Skip to Content

Mobile SSO for ABAP Service Provider using SAP Authenticator with two factor authentication

Feb 10, 2017 at 04:59 PM


avatar image


my aim is to provide SSO to ABAP web services using SAP Authenticator on a mobile device. Authentication against the IdP has to be done using two factors. The first factor has to be a X.509 certificate and the second must be the passcode generated by the SAP Authenticator. So far I am only able to configure this scenario with passcode only (one factor) or via PC using a browser with X.509 certificate installed and manually typing in the passcode for the second factor.


  • AS Java with SAP IdP + SSO Authentication Library (SSO 3.0 SP1) installed
  • AS ABAP SP (providing WDA application)
  • iOS 10.x
  • SAP Authenticator (latest)
  • Client PC with a browser and certificate to test the setup without SAP Authenticator


  • TOTPLoginModule configured for two factor authentication
  • ClientCertLoginModule is intended as a first factor module
  • TOTP passcode from SAP Authenticator is the second factor
  • … once this is done, issue SAML assertion --> SSO!!!

Tasks completed:

  • SAP IdP setup incl. SSO Auth Lib installation
  • TOTPLoginModule integration as authentication context for HTTPS
  • Configuration of the TOTPLoginModule and its first and second factors
  • ClientCertLoginModule configured for correct user mapping (Rule1.xxxx)
  • SP setup (AS ABAP)
  • Trust setup and metadata export/import on each sides
  • Relay-State Mapping configuration for my AS ABAP web application
  • Name ID mappings
  • OTP settings and roles
  • iOS device registration via OTP_ONLINE_USER

Test via Client PC and Browser:

  • User Certificate available in the browser
  • SAP Authenticator enrolled (OTP_USER) thus only a OTP generator at this stage
  • Testing with SP initiated SSO
  1. AS ABAP application URL
  2. SAMLAuthnRequest + Redirect to IdP
  3. First factor authentication (prompt for certificate selection) - works
  4. second factor (enter OTP generated by SAP Authenticator) on the logon screen
  5. SAMLResponse issued by IdP and sent via Post-Binding to the AS ABAP SP
  6. Authentication successfully --> nearly SSO :-)


As I said before, now I am trying to achieve the same using the SAP Authenticator. The user should be able to perform Mobile Single Sign-On after starting the SAP Authenticator App, entering the App password and tip on the provided bookmark for accessing the ABAP web application available in the SAP Authenticator.

Example bookmark: https://<host>:<port>/saml2/idp/sso?saml2sp=<SP-Name>ℜlayState=<Name>&j_username=[username]&j_passcode=[passcode]

Of course the target is, to use two factor authentication against SAP IdP in order to obtain a SAML assertion for the ABAP SP.

As we now open the application bookmark, we are working with IDP-initated SSO, thus the first request goes directly to IdP, but authentication methods should be the same, right? Well it doesn't work.... end up at the IdP logon screen in the Safari.

It works with passcode (one factor) only - if the TOTPLoginModule is configured with option „mode = otp“ when starting the application bookmark from SAP Authenticator, the logon via passcode against the IdP happens automatically via the safari browser and after issuing the assertion the ABAP application is presented successfully.

It does not work, if I setup the same scenario for two factor authentication, similar to what I have already tested via PC using the browser and a X.509 certificate (SP initiated).

Now the first factor should be a X.509 certificate.

1) I have installed one in the iOS device (profile) to make it available in Safari. Didn't help. To make sure it really works, i just modified the ticket stack of my AS JAVA and opened the /irj/portal Url from Safari --> SSO via ClientCertLoginModule works!!!

2) I have configured Secure Login Server in combination with the SSO Auth Lib to provide certificate via the SAP Authenticator (RESTful Client). The certificate is available in the SAP Authenticator. But it is the same situation, doesn't work.

Is it possible to use the X.509 certificate enrolled via Secure Login Server for authentication against the IdP via SAP Authenticator triggering this process? (see also

As this does not seem to work, is it required to have the certificate available in the iOS safari (browser app)?

Does the SAP Authenticator App use the Safari Browser for SAML message exchange and so on... or does it include a kind of browser engine with SAML support?

BTW: I know the document „MOBILE SINGLE SIGN-ON FOR SAP FIORI USING SAP AUTHENTICATOR“ but it doesn’t help at this stage.

Would it be possible to setup a call with an solution expert?

Thanks so much.


10 |10000 characters needed characters left characters exceeded
* Please Login or Register to Answer, Follow or Comment.

4 Answers

Carsten Olt Feb 22, 2017 at 08:26 AM

Update: in the meantime it is very clear the certificate provided by SAP Authenticator (via SLS) can't be used for Safari, just to make that clear ;) In the meantime our customer switched to the passcode only approach, having the SAP Authenticator password as a first factor and possession of the mobile device as the second factor...

10 |10000 characters needed characters left characters exceeded
Dimitar Mihaylov
Feb 27, 2017 at 01:33 PM

Hi Carsten,

If the request is still valid then you can contact me via email: Due to security constraints on iOS certificates provisioned via SAP Authenticator can be used only by apps from the same vendor (SAP).



10 |10000 characters needed characters left characters exceeded
BASIS TIVIT Sep 26, 2017 at 02:56 PM

Hi Carsten, how are you?

Were you able to implement the above scenario? I'm handling a scenario like yours.

I'm dealing to enable our CRM AS ABAP system to run on iOS and Android mobile devices which the network userID/password need to be validated against an LDAP server, a X509 certificate be provided and the SAP authenticator to provide the passcode... after validation make an SSO to the CRM system.

Thanks in advance!

Kind Regards,

Rinaldo Zonzini

10 |10000 characters needed characters left characters exceeded
Carsten Olt Sep 27, 2017 at 11:56 AM

Hi Rinaldo,

question is, how do you access your CRM application from your mobile devices? Is that done using a mobile App (mobile application runtime container) or via built-in browser? The first will be supported soon AFAIK, at least for iOS and for Fiori. The SAP Authenticator app can obtain an X.509 certificate from the SLS and make it available in an SAP defined key chain on iOS. The SAP Fiori Client will be enhanced to access the SAP key chain and reuse the certificate for single sign-on.

I am not aware how to achieve a real two factor authentication with the authenticator and via mobile device browser (triggered by authenticator app) while taking X.509 certificates into account. I mean to use the X.509 certificate as one authentication factor and the one time passcode as the second. AFAIK this is only possible if you enroll certficates to your device via MDM beforehand.

Core question is still unanswered: Is it possible to use the X.509 certificate enrolled via SAP Authenticator / SLS for authentication against the SAP IDP while SAP Authenticator is triggering this process?

I would love to hear some feedback.


10 |10000 characters needed characters left characters exceeded