cancel
Showing results for 
Search instead for 
Did you mean: 

Fiori SSO with SAML2 with Touch ID support for Authentication

Former Member
1,891

Hello,

We recently implemented standard Fiori Apps with SSO with MS ADFS ( 3.0 ) using SAML2 which works seamlessly. We are on SQL DB with NW 7.4 This is how they use it using their SAP FIORI Client

1. Users login to FIORI Client, set up the launchpad URL , set their passcode and enable their Touch ID( On iOS devices) .

2. Once they login they see a ADFS landing page where they enter their AD credentials and they are authenticated right through to the Fiori Launchpad .

Now if they either chose to logoff from the Fiori launchpad or close the app ( upswipe the app) the session is killed and they need to relogin at the ADFS screen.

In this case since they want to relogin just using their touch ID instead of having to revalidate again at the ADFS screen just like the behaviour of any typical banking apps supporting touch ID.

I know this is the standard behaviour and the standard SAP FIORI client is not robust enough to handle the biometrics i would like to know how can we achieve this requirement. As i know we need to build a custom client to achieve this but it would be great if someone can give me a complete flow of how this can be achieved.

Any suggestions or comments are highly appreciated.

Accepted Solutions (1)

Accepted Solutions (1)

Colt
Active Contributor

Hi Santosh,

as far a i know, the touch Id integration doesn't have the possibility to save the IdP logon credentials. The only way to implement a real SSO against Fiori Client App is to use the SAP IdP with TOTPLoginModule or a custom Fiori app leveraging the new RESTful API of the SLS 3.0 in order to obtain a certificate used for X.509 mutual authentication against Fiori from within the App. However the latter requires some kind of "authentication" against the Secure Login Server, which isn't very clear to me too, at the moment. So hopefully SAP experts could help to outline the possible options in that case. Using ADFS i don't see any chance for real SSO using Fiori Client App. Of course easy from the mobile device web browser using certificates, but hard from within the App.

Regards,

Carsten

the1kel1
Explorer
0 Kudos

I basically have the same question. Does the Fiori Mobile App not have the ability to store an access token (or something similar) so that we don't have to re-authenticate every time a user closes the app? Other apps have this capability and use tokens to keep the session active even if the app is closed and must be relaunched (Salesforce1 app for example).

0 Kudos

I had the same question and I have not been able to find a way to make the SAML ticket persistent inside the Fiori Client.

Did you have any luck with it?

Answers (4)

Answers (4)

former_member612241
Discoverer
0 Kudos

HI ,I am having the same issue. Do you guys have got any solution for this ?

Former Member
0 Kudos

Hi i'm having the same not good user experience regarding to SAP Fiori and SSO (using SAML2.0).

Do you guys have any update on this case?

JaySchwendemann
Active Contributor
0 Kudos

Please be aware that (AFAIK) the Fiori Client on iOS uses a View Controller that does not support accessing the native part of the iOS Device's key storage https://developer.apple.com/library/content/qa/qa1745/_index.html. As of iOS 9 there is an Safari View Controller which CAN do this, however using that view controller would probably result in the need of deploying your own Fiori Client and would be a rather drastic approach which must be heavily testet.

So you probably would be better off to get the certificate in the keychain slice that is accessible via the app, then this certificate could e.g. be used to authenticate against ADFS. If you're in a corporate network or have means of "per-app-vpn" then authenticating via kerberos to adfs might also be viable.

Please take my inputs with a grain of salt. I did not implement either of this, just tossing in some thoughts / concerns.

Cheers

Jens

Former Member
0 Kudos

Hi Santosh,

I have started trying with SAML config to get SSO and still waiting on ADFS metadata from hosting partner, having some questions on certificates and hoping you can share your experience..

Do I have to get IIS certificate from ADFS along with metadata file or will just metadata file alone works?

would you be able to share document?

Thanks

Subbu