on 02-10-2017 4:59 PM
Hi,
my aim is to provide SSO to ABAP web services using SAP Authenticator on a mobile device. Authentication against the IdP has to be done using two factors. The first factor has to be an X.509 certificate and the second must be the passcode generated by the SAP Authenticator. So far I am only able to configure this scenario with passcode only (one factor) or via PC using a browser with an X.509 certificate installed and manually typing in the passcode for the second factor.
Environment:
Setup:
Tasks completed:
Test via Client PC and Browser:
Target:
As I said before, now I am trying to achieve the same using the SAP Authenticator. The user should be able to perform Mobile Single Sign-On after starting the SAP Authenticator App, entering the App password and tapping on the provided bookmark for accessing the ABAP web application available in the SAP Authenticator.
Example bookmark: https://<host>:<port>/saml2/idp/sso?saml2sp=<SP-Name>&RelayState=<Name>&j_username=[username]&j_passcode=[passcode]
Of course the target is, to use two factor authentication against SAP IdP in order to obtain a SAML assertion for the ABAP SP.
As we now open the application bookmark, we are working with IdP-initiated SSO, thus the first request goes directly to the IdP, but the authentication methods should be the same, right? Well, it doesn't work... I end up at the IdP logon screen in Safari.
It works with passcode (one factor) only: if the TOTPLoginModule is configured with option "mode = otp", then when starting the application bookmark from SAP Authenticator, the logon via passcode against the IdP happens automatically via the Safari browser, and after issuing the assertion the ABAP application is presented successfully.
It does not work if I set up the same scenario for two factor authentication, similar to what I have already tested via PC using the browser and an X.509 certificate (SP initiated).
Now the first factor should be an X.509 certificate.
1) I have installed one on the iOS device (profile) to make it available in Safari. Didn't help. To make sure it really works, I just modified the ticket stack of my AS JAVA and opened the /irj/portal URL from Safari --> SSO via ClientCertLoginModule works!!!
2) I have configured Secure Login Server in combination with the SSO Auth Lib to provide the certificate via the SAP Authenticator (RESTful Client). The certificate is available in the SAP Authenticator. But it is the same situation, it doesn't work.
Is it possible to use the X.509 certificate enrolled via Secure Login Server for authentication against the IdP via SAP Authenticator triggering this process? (see also https://archive.sap.com/discussions/thread/3957779)
As this does not seem to work, is it required to have the certificate available in the iOS safari (browser app)?
Does the SAP Authenticator App use the Safari Browser for SAML message exchange and so on... or does it include a kind of browser engine with SAML support?
BTW: I know the document "MOBILE SINGLE SIGN-ON FOR SAP FIORI USING SAP AUTHENTICATOR" but it doesn't help at this stage.
Would it be possible to set up a call with a solution expert?
Thanks so much.
Carsten
Hi Rinaldo,
The question is, how do you access your CRM application from your mobile devices? Is that done using a mobile App (mobile application runtime container) or via the built-in browser? The first will be supported soon AFAIK, at least for iOS and for Fiori. The SAP Authenticator app can obtain an X.509 certificate from the SLS and make it available in an SAP defined key chain on iOS. The SAP Fiori Client will be enhanced to access the SAP key chain and reuse the certificate for single sign-on.
I am not aware how to achieve a real two factor authentication with the authenticator and via the mobile device browser (triggered by the authenticator app) while taking X.509 certificates into account. I mean to use the X.509 certificate as one authentication factor and the one time passcode as the second. AFAIK this is only possible if you enroll certificates to your device via MDM beforehand.
Core question is still unanswered: Is it possible to use the X.509 certificate enrolled via SAP Authenticator / SLS for authentication against the SAP IDP while SAP Authenticator is triggering this process?
I would love to hear some feedback.
Carsten
Hi Carsten, how are you?
Were you able to implement the above scenario? I'm handling a scenario like yours.
I'm working to enable our CRM AS ABAP system to run on iOS and Android mobile devices, where the network userID/password needs to be validated against an LDAP server, an X.509 certificate has to be provided and the SAP Authenticator provides the passcode... after validation, an SSO to the CRM system is made.
Thanks in advance!
Kind Regards,
Rinaldo Zonzini
Hi Carsten,
If the request is still valid then you can contact me via email: firstname.lastname@sap.com. Due to security constraints on iOS, certificates provisioned via SAP Authenticator can be used only by apps from the same vendor (SAP).
Regards,
Dimitar
Update: in the meantime it is very clear the certificate provided by SAP Authenticator (via SLS) can't be used for Safari, just to make that clear 😉 In the meantime our customer switched to the passcode only approach, having the SAP Authenticator password as a first factor and possession of the mobile device as the second factor...