Passwordless Authentication (Passkeys) with SAP BTP SDK for iOS and SAP Cloud Identity Services

Published on ERP Q&A (https://www.erpqna.com/passwordless-authentication-passkeys-with-sap-btp-sdk-for-ios-and-sap-cloud-identity-services/), Tue, 31 Oct 2023.
In this blog post, I share how you can leverage passkeys in your mobile applications built with SAP BTP SDK for iOS and SAP Mobile Services.

To use passkeys on the iPhone, iOS 16 (or later) is required. Also, iCloud Keychain and two-factor authentication must be turned on.

I will also show you how to leverage SAP Cloud Identity Services and its Identity Authentication service (IAS) as an identity provider supporting WebAuthn, the open standard behind Apple’s passkeys.

This blog post is an end-to-end guide on bringing those SAP products together to create a powerful user experience.

First, I will describe the necessary configuration to be performed by an administrator in:

  • BTP subaccount
  • IAS

Second, I will describe what the mobile app developer has to ensure.

Last, I will explain and illustrate the user’s experience creating a passkey from the IAS user profile web page on their Mac and then using the passkey for mobile app authentication on their iPhone.

You can follow along by using a free trial of the SAP Business Technology Platform (BTP).

Admin – Configuration in SAP BTP

Create a subscription for (1) SAP Mobile Services and (2) SAP Cloud Identity Services.

Then, establish trust between your BTP subaccount and SAP Cloud Identity Services. It only requires a few clicks.

Voila, you configured a custom identity provider for applications.

Admin – Configuration in SAP Cloud Identity Services

Enable Biometric Authentication for the XSUAA app used by SAP Mobile Services.

Please also enable Biometric Authentication for the User Profile self-service offered by IAS.

App Developer – Use OAuth2 with FioriASWebAuthenticationSessionPresenter

Use the SAP BTP SDK Assistant for iOS to create a sample app resulting in a local Xcode project and a remote app definition in SAP Mobile Services.

Make sure that the Redirect URL uses the format <customURLScheme>://<hostURL> in both places:

(1) in the security configuration of SAP Mobile Services

(2) in the Xcode project.

You need to use OAuth2AuthenticationStep provided by the SAPFioriFlows framework with the FioriASWebAuthenticationSessionPresenter.

OAuth2AuthenticationStep(presenter: FioriASWebAuthenticationSessionPresenter())

The underlying ASWebAuthenticationSession API from Apple ensures that the passkey can be read from the iCloud Keychain and sent to the IdP automatically, whether you use SAP Cloud Identity Services or a different product.

User – Create a passkey

The user can create a passkey by adding biometric authentication to their user profile.

The user has now created a passkey that is stored in Apple’s iCloud Keychain and available on all the user’s devices, including their iPhone.

User – Use passkey for passwordless authentication on their iOS app

Now, this is the part you have probably been waiting for the most. How does this work in the iOS application? Once the user moves away from the Welcome Screen…

… the user must confirm the alert presented by the ASWebAuthenticationSession.

The user will choose the custom identity provider. Note: This step can be avoided by removing the default identity provider in the BTP subaccount.

The IdP website from IAS is presented. The user can choose biometric authentication because the admin allowed this form of authentication for the XSUAA app.

The following dialogs to obtain the passkey from the iCloud keychain and send it to IAS are handled by the ASWebAuthenticationSession.

That’s it. The OAuth2AuthenticationStep is completed, the rest of the mobile app’s onboarding steps are executed until onboarding is finished, and the user sees the app’s business content.

SSO Configuration on Asset Management steps involved

Published on ERP Q&A (https://www.erpqna.com/sso-configuration-on-asset-management-steps-involved/), Fri, 19 May 2023.
SSO based on Principal Propagation for SAP Asset Manager

Agenda:

  • Single Sign-on Authentication Types
  • Single Sign-on based on Principal Propagation for SAP Asset Manager (BTP)
  • Principal Propagation: Process Flow
  • Principal Propagation: Architecture Overview
  • Technical Landscape
  • Principal Propagation Compatibility

In the context of the SAP Mobile Add-On, the authorization expectation is for the SAP Cloud Connector to pass the cloud user identity through principal propagation, using a subject pattern that is matched to an alias in the back-end system.

SAP uses rule-based certificate mapping.

Back-end user names

Set up principal propagation.

Step 1.

SAP Cloud Platform authentication setup using IAS with Azure AD

A connection to the corporate Active Directory needs to be established.

Prerequisite: the Cloud Connector is installed and connected to the SCP subaccount.

Cloud Connector configuration

Step 2.

Check the BTP

BTP Cockpit

Click on Local Service Provider, choose Edit, click Get Metadata and upload the metadata in IAS.

Step 3.

Go to IAS tenant.

IAS Home screen

Go to Applications and click Add new Application.

Add Application

Give the application a name.

Application Display Name:

Application Home URL: keep empty.

Application Type:

Step 4.

Go to SAP BTP Cockpit

Under Trust, create a Trust Management entry.

Add Identity Authentication Tenant (we have two tenants: one is used for development and quality, the other for production).

Select the trial tenant; a confirmation popup will appear.

Download the metadata.

Step 5.

Go to IAS –> Applications –> Bundled Applications –> the application where you created Asset Manager DEV.

Define from Metadata (upload the metadata which you downloaded).

Check the SAML 2.0 Configuration and Signing Certificates.

Check that SHA-256 is selected and that Sign Assertions, Sign Single Logout Messages and Require Signed Single Logout Messages are switched on.

Save

Step 6.

Steps for IAS – Azure AD

SAML 2.0 Configuration –> go to Tenant Settings; under the Assertion Consumer Service endpoint you will find the metadata, which you can download.

Step 7:

Upload the metadata into Azure AD

To configure the integration of SAP Cloud Platform Identity Authentication into Azure AD, you need to add SAP Cloud Platform Identity Authentication from the gallery to your list of managed SaaS apps.

  • Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
  • In the left navigation pane, select the Azure Active Directory service.
  • Navigate to Enterprise Applications and then select All Applications.
  • To add a new application, select New Application.
  • In the Add from the gallery section, type SAP Cloud Platform Identity Authentication in the search box. Select SAP Cloud Platform Identity Authentication from the results panel and then add the app.
  • Wait a few seconds while the app is added to your tenant.
  • Download the metadata.

Log in to IAS and upload the metadata.

Go to Identity Authentication Service –> Corporate Identity Providers –> Create –> Add Identity Provider and define the Metadata.

Select Microsoft ADFS / Azure AD as the Identity Provider Type.

Enable the Single Sign-On button, go to Conditional Authentication and select the Default Identity Provider.

Enable Single Sign-on

Set conditional Authentication.

Save

Go to BTP.

Security –> Trust –> Add –> Identity Authentication Tenant / Trusted Identity Provider.

Click on Add Trusted Identity Provider and upload the IAS metadata which you downloaded.
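As an added example (not from the original post), the following Python script automates the Step 5 checks on a SAML 2.0 metadata file before it is uploaded into IAS or BTP: a signing certificate is present, assertions are required to be signed, SHA-256 is used for the signature and every endpoint is HTTPS. The sample metadata is constructed for the example, and the mapping of the IAS "Sign assertions" toggle onto the SP's WantAssertionsSigned flag is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed SP metadata in the shape the BTP "Get Metadata" button exports;
# the certificate is a placeholder string, not a real key.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sub.example.com">
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod
    Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo></ds:Signature>
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sub.example.com/saml2/sp/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_saml_metadata(xml_text: str) -> dict:
    """Return findings keyed by name; a True value is a setting that still needs fixing."""
    root = ET.fromstring(xml_text)
    # SP metadata (BTP side) has an SPSSODescriptor, IdP metadata (IAS, Azure AD) an IDPSSODescriptor.
    role = root.find("md:SPSSODescriptor", NS)
    is_sp = role is not None
    if role is None:
        role = root.find("md:IDPSSODescriptor", NS)
    if role is None:
        raise ValueError("no SPSSODescriptor or IDPSSODescriptor in metadata")
    findings = {"entity_id": root.get("entityID")}
    # A KeyDescriptor without a use attribute may be used for signing and encryption.
    signing_keys = [k for k in role.findall("md:KeyDescriptor", NS)
                    if k.get("use", "signing") == "signing"]
    findings["missing_signing_cert"] = not any(
        k.find(".//ds:X509Certificate", NS) is not None for k in signing_keys)
    if is_sp:
        # Assumption: the IAS "Sign assertions" toggle matches the SP's WantAssertionsSigned flag.
        findings["assertions_not_required_signed"] = role.get("WantAssertionsSigned") != "true"
        findings["authn_requests_unsigned"] = role.get("AuthnRequestsSigned") != "true"
    # Older exports may still carry rsa-sha1; Step 5 asks for SHA-256.
    sig = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    findings["weak_signature_alg"] = sig is None or sig.get("Algorithm") != RSA_SHA256
    # Every endpoint in the role must be HTTPS, or assertions travel in clear text.
    findings["insecure_endpoint"] = any(
        not e.get("Location").startswith("https://") for e in role if e.get("Location"))
    return findings
```

Run the function over the metadata downloaded in Step 2 and Step 6 and fix every finding reported as True before uploading the file to the other side.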

Identity Authentication Service Account Configuration

Create a group in the IAS tenant for “Administrators” of Cloud Platform Mobile Services.

Log in to IAS

Go to Applications –> Bundled Applications (Assertion Attributes).

Cloud Platform Account Configuration

Now, the Cloud Platform account needs to be configured to map the IAS_CPms_Admin group to a group that is granted the desired roles.

Navigate to the “Authorization Management” screen in the Cloud Platform cockpit. Go to the “Groups” tab and click on “New Group”. Create a new group called “MobileServiceAdmin”.

Similarly create Group “MobileServiceUser” and assign the roles mentioned. This is required for Mobile app users.

SCP/BTP – Navigate to the Trust Management screen, click on the “Application Identity Provider” tab and click on the trusted IdP setting that represents the IAS tenant account.

Log in to BTP

Similarly add the Group for Mobile App user

Now, navigate to “Configure development & Operations Cockpit” (refer to the screen in step 5) and click on “Roles”. Create a new role “MobileServicesCockpitAdministrator” and assign it to the group “MobileServiceAdmin”.

Click on “Destinations & Permissions”. Edit the application permissions and select the role “MobileServicesCockpitAdministrator” and save.

Flow chart for Troubleshooting the issue.
