
Mobile SSO for ABAP Service Provider using SAP Authenticator with two factor authentication

Colt
Active Contributor

Hi,

my aim is to provide SSO to ABAP web services using SAP Authenticator on a mobile device. Authentication against the IdP has to be done using two factors. The first factor has to be an X.509 certificate and the second must be the passcode generated by the SAP Authenticator. So far I am only able to configure this scenario with passcode only (one factor) or via PC using a browser with an X.509 certificate installed and manually typing in the passcode for the second factor.

Environment:

  • AS Java with SAP IdP + SSO Authentication Library (SSO 3.0 SP1) installed
  • AS ABAP SP (providing WDA application)
  • iOS 10.x
  • SAP Authenticator (latest)
  • Client PC with a browser and certificate to test the setup without SAP Authenticator

Setup:

  • TOTPLoginModule configured for two factor authentication
  • ClientCertLoginModule is intended as a first factor module
  • TOTP passcode from SAP Authenticator is the second factor
  • … once this is done, issue SAML assertion --> SSO!!!

Tasks completed:

  • SAP IdP setup incl. SSO Auth Lib installation
  • TOTPLoginModule integration as authentication context for HTTPS
  • Configuration of the TOTPLoginModule and its first and second factors
  • ClientCertLoginModule configured for correct user mapping (Rule1.xxxx)
  • SP setup (AS ABAP)
  • Trust setup and metadata export/import on each side
  • Relay-State Mapping configuration for my AS ABAP web application
  • Name ID mappings
  • OTP settings and roles
  • iOS device registration via OTP_ONLINE_USER

Test via Client PC and Browser:

  • User Certificate available in the browser
  • SAP Authenticator enrolled (OTP_USER), thus only an OTP generator at this stage
  • Testing with SP initiated SSO
  1. ...open AS ABAP application URL
  2. SAMLAuthnRequest + Redirect to IdP
  3. First factor authentication (prompt for certificate selection) - works
  4. Second factor (enter OTP generated by SAP Authenticator) on the logon screen
  5. SAMLResponse issued by IdP and sent via POST binding to the AS ABAP SP
  6. Authentication successful --> nearly SSO 🙂

Target:

As I said before, now I am trying to achieve the same using the SAP Authenticator. The user should be able to perform Mobile Single Sign-On after starting the SAP Authenticator App, entering the App password and tapping on the provided bookmark for accessing the ABAP web application available in the SAP Authenticator.

Example bookmark: https://<host>:<port>/saml2/idp/sso?saml2sp=<SP-Name>&RelayState=<Name>&j_username=[username]&j_passcode=[passcode]

Of course the target is to use two factor authentication against SAP IdP in order to obtain a SAML assertion for the ABAP SP.

As we now open the application bookmark, we are working with IdP-initiated SSO, thus the first request goes directly to the IdP, but the authentication methods should be the same, right? Well, it doesn't work... I end up at the IdP logon screen in Safari.

It works with passcode (one factor) only: if the TOTPLoginModule is configured with option "mode = otp", when starting the application bookmark from SAP Authenticator the logon via passcode against the IdP happens automatically via the Safari browser, and after issuing the assertion the ABAP application is presented successfully.

It does not work if I set up the same scenario for two factor authentication, similar to what I have already tested via PC using the browser and an X.509 certificate (SP initiated).

Now the first factor should be an X.509 certificate.

1) I have installed one on the iOS device (profile) to make it available in Safari. Didn't help. To make sure it really works, I just modified the ticket stack of my AS Java and opened the /irj/portal URL from Safari --> SSO via ClientCertLoginModule works!!!

2) I have configured Secure Login Server in combination with the SSO Auth Lib to provide a certificate via the SAP Authenticator (RESTful Client). The certificate is available in the SAP Authenticator. But it is the same situation, doesn't work.

Is it possible to use the X.509 certificate enrolled via Secure Login Server for authentication against the IdP via SAP Authenticator triggering this process? (see also https://archive.sap.com/discussions/thread/3957779)

As this does not seem to work, is it required to have the certificate available in iOS Safari (browser app)?

Does the SAP Authenticator App use the Safari browser for the SAML message exchange and so on, or does it include a kind of browser engine with SAML support?

BTW: I know the document "MOBILE SINGLE SIGN-ON FOR SAP FIORI USING SAP AUTHENTICATOR" but it doesn't help at this stage.

Would it be possible to set up a call with a solution expert?

Thanks so much.

Carsten

former_member182254
Active Participant

Hi Carsten,

If the request is still valid then you can contact me via email: firstname.lastname@sap.com. Due to security constraints on iOS, certificates provisioned via SAP Authenticator can be used only by apps from the same vendor (SAP).

Regards,

Dimitar