Hello,
we have currently an authentification scenario, which i want to discuss and verify.
We want to deliver fiori Applications on a Gateway Hub, which is located in our DMZ. To use the SAP delivered two-factor authentification (OTP), we use our Identity Management on a Java Stack, which is located in our internal network.
The Gateway Hub works as an Service-Provider, the Identity Management as Identity-Provider - which asserts SAML 2.0 certificates for the Gateway Users. Both systems should communicate with a back-channel communication, as described here. So we don't need to put our Identity Management System in the DMZ.
I'm not sure if the validation of the One Time Password (created and delivered by the internal AS Java) can be done by the Gateway Frontend AS ABAP, via the backend-channel communication.
Best Regards
Julian Branahl