Hi SSO Experts,
I have some fundamental questions about the mobile SSO. I am aware of the functionality of the SAP authenticator and know that we can configure SAP authenticator together with SAML IDP to achieve IDP initiated SSO. In this case end user can store the SP urls as favorite in SAP authenticator. By click the favorite, the user gets automatically authenticated to IDP and redirect to SP page. It works all fine. But (in my opinion) the limitation here is that one has to start everything from the SAP authenticator. My questions are:
1. How does it work in a SP initiated Mobile SSO scenario?
- For example, the user opens browser and enter the url directly in the mobile device.
- Or another example, in SP A some operations might need to access SP B. While performing those operations the user need to authenticate to SP B.
On a desktop PC once the user is authenticated to IDP, the user will receive a IDP cookie (if configured). Next time if the user calls another SP, the user does not has to login to IDP again. How does it look like in the mobile device? Assume that the user has previously logged in to IDP with SAP authenticator (TOTP login module). Does it work in the same way as in desktop PC, meaning the cookie is cached somewhere in mobile device, and user does not need to login to IDP again? If not, how can we achieve SSO in this scenario?
2. How does it look like if using mobile apps instead of typing url in browser? Will it make any difference comparing to the scenario 1? We assume in both scenarios we are visiting the same SP.
The questions are coming from my current project where the customer has a internet facing portal for their agent users and the functions in portal might need to access backed ERP, HANA XS servers. And the customer also has plenty of enterprise mobile apps, which they don't know how to integrate them into SAP authenticator.
Thanks a million in advance and best regards
Xuan