Dear Donka,
thanks a lot for the reply. Let's stick to the Fiori application cause it is a perfect example here. I know we could bookmark the Fiori URL in SAP Authenticator and using IDP initiated SAML SSO we could SSO to Fiori Lauchpad in browser. Till this point we are all good.
My question is more on the user's follow-up activities in the Fiori Lauchpad. Quite ofter user needs to do some operations in Fiori Launchpad, e.g. perform an InA search, which requires the user to authenticate to the backend ABAP server. At this time the back-end ABAP server will ask the user to provide a valid SAML token again (assume we configured the SAML for the backend ABAP server) because the user is accessing a different server now. As shown in this example, the user is logged in to the Fiori Launchpad and has already finished once the authentication to the IDP.
Will the browser pup-up a login form to IDP again for the login to the back-end ABAP server?
If yes, will the SAP authenticator be called automatically and pass through the OTP code automatically to IDP?
Or the user has to enter the passcode manually in the authentication form?
In the desktop world the above steps are not needed since the IDP generate a cookie once the user is authenticated and the clients stores the cookie and will use this cookie for the follow-up activities as long as the cookie is still valid. But I am not sure if in the mobile world it is the same, especially in case the initial authentication to IDP is done through the SAP authenticator.
Could you please share me more experience on the scenarios above?
Thanks and regards
Xuan