Offer simplicity for your SAP Fiori mobile users without sacrificing the security for your company

>>> NEWS: SAP Authenticator already available for Windows phones

The latest support package (SP06) for SAP Single Sign-On 2.0, released in October, offers several improvements of the mobile single sign-on (SSO) solution:

  • Out-of-the-box support for the latest version of the native SAP Fiori Client 1.5.0 (released in October 2015);
  • Online account setup – simple and easy onboarding of end user devices with pre-defined corporate settings for mobile SSO;
  • Administrative account setup – an administrator is able to pre-configure the SAP Authenticator for one-time password (OTP) and mobile SSO on behalf of the end user; the end user then only confirms this configuration with a passcode sent to him/her via e-mail.

The mobile SSO solution is based on the time-based one-time password (TOTP) algorithm of the open standard RFC 6238. This algorithm computes a one-time password (passcode) from a shared secret key and the current time. The server side of the TOTP implementation is an add-on module for SAP NetWeaver Application Server (AS) for Java and is part of the SAP Single Sign-On 2.0 product. The TOTP server handles the setup and disablement of mobile devices per user, and the administration of the TOTPLoginModule per application. SAP Authenticator is the mobile application that implements the TOTP client; it is available for iOS, Android and Windows.
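To make the passcode generation concrete, here is an added example (not SAP's TOTPLoginModule or SAP Authenticator code) of RFC 6238 TOTP built on RFC 4226 HOTP, together with the server-side checks a verifier needs: the secret never leaves the server, a small clock-drift window is tolerated, and a time step that has already been used is refused. The drift window of one step and the replay rule are assumptions of this example, not documented SAP behaviour; the test secret is the one from RFC 6238 Appendix B.

```python
import hashlib
import hmac
import struct

# Added example: RFC 6238 TOTP on top of RFC 4226 HOTP, plus the server-side
# checks a passcode verifier needs. Not SAP's implementation; the drift window
# and replay handling below are design choices assumed for illustration.


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = digest[-1] & 0x0F
    binary = ((digest[offset] & 0x7F) << 24
              | digest[offset + 1] << 16
              | digest[offset + 2] << 8
              | digest[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238: the HOTP counter is the number of time steps since the Unix epoch."""
    return hotp(secret, unix_time // step, digits, algorithm)


class TotpVerifier:
    """Server side of the scheme: the shared secret stays on the server, the
    passcode is accepted for the current step plus/minus a drift window, and a
    time step that has already been accepted is refused (replay protection)."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_accepted_step = -1

    def verify(self, candidate: str, unix_time: int) -> bool:
        current = unix_time // self.step
        matched = None
        # Check every step in the window without an early exit, comparing in
        # constant time, so the response time does not reveal which step matched.
        for offset in range(-self.window, self.window + 1):
            step = current + offset
            expected = hotp(self.secret, step, self.digits).encode()
            if hmac.compare_digest(expected, candidate.encode()):
                matched = step
        if matched is None or matched <= self.last_accepted_step:
            return False
        self.last_accepted_step = matched
        return True


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), 8 digits.
    secret = b"12345678901234567890"
    print(totp(secret, 59, digits=8))          # 94287082
    print(totp(secret, 1111111109, digits=8))  # 07081804
```

The verifier keeps the highest time step it has accepted, so a passcode captured in transit cannot be replayed during the rest of its validity window, which is the main gap a plain TOTP comparison leaves open.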

The mobile SSO for SAP Fiori requires a SAML 2.0 identity provider configured to accept authentication with time-based one-time passwords, a configuration of the SAP Fiori server as a SAML service provider, and a trust configuration between the identity provider and the service provider. Authentication to the identity provider with the username and the passcode generated by the SAP Authenticator mobile application triggers an IdP-initiated single sign-on.

In the past, this solution was available only for SAP Fiori via the mobile browser. Now, with the latest version of the SAP Single Sign-On product and the latest version of the native SAP Fiori mobile application, the mobile SSO using SAP Authenticator is also available out-of-the-box (no additional development necessary for SAP Fiori Client):


How Mobile Single Sign-On for SAP Fiori Client Works:

Once the solution is implemented, SAP Fiori users will be able to use SAP Fiori Client on their devices after a single click.

A01.png

Starting the SAP Fiori Client in either of these two ways triggers the authentication process. The SAP Authenticator generates a new passcode and sends it, together with the username, to the SAP Fiori Client using the parameters in the pre-configured SAP Fiori Client URL. SAP Fiori Client, on its side, opens the URL and sends an authentication request to the SAP identity provider, triggering the IdP-initiated single sign-on. The identity provider checks the credentials provided, and if the check is successful, it issues a SAML 2.0 assertion for this user and for the respective service provider (SAP Fiori), and SAP Fiori Client is securely opened for the user. See the figure below:

MobileSSO_Fiori_Client.png


This implementation requires the SAP Authenticator to be configured with a URL using a specific schema.

See the example:

com.sap.fiori.client.xcallbackurl://x-callback-url/setCredential?x-source=com.sap.authenticator&username_paramname=j_username&username_paramvalue=[username]&passcode_paramname=j_passcode&passcode_paramvalue=[passcode]


The SAP Fiori Client also needs to be configured with a special URL.

See the example:

https://<SAPFioriHost>/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html?sap-client=001&saml2idp=<samlIdPname>&idplogonurl=https%253A%252F%252F<samlIdPHost>%252Fsaml2%252Fidp%252Fsso%252F<samlIdPname>%253Fsaml2sp%253D<samlSPname>

How Mobile Single Sign-On for SAP Fiori via the Browser Works:

Once the solution is implemented, SAP Fiori users will be able to use SAP Fiori applications on their devices after a single click on a bookmark via SAP Authenticator.

MobileSSO_Fiori_Browser.png

When the user clicks on the SAP Fiori application bookmark, the SAP Authenticator generates a passcode and creates a URL with respective parameters (service provider, RelayState, username and passcode) similar to this example:

https://idp_host/saml2/idp/sso?saml2sp=fiori_sp&RelayState=fiori&j_username=[username]&j_passcode=[passcode]

SAP Authenticator sends this URL to the browser and the browser opens it, triggering the IdP-initiated single sign-on. The identity provider, on its side, checks the credentials provided and, if the check is successful, issues a SAML 2.0 assertion for this user and for the respective service provider (SAP Fiori in our example). In the next step, based on the HTTP-POST binding response, the SAP Fiori application is securely opened on the user's mobile device.
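The three URLs above (the x-callback-url for SAP Authenticator, the SAP Fiori Client launch URL with its double-encoded idplogonurl, and the browser bookmark) fit together as a parameter flow. The following added example models that flow in Python; it is not SAP Authenticator or SAP Fiori Client code, and the hostnames idp.example.com and fiori.example.com, the identity provider name corp_idp and the function names are constructed for the example. It shows how the placeholders are substituted with percent-encoded values, how the IdP logon URL is recovered from the launch URL, and what the identity provider finally receives.

```python
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit

# Added example modelling the parameter flow described in the post; it is not
# SAP Authenticator or SAP Fiori Client code. Hostnames, the IdP name "corp_idp"
# and the SP name "fiori_sp" are constructed sample values.


def build_browser_sso_url(template: str, username: str, passcode: str) -> str:
    """Browser scenario: fill the [username]/[passcode] placeholders of the
    bookmark URL, percent-encoding the values so that characters such as '@'
    or '&' in a username cannot alter the query structure."""
    return (template.replace("[username]", quote(username, safe=""))
                    .replace("[passcode]", quote(passcode, safe="")))


def build_fiori_client_sso_url(fiori_client_url: str, callback_url: str,
                               username: str, passcode: str) -> str:
    """Fiori Client scenario: take the IdP logon URL out of the Fiori Client
    launch URL and append the credentials under the parameter names that the
    x-callback-url declares."""
    # idplogonurl is percent-encoded twice: once as a query value of the launch
    # URL and once more because it carries a query string of its own.
    launch_query = parse_qs(urlsplit(fiori_client_url).query)
    idp_logon_url = unquote(launch_query["idplogonurl"][0])

    # username_paramname/passcode_paramname name the IdP's form fields; the
    # *_paramvalue entries hold the placeholders that SAP Authenticator fills in.
    cb = parse_qs(urlsplit(callback_url).query)
    credentials = {
        cb["username_paramname"][0]:
            cb["username_paramvalue"][0].replace("[username]", username),
        cb["passcode_paramname"][0]:
            cb["passcode_paramvalue"][0].replace("[passcode]", passcode),
    }
    separator = "&" if "?" in idp_logon_url else "?"
    return idp_logon_url + separator + urlencode(credentials)


def logon_request_params(url: str) -> dict:
    """What the identity provider sees: one decoded value per query parameter."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


# Constructed sample configuration, following the URL shapes shown in the post.
BROWSER_BOOKMARK = ("https://idp.example.com/saml2/idp/sso?saml2sp=fiori_sp"
                    "&RelayState=fiori&j_username=[username]&j_passcode=[passcode]")
FIORI_CLIENT_URL = ("https://fiori.example.com/sap/bc/ui5_ui5/ui2/ushell/shells/abap/"
                    "FioriLaunchpad.html?sap-client=001&saml2idp=corp_idp"
                    "&idplogonurl=https%253A%252F%252Fidp.example.com%252Fsaml2%252Fidp"
                    "%252Fsso%252Fcorp_idp%253Fsaml2sp%253Dfiori_sp")
CALLBACK_URL = ("com.sap.fiori.client.xcallbackurl://x-callback-url/setCredential"
                "?x-source=com.sap.authenticator&username_paramname=j_username"
                "&username_paramvalue=[username]&passcode_paramname=j_passcode"
                "&passcode_paramvalue=[passcode]")

if __name__ == "__main__":
    print(build_browser_sso_url(BROWSER_BOOKMARK, "j.doe@example.com", "123456"))
    print(build_fiori_client_sso_url(FIORI_CLIENT_URL, CALLBACK_URL, "jdoe", "123456"))
```

Because the username and passcode travel as query parameters, they can end up in browser history and in web-server or proxy access logs; what makes this tolerable is that the passcode is one-time and valid only for its time step, so a logged value is of no further use. The identity provider should still mask j_passcode in its own logs and only honour saml2sp values that name a configured trusted service provider.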


Online Account Setup:


This new feature, released with SP06 of SAP Single Sign-On 2.0, makes life easier for corporate mobile users and also unifies and synchronizes the mobile SSO configuration at corporate level, bringing more security and simplicity to the use of SAP Authenticator.

The Online Account Setup consists of the following:

  • Improved self-service with only two simple steps: (1) scan the QR code (configuration URL) and (2) confirm using a passcode – both are displayed in the self-service UI

Blog1.png

The access for end users to this new self-service account setup is managed with a specific authorization UME role, called OTP_ONLINE_USER. Only users who have been granted access with this role will be able to benefit from this new feature. Users who have only the UME role OTP_USER assigned to their accounts will still be able to activate their devices for OTP and mobile SSO, but no applications will be pre-configured for them out of the corporate settings available for mobile SSO enrollment on the server.

  • SAP Authenticator configuration in the administrative UI with several options

(1) Configuring mandatory password protection – when the setting is Mandatory, users cannot activate their SAP Authenticator application without configuring a password for it.

(2) Configuring the list of corporate applications that are to be pre-configured for mobile SSO on user devices.

(3) Configuring user groups for online setup at application level – when a UME group is configured for an application, this application will be pre-configured during the setup process only for the users who are members of this group. If no group is configured for an application, this application will be pre-configured for every user during the online setup.

(4) E-mail configuration – relevant for scenarios in which an administrator performs the enrollment of a mobile device on behalf of a user. During the administrative enrollment, a Confirmation Code is sent via e-mail to the owner of the account (who is also the owner of the device). At the end of the administrative enrollment, the account status is set to “Not Confirmed”, and the account cannot be used for OTP or mobile SSO. The protection provided by this Confirmation Code ensures segregation of duties: the administrator is not able to misuse the user's credentials on his/her behalf. Only the user who owns the account (and the mobile device) and possesses the Confirmation Code (sent to his/her e-mail address) is able to confirm the SAP Authenticator setup. This operation changes the status to “Enabled” and allows the user to proceed using his/her account for OTP or for mobile SSO.

Blog3.png

  • Administrative Device Setup

This new capability simplifies the mobile SSO enrollment process by allowing an administrator with the proper authorizations to configure the SAP Authenticator for the end users for OTP and for mobile SSO. Once the SAP Authenticator is configured, the only step necessary for the end user is to confirm the configuration with the Confirmation Code sent to his/her e-mail address, as described in the previous section. The UI for administrative account setup is similar to the one for user self-service, with the only difference that no Confirmation Code is displayed, because the Confirmation Code is sent to the end user's e-mail address.
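The Confirmation Code flow of the two previous sections (administrator enrolls, the account stays “Not Confirmed”, the user confirms with the code from the e-mail and the status becomes “Enabled”) can be modelled as a small state machine. The following added example is such a model written for this page; it is not SAP code. The status names are the ones the post uses; the code length of 8 digits, the 24-hour lifetime and the limit of 5 failed attempts are assumptions chosen for the example, as is storing only a salted hash of the code so that neither the administrator nor anyone reading the account store can learn it.

```python
import hashlib
import hmac
import secrets

# Added example: a model of the Confirmation Code flow described in the post.
# Status names come from the post; the code length, lifetime and attempt limit
# are assumptions for this example, not SAP defaults.
NOT_CONFIRMED = "Not Confirmed"
ENABLED = "Enabled"
CODE_DIGITS = 8
CODE_TTL_SECONDS = 24 * 3600
MAX_ATTEMPTS = 5


class OtpAccount:
    def __init__(self, user_id: str, email: str):
        self.user_id = user_id
        self.email = email
        self.status = NOT_CONFIRMED
        self.code_salt = None
        self.code_hash = None
        self.issued_at = None
        self.failed_attempts = 0


def _hash_code(salt: bytes, code: str) -> bytes:
    return hashlib.sha256(salt + code.encode()).digest()


def _invalidate(account: OtpAccount) -> None:
    account.code_hash = None
    account.code_salt = None


def admin_enroll(account: OtpAccount, issued_at: int) -> str:
    """Administrative setup: generate a fresh Confirmation Code, store only its
    salted hash and leave the account 'Not Confirmed'. The returned code exists
    for the mail system only; the admin UI must not display it, which is what
    keeps the administrator from completing the enrollment alone."""
    code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
    account.code_salt = secrets.token_bytes(16)
    account.code_hash = _hash_code(account.code_salt, code)
    account.issued_at = issued_at
    account.failed_attempts = 0
    account.status = NOT_CONFIRMED
    return code


def confirm(account: OtpAccount, code: str, now: int) -> bool:
    """User confirmation: succeeds only for a 'Not Confirmed' account with an
    unexpired code, within the attempt limit; the code is single-use."""
    if account.status != NOT_CONFIRMED or account.code_hash is None:
        return False
    if now - account.issued_at > CODE_TTL_SECONDS or account.failed_attempts >= MAX_ATTEMPTS:
        _invalidate(account)
        return False
    if hmac.compare_digest(_hash_code(account.code_salt, code), account.code_hash):
        account.status = ENABLED
        _invalidate(account)
        return True
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_ATTEMPTS:
        _invalidate(account)  # too many guesses: a new enrollment is required
    return False


def usable_for_otp(account: OtpAccount) -> bool:
    """Only an 'Enabled' account may authenticate with OTP or mobile SSO."""
    return account.status == ENABLED


if __name__ == "__main__":
    acct = OtpAccount("jdoe", "jdoe@example.com")  # constructed sample user
    mailed_code = admin_enroll(acct, issued_at=1_000_000)
    print(acct.status, usable_for_otp(acct))            # Not Confirmed False
    print(confirm(acct, mailed_code, now=1_000_600))     # True
    print(acct.status, usable_for_otp(acct))            # Enabled True
```

An account that is locked by too many wrong guesses or whose code has expired stays “Not Confirmed” with no valid code, so the administrator has to run the enrollment again and the user receives a new e-mail; that keeps a guessed or stale code from ever enabling the device.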


Mobile SSO for SAP Fiori using SAP Single Sign-On product is a simple and secure solution – give it a try and make your company even more competitive on the market!

See also:

Mobile Single Sign-On for SAP Fiori – Step-by-Step Guide >>> a new version of the guide available since November

Simple and Secure Mobile Single Sign-On with SAP Authenticator.


48 Comments


  1. Amer Zahid

    great blog!! … just one question..

    to try the SAP Authenticator for SSO with Fiori, I am installing the AS Java server. which UME data source should I select while installing the AS Java server? Use Java Database or Use External ABAP system?

    thanx!

    (0) 
    1. Donka Dimitrova Post author

      Hello Amer,

      You can select any one of these two. It will depend on the use case you have at your company. The solution is actually using the AS Java UME, but you can configure the UME to use an AS ABAP as Data Source or for example an LDAP Directory as Data Source.

      Best regards,

      Donka Dimitrova

      (0) 
      1. Amer Zahid

        hi donka,

        thank you for your response. I am in the process of following the guide to set up SSO. I noticed in the guide that after enabling the SAML 2.0 support, the screenshot shows “Identity Provider Settings” tab:

        Guide_screenshot.jpg

        I am not getting the “Identity Provider Settings” tab, as per the screenshot below.

        My_Server_screenshot.jpg

        to begin with, I also did not get the “Operational Mode” field in the initial settings tab. my server is NW 7.4 SR2 AS Java and I have also deployed the SSOAUTHLIB04_0.sca via SUM.

        please help!!

        kind regards,

        Amer.

        (0) 
        1. Donka Dimitrova Post author

          Hello Amer,

          Please, make sure that you select Operational Mode “Identity Provider” on the “Initial Settings” (first step) after enabling the SAML 2.0 support.

          This is described on page 3 of the step-by-step guide (step 3 of the “SAML 2.0 Identity Provider Setup” chapter).

          Best regards,

          Donka Dimitrova

          (0) 
          1. Amer Zahid

            hi donka,

            when I click on “Enable SAML 2.0 Support”, I don’t get any field to select this option! please see screenshot below.

            SAML2.0.jpg

            please advise.

            kind regards,

            Amer.

            (0) 
            1. Donka Dimitrova Post author

              Hello Amer,

              It seems you have no Identity Provider for your SAP NetWeaver Application Server (AS) Java. In order to add a SAML 2.0 Identity Provider you have to follow the documentation:

              Downloading and Installing the Federation Software – Identity Provider for SAP Single Sign-On

              Please, notice that the SAML 2.0 Identity Provider from SAP is part of the SAP Single Sign-On product and requires a license for this product.

              Best Regards,

              Donka Dimitrova

              (0) 
              1. Amer Zahid

                Hi Donka,

                Thank you! This was the missing link! I am now getting the tab for “Identity Provider”.

                Proceeding further… For point 3 (Add trusted service provider), the prerequisite is that a local provider must be created and enabled on the ABAP system. Reference to this, should I just follow the guide or this is a step which is not mentioned in the guide and which has to be done separately?

                Greatly appreciate your advice.

                Kind regards,

                Amer.

                (0) 
                1. Donka Dimitrova Post author

                  Hello Amer,

                  In this step-by-step guide we assume that you already have a SAML 2.0 Service Provider (SP) created and enabled on the SAP ABAP system.

                  Step 3 in this guide explains how to add this SP as a Trusted SP for the SAML Identity Provider on AS JAVA.

                  If you are missing the setup of the SAML 2.0 SP on the AS ABAP side, you have first to create and enable it. If you need a guide on how to do this, you can use the one mentioned in the “Prerequisite part” of chapter 3:

                  USING SAML 2.0 AUTHENTICATION TO ACCESS FIORI APPS FROM THE PUBLIC INTERNET

                  Once you are ready with the setup of the SAML SP on the AS ABAP, you can proceed with the steps from chapter 3.

                  Best regards,

                  Donka Dimitrova

                  (0) 
  2. Syed Mohammed

    Awesome blog!!

    Currently i am facing one issue,

    Whenever i click on fiori app in sap authenticator its asking credentials for both java and Abap gateway?

    I am maintaining url like this in authenticator:

    http://idp host:50300/saml2/idp/sso?saml2sp=GW_ABAP&RelayState=fiori&j_username=[*****]&j_passcode=[*****]

    I tried maintaining both java credential as well as abap gateway but nothing works.

    Regards

    Syed

    (0) 
    1. Donka Dimitrova Post author

      Hello Syed,

      If you look at the guide here Mobile Single Sign-On for SAP Fiori – Step-by-Step Guide

      on step 68 (page 20) you will find that the URL to the application has to be with this format:

      https://<idp_host>/saml2/idp/sso?saml2sp=fiori_sp&RelayState=fiori&j_username=%5Busername%5D&j_passcode=%5Bpasscode]

      where the username and the passcode are defined as parameters.

      If you are using stars it will not work. The SAP Authenticator generates the actual URL with replacing these parameters with the current userID and the passcode generated for the request.

      Please, try to follow the rules for the URL and check if it will be working properly for you.

      Best regards,

      Donka Dimitrova

      (0) 
    1. Donka Dimitrova Post author

      Hello Jonathan,

      The Mobile SSO solution we offer at the moment is not yet available for native mobile applications (also Fiori Client). It is working only for Fiori via the web browser.

      Regards,

      Donka Dimitrova

      (0) 
    2. Dimitar Mihaylov

      Hi Jonathan,

      Mobile SSO now works out-of-box with SAP Fiori Client 1.5.0 and SAP Authenticator 1.2.0. We will update the blogs accordingly in the next days.

      Best regards,

      Dimitar Mihaylov

      (0) 
    1. Donka Dimitrova Post author

      Hello Dmitry,

      At the moment it is possible to implement SSO for SAP Fiori Client with X.509 client certificates. Please, find the links to the documentation on this topic:

      X.509 Certificate Authentication – Administrator – SAP Library

      Single Sign-On – Administrator – SAP Library

      I hope this will help. If you have further questions on how to setup the SAP Mobile Platform for these types of SSO you can post your questions in the SAP Fiori space or directly in the Mobile community: SAP for Mobile

      We are running at the moment a research project on integrating SAP Authenticator with SAP Fiori Client but I am not able to provide more details on this project.

      Best regards,

      Donka Dimitrova

      (0) 
      1. Dmitry Savinskiy

        Hello Donka,

        thanks a lot for your feedback.

        Actually we don’t use SMP middleware in our system environment and we don’t want to implement one.

        We connect our mobile devices (iPad, iOS 8) directly to SAP NetWeaver Gateway.

        We have implemented SSL certificate in mobile profile and able to get data via SAP Fiori Client.

        The problem is that the authentication screen is displayed very often and the user has to enter user credentials in it every time (when changing apps, on session timeout, etc.).

        Do you know any solution to avoid it by standard SAP Fiori Client (from AppleStore, PlayStore)? Is it possible to implement SSO with Active Directory for SAP Fiori Client? (without SAP Mobile Platform)

        Regards

        Dmitry

        (0) 
        1. Dimitar Mihaylov

          Hi Dmitry,

          For iOS you can configure SSO using Kerberos which should work also with SAP Fiori Client. For details see the following blog: Mobile Single Sign On from iOS 7 to SAP NetWeaver. The limitations are that the user will be asked for his Windows password every 10 hours which is the validity of the Kerberos ticket, as well in order to obtain a Kerberos ticket you need a VPN connection from the iOS device to the corporate network. Because of these limitations we do not consider this as a real single sign-on solution but for your particular case it might be sufficient.

          With our next release of SAP SSO, which should be available in the next weeks, we will enhance the Mobile SSO scenario so that it is based on two-factor authentication which is a strong requirement that we see from many customers. Other important features in the new release are those for risk-based authentication and authorization which can help customers implement very sophisticated policies who can access a certain system, under what conditions, with what authentication mechanism, from what device, with limited or with full access permissions, etc. Soon in a new blog we will provide more details on the topics.

          We are also intensively discussing with our Fiori colleagues an integration between SAP Authenticator and SAP Fiori Client and hopefully we will have some positive results soon.

          Best regards,

          Dimitar Mihaylov

          (0) 
            1. Dimitar Mihaylov

              Hello Dmitry,

              The SAP Fiori Client can be customized as described here – http://scn.sap.com/docs/DOC-56080. As a first step we plan to provide instructions and sample code how customers can modify the app in order to integrate it with SAP Authenticator. Let me know if such approach would be acceptable for your scenario and if you would be interested to receive an early version of the instructions and the sample code.

              Best regards,

              Dimitar Mihaylov

              (0) 
            2. Dimitar Mihaylov

              Hello Dmitry,

              Mobile SSO now works out-of-box with SAP Fiori Client 1.5.0 and SAP Authenticator 1.2.0. We will update the blogs accordingly in the next days.

              Best regards,

              Dimitar Mihaylov

              (0) 
  3. Vishnu Pankajakshan Panicker

    Hi Donka,

    First of all the Blog was awesome…great job..:)

    Do you have any document link for FIORI SSO using an AD server?

    Users will enter their corporate network username and password to log in.

    Please help me or guide me.

    Regards,

    Vishnu

    (0) 
    1. Donka Dimitrova Post author

      Hello Vishnu,


      Please, find the link to Fiori documentation, that describes how to implement Kerberos authentication for Fiori: Kerberos/SPNego – Setup of Fiori System Landscape – SAP Library


      Here you will be able to find info about the other SSO technologies supported for Fiori:

      Best Regards,

      Donka Dimitrova

      (0) 
      1. Vishnu Pankajakshan Panicker

        Hi Donka,

        If, in the current landscape, SSO is established with Active Directory using SSO 2.0, then I hope I just need to do the ONE-TIME PASSWORD AUTHENTICATION SETUP FOR SAML2.0 IDENTITY PROVIDER, followed by my SAP Authenticator configuration.

        Correct me if i am wrong.??

        Regards,

        Vishnu

        (0) 
      2. Pradeep Bompally

        Hi Donka,


        These links are not working. Can you re-post the links, please? I am trying to configure SSO using Kerberos for the S/4 Fiori Launchpad/apps. If the user logs in to the laptop using AD credentials and opens the S/4 URL in the browser, it should give access to the system without login. If this is not possible by Kerberos, can I use the same setup (Mobile SSO setup using SAML) for the internal network (not public)?


        Thanks,

        Pradeep

        (0) 
  4. Uday Bhoomagoud

    Most mobile devices seem to have a biometric reader these days (at least the iPhone does). Is there a way to configure the FIORI app/SAP Authenticator to make use of one’s fingerprint to authenticate him? That really solves some serious security concerns!!

    Is this something under consideration?

    (0) 
  5. R. de Jong

    Hi Donka,

    I was wondering if this scenario would also work if the Service Provider was SMP.

    Since in our landscape we have SMP in front of the Netweaver Gateway.

    Best regards,

    Rob

    (0) 
    1. Dimitar Mihaylov

      Hi Rob,

      It should work by using SAP MYSAPSSO2 cookies: http://help.sap.com/saphelp_smp303svr/helpdata/en/7c/2fae81700610148918ca83e4d9b8f8/content.htm

      The SAP SSO system can authenticate the user based on the OTP credentials and issue a MYSAPSSO2 cookie instead of SAML2 assertion.

      However we do not recommend to use MYSAPSSO2 cookies for external access scenarios. We are currently working on an integration with reverse proxies to enable network-edge authentication and SSO:

      http://help.sap.com/saphelp_smp304svr/helpdata/en/7c/2fb7eb700610149d7b94cf68f2fc1e/content.htm

      We can have a meeting to discuss what’s currently possible and what’s planned for the next release.

      Regards,

      Dimitar

      (0) 
      1. R. de Jong

        Hello Dimitar,

        in the scenario we are currently trying to set up we were aiming for SAML at SMP and then SAPSSO2 towards the gateway.

        We use SAML also because we need to map the users towards their SAP-id’s.

        For us network-edge authentication is also a requirement, which we address by mutual authentication by our reverse proxy (which is in front of SMP).

        We are very much interested in setting up a meeting to discuss this further.

        Regards,

        Rob

        (0) 
        1. Dimitar Mihaylov

          Hello Rob,

          What kind of client do you use – regular browser, standard SAP Fiori Client, customized SAP Fiori Client, or custom built mobile app based on SMP SDK?

          In order to setup a call please send me an email at <firstname>.<lastname><AT>sap.com.

          Regards,

          Dimitar Mihaylov

          (0) 
  6. John Molina

    Hi Donka,

    We followed the step-by-step guide and your step 38 points us to the following error message:

    error sap SSO.PNG

    Please can you tell us where we made a mistake?

    Thank you

    Best regard

    (0) 
    1. Dimitar Mihaylov

      Hi John,

      The metadata file is signed and in order to import this you would need to provide the signing certificate. The alternative would be to export the metadata unsigned or remove the signature from the current one, i.e. <Signature>…</Signature>.

      Regards,

      Dimitar

      (0) 
  7. Con Pirzas

    Hi Donka & Dimitar,

    As SAP Authenticator is now available for mobile single sign-on, why would you still use SAP Fiori Client for mobile single sign-on?

    regards,

    Con.

    (0) 
    1. Donka Dimitrova Post author

      Hello Con,

      SAP Authenticator is the mobile client that is used for the Mobile SSO solution for browser based applications on the mobile devices and also for SAP Fiori Client.

      The solution itself allows the user to use it starting from SAP Authenticator, by selecting the proper trusted business application, or starting from the business application itself (particularly SAP Fiori Client).

      It is not the SAP Fiori Client used for the solution. The solution itself is supporting SAP Fiori on the mobile device, including also the support of the native mobile application SAP Fiori Client.

      Regards,

      Donka Dimitrova

      (0) 
  8. Con Pirzas

    Hi Donka,

    Thank you for your response.

    Are you please able to provide some benefits to why you would use SAP Fiori Client on a mobile device to access Fiori Applications, when you could just use the mobile device browser to access Fiori Launchpad via a URL?

    regards,

    Con.

    (0) 
  9. Ilke Tutku Senol

    Hello Donka,

    Thank you for the article. I want to ask a question.

    We need to install and configure “SAP Authenticator” on the mobile device, and we can open the Fiori HTTP link from that app. But how can we use SSO for the Fiori web links that are sent via e-mail (for example Fiori approvals)?

    Regards

    Tutku

    (0) 