Offer simplicity for your SAP Fiori mobile users without sacrificing the security for your company
>>> NEWS: SAP Authenticator already available for Windows phones
The latest support package (SP06) for SAP Single Sign-On 2.0, released in October, offers several improvements of the mobile single sign-on (SSO) solution:
- Out-of-the-box support for the latest version of the native SAP Fiori Client 1.5.0 (released in October 2015);
- Online account setup – simple and easy onboarding of end user devices with pre-defined corporate settings for mobile SSO;
- Administrative account setup – an administrator is able to pre-configure the SAP Authenticator for one-time password (OTP) and mobile SSO on behalf of the end user; the end user then only confirms this configuration with a passcode sent to him/her via e-mail.
The mobile SSO solution is based on the time-based one-time password (TOTP) algorithm of the open standard RFC 6238. This algorithm computes a one-time password (passcode) from a shared secret key and the current time. The server side of the TOTP implementation is an add-on module for SAP NetWeaver Application Server (AS) for Java and is part of the SAP Single Sign-On 2.0 product. The TOTP server takes care of the setup and disablement of mobile devices on user level and of the administration of the TOTPLoginModule per application. SAP Authenticator is the mobile application for the TOTP client, and it is available for iOS, Android and Windows platforms.
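The RFC 6238 computation described above, as an added example that is not part of the original post or of SAP's product code: it derives the passcode from a shared secret and the current time using the RFC's own test secret, so the values can be checked against Appendix B of RFC 6238. The server-side verifier with a one-step clock-drift window and a replay check is an assumption about what a TOTP server should do, not a description of SAP's TOTPLoginModule.

```python
# Added example (not SAP's code): RFC 6238 TOTP as used by an authenticator app
# and the server that verifies it. Secret and expected values are the RFC 6238
# Appendix B test vectors (SHA-1, 30-second step), truncated to 6 digits.
import hmac
import hashlib
import struct

RFC_TEST_SECRET = b"12345678901234567890"  # ASCII test secret from RFC 6238 Appendix B
TIME_STEP = 30   # seconds per counter step (RFC default)
DIGITS = 6       # passcode length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte selects the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of time steps since the epoch."""
    return hotp(secret, unix_time // step)


class TotpVerifier:
    """Server-side check (assumed policy): accept the current step plus/minus one
    step of clock drift, and never accept a time step that was already consumed,
    so a sniffed passcode cannot be replayed within its validity window."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift_steps = drift_steps
        self.last_accepted_step = -1  # highest step already used for this account

    def verify(self, passcode: str, unix_time: int) -> bool:
        now_step = unix_time // TIME_STEP
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            step = now_step + delta
            if step <= self.last_accepted_step:
                continue  # already consumed or older than a consumed step: treat as replay
            if hmac.compare_digest(hotp(self.secret, step), passcode):  # constant-time compare
                self.last_accepted_step = step
                return True
        return False
```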
The mobile SSO for SAP Fiori requires a SAML 2.0 identity provider configured to accept authentication with time-based one-time passwords (a configuration of the SAP Fiori server as a SAML service provider and also a trust configuration between the identity provider and the service provider). The authentication to the identity provider, using the username and passcode generated by the SAP Authenticator mobile application, triggers an IDP Initiated Single Sign-On mechanism.
In the past, this solution was available only for SAP Fiori via the mobile browser. Now, with the latest version of the SAP Single Sign-On product and the latest version of the native SAP Fiori mobile application, the mobile SSO using SAP Authenticator is also available out-of-the-box (no additional development necessary for SAP Fiori Client):
How Mobile Single Sign-On for SAP Fiori Client Works:
Once the solution is implemented, SAP Fiori users will be able to use SAP Fiori Client on their devices after a single click.
Starting the SAP Fiori Client in one of these two ways triggers the authentication process. The SAP Authenticator generates a new passcode and sends it together with the username to the SAP Fiori Client using the parameters in the pre-configured SAP Fiori Client URL. SAP Fiori Client, on its side, opens the URL and sends an authentication request to the SAP identity provider triggering the IDP-initiated single sign-on. The identity provider checks the credentials provided, and if the check is successful, the identity provider issues a SAML 2.0 assertion for this user and for the respective service provider (SAP Fiori), and SAP Fiori Client is securely opened for the user. See the Figure below:
This implementation requires the SAP Authenticator to be configured with a URL using a specific schema.
See the example:
Also the SAP Fiori Client needs to be configured with a special URL.
See the example:
How Mobile Single Sign-On for SAP Fiori via the Browser Works:
Once the solution is implemented, SAP Fiori users will be able to use SAP Fiori applications on their devices after a single click on a bookmark via SAP Authenticator.
When the user clicks on the SAP Fiori application bookmark, the SAP Authenticator generates a passcode and creates a URL with respective parameters (service provider, RelayState, username and passcode) similar to this example:
SAP Authenticator sends this URL to the browser, and the browser opens the URL, triggering IDP-initiated single sign-on. The identity provider, on its side, checks the credentials provided and, if the check is successful, issues a SAML 2.0 assertion for this user and for the respective service provider (SAP Fiori in our example). In the next step, based on the HTTP-POST binding response, the SAP Fiori application is securely opened on the mobile device of the user.
Online Account Setup:
This new feature, released with SP06 of SAP Single Sign-On 2.0, makes life easier for corporate mobile users and also unifies and synchronizes the mobile SSO configuration on corporate level, bringing more security and simplicity to the SAP Authenticator usage.
The Online Account Setup consists of the following:
- Improved self-service with only two simple steps: (1) scan the QR code (configuration URL) and (2) confirm the setup with a passcode – both are displayed in the self-service UI
Access for end users to this new self-service account setup is managed with a specific authorization UME role, called OTP_ONLINE_USER. Only users who have been granted this role will be able to benefit from the new feature. Users who have only the UME role OTP_USER assigned to their accounts will still be able to activate their devices for OTP and mobile SSO, but no applications will be pre-configured for them from the corporate settings available for mobile SSO enrollment on the server.
- SAP Authenticator configuration in the administrative UI with several options
(1) Configuring mandatory password protection – When the setting is Mandatory, users will not be able to activate their SAP Authenticator application without configuring a password for it.
(2) Configuring the list with corporate applications that have to be pre-configured for mobile SSO on user devices.
(3) Configuring user groups for online setup on application level – when a UME group is configured for an application, this application will be pre-configured during the setup process only for the users who are members of this group. If no group is configured for an application, this application will be pre-configured for every user during the online setup.
(4) Email configuration – Relevant for scenarios in which an administrator performs the enrollment of a mobile device on behalf of a user. During the administrative enrollment, a Confirmation Code is sent via e-mail to the owner of the account (also the owner of the device). At the end of the administrative enrollment, the account status is set to “Not Confirmed”, and the account cannot be used for OTP and mobile SSO. The security protection using such a Confirmation Code ensures segregation of duties: the administrator will not be able to misuse the credentials of the user on his/her behalf. Only the user who is the owner of the account (and the mobile device) and possesses the Confirmation Code (sent to his/her e-mail address) is able to confirm the SAP Authenticator setup. This operation changes the status to “Enabled” and allows the user to proceed using his/her account for OTP or for mobile SSO.
- Administrative Device Setup
This new capability simplifies the mobile SSO enrollment process by allowing an administrator with the proper authorizations to configure the SAP Authenticator for OTP and for mobile SSO on behalf of end users. Once the SAP Authenticator is configured, the only step necessary for the end user is to confirm the configuration with the Confirmation Code sent to his/her e-mail address, as described in the previous section. The UI for administrative account setup is similar to the one for user self-service, the only difference being that no Confirmation Code is displayed, because the Confirmation Code is sent to the end user's e-mail address.
Mobile SSO for SAP Fiori using SAP Single Sign-On product is a simple and secure solution – give it a try and make your company even more competitive on the market!
Mobile Single Sign-On for SAP Fiori – Step-by-Step Guide >>> a new version of the guide available since November