Dear Xuan,
Mobile SSO solution is based on the Time-based One-Time Password (TOTP) Algorithm of the open standardRFC 6238.
For example the Mobile SSO flow for SAP Fiori via the browser is the following:
When the user clicks on the respective Fiori bookmark, the SAP Authenticator generates a passcode and creates a URL with respective parameters (service provider, RelayState, username and passcode) similar to this example:
SAP Authenticator sends this URL to the browser and then the browser opens the URL, triggering IDP initiated single sign-on. The Identity Provider, on his side, checks the credentials provided, and if the check is successful, issues a SAML 2.0 assertion for this user and for the respective service
provider (SAP Fiori in our example). On the next step based on the HTTP-POST binding response the SAP Fiori application is securely opened on the mobile device of the user.
More details you will be able to find in this document:
Mobile SSO for SAP Fiori - Step-by-Step Guide
At the moment for SAP Fiori Client we have a solution described in these two blogs:
Configuring SAP Fiori Client for Single Sign-On with iOS SAP Authenticator
Configuring SAP Fiori Client for Single Sign-On with Android SAP Authenticator
There is a plan to release soon a version of the SAP Fiori Client where the integration with SAP Authenticator will be available out-of-the-box and such re-build will not be necessary.
I hope this answers your questions.
Best regards,
Donka Dimitrova