
Week 4 Unit 1: Introduction to SAP Fiori UX Security & Single Sign-On

Introduction to SAP Fiori UX Security & Single Sign-On
SAP Fiori Architecture from a Security & Authentication Perspective

[Figure: architecture diagram. Labels: Mobile and Desktop clients; HTTPS; DMZ; http(s) (HTML/OData/INA); Front-End Server; trusted RFC; SAP HANA XS; Back-End Server. Initial Authentication: X.509, SAML 2.0, Logon Tickets, Kerberos / SPNEGO. Also labeled: ABAP Security Session.]

© 2014 SAP SE or an SAP affiliate company. All rights reserved Public 2


Introduction to SAP Fiori UX Security & Single Sign-On
So You Thought There Was One Guide That Rules All?

All the guides for the security topic are collected in the help pages.

Note that the ABAP stack, the SAP HANA stack, and SAP HANA extended application services all have specific nodes.



Introduction to SAP Fiori UX Security & Single Sign-On
SAP Fiori Supports Authentication Based On…

Kerberos / SPNEGO

X.509 Certificates

SAML 2.0

Logon Tickets



Introduction to SAP Fiori UX Security & Single Sign-On
Re-Cap

Security Overview

Security Architecture

Information & Guides

In the next unit we will look at the security aspects of the front-end server.



Thank you

Contact information:

open@sap.com
© 2014 SAP SE or an SAP affiliate company.
All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an
SAP affiliate company.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE
(or an SAP affiliate company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional
trademark information and notices.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.

National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind,
and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or
SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and
services, if any. Nothing herein should be construed as constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related
presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated
companies’ strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be
changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment,
promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties
that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking
statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.



Week 4 Unit 2: Understanding Security on the SAP Front-End Server

Understanding Security on the SAP Front-End Server
Connecting the Dots

Secure the connection and communication between the device and the front-end server.

Secure the communication between the front-end server and the back-end server.



Understanding Security on the SAP Front-End Server
Setting Up SSO

Application Server ABAP supports the following user authentication and single sign-on mechanisms:
• User ID and password
• Secure Network Communications (SNC)
• Logon tickets
• SSL and X.509 client certificates



Understanding Security on the SAP Front-End Server
Setting Up HTTPS for a Service

SAP Cryptographic Library

Set up trust

Create the appropriate Personal Security Environment



Understanding Security on the SAP Front-End Server
Setting Up Secure Network Connection

Enabling SNC for the ABAP system

Securing an RFC connection with SNC



Understanding Security on the SAP Front-End Server
Re-Cap

Front-end related security topics

SSL & HTTPS

Communication security

In the next unit we will look at the security aspects of the back-end server.



Week 4 Unit 3: Understanding Security on the SAP Back-End Server

Understanding Security on the SAP Back-End Server
Connecting the Dots

Requests to the ABAP back-end server (transactional apps and fact sheets)

Requests to SAP HANA extended application services (analytical apps)

[Figure: architecture diagram. Labels: Mobile and Desktop clients; http(s); DMZ; http(s); Front-End Server; trusted RFC; SAP HANA XS; Back-End Server.]



Understanding Security on the SAP Back-End Server
Securing the ABAP Back End

The SAP NetWeaver Security Guide

• User Administration and Authentication

• Network and Communication Security

• Operating System and Database Platforms



Understanding Security on the SAP Back-End Server
Securing SAP HANA (& the HANA XS engine with regards to Fiori)

The SAP HANA Security Guide

• SAP HANA Network and Communication Security

• SAP HANA User and Role Management

• SAP HANA Authentication and Single Sign-On

• SAP HANA Authorization

• Data Storage Security in SAP HANA



Understanding Security on the SAP Back-End Server
Re-Cap

Back-end related security topics

Different types of calls and routes to the back-end

Guides and information

In the next unit we will review the single sign-on options in SAP Fiori in some detail.



Week 4 Unit 4: Review the Single Sign-On Options

Review the Single Sign-On Options
An Overview

SSO with

• SAML 2.0

• SSO2 tokens

• X.509

• Kerberos / SPNEGO



Review the Single Sign-On Options
SSO with SAML 2.0

Requires a SAML Identity Provider

• Federation capabilities

• User mapping capabilities based on identity attributes

• Enables single logout (SLO)

• Protects authentication information with encryption or with opaque IDs



Review the Single Sign-On Options
SSO with SSO2

In our case, the front-end server can connect to:
• SAP ERP
• SAP Business Suite powered by SAP HANA
• SAP HANA XS

Ticket-based authentication is supported natively

The cookie is called mysapsso2

Digitally signed by the issuing server



Review the Single Sign-On Options
SSO with X.509

Transactional apps

• Set up the X.509 certificate authentication for the front-end server

Fact sheet apps

• Set up the X.509 certificate authentication for the front-end server and back-end server

SAP Smart Business apps

• Set up the X.509 certificate authentication for the front-end server and SAP HANA extended application services



Review the Single Sign-On Options
Re-Cap

SSO overview

Various SSO options

Capabilities and characteristics

In the next unit you will work with me on an exercise covering these topics.



Week 4 Unit 5: Exercise - Instructor-Led Walkthrough of SAML2 Configuration

Exercise - Instructor-Led Walkthrough of SAML2 Configuration
Content

What you will do

• Enter the transactions required for SSL & SAML 2.0 configuration

All the information required for this exercise can be found in the how-to guide.
