
question about mobile SSO


Hi SSO Experts,

I have some fundamental questions about the mobile SSO. I am aware of the functionality of the SAP authenticator and know that we can configure SAP authenticator together with SAML IDP to achieve IDP initiated SSO. In this case the end user can store the SP URLs as favorites in SAP authenticator. By clicking the favorite, the user gets automatically authenticated to the IDP and redirected to the SP page. It all works fine. But (in my opinion) the limitation here is that one has to start everything from the SAP authenticator. My questions are:

1. How does it work in a SP initiated Mobile SSO scenario?

- For example, the user opens the browser and enters the URL directly on the mobile device.

- Or another example: in SP A some operations might need to access SP B. While performing those operations the user needs to authenticate to SP B.

On a desktop PC, once the user is authenticated to the IDP, the user will receive an IDP cookie (if configured). Next time, if the user calls another SP, the user does not have to log in to the IDP again. What does it look like on the mobile device? Assume that the user has previously logged in to the IDP with SAP authenticator (TOTP login module). Does it work in the same way as on a desktop PC, meaning the cookie is cached somewhere on the mobile device, and the user does not need to log in to the IDP again? If not, how can we achieve SSO in this scenario?

2. What does it look like if using mobile apps instead of typing the URL in the browser? Will it make any difference compared to scenario 1? We assume in both scenarios we are visiting the same SP.

The questions are coming from my current project, where the customer has an internet-facing portal for their agent users, and the functions in the portal might need to access backend ERP and HANA XS servers. The customer also has plenty of enterprise mobile apps, which they don't know how to integrate into SAP authenticator.

Thanks a million in advance and best regards

Xuan

Accepted Solutions (1)

donka_dimitrova
Contributor

Dear Xuan,

Mobile SSO solution is based on the Time-based One-Time Password (TOTP) Algorithm of the open standard RFC 6238.

For example the Mobile SSO flow for SAP Fiori via the browser is the following:

When the user clicks on the respective Fiori bookmark, the SAP Authenticator generates a passcode and creates a URL with respective parameters (service provider, RelayState, username and passcode) similar to this example:

https://idp_host/saml2/idp/sso?saml2sp=fiori_sp&RelayState=fiori&j_username=[username]&j_passcode=[p...

SAP Authenticator sends this URL to the browser and then the browser opens the URL, triggering IDP initiated single sign-on. The Identity Provider, on its side, checks the credentials provided, and if the check is successful, issues a SAML 2.0 assertion for this user and for the respective service provider (SAP Fiori in our example). In the next step, based on the HTTP-POST binding response, the SAP Fiori application is securely opened on the mobile device of the user.

You will be able to find more details in this document:

Mobile SSO for SAP Fiori - Step-by-Step Guide

At the moment for SAP Fiori Client we have a solution described in these two blogs:

Configuring SAP Fiori Client for Single Sign-On with iOS SAP Authenticator

Configuring SAP Fiori Client for Single Sign-On with Android SAP Authenticator

There is a plan to release soon a version of the SAP Fiori Client where the integration with SAP Authenticator will be available out-of-the-box, and such a re-build will not be necessary.


I hope this answers your questions.


Best regards,

Donka Dimitrova


Dear Donka,

thanks a lot for the reply. Let's stick to the Fiori application because it is a perfect example here. I know we could bookmark the Fiori URL in SAP Authenticator and, using IDP initiated SAML SSO, we could SSO to the Fiori Launchpad in the browser. Up to this point we are all good.

My question is more about the user's follow-up activities in the Fiori Launchpad. Quite often the user needs to do some operations in the Fiori Launchpad, e.g. perform an InA search, which requires the user to authenticate to the backend ABAP server. At this time the back-end ABAP server will ask the user to provide a valid SAML token again (assume we configured SAML for the backend ABAP server) because the user is accessing a different server now. As shown in this example, the user is logged in to the Fiori Launchpad and has already completed the authentication to the IDP once.

Will the browser pop up a login form to the IDP again for the login to the back-end ABAP server?

If yes, will the SAP authenticator be called automatically and pass the OTP code through to the IDP automatically?

Or does the user have to enter the passcode manually in the authentication form?

In the desktop world the above steps are not needed, since the IDP generates a cookie once the user is authenticated, and the client stores the cookie and will use this cookie for the follow-up activities as long as the cookie is still valid. But I am not sure if in the mobile world it is the same, especially in case the initial authentication to the IDP is done through the SAP authenticator.

Could you please share more of your experience on the scenarios above?

Thanks and regards

Xuan

donka_dimitrova
Contributor

Dear Xuan,

There will be SSO and the browser will not pop up for authentication if the service providers requested by the user are trusted by the SAP SAML IDP configured for Fiori. A new passcode will not be necessary for the SAML IDP to issue a SAML assertion for another service provider (trusted by the IDP) when the user already has an active session on the IDP.

So, it is similar to the "desktop world".


Regards,

Donka Dimitrova


Hi Donka,

thanks for the confirmation. That sounds good. I understand that for the whole SSO scenario to work we need to initially start Fiori from the SAP Authenticator bookmark. If I open Fiori directly in the browser, it will probably prompt me for authentication to the IDP and I have to enter the passcode manually in the login form, because the browser "does not know" that there is an app on my mobile phone called "SAP Authenticator" which can automatically sign me in to the IDP. Is my understanding correct?

Cheers

Xuan

donka_dimitrova
Contributor

Hi Xuan,

If the user calls the service provider directly via the browser using a link, the authentication will be redirected to the Identity Provider, and the user will be prompted by the Identity Provider to authenticate with his UserID and password and also to provide, as a second authentication step, a valid passcode (generated by the SAP Authenticator).

If there is a proper configuration on the logon page (there is an OTP Custom UI available to configure), the user will be provided with a link to the SAP Authenticator (only on mobile devices), will be able to click on it, and will get the same authentication experience as if he had started via the SAP Authenticator from the very beginning.

See the attached screenshot from my mobile device:


Best regards,

Donka Dimitrova


Hi Donka,

that looks great! Thanks for the information. Could you please point me to where I can find the documentation for the mentioned OTP custom UI?

Thanks and regards

Xuan

donka_dimitrova
Contributor

Dear Xuan,

Please find the documentation, which also includes the procedure for configuring the logon application:

Configuring an OTP-Related Logon Application - One-Time Password Authentication - SAP Library

Best regards,

Donka Dimitrova


Hi Donka,

just one more question about the SSO for Fiori client. From the document you provided I understand that all the steps performed there are to use Apache Cordova to install a plugin in order to register and properly handle the custom scheme "sapfioriclient". Will the same approach work for other mobile apps? Or another question: if there is another mobile app which already has a custom scheme, e.g. myiosapp, do we still need to perform this "workaround" and do the re-build?

Thanks and regards

Xuan

former_member182254
Active Participant

Hello Xuan,

It will work for other apps as well. We have customers who are using SAP Authenticator for their custom mobile apps which are not related to Fiori.

Best regards,

Dimitar Mihaylov
