
Week 4 Unit 1: Introduction to SAP Fiori UX Security & Single Sign-On


SAP Fiori Architecture from a Security & Authentication Perspective

[Figure: architecture diagram. Labels: Mobile and Desktop clients; http(s) / HTTPS (HTML/OData/INA); DMZ; Front-End Server; trusted RFC; Back-End Server; SAP HANA XS; ABAP Security Session. Initial authentication: X.509, SAML 2.0, Logon Tickets, Kerberos / SPNEGO.]

2014 SAP SE or an SAP affiliate company. All rights reserved

Public



So You Thought There Was One Guide That Rules All?

All the guides for security topics are collected in the help pages.
Note that the ABAP stack, the SAP HANA stack, and SAP HANA extended application services all have specific nodes.



SAP Fiori Supports Authentication Based On

Kerberos / SPNEGO
X.509 Certificates
SAML 2.0
Logon Tickets



Re-Cap

Security Overview
Security Architecture
Information & Guides

In the next unit we will look at the security aspects of the front-end server.


Thank you

Contact information:
open@sap.com

2014 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an
SAP affiliate company.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE
(or an SAP affiliate company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional
trademark information and notices.
Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.
National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind,
and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or
SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and
services, if any. Nothing herein should be construed as constituting an additional warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related
presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE's or its affiliated
companies' strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be
changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment,
promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties
that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking
statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.


Week 4 Unit 2: Understanding Security on the SAP Front-End Server


Connecting the Dots

Secure the connection and communication between the device and the front-end server.
Secure the communication between the front-end server and the back-end server.



Setting Up SSO

Application Server ABAP supports the following user authentication and single sign-on mechanisms:
User ID and password
Secure Network Communications (SNC)
Logon tickets
SSL and X.509 client certificates



Setting Up HTTPS for a Service

SAP Cryptographic Library
Set up trust
Create the appropriate Personal Security Environment



Setting Up Secure Network Connection

Enabling SNC for the ABAP system
Securing an RFC connection with SNC



Re-Cap

Front-end related security topics
SSL & HTTPS
Communication security

In the next unit we will look at the security aspects of the back-end server.


Week 4 Unit 3: Understanding Security on the SAP Back-End Server


Connecting the Dots

Requests to the ABAP back-end server (transactional apps and fact sheets)
Requests to SAP HANA extended application services (analytical apps)

[Figure: architecture diagram. Labels: Mobile, Desktop, http(s), DMZ, Front-End Server, trusted RFC, Back-End Server, SAP HANA XS.]



Securing the ABAP Back End

The SAP NetWeaver Security Guide
User Administration and Authentication
Network and Communication Security
Operating System and Database Platforms



Securing SAP HANA (& the HANA XS engine with regard to Fiori)

The SAP HANA Security Guide
SAP HANA Network and Communication Security
SAP HANA User and Role Management
SAP HANA Authentication and Single Sign-On
SAP HANA Authorization
Data Storage Security in SAP HANA



Re-Cap

Back-end related security topics
Different types of calls and routes to the back-end
Guides and information

In the next unit we will review the single sign-on options in SAP Fiori in some detail.


Week 4 Unit 4: Review the Single Sign-On Options


An Overview

SSO with
SAML 2.0
SSO2 tokens
X.509
Kerberos / SPNEGO



SSO with SAML 2.0

Requires a SAML Identity Provider
Federation capabilities
User mapping capabilities based on identity attributes
Enables single logout (SLO)
Protects authentication information with encryption or with opaque IDs



SSO with SSO2

In our case, the front-end server can connect to:
SAP ERP
SAP Business Suite powered by SAP HANA
SAP HANA XS

Ticket-based authentication is supported natively
The cookie is called mysapsso2
Digitally signed by the issuing server


SSO with X.509

Transactional apps: Set up the X.509 certificate authentication for the front-end server
Fact sheet apps: Set up the X.509 certificate authentication for the front-end server and back-end server
SAP Smart Business apps: Set up the X.509 certificate authentication for the front-end server and SAP HANA extended application services



Re-Cap

SSO overview
Various SSO options
Capabilities and characteristics

In the next unit you will work with me on an exercise covering these topics.


Week 4 Unit 5: Exercise - Instructor-Led Walkthrough of SAML2 Configuration
Content
What you will do
Enter the transactions required for SSL & SAML 2.0 configuration

All the information required for this exercise can be found in the how-to guide
