Show TOC

User Authentication and Single Sign-OnLocate this document in the navigation structure

Different user authentication and single sign-on mechanisms are supported, depending on whether SAP Fiori Client connects to the front-end server directly, or through SAP Mobile Platform Server or SAP HANA Cloud Platform mobile services.

For information on how to configure SAP Fiori Client, see Configuration and Deployment Information and Configuration Examples.

For examples of the application configuration in SAP Mobile Platform, see Application Configuration in SAP Mobile Platform.

Method

Supported For

Description

One-Time Password (OTP) and SAP SSO

  • Direct connection to front-end server

SAP Fiori Client supports OTP-based authentication, using SAML IdP-initiated authentication and the SAP Authenticator app.

For more information, see Configuring Single Sign-On with One-Time Password (OTP) and SAP SSO.

SAML 2.0

  • Direct connection to front-end server

  • Connection through SAP Mobile Platform Server or SAP HANA Cloud Platform mobile services

SAML assertions are a modern standard for web-based and cross-domain SSO. You need an identity provider to issue SAML assertions for your users.

Identity federation is a part of SAP Single Sign-On.

X.509 client certificates

  • Direct connection to front-end server

  • Connection through SAP Mobile Platform Server or SAP HANA Cloud Platform mobile services

Note

SAP Fiori Client for Windows 10 does not currently support X.509 client certificates. For more information, see SAP Note 2158220 Information published on SAP site.

If you use the SAP Fiori Client mobile app from the public app stores, client certificates must be provisioned with SAP Mobile Secure or SAP Afaria.

If you build a custom SAP Fiori client (SMP SDK 3.0 SP08 or later), you can use a third party mobile device management (MDM) solution to provision certificates. For more information, see Using the X.509 Certificate Provider Interface to Integrate with Third-Party Certificate Providers.

Certificate federation is supported for a custom SAP Fiori client built using SAP Mobile Platform SDK 3.0 SP12 or later. See SAP Note 2301340 Information published on SAP site before configuring certificate federation.

The Federation Provider Plugin contains a certificate provider implementation that adds support for sharing X.509 client certificates across multiple applications. The implementation provides a way to set a federated certificate provider. This can be any certificate provider delivered by SAP or a third-party. For more information, see FederationProvider Plugin.

SAP Logon Tickets

  • Direct connection to front-end server

  • Connection through SAP Mobile Platform Server or SAP HANA Cloud Platform mobile services

Logon tickets are an SAP proprietary mechanism. They offer authentication and SSO in the form of a digitally-signed cookie.

User ID and password

  • Direct connection to front-end server

  • Connection through SAP Mobile Platform Server or SAP HANA Cloud Platform mobile services

As a fallback option, initial authentication can be based on the users' passwords on the front-end server. SAP provides a dedicated logon handler for form-based logon.

This is the easiest mechanism to implement, but the least secure. In this case, you must offer password reset and recovery functionality for your end-users. Encryption of the communication path (HTTPS) is essential.