SAP Fiori Client Guide

User Authentication and Single Sign-On

Different user authentication and single sign-on mechanisms are supported, depending on whether SAP Fiori Client connects to the front-end server directly, or through SAP Mobile Platform Server or SAP HCP, mobile service for development and operations.

For information on how to configure SAP Fiori Client, see Configuration and Deployment Information and Configuration Examples.

For examples of the application configuration in SAP Mobile Platform, see Application Configuration in SAP Mobile Platform.

Method: One-Time Password (OTP) and SAP SSO

Supported for:

  • Direct connection to front-end server

Description:

SAP Fiori Client supports OTP-based authentication, using SAML IdP-initiated authentication and the SAP Authenticator app.

For more information, see Configuring Single Sign-On with One-Time Password (OTP) and SAP SSO.

Method: SAML 2.0

Supported for:

  • Direct connection to front-end server

  • Connection through SAP Mobile Platform Server or SAP HCP, mobile service for development and operations

Description:

SAML assertions are a modern standard for web-based and cross-domain SSO. You need an identity provider to issue SAML assertions for your users.

Identity federation is a part of SAP Single Sign-On.

Method: X.509 client certificates

Supported for:

  • Direct connection to front-end server

  • Connection through SAP Mobile Platform Server or SAP HCP, mobile service for development and operations

Description:

If you use the SAP Fiori Client mobile app from the public app stores, client certificates must be provisioned with SAP Mobile Secure or SAP Afaria.

If you build a custom SAP Fiori client (SAP Mobile Platform SDK 3.0 SP08 or later), you can use a third-party mobile device management (MDM) solution to provision certificates. For more information, see Using the X.509 Certificate Provider Interface to Integrate with Third-Party Certificate Providers.

Certificate federation is supported for a custom SAP Fiori client built using SAP Mobile Platform SDK 3.0 SP12 or later. See SAP Note 2301340 before configuring certificate federation.

The Federation Provider Plugin contains a certificate provider implementation that adds support for sharing X.509 client certificates across multiple applications. The implementation provides a way to set a federated certificate provider. This can be any certificate provider delivered by SAP or a third party. For more information, see FederationProvider Plugin.

Method: SAP Logon Tickets

Supported for:

  • Direct connection to front-end server

  • Connection through SAP Mobile Platform Server or SAP HCP, mobile service for development and operations

Description:

Logon tickets are an SAP proprietary mechanism. They offer authentication and SSO in the form of a digitally signed cookie.

Method: User ID and password

Supported for:

  • Direct connection to front-end server

  • Connection through SAP Mobile Platform Server or SAP HCP, mobile service for development and operations

Description:

As a fallback option, initial authentication can be based on the users' passwords on the front-end server. SAP provides a dedicated logon handler for form-based logon.

This is the easiest mechanism to implement, but the least secure. In this case, you must offer password reset and recovery functionality for your end users. Encryption of the communication path (HTTPS) is essential.