Mobile SSO For SAP Fiori - Step-by-Step Guide

MOBILE SINGLE SIGN-ON FOR SAP FIORI USING SAP AUTHENTICATOR

TABLE OF CONTENTS

MOBILE SINGLE SIGN-ON FOR SAP FIORI
HOW THE MOBILE SINGLE SIGN-ON FOR SAP FIORI WORKS
STEP-BY-STEP IMPLEMENTATION OF THE MOBILE SINGLE SIGN-ON FOR FIORI
  1. SAML 2.0 IDENTITY PROVIDER SETUP
  2. ONE-TIME PASSWORD AUTHENTICATION SETUP FOR SAML 2.0 IDENTITY PROVIDER
  3. ADD TRUSTED SERVICE PROVIDER FOR THE SAML 2.0 IDENTITY PROVIDER
  4. SAP AUTHENTICATOR SETUP ON THE MOBILE DEVICE

MOBILE SINGLE SIGN-ON FOR SAP FIORI

Mobile Single Sign-On for Fiori is available with the latest support package (SP04) for SAP Single Sign-On 2.0, released on November 03, 2014. This document describes step by step how to enable Mobile Single Sign-On for Fiori using SAP Authenticator at your company.

The Mobile SSO solution is based on the Time-based One-Time Password (TOTP) algorithm of the open standard RFC 6238. This algorithm computes a one-time passcode from a shared secret key and the current time.

The server side of the TOTP implementation is an add-on module for SAP NetWeaver Application Server (AS) Java and is part of the SAP Single Sign-On 2.0 product. The TOTP Server takes care of activating and deactivating mobile devices per user and of administering the TOTPLoginModule per application.

SAP Authenticator is the mobile application for the TOTP client and is available for the iOS and Android platforms.

The solution requires a SAML 2.0 Identity Provider configured to accept authentication with time-based one-time passwords. Authenticating to the Identity Provider with the respective username and passcode triggers the IdP-initiated single sign-on mechanism.

HOW THE MOBILE SINGLE SIGN-ON FOR SAP FIORI WORKS

Once the solution is implemented, Fiori users can use Fiori applications on their devices after a single click on a bookmark.

When the user clicks on the respective Fiori application bookmark, SAP Authenticator generates a passcode and creates a URL with the respective parameters (service provider, RelayState, username and passcode), similar to this example:

https://<idp host>/saml2/idp/sso?saml2sp=fiori_sp&RelayState=fiori&j_username=[username]&j_passcode=[passcode]

SAP Authenticator sends this URL to the browser, and the browser opens the URL, triggering IdP-initiated single sign-on. The Identity Provider checks the provided credentials and, if the check is successful, issues a SAML 2.0 assertion for this user and for the respective service provider (SAP Fiori in our example). In the next step, based on the HTTP-POST binding response, the SAP Fiori application is securely opened on the user's mobile device. See Figure 1 below.

[Figure 1]

STEP-BY-STEP IMPLEMENTATION OF THE MOBILE SINGLE SIGN-ON FOR FIORI

1. SAML 2.0 IDENTITY PROVIDER SETUP

If you already have a SAML 2.0 Identity Provider (IdP) enabled on your SAP NetWeaver AS Java, you can jump directly to ONE-TIME PASSWORD AUTHENTICATION SETUP FOR SAML 2.0 IDENTITY PROVIDER and start with the creation of a custom authentication context for your IdP.

1. Log on to SAP NetWeaver Administrator at http://<host>:<port>/nwa.
2. Navigate to Configuration → Authentication and Single Sign-On: SAML 2.0 → SAML 2.0 and click “Enable SAML 2.0 Support”.
3. Configure the new SAML 2.0 Local Provider as Identity Provider. Provide a name for the new identity provider and select “Identity Provider” as operational mode from the drop-down menu. Click “Next”.

4. Make sure the Keystore View is “SAML2” (if not, select it from the drop-down menu). Click “Browse” for the Signing Key Pair.
5. Click “Create” for the Keystore Entry.
6. Provide an Entry Name, check “Store Certificate” and click “Next”.

7. Provide a value for the mandatory field “commonName” and click “Next”.
8. Only click “Next” on this step.
9. Click “Finish” to confirm the configuration.

10. Click “OK” to select the new Signing Key Pair.
11. Click “Next” on the SAML 2.0 Local Provider Configuration.
12. Click “Finish” to finalize the configuration.

2. ONE-TIME PASSWORD AUTHENTICATION SETUP FOR SAML 2.0 IDENTITY PROVIDER

Prerequisites: You have SSO AUTHENTICATION LIBRARY 2.0 installed on SAP NetWeaver Application Server (AS) Java. For more details on the installation, see ONE-TIME PASSWORD AUTHENTICATION ADMINISTRATOR’S GUIDE, section INSTALLATION.

Step 1: Set “otp_pwd” mode for the TOTPLoginModule

13. Navigate to the Authentication tab → Login Modules. Search for TOTPLoginModule, select the login module, go to “Details of the login module “TOTPLoginModule”” and click “Edit”.
14. Set the mode value to “otp_pwd” and click “Save”. (In the “otp_pwd” mode the TOTPLoginModule requires a single factor for authentication, which can be either a passcode (TOTP) or a password.)

Step 2: Create a new authentication context and map it to the TOTPLoginModule

15. Navigate to SAML 2.0 Configuration → Local Provider and click “Edit”.
16. Navigate to the Authentication Contexts tab and click “Add”.
17. Create a new Authentication Context by typing an Alias and a Name for it and click “OK”.
18. Click the check-box to select the HTTPS setting for the newly created Authentication Context and then click “Save” for the Local Provider settings.

Step 3: Configure your Identity Provider to use the new authentication context by default for HTTPS authentication

19. Navigate to Local Provider and click “Edit”.
20. Go to the tab Identity Provider Settings → Supported Authentication Contexts and click “Add”.
21. Select your new authentication context from the drop-down menu with the alias values (the one created in step 17).
22. Select “TOTPLoginModule” as the Login Module from the drop-down menu and click “OK”.

Set the new authentication context to be the default HTTPS authentication context:

23. Go to the section Supported Authentication Contexts and select the new authentication context. Click “Copy to” and select the value “Default HTTPS Authentication Contexts”.
24. Your new Supported Authentication Context will appear on the right side, in the list of Default HTTPS Authentication Contexts.

25. Click “Save” to finalize the configuration for your new Identity Provider.

3. ADD TRUSTED SERVICE PROVIDER FOR THE SAML 2.0 IDENTITY PROVIDER

Step 1: Download Service Provider Metadata

Prerequisite: Make sure you have a Local Provider created and enabled on your SAP ABAP system. This identifies your server as a system that can accept SAML assertions. Add the SAML 2.0 Identity Provider created in the first section as Trusted Identity Provider for your Service Provider (the SAP ABAP system running Fiori). For more details on the setup, see USING SAML 2.0 AUTHENTICATION TO ACCESS FIORI APPS FROM THE PUBLIC INTERNET.

In our example the SAML 2.0 Service Provider of the SAP ABAP system is “gw_fiori_sp”.

The Identity Provider Metadata necessary for the setup of the Trusted Identity Provider on the SAP ABAP system is available as follows: start SAP NetWeaver Administrator at http://<host>:<port>/nwa, navigate to Configuration → Authentication and Single Sign-On: SAML 2.0 → SAML 2.0, select “Local Provider” and click “Download Metadata”.

26. Log on to the SAP ABAP system and start transaction SAML2 for the SAML 2.0 Configuration. Navigate to Local Provider and click “Metadata”.
27. Leave all checkboxes selected (as they are by default) and click “Download Metadata”. Save the metadata.xml file provided by the system in a custom folder. To recognize it more easily later, you can rename it to SP_metadata.xml.

Step 2: Set up a RelayState on your SAP ABAP Service Provider for the SAP Fiori Launchpad

The RelayState is a parameter in the URL used by the browser to open the application. The RelayState parameter provides information about the path to the application. In our example this path leads to the SAP FIORI LAUNCHPAD. If no RelayState parameter is provided in the URL, the “Default Application Path” from the IdP settings is used.

28. Click “Edit” on the Local Provider to add a new RelayState Mapping.
29. Go to the tab “Service Provider Settings” → RelayState Mapping and click “Add” for a new RelayState.
30. Provide the name for the RelayState and the Path for the RelayState (in our case this is the path to the “SAP Fiori Launchpad”).
31. Click “Save” for the new settings of the Local Provider.

Step 3: Add Trusted Service Provider for Your SAML 2.0 Identity Provider

32. Go back to SAP NetWeaver Administrator at http://<host>:<port>/nwa.
33. Navigate to Configuration → Authentication and Single Sign-On: SAML 2.0 → SAML 2.0, select “Trusted Providers”, click “Add” and select “Upload Metadata File” from the drop-down list.
34. Click “Choose File” and select the SP metadata file (SP_metadata.xml) stored in the custom folder in step 27.
35. Once the file is selected, click “Next”.

36. The system will display the name of your Service Provider. On this step just click “Next”.
37. Leave the default settings on this step and click “Next”.
38. Leave the default settings for the Assertion Consumer Endpoints and click “Next”. The Location URLs here will be displayed with your <host> and <port>.
39. Leave the default settings for the Single Logout Endpoints and click “Next”. The Location URLs here will be displayed with your <host> and <port>.
40. Leave the default settings for the Artifact Endpoints and click “Next”. The Location URL here will be displayed with your <host> and <port>.

41. Leave the default settings for the NameID Endpoints and click “Finish” to complete the Trusted Service Provider configuration.

Before you can activate the Trusted Service Provider, you first have to add a supported NameID format.

42. Select your new Trusted Service Provider and click “Edit”.
43. Go to the “Details of the trusted provider <name of your trusted provider>” → Identity Federation tab and click “Add” for a new Supported Name ID Format.
44. Select from the drop-down menu the Format Name you plan to provide for the federation (in our case “Unspecified”).
45. Select from the drop-down menu the respective Source Name for the Format Name you selected (in our case “User Attribute”).
46. Click “OK” to confirm the selected Name ID Format.
47. Click “Save” to record the changes for this Trusted Service Provider.
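As an added example that is not part of the guide and not SAP code, the following Python script parses an SP metadata file of the kind downloaded in step 27 and checks, before the file is uploaded, the items the NetWeaver Administrator wizard then displays in steps 36 to 47: the entityID, the signing certificate, the Assertion Consumer and Single Logout endpoints (an HTTP-POST Assertion Consumer endpoint is required for the POST binding response the flow relies on) and the supported NameID formats. The embedded sample metadata is constructed for this example: its entityID follows the guide's gw_fiori_sp, while the host gw.example.com, the endpoint paths and the certificate value are placeholders and not real SAP endpoint paths.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample SP metadata shaped like a SAML 2.0 SPSSODescriptor. The
# entityID follows the guide's example; host, paths and certificate are made up.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="gw_fiori_sp">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIB-CONSTRUCTED-PLACEHOLDER-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://gw.example.com/sap/saml2/sp/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://gw.example.com/sap/saml2/sp/acs"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://gw.example.com/sap/saml2/sp/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Extract the fields the trusted-provider wizard walks through."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    spsso = root.find("md:SPSSODescriptor", NS)
    if spsso is None:
        raise ValueError("metadata describes no Service Provider (SPSSODescriptor missing)")

    def endpoints(tag):
        # (Binding, Location, isDefault) for every endpoint element of this kind
        return [(e.get("Binding"), e.get("Location"), e.get("isDefault") == "true")
                for e in spsso.findall(f"md:{tag}", NS)]

    return {
        "entity_id": root.get("entityID"),
        "want_assertions_signed": spsso.get("WantAssertionsSigned") == "true",
        "signing_certs": len(spsso.findall(
            "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)),
        "acs": endpoints("AssertionConsumerService"),
        "slo": endpoints("SingleLogoutService"),
        "nameid_formats": [e.text.strip() for e in spsso.findall("md:NameIDFormat", NS)],
    }


def check_sp_metadata(info, expected_entity_id, expected_host):
    """Return a list of findings; an empty list means the metadata matches expectations."""
    problems = []
    if info["entity_id"] != expected_entity_id:
        problems.append(f"entityID is {info['entity_id']!r}, expected {expected_entity_id!r}")
    if not any(binding == BINDING_POST for binding, _, _ in info["acs"]):
        problems.append("no HTTP-POST AssertionConsumerService (needed for the POST binding response)")
    for kind, eps in (("ACS", info["acs"]), ("SLO", info["slo"])):
        for _, location, _ in eps:
            url = urlsplit(location)
            if url.scheme != "https" or url.hostname != expected_host:
                problems.append(f"{kind} endpoint {location} is not https on {expected_host}")
    if NAMEID_UNSPECIFIED not in info["nameid_formats"]:
        problems.append("SP does not list the Unspecified NameID format chosen in the guide")
    if info["signing_certs"] == 0:
        problems.append("no signing certificate: signed requests from this SP cannot be verified")
    return problems


if __name__ == "__main__":
    parsed = parse_sp_metadata(SAMPLE_SP_METADATA)
    for finding in check_sp_metadata(parsed, "gw_fiori_sp", "gw.example.com") or ["metadata OK"]:
        print(finding)
```

Run it against the real SP_metadata.xml by replacing SAMPLE_SP_METADATA with the file contents; the host check catches the common mistake of metadata that still carries an internal hostname or a plain-http endpoint from a test system.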

4. SAP AUTHENTICATOR SETUP ON THE MOBILE DEVICE

Set Up SAP Authenticator for iOS

48. Log on to SAP Authenticator Setup at http://<host>:<port>/otp.
49. Click “Scan QR Code” to find the installation. You also have the option to “Install via iTunes”. If you want to install SAP Authenticator for Android devices, follow the links under “Install Android Version”.
50. Scan the QR code with a QR Code Scanner on your iOS device and click Close.

51. Click “Open URL” when the Scanner shows you the Actions.
52. Click Install when the SAP Authenticator application is displayed.
53. Once SAP Authenticator is successfully installed, click “Open”.
54. Once SAP Authenticator is started, click “Start Setup”.
55. Provide a password to protect the application from unauthorized access.
56. Click “Go” to proceed.

Now you can activate your device.

57. Click “Activate Device”.
58. A QR Code for activation will be displayed.
59. Tap the “Scan QR Code” button in the SAP Authenticator application.
60. Scan the QR code displayed in step 58.

61. After the QR Code scan the Account name will be displayed (in our example “FIORIUSER”). Click “Done”.
62. Your device will start generating passcodes.
63. Click “Finish”.
64. Click “Yes” to confirm that you scanned the QR Code successfully.
65. You will receive the message “Activation of device completed”.

Enable “Mobile Single Sign-On” on the iOS device.

66. Navigate to Device Settings (iPhone Settings) → Authenticator and tap to select “Mobile Single Sign-On”.
67. This enables the section with Applications and Trusted Sites for SAP Authenticator. To add an Application, click “Applications”.
68. To add an Application, click “Applications” and click the “+” sign. You have to provide the URL to the application with the respective IdP host and RelayState, following this example:

https://<idp host>/saml2/idp/sso?saml2sp=fiori_sp&RelayState=fiori&j_username=[username]&j_passcode=[passcode]

There are two options to provide the URL:
Option 1: Type the URL.
Option 2: Scan an application QR Code. The QR code can be generated by the corporate IT department and provided to users, for example via e-mail, via the corporate portal, or by other means.

69. If you choose to scan the QR code, the URL will appear automatically. (You can still click on it and change something if necessary.)
70. Go to Application Name and type a name for your application bookmark. Once you are ready, click “Done”.

71. You get your first application bookmark. When you click on it, you will be requested to confirm the UserID. Click on your UserID.
72. In this step SAP Authenticator first generates the passcode, then generates the URL with the UserID and passcode, and then passes this URL to the browser. The browser opens the URL and the user is automatically authenticated and sees the Fiori Launchpad.

Optional steps

Select a default user for the login to an application

73. Go to Applications and click the info icon on the right side of the application name to open the details of the application.
74. In the “Sign-in accounts” section your UserID is displayed. Click on the UserID to mark it as selected. Click “Done” to save the change.

75. When you are back on the screen with applications, your UserID will be visible as the default UserID for log-in to this application. If you want to remove these settings, you have to go back to the application bookmark settings and uncheck your UserID.

© 2014 SAP SE or an SAP affiliate company. All rights reserved.
