
Fiori iOS tutorials - SAML and OAuth - how to force logon dialog again?

Apr 05, 2017 at 12:59 AM

98


I've run through all the new Fiori iOS tutorials and specifically the security ones to showcase logon via basic auth, SAML and OAuth.

What I am wondering is: once you log on with SAML and tick the "remember me" checkbox, how do you ever get to show the logon popup again? For example, if you wanted to change the password.

Or how does an administrator force it to NOT remember so the user must log on again? I cannot find anywhere in SAP Cloud mobile services where you can do this. Maybe it is a feature of the SAP Identity Provider which is used by default here?!?


3 Answers

Best Answer
Andreas Schlosser Apr 06, 2017 at 05:23 AM
0

Got it; SAP ID service has self-service for users who forgot their password or want to change it: https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/d4c3811a58c44982bce09e9fdcbb5c64.html. I presume there's also admin/operator functionality to enforce a password reset, maybe here: https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/045cb01bd2034b05a69e1a626e46570f.html, but I couldn't validate this right now.

There is nothing in the SDK / mobile services for that, but we rely either on SAP ID service or a custom IdP to provide this functionality.

Andreas

Andreas Schlosser Apr 05, 2017 at 04:55 AM
0

Jason,

You're right here; the SAML authentication is happening in a WebView and what happens inside is effectively outside of the control of the SDK. Even though I have to say that when you actually checked that 'remember me' box, you get what you've asked for. And hoping for the logon screen to show up so you can change your password is maybe not the right expectation either?

You can configure SAP CP to use a custom IdP - you'll experience the same here. Whatever that custom IdP might offer, the logic is something the SDK cannot control by design of how SAML flows work.

The interaction point of the SDK is the fact that we need to realize when the authentication flow is over (by configuring the respective 'done' URL in the SAMLAuthenticationParameters) and then we can extract a valid session cookie from the web view, but that is about it.

Thanks
Andreas

Jason Scott Apr 06, 2017 at 01:46 AM
0

Thanks Andreas... I guess I was more thinking from the perspective of: what if the user loses their device... They call up IT Support and let them know - how does IT Support block access? In this example of using the SAP Identity Provider - is there somewhere you can block the login?
