
Fiori SSO with SAML2 with Touch ID support for Authentication

Jan 27, 2017 at 03:11 PM


avatar image


We recently implemented standard Fiori apps with SSO against MS ADFS (3.0) using SAML2, which works seamlessly. We are on SQL DB with NW 7.4. This is how they use it with their SAP Fiori Client:

1. Users log in to the Fiori Client, set up the launchpad URL, set their passcode and enable their Touch ID (on iOS devices).

2. Once they log in they see an ADFS landing page where they enter their AD credentials, and they are authenticated right through to the Fiori Launchpad.

Now if they either choose to log off from the Fiori Launchpad or close the app (swipe the app away), the session is killed and they need to log in again at the ADFS screen.

In this case they want to log in again using just their Touch ID instead of having to revalidate at the ADFS screen, just like the behaviour of any typical banking app supporting Touch ID.

I know this is the standard behaviour and the standard SAP Fiori Client is not robust enough to handle biometrics. I would like to know how we can achieve this requirement. As far as I know we need to build a custom client to achieve this, but it would be great if someone could give me a complete flow of how this can be achieved.

Any suggestions or comments are highly appreciated.


3 Answers

Best Answer
Carsten Olt Feb 19, 2017 at 09:41 AM

Hi Santosh,

As far as I know, the Touch ID integration doesn't have the possibility to save the IdP logon credentials. The only way to implement a real SSO against the Fiori Client App is to use the SAP IdP with TOTPLoginModule, or a custom Fiori app leveraging the new RESTful API of the SLS 3.0 in order to obtain a certificate used for X.509 mutual authentication against Fiori from within the App. However, the latter requires some kind of "authentication" against the Secure Login Server, which isn't very clear to me either at the moment. So hopefully SAP experts could help to outline the possible options in that case. Using ADFS I don't see any chance for real SSO using the Fiori Client App. Of course it is easy from the mobile device web browser using certificates, but hard from within the App.




I basically have the same question. Does the Fiori Mobile App not have the ability to store an access token (or something similar) so that we don't have to re-authenticate every time a user closes the app? Other apps have this capability and use tokens to keep the session active even if the app is closed and must be relaunched (Salesforce1 app for example).

Subbu Nutakki May 25, 2017 at 01:34 AM

Hi Santosh,

I have started trying with SAML config to get SSO and am still waiting on ADFS metadata from the hosting partner; I have some questions on certificates and hope you can share your experience.

Do I have to get the IIS certificate from ADFS along with the metadata file, or will the metadata file alone work?

Would you be able to share a document?



Jens Schwendemann Jul 19, 2017 at 11:40 AM

Please be aware that (AFAIK) the Fiori Client on iOS uses a View Controller that does not support accessing the native part of the iOS device's key storage. As of iOS 9 there is a Safari View Controller which CAN do this; however, using that view controller would probably result in the need to deploy your own Fiori Client and would be a rather drastic approach which must be heavily tested.

So you would probably be better off getting the certificate into the keychain slice that is accessible via the app; then this certificate could e.g. be used to authenticate against ADFS. If you're in a corporate network or have means of "per-app VPN", then authenticating via Kerberos to ADFS might also be viable.

Please take my input with a grain of salt. I did not implement either of these, just tossing in some thoughts / concerns.
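As an added illustration of the banking-app pattern the thread keeps referring to (this is not code from any poster, nor from SAP's Fiori Client), the Swift snippet below keeps a session token in the app's own keychain slice so that it can only be read back after a successful Touch ID / Face ID check. The keychain service and account names are assumptions; the token is whatever the backend issued after the one-time ADFS logon, so the server's session lifetime still decides how long the biometric re-login can work.

```swift
import Foundation
import Security
import LocalAuthentication

// Assumed keychain identifiers for this illustration; not Fiori Client's real storage keys.
let tokenService = "example.fiori.session"
let tokenAccount = "sessionToken"

// Store a session token so that it is only readable after a biometric check,
// only while a device passcode is set, and never synced or migrated off this device.
// .biometryCurrentSet invalidates the item if the enrolled fingerprints/faces change.
func storeTokenBehindBiometrics(_ token: Data) -> OSStatus {
    var error: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        .biometryCurrentSet,
        &error) else {
        return errSecParam
    }
    let lookup: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: tokenService,
        kSecAttrAccount as String: tokenAccount
    ]
    // Replace any previous token rather than failing with errSecDuplicateItem.
    SecItemDelete(lookup as CFDictionary)
    var add = lookup
    add[kSecAttrAccessControl as String] = access
    add[kSecValueData as String] = token
    return SecItemAdd(add as CFDictionary, nil)
}

// Read the token back; iOS shows the Touch ID / Face ID prompt as part of this call
// and returns nil if the user cancels, fails biometrics, or the item was invalidated.
func readTokenWithBiometrics(reason: String) -> Data? {
    let context = LAContext()
    context.localizedReason = reason
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: tokenService,
        kSecAttrAccount as String: tokenAccount,
        kSecReturnData as String: true,
        kSecUseAuthenticationContext as String: context
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    return status == errSecSuccess ? (item as? Data) : nil
}
```

Only the server-issued token is stored this way; the AD password and the SAML assertion itself are never written to the keychain, so a successful biometric check can at most resume a session the backend still considers valid.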


