Former Member

UX when using SAML2 authentication in Fiori Client


What's the user experience when using SAML2 authentication in the Fiori Client? We have Microsoft ADFS as our IdP. We created a Hybrid/Kapsel app using a custom Fiori Client (both for iOS and Android). We're also using SAP SMP SP08.

Can we use the standard Logon UI during registration when SAML2 authentication is used? Or do we have to register using the IdP login screen? For a consistent user experience, we would prefer that registration be done using the Logon UI and that the SAML2 processing happen in the background. I'm not sure if this is possible.



1 Answer

  • Best Answer
    Nov 08, 2015 at 09:42 AM


    Are you using the Fiori Client in combination with SMP?

    I assume yes...

    Then a typical SAML flow would look like this

    1. User is starting the App

    2. App contacts SMP

    3. SMP redirects the user to the IdP login page

    4. IdP login page is displayed to the user (in a separate webview)

    5. After the user has logged in, the IdP redirects the user back to SMP

    Each time the SMP session is no longer valid, the redirect to the IdP login page is executed again. If there is still a valid IdP session (maybe because there is a high session timeout), then the SAML ticket is issued directly; if not, then the IdP login page is displayed again.

    The user experience when using SAML is in fact sometimes not the best one... If you use user certificates for IdP authentication you might be able to skip any IdP screen; otherwise you will always see the IdP login screen. This is because many different auth methods can be realized in SAML, and the Kapsel logon plugin does not know which authentication method is required by the IdP. Thus the IdP sends a form, which is displayed to the user in a web view. As far as I know there is no way of prefilling values or avoiding this mechanism (except by using user certificates as mentioned).

    The best you can do is provide an IdP login page which is optimized for mobile usage, so that the user can at least perform a fast login operation.



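The redirect-and-session behaviour described in the answer, as an added example that is not part of the original post and is not SMP, Kapsel or ADFS code: a small model of the SP-initiated SAML flow in which the SP (playing the SMP role) holds a short session, the IdP holds a longer one, and every SP session expiry triggers a redirect to the IdP, which either issues an assertion silently or shows its login form. The entity ID, host names, session timeouts, request times and signing key are all constructed for the example; the HMAC-signed JSON assertion stands in for a real signed SAML assertion, and both sides are modelled with absolute (not idle) session expiry, which is an assumption rather than a statement about SMP or ADFS.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed demo key standing in for the IdP signing key the SP trusts.
SIGNING_KEY = b"constructed-demo-key"
SP_ENTITY_ID = "https://smp.example.test/sp"   # hypothetical SP identifier


@dataclass
class IdP:
    """Identity provider with its own session lifetime (the ADFS role)."""
    session_timeout: float
    sessions: dict = field(default_factory=dict)   # cookie -> absolute expiry
    forms_shown: int = 0

    def authn(self, now, idp_cookie, has_client_cert=False):
        """Handle an AuthnRequest. Returns (assertion, idp_cookie, form_shown)."""
        expiry = self.sessions.get(idp_cookie)
        if expiry is not None and now < expiry:
            # Valid IdP session: the assertion is issued straight away, no UI.
            return self._assertion(now), idp_cookie, False
        if has_client_cert:
            # Certificate auth is the one case the answer names where no
            # login screen appears: the IdP authenticates the device silently.
            return self._assertion(now), self._new_session(now), False
        # Otherwise the IdP login form is rendered in the app's web view.
        self.forms_shown += 1
        return self._assertion(now), self._new_session(now), True

    def _new_session(self, now):
        cookie = f"idp-{len(self.sessions) + 1}"
        self.sessions[cookie] = now + self.session_timeout
        return cookie

    def _assertion(self, now):
        claims = {"subject": "user@example.test", "audience": SP_ENTITY_ID,
                  "not_on_or_after": now + 300}
        body = json.dumps(claims, sort_keys=True)
        sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
        return {"body": body, "sig": sig}


@dataclass
class SP:
    """Service provider (the SMP role) with a shorter session lifetime."""
    session_timeout: float
    sessions: dict = field(default_factory=dict)   # cookie -> absolute expiry

    def has_session(self, now, cookie):
        expiry = self.sessions.get(cookie)
        return expiry is not None and now < expiry

    def consume(self, now, assertion):
        """Validate signature, audience and validity window, then mint an SP session."""
        expected = hmac.new(SIGNING_KEY, assertion["body"].encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            raise ValueError("assertion signature invalid")
        claims = json.loads(assertion["body"])
        if claims["audience"] != SP_ENTITY_ID:
            raise ValueError("assertion not addressed to this SP")
        if now >= claims["not_on_or_after"]:
            raise ValueError("assertion expired")
        cookie = f"sp-{len(self.sessions) + 1}"
        self.sessions[cookie] = now + self.session_timeout
        return cookie


def simulate(request_times, sp_timeout, idp_timeout, has_client_cert=False):
    """Replay app requests at the given times (seconds) and record what the
    user sees: 'served', 'silent-sso' (redirect, no form) or 'login-form'.
    Returns (events, number_of_times_the_login_form_was_displayed)."""
    idp, sp = IdP(idp_timeout), SP(sp_timeout)
    sp_cookie = idp_cookie = None
    events = []
    for t in request_times:
        if sp.has_session(t, sp_cookie):
            events.append("served")
            continue
        # Steps 3-5 of the answer: SP redirects, IdP answers, SP consumes.
        assertion, idp_cookie, form = idp.authn(t, idp_cookie, has_client_cert)
        sp_cookie = sp.consume(t, assertion)
        events.append("login-form" if form else "silent-sso")
    return events, idp.forms_shown


if __name__ == "__main__":
    times = [0, 60, 700, 1400]            # constructed request timeline
    print(simulate(times, sp_timeout=600, idp_timeout=8 * 3600))
    print(simulate(times, sp_timeout=600, idp_timeout=600))
    print(simulate(times, sp_timeout=600, idp_timeout=600, has_client_cert=True))
```

With a 10-minute SP session and an 8-hour IdP session the form appears once and later SP expiries are absorbed by silent SSO round trips; with the IdP session no longer than the SP session, every SP expiry puts the login form back in front of the user, which is the experience the answer warns about. The certificate case shows why it is the exception: the IdP never needs to render a form at all.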

    • Former Member Marvin Hoffmann

      Hi Marvin,

      We initially identified LDAP as our auth provider. However, MS Active Directory is handled by another team in our organization. We were advised to use SAML instead, since the app will be accessed externally (from the internet).

      Currently, we have set up SAML + SAPSSO2 in our development environment. This is working right now. We're just assessing the user experience when using SAML as the auth provider. I'll create a separate discussion on the session handling of Fiori/UI5 apps running on a custom Fiori Client. Session validity has an effect on authentication, which impacts user experience.

      Thanks again for your input.