UX when using SAML2 authentication in Fiori Client
What's the user experience when using SAML2 authentication in the Fiori Client? We have Microsoft ADFS as our IdP. We created a Hybrid/Kapsel app using a custom Fiori Client (both for iOS and Android). We're also using SAP SMP SP08.
Can we use the standard Logon UI during registration when SAML2 authentication is used? Or do we have to register using the IdP login screen? For a consistent user experience, we would prefer that the registration be done using the Logon UI and that the SAML2 processing happen in the background. I'm not sure if this is possible.
Are you using FioriClient in combination with SMP?
I assume yes...
Then a typical SAML flow would look like this:
1. The user starts the app
2. The app contacts SMP
3. SMP redirects the user to the IdP login page
4. The IdP login page is displayed to the user (in a separate webview)
5. After the user has logged in, the IdP redirects the user back to SMP
Each time the SMP session is no longer valid, the redirect to the IdP login page is executed again. If there is still a valid IdP session (maybe because of a long session timeout), then the SAML ticket is issued directly; if not, the IdP login page is displayed again.
The user experience when using SAML is in fact sometimes not the best one... If you use user certificates for IdP authentication you might be able to skip any IdP screen; otherwise you will always see the IdP login screen. This is because in SAML many different auth methods can be realized, and the Kapsel logon plugin does not know what authentication method is required by the IdP. Thus the IdP sends a form which is displayed in a web view to the user. As far as I know there is no way of prefilling values or avoiding this mechanism (except by using user certificates, as mentioned).
The best you can do is provide an IdP login page which is optimized for mobile usage so that the user can at least perform a fast login operation.
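The redirect flow in the answer above, as an added example that is not part of the original thread and not code from SMP, the Kapsel logon plugin or ADFS: a Python simulation of the SP-initiated SAML 2.0 flow with both sides present, an SMP-like service provider and an ADFS-like identity provider. It shows why the IdP form appears whenever the IdP's own session has lapsed and is skipped while that session is still valid, and it carries the checks an SP has to make on the posted Response (Destination, Issuer, InResponseTo against its outstanding requests, the assertion's validity window). The entity IDs, URLs, timeouts and the credential store are assumptions made for this example; XML signature verification is left out here and must be present in any real deployment.

```python
# Added example (not from the thread, SMP, the Kapsel plugin or ADFS): simulation of the SP-initiated SAML 2.0 flow.
# Entity IDs, URLs, timeouts and credentials are constructed; XML signature handling is omitted, a real SP must verify it.
import base64, calendar, time, uuid, zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY = "https://smp.example.com/saml"                   # assumed SMP entity ID
ACS_URL = "https://smp.example.com/saml/acs"                 # assumed SMP assertion consumer endpoint
IDP_ENTITY = "https://adfs.example.com/adfs/services/trust"  # assumed ADFS entity ID
IDP_SSO_URL = "https://adfs.example.com/adfs/ls/"            # assumed ADFS SSO endpoint
CREDENTIALS = {"alice": "correct horse"}                     # constructed test user

def _ts(t): return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(t))
def _parse_ts(s): return calendar.timegm(time.strptime(s, "%Y-%m-%dT%H:%M:%SZ"))

class ServiceProvider:
    """SMP stand-in: owns the app session, sends AuthnRequests and consumes Responses."""
    def __init__(self, session_timeout_s=600):
        self.timeout = session_timeout_s
        self.pending = {}    # AuthnRequest ID -> issue time, for the InResponseTo check
        self.session = None  # (user, established_at)

    def build_redirect_url(self, now):
        """Step 3: HTTP-Redirect binding = raw DEFLATE, then base64, then URL-encode."""
        req_id = "_" + uuid.uuid4().hex
        xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{req_id}" '
               f'Version="2.0" IssueInstant="{_ts(now)}" AssertionConsumerServiceURL="{ACS_URL}">'
               f'<saml:Issuer>{SP_ENTITY}</saml:Issuer></samlp:AuthnRequest>')
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15: raw DEFLATE, no zlib header
        self.pending[req_id] = now
        return IDP_SSO_URL + "?" + urlencode({"SAMLRequest": base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()})

    def consume_response(self, saml_response_b64, now):
        """Step 5: validate the posted Response, then open the SMP session."""
        root = ET.fromstring(base64.b64decode(saml_response_b64))
        if root.tag != f"{{{SAMLP}}}Response" or root.get("Destination") != ACS_URL or root.findtext(f"{{{SAML}}}Issuer") != IDP_ENTITY:
            raise ValueError("not a Response from our IdP addressed to our ACS URL")
        if self.pending.pop(root.get("InResponseTo"), None) is None:
            raise ValueError("unsolicited or replayed Response")  # request IDs are one-shot
        if root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode").get("Value") != SUCCESS:
            raise ValueError("IdP reported failure")
        assertion = root.find(f"{{{SAML}}}Assertion")
        cond = assertion.find(f"{{{SAML}}}Conditions")
        if not _parse_ts(cond.get("NotBefore")) <= now < _parse_ts(cond.get("NotOnOrAfter")):
            raise ValueError("assertion outside its validity window")
        user = assertion.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
        self.session = (user, now)
        return user

class IdentityProvider:
    """ADFS stand-in: serves the login form only when the user's SSO session is missing or expired."""
    def __init__(self, session_timeout_s=3600):
        self.timeout = session_timeout_s
        self.sso = {}  # user -> time of last interactive login

    def login_form_submit(self, user, password, now):
        ok = password is not None and CREDENTIALS.get(user) == password
        if ok:
            self.sso[user] = now
        return ok

    def handle_redirect(self, url, browser_user, now):
        """Step 4: decode the AuthnRequest; answer at once if the IdP session is valid, else show the form."""
        q = parse_qs(urlparse(url).query)
        req = ET.fromstring(zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15))
        if req.findtext(f"{{{SAML}}}Issuer") != SP_ENTITY or req.get("AssertionConsumerServiceURL") != ACS_URL:
            raise ValueError("SP or ACS URL not registered")  # never post an assertion to an unknown ACS
        last = self.sso.get(browser_user)
        if last is None or now - last > self.timeout:
            return {"action": "login_form", "request_id": req.get("ID")}
        return {"action": "post_to_acs", "SAMLResponse": self._response(req.get("ID"), browser_user, now)}

    def _response(self, in_response_to, user, now):
        xml = (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_{uuid.uuid4().hex}" '
               f'Version="2.0" IssueInstant="{_ts(now)}" Destination="{ACS_URL}" InResponseTo="{in_response_to}">'
               f'<saml:Issuer>{IDP_ENTITY}</saml:Issuer><samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
               f'<saml:Assertion ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{_ts(now)}">'
               f'<saml:Issuer>{IDP_ENTITY}</saml:Issuer><saml:Subject><saml:NameID>{user}</saml:NameID></saml:Subject>'
               f'<saml:Conditions NotBefore="{_ts(now - 60)}" NotOnOrAfter="{_ts(now + 300)}"/></saml:Assertion></samlp:Response>')
        return base64.b64encode(xml.encode()).decode()

def app_start(sp, idp, user, now, password=None):
    """Steps 1-5 as the Fiori Client experiences them. Returns what the user ends up seeing: 'app' (SMP session
    still valid), 'idp_login' (the IdP form, up until a correct password), 'app_via_sso' (no form) or 'app_after_idp_login'."""
    if sp.session is not None and now - sp.session[1] <= sp.timeout:
        return "app"
    url = sp.build_redirect_url(now)                  # steps 2-3
    result = idp.handle_redirect(url, user, now)      # step 4
    via_form = result["action"] == "login_form"
    if via_form:
        if not idp.login_form_submit(user, password, now):
            return "idp_login"
        result = idp.handle_redirect(url, user, now)  # IdP session is now valid, so no second form
    sp.consume_response(result["SAMLResponse"], now)  # step 5
    return "app_after_idp_login" if via_form else "app_via_sso"
```

Driving `app_start` with a clock that advances past the SMP timeout but not the IdP timeout reproduces the case described above: SMP redirects again, ADFS issues the Response without a form, and the user lands back in the app. Advance past the IdP timeout too and the form is back. The Response checks in `consume_response` are the minimum for the SP side; a production SP additionally verifies the IdP's XML signature, which this simulation does not model.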