices. This application is used to generate passcodes for one-time password authentication. For more information, see SAP Authenticator Mobile Application.
- Add a plugin to support a custom URL scheme.You need to add a specific plugin to your SAP Fiori Client project in order to handle the sapfioriclient URL scheme. You can use the following Apache Cordova plugin: https://plugins.telerik.com/plugin/custom-url-scheme.You can install the plugin according to the following conditions:
- If Crosswalk is used, you install the plugin by using plugman.plugman install –platform android –project . –plugin https://github.com/Telerik-Verified-Plugins/Custom-URL-scheme –variable URL_SCHEME=sapfioriclient
- If Crosswalk is not used, you install the plugin by using the command-line interface (CLI).cordova plugin add https://github.com/Telerik-Verified-Plugins/Custom-URL-scheme –variable URL_SCHEME=sapfioriclient
As a result, a new folder with the plugin is created, which contains LaunchMyApp.js.
- Add the following new method at the end of the LaunchMyApp.js plugin file.
function handleOpenURL(url) { // wrapping in a little timeout, so it doesn’t interfere with other apps’ setup
setTimeout(function() {
customScheme = “sapfioriclient”;
sap.FioriClient.MobileSSO = url.replace(customScheme + “://”, “https://“);
}, 300);
};
- Update fioriclient.js to use the handled URL.The code to be added is marked in green.
…var goToFioriURL = function(errorCallback) {sap.FioriClient.getFioriURL(function (retrievedFioriURL) {if (!context.smpRegContext){// If sap.FioriClient.context.smpRegContext is null,// don’t allow the user to skip// the logon plugin by changing the URL.// sap.FioriClient.context.smpRegContext will be set//once logon is successful.// Once logon completes and the app navigates to the URL,//sap.FioriClient.context.smpRegContext will// be undefined, so it will pass this test.return;}if (!isUrl(retrievedFioriURL)) {errorCallback();return;}if (!sap.FioriClient.MobileSSO) {setFioriURL(retrievedFioriURL);}// Add extra query string to force page reload.var buster = “smphomebuster=” + Math.random()*10000000000000000;…var getFioriURL = function(callback) {function getFioriURLFromAppPreferencesFailed(error) {sap.Logger.info(error, ‘FIORI_CLIENT’);// The Fiori URL wasn’t found, so use the hardcoded value.doHttpsConversionIfNeeded(context.appConfig.fioriURL, callback);}function getFioriURLFromAppPreferencesSuccess(url) {if (sap.FioriClient.MobileSSO) {url = sap.FioriClient.MobileSSO;}if (url != null) {doHttpsConversionIfNeeded(url, callback);} else {doHttpsConversionIfNeeded(context.appConfig.fioriURL, callback);}}sap.AppPreferences.getPreferenceValue(‘fioriURL’, getFioriURLFromAppPreferencesSuccess, getFioriURLFromAppPreferencesFailed);};…
- Build and run the SAP Fiori Client project on your Android device (emulator).For more information, see step 4 in Creating SAP Fiori Client with Apache Cordova section.
SAP Fiori Client should be ready to handle any mobile SSO requests from SAP Authenticator. That means when a user adds SAP Fiori Client account and application in SAP Authenticator, the user will be able to log on to the SAP Fiori Client through mobile SSO.
More Information
New NetWeaver Information at SAP.com
Very Helpfull