
Mobile SSO for SAP Fiori - Step-by-Step Guide (docshare01.docshare.tips/files/24647/246476961.pdf)


MOBILE SINGLE SIGN-ON FOR SAP FIORI USING SAP AUTHENTICATOR

TABLE OF CONTENTS

MOBILE SINGLE SIGN-ON FOR SAP FIORI ................................................................................ 2
HOW THE MOBILE SINGLE SIGN-ON FOR SAP FIORI WORKS ................................................... 2
STEP-BY-STEP IMPLEMENTATION OF THE MOBILE SINGLE SIGN-ON FOR FIORI ...................... 3
1. SAML2.0 IDENTITY PROVIDER SETUP .............................................................................. 3
2. ONE-TIME PASSWORD AUTHENTICATION SETUP FOR SAML2.0 IDENTITY PROVIDER ...... 7
3. ADD TRUSTED SERVICE PROVIDER FOR THE SAML 2.0 IDENTITY PROVIDER .................. 11
4. SAP AUTHENTICATOR SETUP ON THE MOBILE DEVICE .................................................. 16


Mobile Single Sign-On For SAP Fiori Using SAP Authenticator


MOBILE SINGLE SIGN-ON FOR SAP FIORI

Mobile Single Sign-On for Fiori is available with the latest support package (SP04) for SAP Single Sign-On 2.0, released on November 03, 2014.

In this document you will find a step-by-step approach to enabling Mobile Single Sign-On for Fiori using SAP Authenticator at your company.

The Mobile SSO solution is based on the Time-based One-Time Password (TOTP) algorithm of the open standard RFC 6238. This algorithm computes a one-time passcode from a shared secret key and the current time.

The server side of the TOTP implementation is an add-on module for SAP NetWeaver Application Server (AS) Java and is part of the SAP Single Sign-On 2.0 product. The TOTP Server takes care of the activation and deactivation of mobile devices per user and of the administration of the TOTPLoginModule per application.

SAP Authenticator is the mobile application for the TOTP client; it is available for the iOS and Android platforms.

The solution requires a SAML 2.0 Identity Provider configured to accept authentication with time-based one-time passwords. Authenticating to the Identity Provider with the respective username and passcode triggers the IDP INITIATED SINGLE SIGN-ON mechanism.

HOW THE MOBILE SINGLE SIGN-ON FOR SAP FIORI WORKS

Once the solution is implemented, Fiori users will be able to use Fiori applications on their devices after a single click on a bookmark.

When the user clicks on the respective Fiori application bookmark, SAP Authenticator generates a passcode and creates a URL with the respective parameters (service provider, RelayState, username and passcode), similar to this example:

https://idp_host/saml2/idp/sso?saml2sp=fiori_sp&RelayState=fiori&j_username=[username]&j_passcode=[passcode]

SAP Authenticator hands this URL to the browser, which opens it, triggering IdP-initiated single sign-on. The Identity Provider checks the credentials provided and, if the check is successful, issues a SAML 2.0 assertion for this user and for the respective service provider (SAP Fiori in our example). In the next step, based on the HTTP-POST binding response, the SAP Fiori application is securely opened on the user's mobile device. See Figure 1 below:

Figure 1
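The passcode computation and the URL described above, as an added illustration that is not part of the original guide and not SAP's code: a Python implementation of RFC 6238 TOTP with the RFC defaults (HMAC-SHA1, 30-second step, 6 digits), a builder for the IdP-initiated SSO URL with the parameters shown on the page, and a server-side check of the kind the Identity Provider performs, with a one-step clock-skew window and a replay guard that refuses a passcode already accepted for the same user and time step. The host `idp_host`, the account `FIORIUSER` and the shared secret (the RFC 6238 test key) are constructed sample values; the real TOTPLoginModule's step and window settings are not documented on this page.

```python
"""TOTP (RFC 6238) passcode, the IdP-initiated SSO URL from the guide, and a
server-side verifier with skew window and replay guard.  Added illustration,
not SAP's code; all hosts, users and secrets below are constructed samples."""
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlencode, urlparse

TIME_STEP = 30  # RFC 6238 default time step in seconds
DIGITS = 6      # passcode length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def build_sso_url(idp_host: str, sp: str, relay_state: str, username: str, passcode: str) -> str:
    """The URL SAP Authenticator hands to the browser, with every parameter URL-encoded."""
    query = urlencode({"saml2sp": sp, "RelayState": relay_state,
                       "j_username": username, "j_passcode": passcode})
    return f"https://{idp_host}/saml2/idp/sso?{query}"


class TotpVerifier:
    """Server-side check: accept a code within +/- `window` steps of the current
    step, and consume each (user, step) pair once so a passcode captured from a
    URL cannot be replayed while it is still inside the validity window."""

    def __init__(self, secrets: dict, window: int = 1):
        self._secrets = secrets  # username -> shared secret (constructed store)
        self._window = window
        self._used = set()       # (username, counter) pairs already accepted

    def verify(self, username: str, passcode: str, now: int) -> bool:
        secret = self._secrets.get(username)
        if secret is None:
            return False
        counter = now // TIME_STEP
        for c in range(counter - self._window, counter + self._window + 1):
            # constant-time comparison avoids leaking how many digits matched
            if hmac.compare_digest(hotp(secret, c), passcode):
                if (username, c) in self._used:
                    return False  # replay of an already-consumed passcode
                self._used.add((username, c))
                return True
        return False


def verify_sso_url(verifier: TotpVerifier, url: str, now: int) -> bool:
    """Parse the URL a device would open and check its j_username / j_passcode."""
    q = parse_qs(urlparse(url).query)
    try:
        return verifier.verify(q["j_username"][0], q["j_passcode"][0], now)
    except (KeyError, IndexError):
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test key, constructed for the demo
    now = int(time.time())
    url = build_sso_url("idp_host", "fiori_sp", "fiori", "FIORIUSER", totp(secret, now))
    verifier = TotpVerifier({"FIORIUSER": secret})
    print(url)
    print("first use:", verify_sso_url(verifier, url, now))  # True
    print("replay:   ", verify_sso_url(verifier, url, now))  # False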


STEP-BY-STEP IMPLEMENTATION OF THE MOBILE SINGLE SIGN-ON FOR FIORI

1. SAML2.0 IDENTITY PROVIDER SETUP

If you have a SAML 2.0 Identity Provider (IdP) enabled on your SAP NetWeaver AS Java, you can jump directly to ONE-TIME PASSWORD AUTHENTICATION SETUP FOR SAML2.0 IDENTITY PROVIDER and start with the creation of a custom authentication context for your IdP.


1. Log on to SAP NetWeaver Administrator at http://<host>:<port>/nwa

2. Navigate to Configuration > Authentication and Single Sign-On: SAML 2.0 > SAML 2.0 and click “Enable SAML 2.0 Support”.

3. Configure the new SAML 2.0 Local Provider as Identity Provider. Provide a name for the new identity provider and select “Identity Provider” as operational mode from the drop-down menu. Click “Next”.


4. Make sure the Keystore View is “SAML2” (if not, select it from the drop-down menu). Click “Browse” for the Signing Key Pair.

5. Click “Create” for the Keystore Entry.

6. Provide the Entry Name, check “Store Certificate” and click “Next”.


7. Provide a value for the mandatory field “commonName” and click “Next”.

8. Only click “Next” on this step.

9. Click “Finish” to confirm the configuration.


10. Click “OK” to select the new Signing Key Pair.

11. Click “Next” on the SAML 2.0 Local Provider Configuration.

12. Click “Finish” to finalize the configuration.


2. ONE-TIME PASSWORD AUTHENTICATION SETUP FOR SAML2.0 IDENTITY PROVIDER

Prerequisites: You have SSO AUTHENTICATION LIBRARY 2.0 installed on SAP NetWeaver Application Server (AS) Java. For more details on the installation, see ONE-TIME PASSWORD AUTHENTICATION ADMINISTRATOR’S GUIDE > INSTALLATION.


Step 1: Set “otp|pwd” mode for the TOTPLoginModule

13. Navigate to the Authentication tab > Login Modules, search for TOTPLoginModule, select the login module, go to “Details of the login module “TOTPLoginModule”” and click “Edit”.

14. Set the mode value to “otp|pwd” and click “Save”. (In the “otp|pwd” mode the TOTPLoginModule requires a single factor for authentication, which can be either a passcode (TOTP) or a password.)


Step 2: Create a new authentication context and map it to the TOTPLoginModule

15. Navigate to SAML 2.0 Configuration > Local Provider and click “Edit”.

16. Navigate to the Authentication Contexts tab and click “Add”.

17. Create a new Authentication Context by typing an Alias and a Name for it and click “OK”.

18. Click on the check-box to select the HTTPS setting for the newly created Authentication Context and then click “Save” for the Local Provider settings.


Step 3: Configure your Identity Provider to use the new authentication context by default for HTTPS Authentication

19. Navigate to Local Provider and click “Edit”.

20. Go to the tab Identity Provider Settings > Supported Authentication Contexts and click “Add”.

21. Select your new authentication context from the drop-down menu with the alias values (the one created in step 17).

22. Select the Login Module from the drop-down menu to be the “TOTPLoginModule” and click “OK”.

Set the new authentication context to be the default HTTPS authentication context

23. Go to the section Supported Authentication Context and select the new authentication context. Click on “Copy to” and select the “Default HTTPS Authentication Contexts” value.

24. Your new Supported Authentication Context will appear on the right side, in the list with Default HTTPS Authentication Contexts (see the screenshot).


25. Click “Save” to finalize the configuration for your new Identity Provider.


3. ADD TRUSTED SERVICE PROVIDER FOR THE SAML 2.0 IDENTITY PROVIDER


Step 1: Download Service Provider Metadata

Prerequisite: Make sure you have a Local Provider created and enabled on your SAP ABAP system. This identifies your server as a system that can accept SAML assertions. Add the SAML 2.0 Identity Provider created in the first section as Trusted Identity Provider for your Service Provider (SAP ABAP system - Fiori). For more details on the setup, see USING SAML 2.0 AUTHENTICATION TO ACCESS FIORI APPS FROM THE PUBLIC INTERNET.

In our example the SAML 2.0 Service Provider of the SAP ABAP system is “gw_fiori_sp”.

The Identity Provider Metadata, necessary for the setup of the Trusted Identity Provider on the SAP ABAP system, is available here:

Start SAP NetWeaver Administrator at http://<host>:<port>/nwa. Navigate to Configuration > Authentication and Single Sign-On: SAML 2.0 > SAML 2.0, select “Local Provider” and click “Download Metadata”.

26. Log on to SAP ABAP > TCode SAML2 for SAML 2.0 Configuration. Navigate to Local Provider and click “Metadata”.

27. Leave all checkboxes selected (as they are by default) and click “Download Metadata”. Save the metadata.xml file provided by the system in a custom folder. If you want to recognize it more easily later, you can rename it to SP_metadata.xml.


Step 2: Set up a RelayState on your SAP ABAP Service Provider for SAP Fiori Launchpad

The RelayState is a parameter in the URL, used by the browser to open the application. The RelayState parameter provides information about the path to the application. In our example this path will be to the SAP FIORI LAUNCHPAD. If no RelayState parameter is provided in the URL, the “Default Application Path” from the IDP settings is used.

28. Click on “Edit” on the Local Provider to add a new RelayState Mapping.

29. Go to the tab “Service Provider Settings” > RelayState Mapping and click on “Add” for a new RelayState.

30. Provide the name for the RelayState and provide the Path for the RelayState. (In our case this is the path to the “SAP Fiori Launchpad”.)

31. Click on “Save” for the new settings of the Local Provider.


Step 3: Add Trusted Service Provider for Your SAML 2.0 Identity Provider

32. Go back to the SAP NetWeaver Administrator at http://<host>:<port>/nwa

33. Navigate to Configuration > Authentication and Single Sign-On: SAML 2.0 > SAML 2.0, select “Trusted Providers”, click “Add” and select “Upload Metadata File” from the drop-down list.

34. Click “Choose File” and select the SP metadata (SP_metadata.xml) file stored in the custom folder in Step 27.

35. Once the file is selected, click “Next”.


36. The system will display the name of your Service Provider. On this step just click “Next”.

37. Leave the default settings on this step and click “Next”.

38. Leave the default settings for the Assertion Consumer Endpoints and click “Next”. Location URLs here will be displayed with your <host> and <port>.

39. Leave the default settings for the Single Logout Endpoints and click “Next”. Location URLs here will be displayed with your <host> and <port>.

40. Leave the default settings for the Artifact Endpoints and click “Next”. The Location URL here will be displayed with your <host> and <port>.


41. Leave the default settings for the NameID Endpoints and click “Finish” to complete the Trusted Service Provider configuration.

To activate the Trusted Service Provider you first have to add a supported NameID format.

42. Select your new Trusted Service Provider and click “Edit”.

43. Go to “Details of the trusted provider <name of your trusted provider>” > Identity Federation tab and click “Add” for a new Supported Name ID Format.

44. Select from the drop-down menu the Format Name you plan to provide for the federation (in our case “Unspecified”).

45. Select from the drop-down menu the respective Source Name for the Format Name you selected (in our case “User Attribute”).

46. Click “OK” to confirm the selected Name ID Format.

47. Click “Save” to record the changes for this Trusted Service Provider.


4. SAP AUTHENTICATOR SETUP ON THE MOBILE DEVICE


Set Up SAP Authenticator for iOS

48. Log on to SAP Authenticator Setup at http://<host>:<port>/otp

49. Click on “Scan QR Code” to find the installation. You also have the option to “Install via iTunes”.

If you want to install SAP Authenticator for Android devices, follow the links under “Install Android Version”.

50. Scan the QR code with a QR Code Scanner on your iOS device and click Close.


51. Click on “Open URL” when the Scanner shows you the Actions.

52. Click Install when the SAP Authenticator application is displayed.

53. Once SAP Authenticator is successfully installed, click “Open”.

54. Once SAP Authenticator is started, click “Start Setup”.

55. Provide a password to protect the application from unauthorized access.

56. Click “Go” to proceed.


Now you can activate your device.

57. Click “Activate Device”.

58. A QR Code for activation will be displayed.

59. Tap the “Scan QR Code” button in the SAP Authenticator application.

60. Scan the QR code displayed in Step 58.


61. After the QR Code scan the Account name will be displayed (in our example “FIORIUSER”). Click “Done”.

62. Your device will start generating passcodes.

63. Click “Finish”.

64. Click “Yes” to confirm that you scanned the QR Code successfully.

65. You will receive the message “Activation of device completed”.


Enable “Mobile Single Sign-On” on the iOS device.

66. Navigate to Device Settings (iPhone Settings) > Authenticator and tap to select “Mobile Single Sign-On”.

67. This will enable the section with Applications and Trusted Sites for the SAP Authenticator. To add an Application click on “Applications”.

68. To add an Application click on “Applications” and click the “+” sign. You have to provide the URL to the application with the respective IDP host and RelayState, following this example:

https://<idp_host>/saml2/idp/sso?saml2sp=fiori_sp&RelayState=fiori&j_username=[username]&j_passcode=[passcode]

There are two options to provide the URL:

Option 1: Type the URL.

Option 2: Scan an application QR Code. The QR code can be generated by the corporate IT department and provided to users, for example via e-mail, via the corporate portal, or otherwise.

69. If you choose to scan the QR code, the URL will appear automatically. (You can still click on it and change something if necessary.)

70. Go to Application Name and type a name for your application bookmark. Once you are ready, click “Done”.


71. You get your first application bookmark. When you click on it, you will be requested to confirm the UserID. Click on your UserID.

72. On this step SAP Authenticator first generates the passcode, then generates the URL providing the UserID and passcode, and then passes this URL to the browser. The browser opens the URL and the user is automatically authenticated and sees the Fiori Launchpad.

Optional steps

Select a default user for the log-in to an application

73. Go to Applications > click on the info icon on the right side of the application name to open the details of the application.

74. In the “Sign-in accounts” section your UserID is displayed. Click on the UserID to mark it as selected. Click “Done” to save the change.


75. When you are back on the screen with applications, your UserID will be visible as the default UserID for log-in to this application. If you want to remove these settings, you have to go back to the application bookmark settings and uncheck your UserID.

© 2014 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see for additional trademark information and


© 2014 SAP SE. All rights reserved.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase Inc. Sybase is an SAP company.

Crossgate, m@gic EDDY, B2B 360°, and B2B 360° Services are registered trademarks of Crossgate AG in Germany and other countries. Crossgate is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP SE and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

www.sap.com