A Single Sign-On (SSO) implementation brings simplicity for your end-users and more security for your company. There are other benefits of an SSO implementation as well, such as cost savings from a reduced number of password-related IT tickets, but the most important goal is always to make your corporate environment more secure and to simplify the processes for the end-users.

With the latest support package (SP04) for SAP Single Sign-On 2.0, released on Nov. 03, 2014, you can extend your SSO solution even further and offer your end-users “Mobile Single Sign-On” – a straightforward authentication mechanism for favorite applications and trusted websites on their mobile devices.


The benefits for your employees and your company:

Your mobile users will have only one password to remember, less typing of complicated user IDs and passwords, and more time for actual work!

Your company will have stronger security and more simplicity for all business processes enabled for mobile access!

How is it possible to be so easy and still so secure?

The Mobile SSO solution we offer is based on the Time-based One-Time Password (TOTP) algorithm defined in the open standard RFC 6238. The algorithm computes a one-time passcode from a shared secret key and the current time. The secret key is generated by the server and transferred to the mobile device only once, during the device registration process. Device registration is possible only within the corporate network, in order to minimize the risk. The secret key is stored encrypted on the mobile device.

SAP Authenticator offers password protection. The password is defined during installation of the application; it is used only for encrypting and decrypting the secret key, and it is not stored on the device. The password offers an additional level of security that is not available in other, similar OTP generator applications on the market.

A Mobile SSO implementation with TOTP is easier to set up and support than, for example, a Mobile SSO implementation based on client certificates, where a Public Key Infrastructure is necessary. Mobile SSO with TOTP can also be enabled easily for scenarios that allow a “Bring Your Own Device” (BYOD) policy, where the transfer and storage of client certificates is difficult or impossible.

How to enable Mobile SSO:

Enabling Mobile SSO requires implementing One-Time Password Authentication on the company side: installing the SSO AUTHENTICATION LIBRARY 2.0 and configuring the relevant policy, with the TOTPLoginModule enabled for the respective system. See the Implementation Guide for more details.

Once Mobile SSO is enabled for the company, end-users can activate their device(s) for Mobile SSO in two simple steps: first, they install SAP Authenticator on their device (available for iOS, Android and Windows platforms), selecting “Advanced mode”; then they activate SAP Authenticator for their corporate user ID. Once the device is activated, users can add their favorite applications and trusted websites as bookmarks in SAP Authenticator and start using them easily and securely with a single click on the respective bookmark.

To simplify the bookmark setup, corporate administrators can generate QR codes for all Mobile SSO-activated web applications and provide these QR codes to interested end-users.

Going back to the security topic, let’s see what happens behind the scenes once the user clicks on a bookmark:

We assume that the user already started the SAP Authenticator application earlier the same day and now wants to start using one of the bookmarked web applications, for example SAP Mobile Portal.

[Figure: MobileSSO_Portal.png]

When the user clicks on the Mobile Portal bookmark, SAP Authenticator generates a new passcode and creates a URL (for example https://portal_host/irj/portal?j_username=[username]&j_passcode=[passcode]) that carries the user name and the passcode necessary for authentication. SAP Authenticator then sends the URL to the browser, and the browser opens the requested resource. The user sees only the authentication result, when the requested resource appears.
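To make the two pieces above concrete, the TOTP computation from RFC 6238 and the server-side check of a j_username/j_passcode URL, here is an added example in Python. It is not SAP's code and not the TOTPLoginModule; it is a stand-alone illustration. The user name `jdoe`, the in-memory secret store and the `TotpVerifier` class are assumptions made for the example; the shared secret is the ASCII test key from RFC 6238 so the generator can be checked against the RFC's published vectors. Because the passcode travels in the URL query string, the server side treats each accepted time step as consumed, so a code can never be accepted twice.

```python
import hmac
import hashlib
import struct
import time
from urllib.parse import urlparse, parse_qs

# Constructed secret: the ASCII test key used in the RFC 6238 test vectors.
RFC6238_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 8, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 8) -> str:
    """RFC 6238 TOTP: HOTP with the counter T = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Assumed server-side verifier: secrets per user, a small clock-drift window,
    and a replay guard that refuses any time step at or below the last accepted one."""

    def __init__(self, secrets: dict, step: int = 30, digits: int = 8, window: int = 1):
        self.secrets = secrets          # user -> shared secret (constructed store)
        self.step = step
        self.digits = digits
        self.window = window            # accept +/- this many steps of drift
        self.last_counter = {}          # user -> highest time step already consumed

    def verify(self, user: str, passcode: str, now: int = None) -> bool:
        now = int(time.time()) if now is None else now
        secret = self.secrets.get(user)
        if secret is None:
            # Unknown user: still do one HMAC so timing does not reveal existence.
            hotp(RFC6238_SECRET, now // self.step, self.digits)
            return False
        counter = now // self.step
        for delta in range(-self.window, self.window + 1):
            c = counter + delta
            if c <= self.last_counter.get(user, -1):
                continue                # already used (or older) step: reject replay
            if hmac.compare_digest(hotp(secret, c, self.digits), passcode):
                self.last_counter[user] = c
                return True
        return False


def authenticate_from_url(verifier: TotpVerifier, url: str, now: int = None) -> bool:
    """Parse the bookmark URL pattern from the post and verify its passcode."""
    query = parse_qs(urlparse(url).query)
    user = query.get("j_username", [None])[0]
    code = query.get("j_passcode", [None])[0]
    if not user or not code:
        return False
    return verifier.verify(user, code, now)


if __name__ == "__main__":
    verifier = TotpVerifier({"jdoe": RFC6238_SECRET})
    now = 1111111111                    # fixed clock so the run is reproducible
    url = ("https://portal_host/irj/portal?j_username=jdoe&j_passcode="
           + totp(RFC6238_SECRET, now))
    print("first use:", authenticate_from_url(verifier, url, now))   # True
    print("replay:   ", authenticate_from_url(verifier, url, now))   # False
```

The generator reproduces the RFC 6238 SHA-1 test vectors (for example `totp(RFC6238_SECRET, 59)` is `94287082`), and the replay guard is what makes the passcode genuinely one-time on the server side even if the URL is recorded in browser history or proxy logs.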

Mobile SSO with SAP Single Sign-On is a simple and secure solution for mobile access to your corporate business processes – give it a try and make your company even more competitive on the market!

See also:

Mobile Single Sign-On for SAP Fiori – Step-by-Step Guide

Mobile Single Sign-On for Cloud Applications – Step-by-Step Guide


22 Comments


  1. Tim Alsop

    What happens if the device owner leaves their device unattended or it gets stolen ? Surely this would mean that somebody else can logon to the application as the device owner (the corporate user id that was used when the authenticator was activated) since there is no request for user to enter a password or pin code during logon…

    (0) 
    1. Donka Dimitrova Post author

      Hello Tim,

      As it has been mentioned in the blog, SAP Authenticator offers password protection and when the device is left unattended only the owner, who knows the password for the application, will be able to use it.

      When the device is stolen there is a quick deactivation on server side, that could be performed by the user (self-service) or by the IT support.


      Best regards,

      Donka Dimitrova


      (0) 
      1. Tim Alsop

        ok, thank you. I noticed a password was mentioned, but I was not understanding when the user enters this password. I was thinking it was just entered during activation of the app. I have since found the installation guide for the app and noticed that there is a configuration option to turn on the password prompt.

        (0) 
  2. Tamas Szirtes

    Hi,

    Does it work with the Fiori Client? Can I achieve 2 factor auth without SMP?

    Thanks,

    Tamas

    (0) 
      1. Tamas Szirtes

        Hi Donka,

        Thanks for your quick reaction. How does it work? I understand that the SAP Authenticator generates a URL, which opens in the browser. With Fiori Client there is no browser. Could you pls explain it?

        Thanks,

        Tamas

        (0) 
        1. Donka Dimitrova Post author

          Hello Tamas,

          If you mean the Fiori app for mobile, then Mobile SSO will not be working because we don’t support native applications yet.

          Regards,

          Donka

          (0) 
    1. Dimitar Mihaylov

      Hi Sai,

      On what BB version would you like to use SAP Authenticator? Please note that native Android apps can be installed on BB 10.2.1 without any need of conversion. If you use this or a higher version then there is a very good chance that you can install and use SAP Authenticator for Android. Please check the following link for details on how to install Android apps on BB 10 – link.

      Regards,

      Dimitar

      (0) 
    2. Dimitar Mihaylov

      Hi Sai,

      I have successfully installed the Android version of SAP Authenticator on Blackberry Z10 (OS 10.2.1.2977). In order to be able to install Android apps from Google Play Store you need a tool, for example Snap (http://redlightoflove.com/snap/) or similar. Most of these tools are native Blackberry apps (BAR files) and I have used the Chrome extension “PlayBook App Manager Extension” to install it on BB Z10 – see http://forums.berryverse.com/threads/76-How-to-Side-Load-apps-on-your-BlackBerry-10-device. After that, open Snap, enter your credentials and you will get access to Google Play Store and will be able to download and install SAP Authenticator. Please note that you will need also the ZXing Barcode Scanner (https://play.google.com/store/apps/details?id=com.google.zxing.client.android&hl=en) from Play Store.

      The good news is that the complete functionality of SAP Authenticator is working on BB 10. The only issue I had is with the barcode scanner – sometimes it crashes before scanning the QR code.

      Best regards,

      Dimitar Mihaylov

      (0) 
  3. Simon Kemp

    Hi Donka Dimitrova

    Firstly thank you for writing this blog post. I was wondering if you know if it is possible to configure or extend SAP Authenticator to cater for multiple user accounts? The scenario I am describing is where a single device (e.g. an iPad) is shared between a number of people and each needs to have their own individual logon. Perhaps each could have a different logon/pass code to the app?

    Thanks,

    Simon

    (0) 
    1. Donka Dimitrova Post author

      Hello Simon,

      We are currently working on a PoC project with such a scope: Mobile SSO via shared mobile devices. If you want to get more details you can send me an e-mail at donka.dimitrova at sap.com and we can discuss further the scenario that you are interested in.

      Regards,
      Donka Dimitrova

      (0) 
  4. Ben Peak

    Donka,

    Thanks for the info.   I’m running through the SSO mobile FIORI guide and stuck on config.  I do not see the Identity Provider Settings tab from page 8.  When I activated SAML 2.0, I created a provider name, but there was not a 2nd box for operational mode.  So when I created my authentication context for MobileTOTP, I also did not see a checkbox for HTTPS or anything past the yes/no column.

    I deployed the SSO authenticator SP06 .SCA package and re-started Java system already.  Do we also need to deploy secure logon server .SCA?  I’m running NW 7.5 AS Java, basic install.

    Ben

    (0) 
    1. Dimitar Mihaylov

      Hi Ben,

      You need to install also the IDMFEDERATION.SCA. After that you should be able to change the provider type to IDP and see the corresponding settings.

      Regards,

      Dimitar

      (0) 
  5. Ben Peak

    Dimitar or Donka,

    I’ve gone through all the steps and now stuck on setting up a device/user.  We have following setup:

    ECC BACK-END ABAP SYSTEM <——–> FIORI NW Gateway ABAP <—trust—> DMZ <——> AS Java w/ Mobile Authenticator installed and SAML 2.0 IDP setup

    Web dispatcher is also installed and we are routing Fiori launchpad through WD over public name/IP to reach outside the network.

    I’m working on getting a public IP for the IDP server as it also serves as a Portal for another application we are hosting which customers log into.  On step 36 after importing the metadata.xml file for Fiori, I noticed the URL’s that pop in are http and not https as shown in the examples.  We have https enabled and working on the Fiori server; we do not have a signed certificate, so not sure if that matters in this config.

    When I try to scan the QR code on iPhone, I’m using VPN for testing and also substituting the IP address while I’m waiting on the public IP/name for the IDP server.  It does not work.  If I use the key, I tried both the long URL and only the token ID. Not sure which one is needed and both do not work.  If I call the long URL in the browser, it says {“code”:405,”message”:”GET Method not allowed”,”version”:1}.  If I manually use the SAP Fiori (Web) URL which I added under applications on the OTP admin page which is https, it does call the IDP ok on the AS Java server and relays to the Fiori server, then brings up a logon page for Fiori launchpad.  In what context is this used?  On the client desktop, I have SPNEGO/SNC installed and can launch the Fiori launchpad using http ok and SSO works.  HTTPS on browser call just brings up a logon box.

    Any ideas?  Also have few questions..

    Can they populate the UME store where the IDP is located from AD for users of a specific group?

    How does the iPhone use the QR code?  Assuming the URL is embedded with token?  How will iPhone know the server name, even if on same network, it does not have a hosts file.  In my case, once we have public IP/name for the IDP, then it will not matter as we can make the call.

    I have installed Mobile Authenticator on the AS Java server where I setup SAML 2.0 IDP.  Do I also need secure login server installed, or is that only for additional SSO such as x.509?

    We have a client who is in the evaluation process of SAP SSO, so we are trying to implement the product not only for Fiori Mobile, but 3rd party applications as well using SAML 2.0.  For now, I would like  to complete/validate this Fiori mobile solution.

    Ben

    (0) 
    1. Dimitar Mihaylov

      Hi Ben,

      Regarding the wrong scheme “http” vs “https” please check the following wiki pages:

      Using Proxies – Business Server Pages [Read-only] – SCN Wiki

      SAML 2.0 Service Provider for AS ABAP and Web Dispatcher or Proxy – Security and Identity Management – SCN Wiki

      Most probably there is a protocol switch done in the Web Dispatcher but header ClientProtocol is not set.

      QR code – if you use the new online activation of SAP Authenticator then the code represents a one-time URL which corresponds to the current user. The URL is used by SAP Authenticator to connect to the system (IDP) and retrieve the OTP configuration. Thus it is essential that the device has access to the IDP system.

      For the SAML 2.0 flow afterwards IDP system and Fiori system never talk directly with each other. All SAML 2.0 messages between them are transferred via the browser.

      For all other questions I would propose to open a support ticket and we discuss them there.

      Regards,

      Dimitar

      (0) 
  6. Ashok Kumar

    Hello Donka Dimitrova,

    Thanks for sharing the wonderful information. We are planning to do the 2FA in our place. can u please send me the full document for configuring or implementing the 2FA ??? it will be more useful. my mail id is: balakiddo@yahoo.com


    Thanks & Regards

    Bala

    (0) 
  7. Suvrangshu Ghosh

    Hello Donka ,

    Thanks for the blog. I have set up multi-factor authentication in one of our SAP systems. I open the SAP Authenticator and it gives me a key, I type the key and I’m able to sign in. The question is:

    From a network security point of view, how is the SAP Authenticator synchronizing with my SAP logon?

    Is there a connection between the outside world (SAP Authenticator) with my SAP system – where it knows my System, ID etc..


    Thanks

    Suv


    (0) 
