In this blog post, I share how you can leverage passkeys in your mobile applications built with SAP BTP SDK for iOS and SAP Mobile Services.

To use passkeys on the iPhone, iOS 16 (or later) is required. Also, iCloud Keychain and two-factor authentication must be turned on.

I will also show you how to leverage SAP Cloud Identity Services (IAS) and its underlying Identity Authentication (IAS) as an Identity Provider supporting WebAuthn, the open standard behind Apple’s passkeys.

This blog post is an end-to-end guide on bringing those SAP products together to create a powerful user experience.

First, I will describe the necessary configuration to be performed by an administrator in:

• BTP subaccount
• IAS

Second, I will describe what the mobile app developer has to ensure.

Last, I will explain and illustrate the user’s experience creating a passkey from the IAS user profile web page on their Mac and then using the passkey for mobile app authentication on their iPhone.

You can follow along by using a free trial of the SAP Business Technology Platform (BTP).

Admin – Configuration in SAP BTP

Create a subscription for (1) SAP Mobile Services and (2) SAP Cloud Identity Service.

Then, establish trust between your BTP subaccount and SAP Cloud Identity Services. It only requires a few clicks.

Voila, you configured a custom identity provider for applications.

Admin – Configuration in SAP Cloud Identity Services

Enable Biometric Authentication for the XSUAA app used by SAP Mobile Services.

Please also enable Biometric Authentication for the User Profile self-service offered by IAS.

App Developer – Use OAuth2 with FioriASWebAuthenticationSessionPresenter

Use the SAP BTP SDK Assistant for iOS to create a sample app resulting in a local Xcode project and a remote app definition in SAP Mobile Services.

Make sure that the Redirect URL uses the format: <customURLScheme>://<hostURL> in both places:

(1) in the security configuration of SAP Mobile Services

(2) and in the Xcode project.

You need to use OAuth2AuthenticationStep provided by the SAPFioriFlows framework with the FioriASWebAuthenticationSessionPresenter.

 OAuth2AuthenticationStep(presenter: FioriASWebAuthenticationSessionPresenter())

The underlying ASWebAuthentionSession API from Apple will ensure that the passkey can be read from the iCloud keychain and sent to the IdP automatically. No matter if you use SAP Cloud Identity Services or a different product.

User – Create a passkey

The user can create a passkey by adding biometric authentication to their user profile.

The user created a passkey stored in Apple’s iCloud Keychain and available on all the user’s devices, including their iPhone.

User – Use passkey for passwordless authentication on their iOS app

Now, this is the part you probably waited for the most. How does this work in the iOS application? Once the user moves away from the Welcome Screen…

… the user must confirm the alert presented by the ASWebAuthenticationSession.

The user will choose the custom identity provider. Note: This step can be avoided by removing the default identity provider in the BTP subaccount.

The IdP website from IAS is presented. The user can choose biometric authentication because the admin allowed this form of authentication for the XSUAA.

The following dialogs to obtain the passkey from the iCloud keychain and send it to IAS are handled by the ASWebAuthenticationSession.

That’s it. The OAuth2AuthenticationStep got completed and the rest of the mobile app’s onboarding steps will be executed until onboarding is completed, and the user will see the app’s business content.