
SSO solutions for SAP Fiori for multiple scenarios

Former Member
0 Kudos

Hi All,

We are looking for an SSO solution for the SAP Fiori application running on our NWGW system connected to backend ECC systems.


Here are the scenarios where we are looking for end-to-end SSO (which means users don’t need to enter user/password anytime):


1. Laptops/Desktops 

    1. Company owned laptops/desktops
      • Connected from company network (within office or connected via VPN) - pre-authenticated based on Windows user/password
      • Connected outside company network - no Windows pre-authentication happened.
    2. 3rd Party or Bring Your Own Laptops/Desktops


2. Mobile Devices (iOS, Android, Windows based)

    1. Company Owned
    2. Bring your own Device

3. Factory RF Terminals


Based on what I have read so far, I am not able to find a single solution which can cover all the scenarios mentioned above.


We have tested SAML2 (ADFS as IDP and NWGW as SP); SSO works fine for Laptops/Desktops based on Windows user/password as these are pre-authenticated.


But how about machines which are connected via internet, mobile devices and RF terminals?


Appreciate your help.


Thanks

Davinder

Accepted Solutions (0)

Answers (3)


donka_dimitrova
Contributor
0 Kudos

Hello Davinderpal,

The SAP Fiori SSO scenario, described by you, could be easily implemented using the SAP Single Sign-On product (license required).

You can simply implement our risk-based authentication solution and this way offer different authentication mechanisms for your users, depending on the type of device they use and where they are coming from (inside/outside corporate network). You can also offer Mobile SSO to your users with this SAP product, and the solution will also support the "Bring your own Device" scenario.

Regards,

Donka Dimitrova

former_member202592
Participant
0 Kudos

Hi Davinder,

SAML 2.0 supports Multi-domain Web Single Sign-On, therefore even though you will have users accessing resources through different domains, this can be achieved with SAML 2.0.

In the Mobile layer, SAML 2.0 alongside an OTP (Mobile Authenticator) solution will probably be the best approach.


Please refer to the OASIS SAML 2.0 Technical Overview:

https://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf

In the document above you will be able to find all the technical information required to analyze if SAML 2.0 suits your scenario.

Cheers,

Filipe Santos

LutzR
Active Contributor
0 Kudos

Hi Davinder, in case you are wondering why you are not being answered:

This question is much too generic.

And yes, there is no single solution that covers everything. SSO typically is heterogeneous and the choice of technology opportunistic.

So an overall solution will most probably contain MYSAPSSO2-Ticket, Kerberos, SAML, X.509 and some Multi Factor and/or OTP solution, including some MDM and VPN technology. This needs to be supported by real life processes like e.g. how to hand out Smart Cards or securely manage mobile phone numbers for a mobile TAN.

The "art" is how to glue this together without hurting the users too much or sacrificing necessary security levels. This is especially true for mobile devices and unmanaged external hardware.

So: no easy answer. The answer would also be very use-case- and company-specific.

What you are asking for would be the result of quite an interesting project.

Regards,

Lutz Rottmann