
MOBILE SINGLE SIGN-ON FOR SAP FIORI USING SAP AUTHENTICATOR

TABLE OF CONTENTS
MOBILE SINGLE SIGN-ON FOR SAP FIORI
HOW THE MOBILE SINGLE SIGN-ON FOR SAP FIORI WORKS
STEP-BY-STEP IMPLEMENTATION OF THE MOBILE SINGLE SIGN-ON FOR FIORI
  1. SAML 2.0 IDENTITY PROVIDER SETUP
  2. ONE-TIME PASSWORD AUTHENTICATION SETUP FOR SAML 2.0 IDENTITY PROVIDER
  3. ADD TRUSTED SERVICE PROVIDER FOR THE SAML 2.0 IDENTITY PROVIDER
  4. SAP AUTHENTICATOR SETUP ON THE MOBILE DEVICE

Mobile Single Sign-On For SAP Fiori Using SAP Authenticator

MOBILE SINGLE SIGN-ON FOR SAP FIORI


Mobile Single Sign-On for Fiori is available with the latest support package (SP04) for SAP Single Sign-On 2.0, released on November 03, 2014.
In this document you will find a step-by-step approach to enabling Mobile Single Sign-On for Fiori using SAP Authenticator at your company.
The Mobile SSO solution is based on the Time-based One-Time Password (TOTP) algorithm specified in the open standard RFC 6238. The algorithm computes a one-time passcode from a shared secret key and the current time, so a passcode is only valid for the time step in which it was generated.
The server side of the TOTP implementation is an add-on module for SAP NetWeaver Application Server (AS) Java and is part of the SAP Single Sign-On 2.0 product. The TOTP server handles the activation and deactivation of mobile devices per user and the administration of the TOTPLoginModule per application.
SAP Authenticator is the mobile application that acts as the TOTP client; it is available for the iOS and Android platforms.
The solution requires a SAML 2.0 Identity Provider configured to accept authentication with Time-Based One-Time Passwords. Authenticating to the Identity Provider with the respective username and passcode triggers the IdP-initiated single sign-on mechanism.

HOW THE MOBILE SINGLE SIGN-ON FOR SAP FIORI WORKS


Once the solution is implemented, Fiori users can open Fiori applications on their devices with a single tap on a bookmark.
When the user taps the respective Fiori application bookmark, SAP Authenticator generates a passcode and creates a URL with the respective parameters (service provider, RelayState, username and passcode), similar to this example:
https://idp_host/saml2/idp/sso?saml2sp=fiori_sp&RelayState=fiori&j_username=[username]&j_passcode=[passcode]
SAP Authenticator hands this URL to the browser, and the browser opens it, triggering IdP-initiated single sign-on. The Identity Provider checks the credentials provided and, if the check is successful, issues a SAML 2.0 assertion for this user and for the respective service provider (SAP Fiori in our example). The assertion is then delivered to the service provider with the HTTP-POST binding, and the SAP Fiori application opens on the user's mobile device. See Figure 1 below.
Note that the username and passcode travel as query parameters of this URL, so the IdP endpoint must only be reachable over HTTPS. Query strings are also typically recorded in browser history and in web server access logs, which is tolerable here only because a TOTP passcode expires with its time step.

Figure 1
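The passcode computation and the URL construction described in this section, as an added example; this is not code from the SAP document, from SAP Authenticator or from the TOTP server. It implements RFC 6238 TOTP with the RFC defaults (HMAC-SHA1, 30-second step, 6 digits), builds the IdP-initiated SSO URL in the format shown above, and shows the check an IdP would perform on such a request. The host name idp.example.com, the way the user FIORIUSER's secret is stored, the one-step clock-drift window and all function names are assumptions for illustration; the passcodes themselves are checked against the RFC 6238 test vectors.

```python
"""Added example (not part of the SAP document): RFC 6238 TOTP, the
client-side construction of the IdP-initiated SSO URL, and the server-side
check of that URL.

Assumptions (not from the page): raw-byte shared secrets, HMAC-SHA1,
30-second steps, 6-digit codes, and one step of tolerated clock drift.
"""
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlencode, urlsplit

DIGITS = 6
STEP_SECONDS = 30
IDP_SSO_PATH = "/saml2/idp/sso"   # path taken from the document's example URL


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then the last `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                window: int = 1, step: int = STEP_SECONDS) -> bool:
    """Constant-time comparison against the current step and `window` steps
    on either side, to tolerate small clock skew between phone and server."""
    if len(candidate) != DIGITS or not candidate.isdigit():
        return False
    current = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, current + drift), candidate)
        for drift in range(-window, window + 1)
    )


def build_sso_url(idp_host: str, sp_name: str, relay_state: str,
                  username: str, passcode: str) -> str:
    """What SAP Authenticator does on a bookmark tap: hand the browser an
    IdP-initiated SSO URL. urlencode() escapes the values, so a username
    containing '@' or a space cannot break the query string."""
    query = urlencode({
        "saml2sp": sp_name,
        "RelayState": relay_state,
        "j_username": username,
        "j_passcode": passcode,
    })
    return f"https://{idp_host}{IDP_SSO_PATH}?{query}"


def check_sso_request(url: str, secrets_by_user: dict, unix_time: int):
    """The IdP side: parse the URL, look up the user's secret, verify the
    passcode. Returns (ok, reason, params). Plain http:// is refused because
    the credentials are carried in the query string."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.path != IDP_SSO_PATH:
        return False, "wrong scheme or path", {}
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    for key in ("saml2sp", "j_username", "j_passcode"):
        if key not in params:
            return False, f"missing {key}", params
    secret = secrets_by_user.get(params["j_username"])
    if secret is None:
        return False, "unknown user or device not activated", params
    if not verify_totp(secret, params["j_passcode"], unix_time):
        return False, "passcode rejected", params
    return True, "ok", params


# Constructed demo data: the RFC 6238 reference secret, so the codes match
# the RFC's published test vectors (e.g. T=1111111109 -> 081804).
DEMO_SECRET = b"12345678901234567890"
DEMO_USERS = {"FIORIUSER": DEMO_SECRET}

if __name__ == "__main__":
    now = 1111111109
    code = totp(DEMO_SECRET, now)
    url = build_sso_url("idp.example.com", "fiori_sp", "fiori", "FIORIUSER", code)
    print(url)
    print(check_sso_request(url, DEMO_USERS, now))         # accepted
    print(check_sso_request(url, DEMO_USERS, now + 120))   # passcode rejected
```

Run it directly to print a URL for the RFC's reference secret together with the verifier's verdict at issue time and two minutes later. The drift window is the usual trade-off: every extra step accepted widens the window in which a captured passcode can be replayed, which is one more reason the URL must never be sent over plain HTTP.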


STEP-BY-STEP IMPLEMENTATION OF THE MOBILE SINGLE SIGN-ON FOR FIORI
1. SAML 2.0 IDENTITY PROVIDER SETUP
If you already have a SAML 2.0 Identity Provider (IdP) enabled on your SAP NetWeaver AS Java, you can jump directly to section 2, ONE-TIME PASSWORD AUTHENTICATION SETUP FOR SAML 2.0 IDENTITY PROVIDER, and start with the creation of a custom authentication context for your IdP.

1. Log on to SAP NetWeaver Administrator at http://<host>:<port>/nwa

2. Navigate to Configuration > Authentication and Single Sign-On: SAML 2.0 > SAML 2.0 and click Enable SAML 2.0 Support.

3. Configure the new SAML 2.0 Local Provider as Identity Provider. Provide a name for the new identity provider and select Identity Provider as operational mode from the drop-down menu. Click Next.


4. Make sure the Keystore View is SAML2 (if not, select it from the drop-down menu). Click Browse for the Signing Key Pair.

5. Click Create for the Keystore Entry.

6. Provide an Entry Name, check Store Certificate and click Next.


7. Provide a value for the mandatory field commonName and click Next.

8. Only click Next on this step.

9. Click Finish to confirm the configuration.


10. Click OK to select the new Signing Key Pair.

11. Click Next on the SAML 2.0 Local Provider Configuration.

12. Click Finish to finalize the configuration.


2. ONE-TIME PASSWORD AUTHENTICATION SETUP FOR SAML 2.0 IDENTITY PROVIDER
Prerequisites: You have the SSO AUTHENTICATION LIBRARY 2.0 installed on SAP NetWeaver Application Server (AS) Java. For more details on the installation, see ONE-TIME PASSWORD AUTHENTICATION ADMINISTRATORS GUIDE > INSTALLATION.



Step 1: Set otp|pwd mode for the TOTPLoginModule

13. Navigate to the Authentication tab > Login Modules, search for TOTPLoginModule, select the login module, go to Details of the login module TOTPLoginModule and click Edit.
14. Set the mode value to otp|pwd and click Save.
(In otp|pwd mode the TOTPLoginModule requires a single factor for authentication, which can be either a passcode (TOTP) or a password. A password alone is therefore sufficient to log on through this module; the mode does not enforce a second factor.)


Step 2: Create a new authentication context and map it to the TOTPLoginModule

15. Navigate to SAML 2.0 Configuration > Local Provider and click Edit.
16. Navigate to the Authentication Contexts tab and click Add.
17. Create a new Authentication Context by typing an Alias and a Name for it and click OK.
18. Select the HTTPS check-box for the newly created Authentication Context and then click Save for the Local Provider settings.


Step 3: Configure your Identity Provider to use the new authentication context by default for HTTPS Authentication
19. Navigate to Local Provider and click Edit.
20. Go to the tab Identity Provider Settings > Supported Authentication Contexts and click Add.
21. Select your new authentication context from the drop-down menu with the alias values (the one created in step 17).
22. Select TOTPLoginModule as the Login Module from the drop-down menu and click OK.

Set the new authentication context to be the default HTTPS authentication context
23. Go to the section Supported Authentication Contexts and select the new authentication context. Click Copy to and select the Default HTTPS Authentication Contexts value.
24. Your new Supported Authentication Context will appear on the right side, in the list of Default HTTPS Authentication Contexts.


25. Click Save to finalize the configuration for your new Identity Provider.


3. ADD TRUSTED SERVICE PROVIDER FOR THE SAML 2.0 IDENTITY PROVIDER

Step 1: Download Service Provider Metadata

Prerequisite: Make sure you have a Local Provider created and enabled on your SAP ABAP system. This identifies your server as a system that can accept SAML assertions. Add the SAML 2.0 Identity Provider created in the first section as Trusted Identity Provider for your Service Provider (the SAP ABAP system running Fiori). For details of this setup, see USING SAML 2.0 AUTHENTICATION TO ACCESS FIORI APPS FROM THE PUBLIC INTERNET.
In our example the SAML 2.0 Service Provider of the SAP ABAP system is gw_fiori_sp.
The Identity Provider metadata needed for the setup of the Trusted Identity Provider on the SAP ABAP system is available as follows:
Start SAP NetWeaver Administrator at http://<host>:<port>/nwa.
Navigate to Configuration > Authentication and Single Sign-On: SAML 2.0 > SAML 2.0, select Local Provider and click Download Metadata.

26. Log on to the SAP ABAP system and start transaction SAML2 for SAML 2.0 Configuration. Navigate to Local Provider and click Metadata.

27. Leave all checkboxes selected (as they are by default) and click Download Metadata. Save the metadata.xml file provided by the system in a custom folder. To recognize it more easily later, you can rename it to SP_metadata.xml.


Step 2: Set up a RelayState on your SAP ABAP Service Provider for SAP Fiori Launchpad
The RelayState is a parameter in the URL used by the browser to open the application. The RelayState parameter provides information about the path to the application; in our example this path leads to the SAP FIORI LAUNCHPAD. If no RelayState parameter is provided in the URL, the Default Application Path from the IdP settings is used. Because the service provider resolves the RelayState name to the path configured in this mapping, only paths you define here can be reached through the parameter.
28. Click Edit on the Local Provider to add a new RelayState Mapping.

29. Go to the tab Service Provider Settings > RelayState Mapping and click Add for a new RelayState.
30. Provide the name for the RelayState and the Path for it (in our case this is the path to the SAP Fiori Launchpad).

31. Click Save for the new settings of the Local Provider.


Step 3: Add Trusted Service Provider for Your SAML 2.0 Identity Provider
32. Go back to SAP NetWeaver Administrator at http://<host>:<port>/nwa

33. Navigate to Configuration > Authentication and Single Sign-On: SAML 2.0 > SAML 2.0, select Trusted Providers, click Add and select Upload Metadata File from the drop-down list.

34. Click Choose File and select the SP metadata file (SP_metadata.xml) stored in the custom folder in step 27.

35. Once the file is selected, click Next.


36. The system will display the name of your Service Provider. On this step just click Next.

37. Leave the default settings on this step and click Next.

38. Leave the default settings for the Assertion Consumer Endpoints and click Next. Location URLs here will be displayed with your <host> and <port>.

39. Leave the default settings for the Single Logout Endpoints and click Next. Location URLs here will be displayed with your <host> and <port>.

40. Leave the default settings for the Artifact Endpoints and click Next. The Location URL here will be displayed with your <host> and <port>.


41. Leave the default settings for the NameID Endpoints and click Finish to complete the Trusted Service Provider configuration.

To activate the Trusted Service Provider you first have to add a supported NameID format.
42. Select your new Trusted Service Provider and click Edit.

43. Go to the Details of the trusted provider > Identity Federation tab and click Add for a new Supported Name ID Format.
44. Select from the drop-down menu the Format Name you plan to provide for the federation (in our case Unspecified).
45. Select from the drop-down menu the respective Source Name for the Format Name you selected (in our case User Attribute).
46. Click OK to confirm the selected Name ID Format.
47. Click Save to record the changes for this Trusted Service Provider.


4. SAP AUTHENTICATOR SETUP ON THE MOBILE DEVICE


Set Up SAP Authenticator for iOS

48. Log on to SAP Authenticator Setup at http://<host>:<port>/otp

49. Click Scan QR Code to get the installation link. Alternatively, you can Install via iTunes.

If you want to install SAP Authenticator on Android devices, follow the links under Install Android Version.

50. Scan the QR code with a QR Code Scanner on your iOS device and click Close.


51. Click Open URL when the Scanner shows you the Actions.
52. Click Install when the SAP Authenticator application is displayed.

53. Once SAP Authenticator is successfully installed, click Open.
54. Once SAP Authenticator is started, click Start Setup.

55. Provide a password to protect the application from unauthorized access.
56. Click Go to proceed.


Now you can activate your device.

57. Click Activate Device.

58. A QR Code for activation will be displayed. Since the device starts generating passcodes right after scanning it, this QR code conveys the device's shared TOTP secret: treat it as a credential and do not save, forward or screenshot it.

59. Tap the Scan QR Code button in the SAP Authenticator application.
60. Scan the QR code displayed in step 58.


61. After the QR Code scan the Account name will be displayed (in our example FIORIUSER). Click Done.
62. Your device will start generating passcodes.

63. Click Finish.

64. Click Yes to confirm that you scanned the QR Code successfully.

65. You will receive the message Activation of device completed.


Enable Mobile Single Sign-On on the iOS device.
66. Navigate to Device Settings (iPhone Settings) > Authenticator and tap to select Mobile Single Sign-On.
67. This enables the section with Applications and Trusted Sites for SAP Authenticator.

68. To add an Application, click Applications and then the + sign. You have to provide the URL to the application with the respective IdP host and RelayState, following this example:

https://<idp_host>/saml2/idp/sso?saml2sp=fiori_sp&RelayState=fiori&j_username=[username]&j_passcode=[passcode]

There are two options to provide the URL: Option 1: type the URL. Option 2: scan an application QR code. The QR code can be generated by the corporate IT department and provided to users, for example by e-mail or via the corporate portal.
69. If you choose to scan the QR code, the URL will appear automatically. (You can still click on it and change something if necessary.)
70. Go to Application Name and type a name for your application bookmark. Once you are ready, click Done.


71. You get your first application bookmark. When you tap it, you will be asked to confirm the UserID. Tap your UserID.

72. On this step SAP Authenticator first generates the passcode, then generates the URL containing the UserID and passcode, and then passes this URL to the browser. The browser opens the URL, and the user is automatically authenticated and sees the Fiori Launchpad.

Optional steps
Select a default user for the login to an application
73. Go to Applications and click the info icon on the right side of the application name to open the details of the application.
74. In the Sign-in accounts section your UserID is displayed. Click the UserID to mark it as selected. Click Done to save the change.


75. When you are back on the screen with the applications, your UserID will be visible as the default UserID for log-in to this application.
If you want to remove this setting, go back to the application bookmark settings and uncheck your UserID.

2014 SAP SE or an SAP affiliate company. All rights reserved.


No part of this publication may be reproduced or transmitted in any form or for any purpose without the
express permission of SAP SE or an SAP affiliate company. SAP and other SAP products and services
mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or
an SAP affiliate company) in Germany and other countries.
