SAP Fiori Client Guide

Configuring Single Sign-On with One-Time Password (OTP) and SAP SSO

SAP Fiori Client supports OTP-based authentication, using SAP SSO identity provider-initiated authentication and the SAP Authenticator app.

SAP Authenticator is a mobile app that generates passcodes for systems that require OTP authentication. Each passcode is time-based and valid for a single logon attempt, so a passcode that is observed or captured cannot be replayed the way a static password can.

Landscape Requirements

The following components are required, with the minimum versions and configuration listed for each.
SAP Fiori Client

  • iOS and Android SAP Fiori Client 1.5 or later

  • Custom SAP Fiori client for iOS and Android built with SDK 3.0 SP10 or later

SAP Fiori front-end server

  • The front-end server must be configured with a SAML2 trusted identity provider that points to the SAP Single Sign-On identity provider (SAP SSO IdP).

  • The location URL of the trusted provider's single sign-on endpoint (HTTP Redirect binding) must include the query parameter: x-callback-scheme=com.sap.fiori.client.xcallbackurl

    Example:

    https://myidp.abc.com/saml2/idp/sso?x-callback-scheme=com.sap.fiori.client.xcallbackurl

SAP Single Sign-On Identity Provider

  • SAP Single Sign-On 2.0 SP06 or later.

  • The SAP SSO IdP must contain a service provider definition for the SAP Fiori launchpad URL, with redirect behavior.

  • The SAP SSO IdP must contain an application definition with a logon URL that follows the pattern below. [username] and [passcode] are placeholders; SAP Authenticator fills them with the selected user and the generated passcode when it opens the URL in SAP Fiori Client.

    com.sap.fiori.client.xcallbackurl://x-callback-url/setCredential?x-source=com.sap.authenticator&username_paramname=j_username&username_paramvalue=[username]&passcode_paramname=j_passcode&passcode_paramvalue=[passcode]

SAP Authenticator

  • SAP Authenticator 1.2.0 or higher.

  • The end user must have onboarded their user in SAP Authenticator for OTP generation. This procedure typically consists of navigating to an authenticated onboarding portal in a desktop browser and scanning the QR code displayed on the onboarding portal page with the SAP Authenticator mobile app.
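The following is an added example, not code from SAP Fiori Client or SAP Authenticator. It shows how a client receiving the setCredential callback described above can validate it before trusting it: the URL must use the client's own callback scheme, the x-callback-url host and setCredential action, name com.sap.authenticator as its source, and carry substituted (not placeholder) username and passcode values. The parsed fields are then turned into the form body for the IdP logon page. The callback URL and the passcode value are constructed sample input; the assumption that the IdP logon form accepts j_username and j_passcode as form-encoded fields follows from the parameter names in the pattern above.

```javascript
// Added example (not SAP code): validate and parse the x-callback-url
// setCredential callback that SAP Authenticator sends to SAP Fiori Client.

const CALLBACK_SCHEME = "com.sap.fiori.client.xcallbackurl"; // app store client scheme (from the guide)
const CALLBACK_HOST = "x-callback-url";
const CALLBACK_ACTION = "/setCredential";
const EXPECTED_SOURCE = "com.sap.authenticator";

// Returns an object keyed by the form field names the callback names
// (e.g. { j_username: "...", j_passcode: "..." }), or throws if the
// callback does not match the expected pattern.
function parseSetCredentialCallback(callbackUrl, expectedScheme = CALLBACK_SCHEME) {
  let url;
  try {
    url = new URL(callbackUrl);
  } catch (e) {
    throw new Error("callback is not a valid URL");
  }
  // Only accept our own scheme: a callback arriving over https or another
  // app's scheme is not a SAP Authenticator handoff.
  if (url.protocol !== expectedScheme + ":") {
    throw new Error("unexpected callback scheme " + url.protocol);
  }
  if (url.hostname !== CALLBACK_HOST || url.pathname !== CALLBACK_ACTION) {
    throw new Error("unexpected callback target " + url.hostname + url.pathname);
  }
  const q = url.searchParams;
  if (q.get("x-source") !== EXPECTED_SOURCE) {
    throw new Error("callback did not come from " + EXPECTED_SOURCE);
  }
  const fields = {};
  for (const kind of ["username", "passcode"]) {
    const name = q.get(kind + "_paramname");
    const value = q.get(kind + "_paramvalue");
    if (!name || !value) {
      throw new Error("missing " + kind + " parameter in callback");
    }
    // The IdP application definition uses [username] / [passcode] as
    // placeholders; if they arrive unsubstituted, the handoff is broken.
    if (value === "[" + kind + "]") {
      throw new Error(kind + " placeholder was not substituted");
    }
    fields[name] = value;
  }
  return fields;
}

// Body of the application/x-www-form-urlencoded POST to the IdP logon page
// (assumption: the logon form accepts the field names carried in the callback).
function buildLogonFormBody(fields) {
  return new URLSearchParams(fields).toString();
}

// Constructed sample callback (user and passcode are made up).
const SAMPLE_CALLBACK =
  "com.sap.fiori.client.xcallbackurl://x-callback-url/setCredential" +
  "?x-source=com.sap.authenticator" +
  "&username_paramname=j_username&username_paramvalue=jdoe" +
  "&passcode_paramname=j_passcode&passcode_paramvalue=48213976";

console.log(buildLogonFormBody(parseSetCredentialCallback(SAMPLE_CALLBACK)));
```

Because the passcode is valid for one logon attempt only, the client should submit it immediately and should not write the callback URL to logs or analytics, where the passcode and username would otherwise be recorded in clear text.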

Configuring SAP Fiori Client for OTP Authentication

To allow the SAP Fiori Client app to authenticate to the SAP SSO IdP with a passcode generated by the SAP Authenticator app, the SAP Fiori Client administrator must provide end users with the location of the IdP in the idplogonurl parameter. This IdP location must carry, in the saml2sp query parameter, the name of the service provider that is mapped to the SAP Fiori launchpad location in the IdP.

Example:
idplogonurl=https://myidp.abc.com/saml2/idp/sso?saml2sp=gw_fiori_sp

This value can be set in one of the following ways:

  • Add the query parameter to the Fiori launchpad URL provided to end users.

  • If you build a custom SAP Fiori client, you can define the idplogonurl parameter in appConfig.js.

  • Add the idplogonurl parameter to the JSON structure in SAP Mobile Secure Configuration Discovery Service.

  • Add the idplogonurl parameter to the JSON structure in SAP Mobile Device Management (SAP Afaria).

Callback URL Scheme

The callback URL scheme is exposed by SAP Fiori Client so that SAP Authenticator can use it to communicate with SAP Fiori Client. Ensure that SAP Fiori Client, SAP Authenticator, the SAP Fiori front-end server, and the single sign-on IdP all use the same callback scheme: the scheme in the front-end server's trusted provider URL (x-callback-scheme) and the scheme of the IdP application's logon URL must both match the scheme the client registers, otherwise the setCredential callback is never delivered to the client. Because that callback carries the username and passcode as query parameters, use a scheme that is unique to your client; mobile platforms do not guarantee that only one installed app handles a given custom URL scheme.

The examples given in this document assume that you are using the app store version of SAP Fiori Client, which has the callback URL scheme of com.sap.fiori.client.xcallbackurl.

If you are using a custom SAP Fiori client, the exposed callback URL scheme has the format [applicationId].xcallbackurl by default, where applicationId is the identifier used when the application is created in the SAP Mobile Platform Server Management Cockpit or the HANA Cloud Platform Mobile Services Cockpit, or any unique identifier if SAP Mobile Platform Server or mobile service for development and operations is not used. The same applicationId should be used as the iOS Bundle Identifier and the Android Package Identifier.

In a custom SAP Fiori client project, the URL scheme can be changed in the project's Info.plist file for an iOS client, or in the AndroidManifest.xml file for an Android client.
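The following is an added example, not code from SAP or the SAP Fiori Client project. It ties together the URLs that the idplogonurl section and this section require: it builds the idplogonurl value (IdP SSO endpoint plus saml2sp), the front-end server's trusted provider location URL (IdP SSO endpoint plus x-callback-scheme), the launchpad URL handed to end users with idplogonurl appended, and the default scheme of a custom client derived from its applicationId. It then checks that the scheme advertised by the front-end server and the scheme of the IdP application logon URL both match the client's scheme. The IdP host, service provider name and launchpad path are constructed sample values; the launchpad path in particular is an assumption, not a path from the guide.

```javascript
// Added example (not SAP code): derive the OTP-related URLs for one landscape
// and verify that every component agrees on the callback URL scheme.

const APP_STORE_SCHEME = "com.sap.fiori.client.xcallbackurl"; // from the guide

// Default scheme of a custom client is [applicationId].xcallbackurl (from the guide).
// The identifier must be usable as an iOS bundle ID / Android package name.
function customClientScheme(applicationId) {
  if (!/^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)*$/.test(applicationId)) {
    throw new Error("applicationId is not a valid bundle/package identifier: " + applicationId);
  }
  return applicationId + ".xcallbackurl";
}

// idplogonurl: the IdP SSO endpoint with the service provider name in saml2sp.
function buildIdpLogonUrl(ssoEndpoint, serviceProviderName) {
  const u = new URL(ssoEndpoint);
  u.searchParams.set("saml2sp", serviceProviderName);
  return u.toString();
}

// Location URL of the trusted provider's SSO endpoint (HTTP Redirect binding)
// configured on the front-end server: it must advertise the client's scheme.
function buildTrustedProviderUrl(ssoEndpoint, callbackScheme) {
  const u = new URL(ssoEndpoint);
  u.searchParams.set("x-callback-scheme", callbackScheme);
  return u.toString();
}

// First delivery option from the guide: append idplogonurl to the launchpad URL.
function addIdpLogonUrlToLaunchpad(launchpadUrl, idpLogonUrl) {
  const u = new URL(launchpadUrl);
  u.searchParams.set("idplogonurl", idpLogonUrl);
  return u.toString();
}

// Returns a list of mismatches (empty when the landscape is consistent).
function checkCallbackSchemeConsistency({ clientScheme, trustedProviderUrl, idpAppLogonUrl }) {
  const problems = [];
  const advertised = new URL(trustedProviderUrl).searchParams.get("x-callback-scheme");
  if (advertised !== clientScheme) {
    problems.push("front-end server advertises " + advertised + ", client registers " + clientScheme);
  }
  // The IdP application logon URL's scheme is the one SAP Authenticator opens.
  const idpScheme = new URL(idpAppLogonUrl).protocol.replace(/:$/, "");
  if (idpScheme !== clientScheme) {
    problems.push("IdP application logon URL uses " + idpScheme + ", client registers " + clientScheme);
  }
  return problems;
}

// Constructed sample landscape (host names, SP name and launchpad path are made up).
const SSO_ENDPOINT = "https://myidp.abc.com/saml2/idp/sso";
const LAUNCHPAD_URL = "https://fes.abc.com/sap/bc/ui2/flp"; // assumed launchpad path
const IDP_APP_LOGON_URL =
  "com.sap.fiori.client.xcallbackurl://x-callback-url/setCredential?x-source=com.sap.authenticator" +
  "&username_paramname=j_username&username_paramvalue=[username]" +
  "&passcode_paramname=j_passcode&passcode_paramvalue=[passcode]";

const idpLogonUrl = buildIdpLogonUrl(SSO_ENDPOINT, "gw_fiori_sp");
const trustedProviderUrl = buildTrustedProviderUrl(SSO_ENDPOINT, APP_STORE_SCHEME);
console.log(addIdpLogonUrlToLaunchpad(LAUNCHPAD_URL, idpLogonUrl));
console.log(checkCallbackSchemeConsistency({
  clientScheme: APP_STORE_SCHEME,
  trustedProviderUrl,
  idpAppLogonUrl: IDP_APP_LOGON_URL,
}));
```

Run the consistency check with the custom client's scheme (customClientScheme of its applicationId) whenever you build a custom client: a landscape configured for the app store scheme reports two mismatches, one for the front-end server and one for the IdP application definition, and both must be corrected before OTP logon can work.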

Supported Flows

  • The user opens SAP Fiori Client and is redirected to the IdP logon page. The user chooses Logon with SAP Authenticator and is redirected to the SAP Authenticator app. There, the user selects the user and the app, and is redirected back to the SAP Fiori Client app. The user completes authentication on the IdP logon page with the credentials supplied by SAP Authenticator, and is finally redirected to the SAP Fiori launchpad.

  • The user opens the SAP Authenticator app and selects the user and the app. The user is redirected to the SAP Fiori Client app, completes authentication on the IdP logon page, and is then redirected to the SAP Fiori launchpad.