This article demonstrates how to implement Passkey-based authentication in SAP BTP SDK for Windows applications, integrated with SAP Cloud Identity Services.
First, I will describe the necessary configuration to be performed by an administrator in:
- BTP subaccount
- IAS
- Windows OS
Admin – Configuration in SAP BTP
Create a subscription for (1) SAP Mobile Services and (2) SAP Cloud Identity Service.
Then, establish trust between your BTP subaccount and SAP Cloud Identity Services and configure a custom identity provider for applications.
Admin – Configuration in SAP Cloud Identity Services
Enable Biometric Authentication for the XSUAA app used by SAP Mobile Services.
Please also enable Biometric Authentication for the User Profile self-service offered by IAS.
Create a Passkey on Windows
Prerequisites for Creating a Windows Passkey
- Operating System: Windows 10 (version 1903 or later) or Windows 11
- Hardware Requirements:
  - TPM 2.0 (Trusted Platform Module) support
  - Biometric device (fingerprint reader or IR camera for facial recognition) or PIN support
- Windows Hello Enabled: At least one of PIN, fingerprint, or facial recognition must be set up
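The OS and TPM prerequisites above can be checked from an elevated PowerShell session before rolling passkeys out to a device. This is an added example, not part of the SAP BTP SDK or the original article; the function name Test-PasskeyPrerequisite is hypothetical, and the script relies on Windows 10 version 1903 being build 18362. It does not detect whether a Windows Hello PIN, fingerprint or face is enrolled; confirm that under Accounts → Sign-in options.

```powershell
# Added example: checks the OS build and TPM 2.0 prerequisites on the local machine.
# Run elevated; the TPM WMI namespace is not readable from a standard session.
function Test-PasskeyPrerequisite {   # hypothetical name, not an SDK cmdlet
    [CmdletBinding()]
    param([int]$MinimumBuild = 18362)  # Windows 10 version 1903 = build 18362

    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber      # Windows 11 reports builds of 22000 and above

    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    # SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM family.
    $tpmFamily  = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { $null }
    $tpmEnabled = [bool]($tpm -and $tpm.IsEnabled_InitialValue)

    # Fingerprint readers register in the "Biometric" device class. IR cameras do not,
    # so an empty list here does not rule out facial recognition or PIN.
    $readers = @(Get-PnpDevice -Class Biometric -PresentOnly -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        OsCaption          = $os.Caption
        OsBuild            = $build
        OsBuildOk          = $build -ge $MinimumBuild
        TpmPresent         = [bool]$tpm
        TpmFamily          = $tpmFamily
        TpmEnabled         = $tpmEnabled
        TpmOk              = ($tpmFamily -eq '2.0') -and $tpmEnabled
        FingerprintReaders = $readers.FriendlyName
    }
}

$result = Test-PasskeyPrerequisite
$result | Format-List
if (-not ($result.OsBuildOk -and $result.TpmOk)) {
    Write-Warning 'OS build or TPM 2.0 prerequisite not met on this device.'
}
```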
Create Passkey via Windows Settings
Step 1: Open Sign-in Options
- Click Start Menu → Settings (or use shortcut Win + I)
- Select Accounts → Sign-in options
Step 2: Set Up Windows Hello
If you haven’t set up Windows Hello yet, complete one of the following options first:
Verification Method | Setup Steps
PIN | Click “PIN (Windows Hello)” → “Add” → Enter and confirm your PIN
Fingerprint | Click “Fingerprint recognition” → “Set up” → Follow prompts to touch fingerprint sensor multiple times
Facial Recognition | Click “Facial recognition” → “Set up” → Face the camera to complete scanning
Step 3: Activate a device for Biometric Authentication
On the Windows device you are testing on, open the “Profile Management” page in a web browser. Its HTTPS address looks like “https://<host url of this custom IDP>/ui/protected/profilemanagement”. In the “Biometric Authentication” section, click the Add button to register the current device and use biometrics to create a passkey for this custom IDP. Then this passkey will be saved.
Use saved passkey to do authentication via the custom Identity Provider
Create or use an existing application whose security type is OAuth in the SAP Mobile Services (Cloud Foundry) cockpit. Then, in the client project's authconfig.json, set the correct options as below.
Also, please set the correct public API key in App.xaml.
Please make sure that the authentication page opens in the OS browser, as biometric authentication didn’t work in WebView2. You can find details in this wiki: Auth Extension & Customization – SAP BTP Windows SDK – Wiki@SAP
Finally, when the user launches the Windows BTP SDK application and chooses the custom identity provider, the IdP website from IAS is presented. The user can choose biometric authentication because the admin allowed this form of authentication for the XSUAA app. The rest of the mobile app’s onboarding steps are then executed until onboarding is completed, and the user sees the business content.