If you manage SAP Warehouse Logistics in an enterprise environment, or if you're just curious about what goes on under the hood of mobile authentication on iOS, maybe this little look behind the scenes is of interest. We recently published SAP Note 3747394 about a change to the browser technology used for authentication in SAP Warehouse Logistics on iOS – and I want to explain not just what changed, but why it was necessary and what it means in practice.
Why authentication on iOS is more nuanced than it looks
Enterprise identity providers like Microsoft Entra ID support Conditional Access (CA) policies – rules that enforce requirements before granting access to an application. Common examples include:
- Device compliance – is the device enrolled and meeting your organisation's security baseline?
- Approved app controls – is the user authenticating through a Microsoft-approved application?
- App protection policies – is Intune actively managing this app?
For Conditional Access to work correctly on iOS, the authentication flow must happen inside a browser context that the operating system recognises and can inspect. The key mechanism here is the Microsoft Enterprise SSO plug-in – a system-level extension provided by Microsoft Authenticator or the Intune Company Portal which intercepts authentication requests and enriches them with device compliance signals and app identity information. This only works if the authentication flow runs through the system browser stack. Not all iOS browser technologies qualify and that distinction matters more than most people realise.
From WKWebView to ASWebAuthenticationSession: what changed and why it matters
SAP Warehouse Logistics was previously using WKWebView for the OAuth onboarding flow. WKWebView is an embedded web view that runs entirely inside the app process. It is fast and customisable, but completely isolated from the system browser – no shared cookies, no single sign-on, and the Microsoft Enterprise SSO plug-in cannot intercept anything happening inside it. Microsoft explicitly does not support WKWebView for Entra ID sign-in under strict Conditional Access. When an organisation's policies enforce device compliance or app protection requirements, the authentication flow fails with error AADSTS53003.
If your users are already hitting AADSTS53003 when trying to onboard, this is exactly why – and the migration described here resolves it.
The solution is ASWebAuthenticationSession, Apple's dedicated API for OAuth and OIDC flows, available since iOS 12. Unlike WKWebView, it runs as a system-level authentication session – the same browser stack used by Safari. The Microsoft Enterprise SSO plug-in can intercept and enrich the flow, surfacing device compliance and app identity signals that Conditional Access policies evaluate. The app itself never has access to the session cookies; the OS handles the token exchange and returns only the result. (This is also why Apple recommends this API for authentication flows – it is a deliberate privacy boundary, not just a technical convenience.)
Microsoft's own authentication library, MSAL, selects ASWebAuthenticationSession by default on iOS 12 and above. SAP Warehouse Logistics now does the same.
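The flow described above, as an added Swift example (not SAP's code and not taken from the SAP Note): an authorization-code request with PKCE and a state check, run through ASWebAuthenticationSession with a custom-scheme callback. The endpoint, client ID, the exampleapp scheme and the class name are placeholders, and the code assumes iOS 13 or later.

```swift
import AuthenticationServices
import CryptoKit
import UIKit
// Added illustration, not SAP code. Endpoint, client ID and URL scheme are placeholders.
final class SystemBrowserSignIn: NSObject, ASWebAuthenticationPresentationContextProviding {
    enum SignInError: Error { case badCallback, stateMismatch }
    private let authorizeEndpoint = "https://idp.example.com/oauth2/authorize" // placeholder
    private let clientID = "EXAMPLE_CLIENT_ID"        // placeholder
    private let scheme = "exampleapp"                 // placeholder custom URL scheme
    private var session: ASWebAuthenticationSession?  // strong reference while the sheet is up
    private static func base64URL(_ data: Data) -> String {
        data.base64EncodedString().replacingOccurrences(of: "+", with: "-")
            .replacingOccurrences(of: "/", with: "_").replacingOccurrences(of: "=", with: "")
    }
    private static func randomToken() -> String {   // 32 bytes from the system CSPRNG
        base64URL(Data((0..<32).map { _ in UInt8.random(in: 0...255) }))
    }
    /// Calls back with the authorization code and the PKCE verifier needed to redeem it.
    func start(completion: @escaping (Result<(code: String, verifier: String), Error>) -> Void) {
        let state = Self.randomToken(), verifier = Self.randomToken()
        let challenge = Self.base64URL(Data(SHA256.hash(data: Data(verifier.utf8))))
        var components = URLComponents(string: authorizeEndpoint)!
        components.queryItems = [
            URLQueryItem(name: "response_type", value: "code"),
            URLQueryItem(name: "client_id", value: clientID),
            URLQueryItem(name: "redirect_uri", value: "\(scheme)://oauth/callback"),
            URLQueryItem(name: "state", value: state),
            URLQueryItem(name: "code_challenge", value: challenge),
            URLQueryItem(name: "code_challenge_method", value: "S256"),
        ]
        // The OS returns only the redirect URL; session cookies never reach the app.
        let session = ASWebAuthenticationSession(url: components.url!, callbackURLScheme: scheme) { url, error in
            if let error = error { return completion(.failure(error)) }
            let items = url.flatMap { URLComponents(url: $0, resolvingAgainstBaseURL: false) }?.queryItems ?? []
            let value = { (name: String) in items.first(where: { $0.name == name })?.value }
            guard value("state") == state else { return completion(.failure(SignInError.stateMismatch)) }
            guard let code = value("code") else { return completion(.failure(SignInError.badCallback)) }
            completion(.success((code: code, verifier: verifier)))
        }
        session.presentationContextProvider = self
        session.prefersEphemeralWebBrowserSession = false // shared session, so iOS shows its consent dialog
        self.session = session
        session.start()
    }
    func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor {
        let scenes = UIApplication.shared.connectedScenes.compactMap { $0 as? UIWindowScene }
        return scenes.flatMap { $0.windows }.first(where: { $0.isKeyWindow }) ?? ASPresentationAnchor()
    }
}
```

Because any app can register a custom URL scheme, the PKCE verifier and the state comparison are what bind the returned code to the session that requested it.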
What triggered this change
A real customer deployment surfaced the incompatibility. Users in an organisation with strict Conditional Access policies – device compliance enforcement combined with app protection requirements – were unable to complete onboarding. The authentication flow failed with AADSTS53003, leaving users locked out with no actionable error in the app.
That incident made it clear that WKWebView would not hold up across the range of enterprise configurations customers are deploying. The migration to ASWebAuthenticationSession addresses the root cause directly, not just the symptom.
Why your existing QR codes will stop working
The migration to ASWebAuthenticationSession requires a server-side configuration update in SAP Mobile Services. The OAuth redirect URI changes from an https-based URL to a custom app URL scheme. Any QR codes generated before this update encode the old redirect URI and will no longer be valid after the change is applied.
This is a one-time change. The server-side update will be applied to all productive systems on May 4, 2026, between 9:00 and 10:00 CEST. Once your organisation is using the new QR code, future onboardings will work without any further intervention. (If a user has already successfully onboarded after May 4, no action is needed – the new configuration is already in place for their device.)
One thing to expect: a new system consent dialog
When users onboard with the new configuration, iOS will display a system-level consent dialog asking permission to sign in using the shared browser session. This dialog is shown by the operating system – it is not part of the app UI and cannot be customised. It appears once per authentication and is a normal part of how ASWebAuthenticationSession works. Users should simply confirm it to proceed.
What you need to do
Once the server-side update has been applied on May 4, 2026:
- Generate a new onboarding QR code from SAP Mobile Services.
- If you use an MDM solution such as Intune or Jamf, distribute the new AppConfig for the updated onboarding values to your users through your existing rollout process.
- Each user must uninstall SAP Warehouse Logistics, reinstall it, and complete onboarding using the new QR code.
This applies to both iOS and Android users – the server-side change affects all platforms equally.
Summary
The move from WKWebView to ASWebAuthenticationSession is a meaningful step for enterprise deployments. WKWebView's isolation from the system browser was the root cause of Conditional Access failures in tenants with strict Microsoft Entra ID policies – it simply cannot surface the device and app identity signals that Conditional Access needs to evaluate. ASWebAuthenticationSession runs in Apple's system browser stack, integrates with the Microsoft Enterprise SSO plug-in, and is the modern and recommended iOS browser technology that fully supports all Conditional Access controls. The QR code re-onboarding is a one-time effort, and the result is an authentication flow that works reliably across the full range of enterprise configurations.
Further reading
Full details and step-by-step instructions are available in SAP Note 3747394 on the SAP Support Portal.



