MAF Onboarding Scenarios

The MAF logon manager supports multiple onboarding scenarios, based on the most common infrastructure setups supported by enterprise mobile applications.

For example, an enterprise might have SAP Mobile Platform installed and use reverse proxy to route Internet requests to intranet-hosted Gateway systems. An alternate scenario also uses SAP Mobile Platform, but does not use reverse proxy, and only allows intranet access to the Gateway.

Note: You can test HTTPS connections only by using actual iOS devices. Additionally, the root CA certificate and all intermediate CA certificates that are used to sign the SAP Mobile Platform or reverse proxy certificates must be installed on the device. The iOS simulator does not contain the full implementation of the iOS Security Framework, and the server’s SSL certificate cannot be validated by the iOS CFNetwork Framework.

Direct SAP Mobile Platform

The direct SAP Mobile Platform  landscape contains an SAP NetWeaver Gateway (subsequently referred to as Gateway) server. SAP Mobile Platform server is installed and configured to connect to the Gateway server. Connections are accepted only from the company intranet.


Direct SAP Mobile Platform
This table shows the information that users must provide, in the MAF logon UI, to use this type of connection. The parameter values depend on the configuration the administrators set.
Parameter Name Example Value
Server Host <SMP_HOST_NAME>
User Name <USERNAME>
Password <PASSWORD>
Server Port <SMP_SERVER_HTTP(S)_PORT>
Secured Connection ON - DEFAULT
Security Configuration EMPTY  - DEFAULT <SMP_SECURITY_CONFIG_NAME>
By default, the secured connection (HTTPS) is ON, so also by default, the connection type is HTTPS.

Cloud-Based SAP Mobile Platform

The cloud-based SAP Mobile Platform landscape is similar to the direct SAP Mobile Platform scenario; however, the SAP Mobile Platform server is installed in the cloud.


Cloud-Based SAP Mobile Platform
This table shows the information that users must provide, in the MAF logon UI, to use this type of connection. The parameter values depend on the configuration the administrators set.
Parameter Name Example Value
Server Host < SMP_SERVER_HOST_NAME>
User Name <USERNAME>
Password <PASSWORD>
Server Port < SMP_SERVER_HTTPS_PORT>
Secured Connection ON - DEFAULT
Security Configuration EMPTY  - DEFAULT <SMP_SERVER_SECURITY_CONFIG_NAME>
By default, the secured connection (HTTPS) is ON, so also by default, the connection type is HTTPS.

SAP Mobile Platform with Third-Party Proxy

The SAP Mobile Platform with third party proxy landscape is similar to the direct SAP Mobile Platform scenario, but you can access the SAP Mobile Platform server from both the Internet and intranet. The reverse proxy enables the mobile device to access the landscape from the Internet.


SAP Mobile Platform with Third-Party Proxy
This table shows the information that users must provide, in the MAF logon UI, to use this type of connection. The parameter values depend on the configuration the administrators set.
Parameter Name Example Value
Server Host <PROXY_HOST_NAME>
User Name <USERNAME>
Password <PASSWORD>
Server Port <PROXY_HTTP(S)_PORT>
Secured Connection ON
Security Configuration EMPTY  - DEFAULT <SMP_SERVER_SECURITY_CONFIG_NAME>
By default, the secured connection (HTTPS) is ON, and is set to port 443. When the secured connection is OFF, the default port used is 80.

Direct Gateway

The direct Gateway landscape contains only the Gateway system, and restricts access to the intranet. The mobile device must connect to the intranet via internal Wi-Fi or through VPN.


Direct Gateway
This table shows the information that users must provide, in the MAF logon UI, to use this type of connection. The parameter values depend on the configuration the administrators set.
Parameter Name Example Value
Server Host <GATEWAY_HOST_NAME>
User Name <GATEWAY_ USERNAME>
Password <GATEWAY_ PASSWORD>
Path <PATH_TO_GATEWAY_CONTENT>
Server Port <GATEWAY_HTTP(S)_PORT_NUMBER>
Secured Connection ON - DEFAULT
The default value of the path is the ping URL of the Gateway server (https://gwhost:gwport/sap/bc/ping). You can customize the path by modifying the MAFLogonManagerNG.bundle/MAFLogonOperationsDefaultValues.plist default value of keyMAFLogonOperationContextResourcePath. If you modify this file in the application’s IPA file, you must resign the file with a valid signing key before you can distribute it.

Gateway with Third-Party Proxy

The Gateway with third-party proxy landscape contains a Gateway server that resides inside the company intranet, and a third-party reverse proxy that enables the mobile device to access the Gateway from the Internet.


Gateway with Third-Party Proxy
This table shows the information that users must provide, in the MAF logon UI, to use this type of connection. The parameter values depend on the configuration the administrators set.
Parameter Name Example Value
Server Host <GATEWAY_HOST_NAME>
User Name <GATEWAY_ USERNAME>
Password <GATEWAY_ PASSWORD>
Server Port <GATEWAY_HTTPS_PORT_NUMBER>
Secured Connection ON - DEFAULT
The default value of the path is the ping URL of the Gateway server (https://gwhost:gwport/sap/bc/ping). You can customize the path by modifying the MAFLogonManagerNG.bundle/MAFLogonOperationsDefaultValues.plist default value of keyMAFLogonOperationContextResourcePath. If you modify this file in the application’s IPA file, you must resign the file with a valid signing key before you can distribute it.

Other Configuration Prerequisites for Onboarding Scenarios

You must properly configure the Gateway system so the MAF logon UI component can detect the direct Gateway setup.

All requests in all onboarding scenarios go through the default sap-client (client 100). To change that, adjust your ICF configuration for the server (SICF transaction in Gateway System). See http://help.sap.com/saphelp_nw73ehp1/helpdata/en/48/cae5cc356c3254e10000000a42189b/frameset.htm.

Parent topic: Logon Configuration Options