A Single Sign-On (SSO) implementation brings simplicity for your end-users and more security for your company. An SSO implementation has other benefits as well, such as cost savings from a reduced number of password-related IT tickets, but the most important goal is always to make your corporate environment more secure and to simplify the processes for the end-users.
With the latest support package (SP04) for SAP Single Sign-On 2.0, released on Nov. 03, 2014, you can extend your SSO solution even further and offer your end users “Mobile Single Sign-On” – a straightforward authentication mechanism to favorite applications and trusted websites on their mobile devices.
The benefits for your employees and your company:
Your mobile users will have only one password to remember, less typing of complicated UserIDs/Passwords and more time for actual work!
Your company will have stronger security and more simplicity for all business processes enabled for mobile access!
How is it possible to be so easy and still so secure?
The Mobile SSO solution we offer is based on the Time-based One-Time Password (TOTP) algorithm of the open standard RFC 6238. This algorithm computes a one-time passcode from a shared secret key and the current time. The secret key is generated by the server and is transferred to the mobile device only once, during the device registration process. To minimize the risk, device registration is possible only within the corporate network. The secret key is stored encrypted on the mobile device.
SAP Authenticator offers password protection. The password is defined during the installation of the application; it is used only for the encryption and decryption of the secret key, and it is not stored on the device. The password offers an additional level of security that is not available with other similar OTP generator applications on the market.
A Mobile SSO implementation with TOTP is easier to set up and support than, for example, a Mobile SSO implementation based on client certificates, where a Public Key Infrastructure is necessary. Mobile SSO with TOTP can also be enabled easily for scenarios that allow a “Bring Your Own Device” (BYOD) policy, where the transfer and storage of client certificates is difficult or impossible.
How to enable Mobile SSO:
Enabling Mobile SSO requires implementing One-Time Password Authentication on the company side: install the SSO AUTHENTICATION LIBRARY 2.0, configure the relevant policy, and enable the TOTPLoginModule for the respective system. See the Implementation guide for more details.
Once Mobile SSO is enabled for the company, end-users will be able to activate their device(s) for Mobile SSO in two simple steps: First, they install SAP Authenticator on their device (available for iOS, Android and Windows platforms), select “Advanced mode”, and then activate SAP Authenticator for their corporate UserID. Once the device is activated, users can add their favorite applications and trusted websites as bookmarks in SAP Authenticator, and start using them easily and securely with only one click on the respective bookmark.
To simplify the bookmark setup process, corporate administrators can generate QR codes for all Mobile SSO-activated web applications and provide these QR codes to the interested end-users.
Going back to the security topic, let’s see what happens behind the scenes once the user clicks on a bookmark:
We assume that the user already started the SAP Authenticator application earlier the same day and now wants to start using one of his bookmarked web applications, for example SAP Mobile Portal.
When the user clicks on the Mobile Portal bookmark, SAP Authenticator generates a new passcode and creates a URL (for example https://portal_host/irj/portal?j_username=[username]&j_passcode=[passcode]) that carries the user name and the passcode needed for authentication. SAP Authenticator then hands the URL to the browser, and the browser opens the requested resource. The user sees only the authentication result, when the requested resource appears.
Mobile SSO with SAP Single Sign-On is a simple and secure solution for mobile access to your corporate business processes – give it a try and make your company even more competitive on the market!