Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Showing results for 
Search instead for 
Did you mean: 
hai-yan_zhao
Advisor
Advisor
This documentation will introduce how to utilize saved passkey for biometric authentication via SAP Identity Provider Services (IAS) during onboarding of client app built with SAP BTP SDK for Android. To create a passkey for SAP Identity Provider Services, two things as below need to be followed.

  • Turn on "Biometric Authentication" option on the admin console of custom Identity Provider.

  • Activate a device for "Biometric Authentication" on Android device.


Then I will show how to use saved passkey for authentication via SAP Identity Provider Services during onboarding.

Turn on Biometric Authentication option on Admin Cockpit of custom Identity Provider


Please make sure the administrator right of admin console of the SAP Identity Provider Services tenant is granted, and this IAS tenant has been configured and added as a custom Identity Provider (IDP) to the subaccount of SAP BTP cockpit. Also, SAP Mobile Services (Cloud Foundry) are configured well in this subaccount. Open a web browser and navigate to the administrator console of this custom Identity Provider and https address looks like “https://<host url of this custom IDP>/admin/”.

  • Focus on “Applications & Resources”, choose Applications, select the application created for the subaccount of SAP BTP cockpit.

  • On Application detail page, navigate to “Authentication and Access” tab, enable “Biometric Authentication” option.



For related information, please refer to this documentation.

Activate a device for Biometric Authentication on Android device


On an Android device where a google account has signed in, access “Profile Management ” page in web browser and https address is like “https://<host url of this custom IDP>/ui/protected/profilemanagement”, focus on "Biometric Authentication" section, click Add button to register current device and use biometric to create passkey for this custom IDP. Then this passkey will be saved into password manager of the google account, and this passkey will be also available on other android devices where the same google account is signed in. For more information, please refer to this google documentation.



Use saved passkey to do authentication via the custom Identity Provider


Firstly, launch SAP BTP SDK Wizard for Android to generate a client app. In this wizard, create a server connection for SAP Mobile Services (Cloud Foundry) on the first page, and use an existing application which security type is OAuth on the second page. Then, in WelcomeActivity class of client project, set authentication option to CCT as below.




  • Jetpack compose-based client app

  • View-based client app


Also please take care that redirect url defined in cockpit of Mobile Service (Cloud Foundry) should be like <schema>://<host>/<pathPattern>. Then, in client project’s AndroidManifest.xml file, add intent filter for this redirect url to make sure that the page opened in custom chrome tab (CCT) when authenticating can be redirected to client app’s screen.
        <activity
android:name="com.sap.cloud.mobile.foundation.authentication.OAuth2RedirectActivity"
android:exported="true"
android:excludeFromRecents="true"
android:autoRemoveFromRecents="true"
tools:node="replace">
<intent-filter android:autoVerify="false">
<action android:name="android.intent.action.VIEW" />
<category android:name="android.intent.category.DEFAULT" />
<category android:name="android.intent.category.BROWSABLE" />
<data android:host="19b678d6trial-dev-ciat-sample-oauth.cfapps.ap21.hana.ondemand.com"/>
<data android:scheme="demo1"/>
<data android:pathPattern="/demos" />
</intent-filter>
</activity>

Secondly, prepare a second Android device where the same google account is signed in, and the passkey created before has been synced into this second device. Install app into this second device, do onboarding, on authentication screen of the IAS tenant, choose Biometric. Then in biometric screen, click Continue button, give fingerprint or passcode of device, and client app uses saved passkey to do IDP authentication.


Finally, app can go to next screen. Absolutely, install app into the same device where the passkey is created, saved passkey can be also used to do authentication.

For the customers, if google account is signed in on Android device, passkey providers a way to do authentication without username and password.