Former Member

Fiori SSO with SAML2 with Touch ID support for Authentication


We recently implemented standard Fiori apps with SSO with MS ADFS (3.0) using SAML2, which works seamlessly. We are on SQL DB with NW 7.4. This is how they use it with their SAP Fiori Client:

1. Users log in to the Fiori Client, set up the launchpad URL, set their passcode and enable their Touch ID (on iOS devices).

2. Once they log in they see an ADFS landing page where they enter their AD credentials, and they are authenticated right through to the Fiori Launchpad.

Now if they either choose to log off from the Fiori Launchpad or close the app (upswipe the app), the session is killed and they need to log in again at the ADFS screen.

In this case they want to log in again using just their Touch ID instead of having to revalidate at the ADFS screen, just like the behaviour of any typical banking app supporting Touch ID.

I know this is the standard behaviour and the standard SAP Fiori Client is not robust enough to handle the biometrics; I would like to know how we can achieve this requirement. As far as I know we need to build a custom client to achieve this, but it would be great if someone could give me a complete flow of how this can be achieved.

Any suggestions or comments are highly appreciated.


4 Answers

  • Best Answer
    Feb 19, 2017 at 09:41 AM

    Hi Santosh,

    As far as I know, the Touch ID integration doesn't have the possibility to save the IdP logon credentials. The only way to implement a real SSO against the Fiori Client app is to use the SAP IdP with TOTPLoginModule, or a custom Fiori app leveraging the new RESTful API of the SLS 3.0 in order to obtain a certificate used for X.509 mutual authentication against Fiori from within the app. However, the latter requires some kind of "authentication" against the Secure Login Server, which isn't very clear to me either at the moment. So hopefully SAP experts could help to outline the possible options in that case. Using ADFS, I don't see any chance for real SSO using the Fiori Client app. Of course it is easy from the mobile device web browser using certificates, but hard from within the app.




  • Former Member
    May 25, 2017 at 01:34 AM

    Hi Santosh,

    I have started trying with SAML config to get SSO and am still waiting on ADFS metadata from the hosting partner. I have some questions on certificates and am hoping you can share your experience.

    Do I have to get the IIS certificate from ADFS along with the metadata file, or will just the metadata file alone work?

    Would you be able to share a document?




  • Jul 19, 2017 at 11:40 AM

    Please be aware that (AFAIK) the Fiori Client on iOS uses a View Controller that does not support accessing the native part of the iOS device's key storage. As of iOS 9 there is a Safari View Controller which CAN do this; however, using that view controller would probably result in the need to deploy your own Fiori Client and would be a rather drastic approach which must be heavily tested.

    So you would probably be better off getting the certificate into the keychain slice that is accessible via the app; then this certificate could e.g. be used to authenticate against ADFS. If you're in a corporate network or have means of "per-app-vpn", then authenticating via Kerberos to ADFS might also be viable.

    Please take my inputs with a grain of salt. I did not implement either of these, just tossing in some thoughts / concerns.




  • Jul 16, 2018 at 12:44 PM

    Hi, I'm having the same not-so-good user experience regarding SAP Fiori and SSO (using SAML2.0).

    Do you guys have any update on this case?
