User Authentication and Single Sign-On

Different user authentication and single sign-on mechanisms are supported, depending on whether SAP Fiori Client connects to the front-end server directly, or through SAP Mobile Platform Server or SAP HANA Cloud Platform mobile services.

For authentication configuration examples, see Configuring Authentication.

For examples of the application configuration in SAP Mobile Platform, see Application Configuration in SAP Mobile Platform.

| Method | Description | Supported For |
| --- | --- | --- |
| One-Time Password (OTP) and SAP SSO | SAP Fiori Client supports OTP-based authentication, using SAML IdP-initiated authentication and the SAP Authenticator app. For more information, see Client Configuration for Single Sign-On with One-Time Password (OTP) and SAP SSO. | Direct connection to front-end server |
| SAML 2.0 | SAML assertions are a modern standard for web-based and cross-domain SSO. You need an identity provider to issue SAML assertions for your users. Identity federation is a part of SAP Single Sign-On. | Direct connection to front-end server; connection through SAP Mobile Platform Server or SAP HANA Cloud Platform mobile services |
| X.509 client certificates | If you use the SAP Fiori Client mobile app from the public app stores, client certificates must be provisioned with SAP Mobile Secure or SAP Afaria. If you build a custom SAP Fiori client (SMP SDK 3.0 SP08 or later), you can use a third party mobile device management (MDM) solution to provision certificates. | Direct connection to front-end server; connection through SAP Mobile Platform Server or SAP HANA Cloud Platform mobile services |
| SAP Logon Tickets (Not recommended) | Logon tickets are an SAP proprietary mechanism. They offer authentication and SSO in the form of a digitally-signed cookie. | Direct connection to front-end server; connection through SAP Mobile Platform Server or SAP HANA Cloud Platform mobile services |
| User ID and password (Not recommended) | As a fallback option, initial authentication can be based on the users' passwords on the front-end server. SAP provides a dedicated logon handler for form-based logon. This is the easiest mechanism to implement, but the least secure. In this case, you must offer password reset and recovery functionality for your end-users. Encryption of the communication path (HTTPS) is essential. | Direct connection to front-end server; connection through SAP Mobile Platform Server or SAP HANA Cloud Platform mobile services |