User Authentication and Single Sign-On
Different user authentication and single sign-on mechanisms are supported, depending on whether SAP Fiori Client connects to the front-end server directly, or through SAP Mobile Platform Server or SAP HANA Cloud Platform mobile services.
For authentication configuration examples, see Configuring Authentication.
For examples of the application configuration in SAP Mobile Platform, see Application Configuration in SAP Mobile Platform.
|
Method |
Description |
Supported For |
|---|---|---|
|
One-Time Password (OTP) and SAP SSO |
SAP Fiori Client supports OTP-based authentication, using SAML IdP-initiated authentication and the SAP Authenticator app. For more information, see Client Configuration for Single Sign-On with One-Time Password (OTP) and SAP SSO. |
|
|
SAML 2.0 |
SAML assertions are a modern standard for web-based and cross-domain SSO. You need an identity provider to issue SAML assertions for your users. Identity federation is a part of SAP Single Sign-On. |
|
|
X.509 client certificates |
If you use the SAP Fiori Client mobile app from the public app stores, client certificates must be provisioned with SAP Mobile Secure or SAP Afaria. If you build a custom SAP Fiori client (SMP SDK 3.0 SP08 or later), you can use a third party mobile device management (MDM) solution to provision certificates. |
|
|
SAP Logon Tickets (Not recommended) |
Logon tickets are an SAP proprietary mechanism. They offer authentication and SSO in the form of a digitally-signed cookie. |
|
|
User ID and password (Not recommended) |
As a fallback option, initial authentication can be based on the users' passwords on the front-end server. SAP provides a dedicated logon handler for form-based logon. This is the easiest mechanism to implement, but the least secure. In this case, you must offer password reset and recovery functionality for your end-users. Encryption of the communication path (HTTPS) is essential. |
|