SAP Fiori Client Guide

Configuring Single Sign-On with One-Time Password (OTP) and SAP SSO

SAP Fiori Client supports OTP-based authentication, using SAP SSO identity provider-initiated authentication and the SAP Authenticator app.

SAP Authenticator is a mobile app that generates passcodes for systems that require OTP authentication. Passcodes are time-based and valid for one logon attempt, meaning they are more secure than common static passwords.

Landscape Requirements



SAP Fiori Client

  • iOS and Android SAP Fiori Client 1.5 or later

  • Custom SAP Fiori client for iOS and Android built with SDK 3.0 SP10 or later

SAP Fiori front-end server

  • The front-end server must be configured with a SAML2 trusted identity provider that points to the SAP Single Sign-On identity provider (SAP SSO IdP).

  • The location URL of the trusted provider's single sign-on endpoint (HTTP Redirect binding) must include the query parameter:


SAP Single Sign-On Identity Provider

  • SAP Single Sign-On 2.0 SP06 or later.

  • The SAP SSO IdP must contain a service provider definition for the SAP Fiori launchpad URL, with redirect behavior.

  • The SAP SSO IdP must contain an application definition with a logon URL that follows the pattern:[username]&passcode_paramname=j_passcode&passcode_paramvalue=[passcode]

SAP Authenticator

  • SAP Authenticator 1.2.0 or higher.

  • The SAP Authenticator end user must have onboarded their user for OTP generation. This procedure typically includes navigating to an authenticated onboarding portal on a desktop browser, and using the SAP Authenticator mobile app to scan a generated QR code displayed on the onboarding portal page.

Configuring SAP Fiori Client for OTP Authentication

To allow the SAP Fiori Client app to authenticate to the SAP SSO IdP using code generated by SAP Authenticator app, the SAP Fiori Client administrator must provide end users with the location of the IdP in the idplogonurl parameter. The location of the IdP should include the name of the service provider mapped to the SAP Fiori launchpad location in the IdP as the saml2sp query parameter.


This value can be set in one of the following ways:

  • Add the query parameter to the Fiori launchpad URL provided to end users.

  • If you build a custom SAP Fiori client, you can define the idplogonurl parameter in appConfig.js.

  • Add idplogonurl parameter to the JSON structure in SAP Mobile Secure Configuration Discovery Service
  • Add idplogonurl parameter to the JSON structure in SAP Mobile Device Management (SAP Afaria)

Callback URL Scheme

The callback URL scheme is exposed by SAP Fiori Client so that SAP Authenticator can use it to communicate with SAP Fiori Client. Ensure that SAP Fiori Client, SAP Authenticator, SAP Fiori front-end server, and single sign-on IDP all use the same callback scheme.

The examples given in this document assume that you are using the app store version of SAP Fiori Client, which has the callback URL scheme of

If you are using a custom SAP Fiori client, by default, the exposed callback URL scheme has the format [applicationId].xcallbackurl. Where applicationId is the identifier used when application is created using SAP Mobile Platform Server Management Cockpit or HANA Cloud Platform Mobile Services Cockpit, or any unique identifier if SAP Mobile Platform Server or mobile service for development and operations are not used. The applicationId should be used as iOS Bundle Identifier and Android Package Identifier.

In a custom SAP Fiori client project, the URL scheme can be changed from the project's app Info.plist file for an iOS client, or AndroidManifest.xml file for Android client.

Supported Flows

  • The user opens SAP Fiori Client and is redirected to the IdP logon page. The user chooses Logon with SAP Authenticator, and is then redirected to the SAP Authenticator app. The user selects the user and app, and is then redirected to the SAP Fiori Client app. The user authenticates against the IdP logon page, and then is finally redirected to the SAP Fiori launchpad.

  • The user opens the SAP Authenticator app and selects the user and app. The user is redirected to the SAP Fiori Client app, authenticates against the IdP logon page, and then is redirected to the SAP Fiori launchpad.