fiori_bs2013_en_ba_f61f533f86ef28e10000000a4450e5_frameset

Setup of SAP Fiori System Landscape with ABAP Environment

PDF download from SAP Help Portal: http://help.sap.com/fiori_bs2013/helpdata/en/ba/f61f533f86ef28e10000000a4450e5/frameset.htm

Created on October 16, 2015

The documentation may have changed since you downloaded the PDF. You can always find the latest information on SAP Help Portal.

Note

This PDF document contains the selected topic and its subtopics (max. 150) in the selected structure. Subtopics from other structures are not included.

© 2015 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE. The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP SE and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE in Germany and other countries. Please see www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

PUBLIC © 2014 SAP SE or an SAP affiliate company. All rights reserved.


Table of content

1 Setup of SAP Fiori System Landscape with ABAP Environment
1.1 Deployment Options
1.2 Pre-Installation
1.2.1 Entities Relevant for Installation
1.3 Installation
1.3.1 Installation Requirements (Transactional Apps)
1.3.2 Setup of Front-End Server
1.3.2.1 Specify Language Settings
1.3.3 Installation of SAP Notes (Transactional Apps)
1.3.4 Setup of Clients
1.3.5 Downloading and Installing Product Versions
1.3.6 Virus Scanning
1.4 Communication Channels
1.4.1 ABAP Servers: Setup of Communication
1.4.1.1 Configuring ABAP Server Session Security
1.4.1.2 Configuring the AS ABAP to Support SSL
1.4.1.3 Connect SAP Gateway to SAP Business Suite (Trusted RFC)
1.4.1.4 Managing RFC Destinations
1.4.1.5 Activating SAP Gateway
1.4.1.6 Creating System Alias for Applications
1.4.2 User Authentication and Single Sign-On (SSO)
1.4.2.1 Setting Up SSO for SAP Fiori Landscapes with ABAP Environments
1.4.2.2 SSO Mechanisms for SAP Fiori Apps
1.4.2.2.1 Kerberos/SPNego
1.4.2.2.2 X.509 Certificates
1.4.2.2.3 SAML 2.0
1.4.2.2.4 Logon Tickets


1 Setup of SAP Fiori System Landscape with ABAP Environment

In the SAP Fiori system landscape with ABAP environment, you can use transactional apps.

This system landscape applies to the intranet deployment scenario. When accessing SAP Fiori apps over the Internet, that is, from outside the corporate network, make sure the access is secure. For more information, see Deployment Options.

Set up the system landscape to enable SAP Fiori before you start to implement an app.

An app requires front-end components (providing the user interface and the connection to the back end) and back-end components (providing the data). The front-end components and the back-end components are delivered in separate products and have to be installed in a system landscape that is enabled for SAP Fiori.

The following figure shows the detailed system landscape for SAP Fiori transactional apps.

System Landscape for SAP Fiori Transactional Apps

Components of the System Landscape

Depending on the system landscape, the following components are used:

Client

To be able to run SAP Fiori apps, the runtime environment (such as the browser) of the client must support HTML5.

ABAP Front-End Server

The ABAP front-end server contains all the infrastructure components to generate an SAP Fiori app-specific UI for the client and to communicate with the SAP Business Suite back-end systems. The UI components and the gateway are based on SAP NetWeaver. Typically, both are deployed on the same server.

The central UI component is a framework that provides the common infrastructure for all SAP Fiori apps: SAP Fiori launchpad is the basis of all SAP Fiori UIs, and provides fundamental functions for SAP Fiori apps such as logon, surface sizing, navigation between apps, and role-based app catalogs. End-users access the SAP Fiori apps from the SAP Fiori launchpad. The specific UIs for the apps are delivered as SAP Business Suite product-specific UI add-on products, which must be additionally installed on the front-end server.

SAP Gateway handles the communication between the client and the SAP Business Suite back end. SAP Gateway uses OData services to provide back-end data and functions, and processes HTTPS requests for OData services. The transactional apps, which are updating data in the SAP Business Suite systems, use this communication channel.

ABAP Back-End Server

In the ABAP back-end server, the SAP Business Suite products are installed, which provide the business logic and the back-end data, including users, roles, and authorizations. The add-ons for the SAP Fiori apps are continuously released in Support Packages. The back-end server is based on SAP NetWeaver.


Database

SAP HANA is an in-memory database platform that you can use to analyze large volumes of data in real-time.

anyDB stands for any database that stores the data for the back-end server. For most transactional apps, any database can be deployed instead of SAP HANA.

1.1 Deployment Options

Deployment of SAP Gateway

Recommendation

For running SAP Fiori apps, we recommend that you use a Central Hub Deployment of SAP Gateway. This means that you install SAP Gateway independent of consumer technologies in a standalone system, either behind or in front of the firewall. You therefore separate back-end components from front-end components.

We do not recommend the Embedded Deployment option. This document is entirely based on the Central Hub Deployment option.

Intranet Deployment

You can deploy SAP Fiori apps in the intranet, that is, inside your corporate network.

The SAP Fiori documentation focuses on the intranet deployment scenario.

When accessing SAP Fiori apps over the Internet, that is, from outside the corporate network, you have to perform additional tasks. For more information, see Internet-Facing Deployment.

Internet-Facing Deployment

Recommendation

When setting up SAP Fiori apps for consumption from outside the corporate network, we recommend that you deploy SAP Web Dispatcher (or any other reverse proxy) in the demilitarized zone (DMZ).

Recommendation

In addition, we highly recommend using Web Application Firewall capabilities in the reverse proxy or using an additional Web Application Firewall as first line of defense, especially when consuming SAP Fiori analytical apps or search capabilities over the Internet.

SAP Web Dispatcher (or the reverse proxy) should only forward requests to services in the internet communication manager that are necessary to run SAP Fiori apps.

There are services to run the SAP Fiori launchpad and services to run the specific apps:

- For the services to run the SAP Fiori launchpad, see Activate SICF Services for SAP Fiori Launchpad.
- For the services to run the specific apps, see the app-specific documentation.
- For information about how to activate the specific services, see Front-End Server: Activate ICF Services of SAP UI5 Application.
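The forwarding rule above can be modelled as a default-deny check on the canonical request path. The following Python sketch is an added example, not SAP code or SAP Web Dispatcher configuration; the two prefixes are constructed placeholders, and the real list comes from the launchpad and app-specific service documentation referenced above.

```python
import posixpath
import re
from urllib.parse import unquote

# Placeholder prefixes (constructed for this example, not real ICF paths).
ALLOWED_PREFIXES = (
    "/example/launchpad/",
    "/example/app-odata/",
)

_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def canonical_path(request_target):
    """Return the canonical URL path, or None if the path is ambiguous."""
    path = request_target.split("?", 1)[0].split("#", 1)[0]
    decoded = unquote(path)
    # A second layer of percent-encoding means the proxy and the back end
    # could decode the path differently, so refuse it outright.
    if _ESCAPE.search(decoded):
        return None
    if not decoded.startswith("/") or "\\" in decoded or _CONTROL.search(decoded):
        return None
    # Resolve "." and ".." segments and collapse repeated slashes.
    resolved = "/" + posixpath.normpath(decoded).lstrip("/")
    if decoded.endswith("/") and resolved != "/":
        resolved += "/"
    return resolved


def should_forward(request_target):
    """Default deny: forward only canonical paths under an allowed prefix.

    Returns (decision, path_to_forward). The canonical path is what should be
    sent on, so that the proxy and the back end evaluate the same string.
    """
    path = canonical_path(request_target)
    if path is None:
        return False, None
    allowed = any(path.startswith(prefix) for prefix in ALLOWED_PREFIXES)
    return allowed, path if allowed else None


# Constructed request targets for illustration.
SAMPLE_TARGETS = [
    "/example/launchpad/index.html",
    "/example/app-odata/Service/$metadata?x=1",
    "/example/launchpad/../admin/console",
    "/example/launchpad/%2e%2e/admin",
    "/example/launchpad/%252e%252e/admin",
    "/example/launchpad-admin/x",
    "/other/service",
]


def review(targets):
    """Map each request target to the forwarding decision."""
    return {target: should_forward(target)[0] for target in targets}


if __name__ == "__main__":
    for target, decision in review(SAMPLE_TARGETS).items():
        print("FORWARD" if decision else "DENY   ", target)
```

The trailing slash on each prefix is what keeps a sibling path such as the constructed /example/launchpad-admin/ from matching.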

For an internet-facing deployment of mobile devices, you can use the SAP Mobile Platform Server. SAP Mobile Platform Server is an open, standards-based application server that provides a suite of services for mobile applications. By integrating SAP Mobile Platform Server into your SAP Fiori system landscape, you can create a secure, efficient, and easy-to-manage mobile environment for SAP Fiori.

More Information

For more information about SAP Mobile Platform Server, see Integration of SAP Mobile Platform into SAP Fiori Landscape.

For more information about SAP Gateway deployment options, see the following documentation:

For SAP NetWeaver 7.31, see SAP Help Portal at http://help.sap.com/nwgateway20 Installation and Upgrade Information Master Guide SAP Gateway Master Guide : Deployment Options and Embedded Versus Hub Deployment .

For SAP NetWeaver 7.4, see SAP Help Portal at http://help.sap.com/nw74 Application Help Function-Oriented View SAP Gateway Foundation (SAP_GWFND) SAP Gateway Foundation Master Guide Deployment Options .

For more information about using multiple network zones, see the following documentation:

For SAP NetWeaver 7.31, see SAP Help Portal at http://help.sap.com/nw731 Security Information Security Guide Network and Communication Security Using Multiple Network Zones .

For SAP NetWeaver 7.4, see SAP Help Portal at http://help.sap.com/nw74 Security Information Security Guide Network and Communication Security Using Multiple Network Zones .

1.2 Pre-Installation

Before you begin to install the system landscape for SAP Fiori, make sure you have planned the following:


Network Architecture

You have to decide in which network zones the components of the SAP Fiori system landscape reside.

For example, should the clients be able to access the SAP Fiori apps over the Internet, or only within the company's intranet? Is there a DMZ and is the SAP Web Dispatcher (SAP Fiori fact sheets and analytical apps) deployed there? Depending on your network architecture, make sure you have the right security measures in place, such as a secure firewall configuration.

Certificates for Single Sign-On

For single sign-on (SSO) using logon tickets, you require an SSL server certificate for each of the components between which you want to use SSO.

Components can be, depending on your system landscape:

- SAP Web Dispatcher (SAP Fiori fact sheets and analytical apps)
- SAP Gateway on front-end server
- ABAP back-end server (Search in SAP Fiori fact sheets)
- SAP HANA XS Engine (SAP Fiori analytical apps)

Note

Depending on from where you obtain the certificates, it can take several days to get them.

For more information, see section SAP HANA Authentication and Single Sign-On in the SAP HANA Security Guide at http://help.sap.com/hana_platform Security .

Browser Prerequisites

SAP Fiori apps require a web browser that can display files in HTML5 format.

For more information, see Setup of Clients.

Roles and Authorizations

You have to decide how to set up the roles and authorizations for the SAP Fiori users. This includes, for example, which user group uses which apps.

For more information, see section User Management and Authorization in the generic section App Implementation.

Operating System Access for SAP HANA Database

Required if you use SAP Fiori apps that use an SAP HANA database.

To configure HTTPS and SSO in the SAP HANA database, the administrator requires privileges to access SAP HANA on the operating system level.

For more information, see section Operating System User <sid>adm in the SAP HANA Administration Guide at http://help.sap.com/hana_platform System Administration .

Data Replication

Required if you use SAP Fiori analytical apps that use SAP HANA in a side-by-side scenario alongside any database that contains the SAP Business Suite data.

Make sure that data replication between the database that contains the SAP Business Suite data and SAP HANA is configured.

For more information, see section Replicate Data (Side-by-Side Only) in the SAP HANA Live Administrator's Guide at http://help.sap.com/hba Installation, Security, Configuration, and Operations Information .

1.2.1 Entities Relevant for Installation

This section provides an overview of the entities that are relevant in the different phases when implementing SAP Fiori apps in a system landscape that contains SAP Business Suite components.

Planning Landscape Functions: Business Function

Business functions (BF) are installed via a technical usage.

You control business functions by using switches.

Technical usages correspond to one or several business functions.

Examples

- TU Central Applications: Many BFs
- TU Biller Direct: 1 BF

Planning Landscape Changes: Technical Usage

Technical usages (TU) refer to product instances.

You use technical usages, for example, when planning the implementation.

- All product instances of a technical usage must be installed to use the business function.
- Technical usages can correspond to one or many product instances (1 by default).

Applying Landscape Changes: Product Instance


Product instances (PI) group software components that must run on the same technical system.

You use product instances, for example, to define product systems in the landscape management database.

- Product instances can have one or many software components.
- Product instances are addressed during maintenance, update, and upgrade.

Delivering Software: Software Component

Software components (SC) are delivery units shipped with installations and support packages.

- Software component versions can be reused in many product instances.
- For product version installation, usually Support Package Stacks are used.

1.3 Installation

This document covers the general steps to take when installing SAP Fiori apps. Where necessary, these instructions refer to app-specific documentation.

System Landscape

According to the type of app you want to use, the system landscape for SAP Fiori apps consists of different components for the front end and the back end. For more information, see Setup of SAP Fiori System Landscape with ABAP Environment.

For the installation of SAP Gateway, we recommend using the Central Hub Deployment option, which means that you separate business content from front-end content. You therefore have to install components on a back-end server and a front-end server. For more information, see Deployment Options.

Prerequisites

You have set up the following software:

- anyDB or SAP HANA, platform edition
- SAP NetWeaver
- SAP Business Suite product

For information about the required releases and support package stacks, see Installation Requirements (Transactional Apps).

Installation Tasks

The table lists the installation tasks required for SAP Fiori apps:

| Step | Task | Details |
|---|---|---|
| 1 | Front-End Server: Install the required components. | See Setup of Front-End Server. |
| 2 | Back-End Server and Front-End Server: Install the required SAP Notes. | See Installation of SAP Notes (Transactional Apps). |
| 3 | Client: Set up the client. | See Setup of Clients. |

Installation Tool

We recommend that you use Software Update Manager in combination with Maintenance Planner to install the components. This facilitates SAP NetWeaver-based application system upgrades, enhancement package updates, and support package installation, while offering a harmonized UI. Software Update Manager is shipped as part of the software logistics toolset (SL Toolset) 1.0 – independently of the applications.

You can download Software Update Manager from the download center on SAP Service Marketplace at http://support.sap.com/swdc SAP Software Download Center Search for Software . Search for Software Update Manager.

Maintenance Planner is the central point of access for all maintenance activities. It supports the installation of updates and upgrades and completely manages the maintenance activities for your whole solution, and is centrally accessible from SAP Support Portal. You can find more information on SAP Help Portal at http://help.sap.com/maintenanceplanner .

Note

Alternatively, you can use SAP Add-On Installation Tool (transaction SAINT) for the installation. For more information, see the SAP Library for SAP Add-On Installation Tool on SAP Help Portal at http://help.sap.com/spmanager SAP Add-On Installation Tool .

1.3.1 Installation Requirements (Transactional Apps)

To enable SAP Fiori, ensure that the relevant back-end and front-end components are available in your system landscape.

Database

Some SAP Fiori products containing transactional apps can be installed based on anyDB, other SAP Fiori products require an SAP HANA database as an installation basis. The database requirement of an SAP Fiori product depends on the database requirements of the corresponding SAP Business Suite product.


| Database | Details |
|---|---|
| anyDB | See the installation guide for the respective SAP Business Suite product release. |
| SAP HANA, platform edition 1.0 SPS 8 | See the documentation for SAP HANA platform at http://help.sap.com/hana_platform Installation and Update SAP HANA Server Installation and Update Guide . |

Components on ABAP Back-End Server

On the back-end server, SAP Fiori products are installed as add-ons to specific SAP Business Suite products. The product version required for the SAP NetWeaver installation on the back-end server depends on the requirements of the respective SAP Business Suite product and its required database:

| Database | Product Version | Details |
|---|---|---|
| anyDB | SAP NetWeaver version depending on respective SAP Business Suite product | See the installation guide for the respective SAP Business Suite product release. |
| SAP HANA | SAP NetWeaver 7.4 SPS 7 | See the documentation for SAP NetWeaver 7.4 at http://help.sap.com/nw74 Installation and Upgrade Information Installation Guide . |
| | Respective SAP Business Suite product | See Installation Information in the documentation of the respective SAP Fiori product. |

Components on ABAP Front-End Server

On your front-end server, the following components have to be available:

- SAP NetWeaver components
- SAP Gateway components
- Central UI components

Depending on your SAP NetWeaver version, there are different procedures for the other components:

- If you run SAP NetWeaver 7.3 on your front-end server, you have to install the listed components.
- If you run SAP NetWeaver 7.4 on your front-end server, the listed components are automatically installed with your SAP NetWeaver installation. Verify that they are in place.

SAP NetWeaver 7.31

The following product versions are required:

| Product Version | Details |
|---|---|
| SAP NetWeaver 7.31 SPS 5 or higher (recommended minimum SPS 8) | See the documentation for SAP NetWeaver 7.31 at http://help.sap.com/nw731 Installation and Upgrade Information Installation Guide . |
| SAP Gateway components: SAP Gateway 2.0 SPS 10 (CONCEPT GATEWAY 2.0) (SAP NetWeaver product versions: SAP EHP3 FOR SAP NETWEAVER 7.0 (AS ABAP) or SAP EHP1 FOR SAP NETWEAVER 7.3) | Product instance: Gateway Server Core NW 703/731. Comprised component versions: GW_CORE 200 (GW_Core 200) SP 10; SAP IW FND 250 (IW_FND 250) SP 10; SAP WEB UIF 7.31 (WEBCUIF 731) SP 10 |
| Central UI components: UI add-on 1.0 for SAP enhancement package 3 for SAP NetWeaver 7.0, minimum SPS 12 (SAP_NW_UI_EXTENSIONS_7.03) (SAP NetWeaver product versions: SAP EHP3 FOR SAP NETWEAVER 7.0 (AS ABAP) or SAP EHP1 FOR SAP NETWEAVER 7.3) | Product instances: Integration Services: Provider; Integration Services: Libs. Comprised component versions: SAP UI ADD-ON INFRA V1.0 (UI_INFRA 100) SP 12; SAP UI2 SERVICES V1.0 (UI2_SRVC 100) SP 12; SAPUI5 CLIENT RT AS ABAP 1.00 (UISAPUI5 100) SP 12; SAP UI2 FOUNDATION V1.0 (UI2_FND 100) SP 12; SAP UI2 IMPL. FOR NW 7.00 V1.0 (UI2_700 100) SP 12; SAP UI2 IMPL. FOR NW 7.01 V1.0 (UI2_701 100) SP 12; SAP UI2 IMPL. FOR NW 7.02 V1.0 (UI2_702 100) SP 12; SAP UI2 IMPL. FOR NW 7.31 V1.0 (UI2_731 100) SP 12 |

SAP NetWeaver 7.4

The following product versions are required:

| Product Version | Details |
|---|---|
| SAP NetWeaver 7.4 SPS 4 | See the documentation for SAP NetWeaver 7.4 at http://help.sap.com/nw74 Installation and Upgrade Information Installation Guide . |
| SAP Gateway component: The component for the SAP Gateway foundation is included in the SAP NetWeaver 7.4 installation (SAP NetWeaver 7.4 (AS ABAP) or SAP NetWeaver 7.4 for Suite (AS ABAP)). Verify that it is in place. | Comprised component version: SAP NW GATEWAY FOUNDATION (SAP_GWFND) SP 10 (As of SAP NetWeaver 7.4, the components GW_CORE, IW_FND and IW_BEP are replaced by this new software component for the SAP Gateway foundation.) |
| Central UI component: The component for the SAP UI is included in the SAP NetWeaver 7.4 installation (SAP NetWeaver 7.4 (AS ABAP) or SAP NetWeaver 7.4 for Suite (AS ABAP)). Verify that it is in place. | Comprised component version: USER INTERFACE TECHNOLOGY 7.40 (SAP_UI 740) SP 12 |

More Information

We recommend that you use installation tools supporting your installation and updating process. Alternatively, you can download the product versions containing the relevant components from SAP Service Marketplace, manually. For more information, see Downloading and Installing Product Versions.

SAP Gateway Components:

- For more information about the installation of SAP Gateway for SAP NetWeaver 7.31, see the documentation for SAP Gateway 2.0 on SAP Help Portal at http://help.sap.com/nwgateway20 Installation and Upgrade Information Installation Guide SAP Gateway Installation Guide .
- For more information about SAP Gateway components for SAP NetWeaver 7.40, see SAP Help Portal at http://help.sap.com/nw74 Application Help Function-Oriented View SAP Gateway Foundation (SAP_GWFND) SAP Gateway Foundation Master Guide Deployment Options .

1.3.2 Setup of Front-End Server

Process

The table lists the installation tasks on the front-end server required for SAP Fiori apps:

| Step | Task | Details |
|---|---|---|
| 1 | Check or install the required SAP Gateway components. | For transactional apps, see Installation Requirements (Transactional Apps). For fact sheets, see Installation Requirements (Fact Sheets). |
| 2 | Specify the default language and the logon language. | See Specify Language Settings. |
| 3 | Install the central user interface (UI) components. | For transactional apps, see Installation Requirements (Transactional Apps). For fact sheets, see Installation Requirements (Fact Sheets). |
| 4 | Install the applicable product-specific UI component that corresponds to the SAP Business Suite product that you use. | See Installation Information in the documentation of the respective SAP Fiori product. |

1.3.2.1 Specify Language Settings

You must specify the settings for supported languages in the SAP Gateway system. Settings include default and logon languages.

For more information, see the following documentation:

- For SAP NetWeaver 7.31, see SAP Help Portal at http://help.sap.com/nwgateway20 Configuration and Deployment Information Configuration Guide SAP Gateway Configuration Guide General Configuration Settings Language Settings .
- For SAP NetWeaver 7.40, see SAP Help Portal at http://help.sap.com/nw74 Application Help Function-Oriented View SAP Gateway Foundation (SAP_GWFND) SAP Gateway Foundation Configuration Guide General Configuration Settings Language Settings .

Prerequisites

You have installed the same language packages for SAP Fiori in the SAP Gateway system and the SAP Business Suite back-end system.

Activities

Default Languages

Ensure that the default language of the SAP Gateway system is the same as the default language of the back-end system, for example, English. If this is not the case, ensure that the SAP Gateway system contains a subset of the languages of the back-end system.

Logon Languages

The logon language for the ABAP Application Server is set according to the following process:

1. If the Mandatory Logon Data indicator has been activated for a service in transaction SICF, the system uses the language that was entered there.
2. If this is not the case, but the HTTP request contains the language in the HTTP header (as a header or a form field), you log on to the system using this language.
3. The browser settings of the calling client are then used. The system selects as the logon language the first language from the list that is maintained in the browser, and which is also installed in the SAP system. The language list is specified using the HTTP header field accept-language .

   Note

   With Internet Explorer, you can for example set the language you require by choosing Tools Internet Options Languages .

4. If no language is defined by this process, the classic SAP system mechanisms are used. The logon language is based on the user settings (in transaction SU01) and if nothing is entered here, the default language of the SAP system is used automatically.
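The four-step precedence above, modelled in Python to show which step decides the logon language for a given request. This is an added example, not SAP code: the dictionary keys (mandatory_logon_data, explicit_language, accept_language) are hypothetical names for the inputs the steps describe, and ordering the accept-language list by q-value is an assumption about how "first language from the list" is read.

```python
def parse_accept_language(header):
    """Return language tags in preference order (q descending, header order on ties)."""
    entries = []
    for position, part in enumerate(header.split(",")):
        fields = [field.strip() for field in part.split(";")]
        tag = fields[0].lower()
        if not tag or tag == "*":
            continue
        quality = 1.0
        for field in fields[1:]:
            name, _, value = field.partition("=")
            if name.strip().lower() == "q":
                try:
                    quality = float(value)
                except ValueError:
                    quality = 0.0  # unparsable weight: treat as not acceptable
        if quality > 0:
            entries.append((-quality, position, tag))
    return [tag for _, _, tag in sorted(entries)]


def resolve_logon_language(service, request, installed, user_language, system_default):
    """Return (language, step) where step is the rule number that decided it.

    service        -- settings of the called service (hypothetical keys)
    request        -- language-related parts of the HTTP request (hypothetical keys)
    installed      -- set of language codes installed in the system
    user_language  -- language from the user settings, or None
    system_default -- default language of the system
    """
    # Step 1: mandatory logon data on the service wins over everything else.
    if service.get("mandatory_logon_data") and service.get("language"):
        return service["language"], 1
    # Step 2: a language sent explicitly with the request (header or form field).
    explicit = request.get("explicit_language")
    if explicit:
        return explicit.lower(), 2
    # Step 3: first browser language that is also installed in the system.
    for tag in parse_accept_language(request.get("accept_language", "")):
        primary = tag.split("-")[0]
        if primary in installed:
            return primary, 3
    # Step 4: user settings, then the system default.
    return (user_language or system_default), 4


if __name__ == "__main__":
    installed = {"en", "de"}  # constructed sample system
    request = {"accept_language": "ja;q=0.9, de-CH, en;q=0.8"}
    print(resolve_logon_language({}, request, installed, None, "en"))
```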

1.3.3 Installation of SAP Notes (Transactional Apps)

The SAP Notes below provide important overview information and links to further SAP Notes that you need to implement.

Central SAP Notes

| SAP Note Number | Target Server | Description |
|---|---|---|
| 2170223 | Front-end server | General Information: FIORI UI Infrastructure Components Q3/2015 |
| 2169917 | Front-end server | General Information: FIORI SAP Gateway 2.0 Q3/2015 |

Product-Specific Release Information Notes (RIN)

For more information, see Installation Information in the documentation of the respective SAP Fiori product.

1.3.4 Setup of Clients

SAP Fiori apps are designed for both desktop and mobile devices and can be used with an HTML5-capable web browser. For more information about supported combinations of device, browser and operating system, see SAP Note 1935915 .

For Android and iOS devices, you can use SAP Fiori Client. This native application renders SAP Fiori application content, and provides more reliable asset caching. For iOS, it additionally supplies an enhanced attachment viewing process. For more information about SAP Fiori Client, see SAP Help Portal at http://help.sap.com/fiori-client SAP Fiori Client User Guide .

1.3.5 Downloading and Installing Product Versions

We recommend using Maintenance Planner on SAP Support Portal to install and update product versions. Maintenance Planner calculates the required software components that have to be deployed on each server. This allows you to plan all your landscape changes at once. You can collectively push the archives and installation media to the download basket in a single transaction.

Alternatively, you can download the required files directly from SAP Service Marketplace and deploy them manually. This allows you to deploy only single product versions.

For more information about Maintenance Planner, see SAP Help Portal at http://help.sap.com/maintenanceplanner .

Procedure

Note

For product versions on the SAP HANA server:

Your SAP HANA database has to be registered in the System Landscape Directory (SLD).

For more information about how to register in SLD, see the SAP HANA Update Guides on SAP Help Portal at http://help.sap.com/hana_platform Installation and Update .

Maintenance Planner

1. You can launch Maintenance Planner as follows:
   - From the SAP Fiori apps reference library at http://www.sap.com/fiori-apps-library , if available for the required apps.
   - On SAP Support Portal at https://apps.support.sap.com/sap/support/mp .
2. For more information about further proceeding, see section Maintenance Planner-Based SAP Fiori Installation in the Maintenance Planner User Guide on SAP Help Portal at http://help.sap.com/maintenanceplanner and http://scn.sap.com/community/it-management/alm/blog/2015/08/14/simplified-installation-of-sap-fiori-apps-with-maintenance-planner .

Note

For product versions on the SAP HANA server:

Make sure that the latest support package stack for SAP HANA is running.

For product versions on the ABAP server:

Make sure that the relevant support package stack for SAP NetWeaver is running.

For information about the required product versions of your product, see the following documentation:

- Central components: Installation Requirements in the documentation of your SAP Fiori system landscape setup
- Product-specific components for transactional apps and fact sheets (not for SAP HANA XS): Installation Information in the documentation of the respective SAP Fiori product
- Product-specific components for analytical apps: Product Installation Information in the documentation of the respective SAP Smart Business product


SAP Service Marketplace

Note

For product versions on the SAP HANA server:

Make sure that the latest support package stack for SAP HANA is running.

You can download the product versions from the SAP Service Marketplace as follows:

1. Open the software download center at http://support.sap.com/swdc .2. Choose Search for Software .3. Enter the technical name of the software component, for example, .4. Download the component.5. Repeat steps 2 to 4 for each required component.

For information about the required product versions of your product, see the following documentation:Central components: Installation Requirements in the documentation of your SAP Fiori system landscape setupProduct-specific components for transactional apps and fact sheets (not for SAP HANA XS): Installation Information in the documentation of therespective SAP Fiori productProduct-specific components for analytical apps: Product Installation Information in the documentation of the respective SAP Smart Businessproduct

After downloading the components, you can start the installation and update manually. Ensure that the components that you install in your landscape have the latest support package level.

1.3.6 Virus Scanning

Uploaded documents are displayed in SAP Fiori apps without further security-related checks. If a document contains malicious content, unintended actions could be triggered at the front end during download or display, which might lead to cross-site scripting vulnerabilities. Various SAP Fiori apps offer the possibility to upload or display documents. If you use one of these apps, you have to install an appropriate virus scanner and define sufficiently restrictive scan profiles to prevent upload of malicious content.

Scan Profiles for SAP Fiori Applications

The virus scanner will reject all documents that are not compliant with the rules defined in the settings of the scan profile. These rules need to disallow dangerous MIME types (such as documents with active content like HTML or JavaScript).

The documents are checked with a scan profile before being stored in the Knowledge Provider (KPro). The following scan profiles are available for the SAP Fiori apps offering the possibility to upload or display documents:

Area                          Scan Profile
Standard                      /SCMS/KPRO_CREATE
SAP Master Data Governance    /MDG_BS_FILE_UPLOAD/MDG_VSCAN

Note

For the SAP Fiori apps My Quotations and Sales Order Fulfillment Monitor, you can overrule the standard scan profile with the following settings (evaluated from top to bottom until a profile is found):

1. Value of parameter &GOS_VPROFILE from memory id &GOS_VSI_PROFILE
2. Value of parameter &BCS_VPROFILE from memory id &BCS_VSI_PROFILE
3. Value in field VALUE for the record in table SXPARAMS with key PARAM = SO_VSI_PROFILE

More Information

For more information about the configuration for SAP NetWeaver 7.31, see the SAP Help Portal at http://help.sap.com/nw731 under Application Help > Function-Oriented View > Security > System Security > Virus Scan Interface.

For more information about the configuration for SAP NetWeaver 7.40, see the SAP Help Portal at http://help.sap.com/nw74 under Application Help > Function-Oriented View > Security > System Security > Virus Scan Interface.

You can find additional information in SAP Notes 786179 and 1494278.

1.4 Communication Channels

To transfer application data and security credentials within your SAP Fiori system landscape, communication between the client, the front end, and the back end is established by using different communication channels and protocols:


System Landscape with ABAP Environment: Communication Channels

Communication Between Client and ABAP Front-End Server

For transactional apps, the client can issue the following types of requests to the ABAP front-end server:

- HTML requests
- OData requests

For communication between the client and the ABAP front-end server, an HTTPS connection is established.

Communication Between ABAP Front-End and ABAP Back-End Server

For transactional apps and fact sheets, data and services from the ABAP back-end server are provided to the ABAP front-end server by using OData services. For communication between the ABAP front-end server and the ABAP back-end server, a trusted RFC connection is established.

More Information

For information about setting up communication encryption for SAP NetWeaver, see the following documentation:

- For SAP NetWeaver 7.31, see SAP Help Portal at http://help.sap.com/nw731 under Security Information > Security Guide > Network and Communication Security > Transport Layer Security.
- For SAP NetWeaver 7.40, see SAP Help Portal at http://help.sap.com/nw74 under Security Information > Security Guide > Network and Communication Security > Transport Layer Security.

For information about setting up communication encryption for SAP HANA, see SAP Help Portal at http://help.sap.com/hana_platform under Security > SAP HANA Security Guide > SAP HANA Network and Communication Security > Securing Data Communication.

1.4.1 ABAP Servers: Setup of Communication

Activities

To set up the connection between the client and the ABAP front-end server, you must make the following settings:

- Configure HTTP security session management for the ABAP front-end server.
- Configure the ABAP front-end server to support SSL.

Note

If you implement SAP Fiori transactional apps in an internet-facing scenario, we recommend that you deploy SAP Web Dispatcher in a demilitarized zone (DMZ). For more information, see Deployment Options.

To set up the connection between SAP Gateway on your ABAP front-end server and the SAP Business Suite system on your ABAP back-end server, you must make the following settings:

- Define a trust relationship between the SAP Business Suite back-end system and the SAP Gateway system.
- Create an RFC destination in the SAP Gateway system to the SAP Business Suite back-end system.
- Activate SAP Gateway on the ABAP front-end server.
- Create system aliases for applications.

Note

From SAP NetWeaver 7.4 Support Package 6, you can perform setup tasks for SAP Fiori by using task lists that SAP delivers. A task list groups configuration tasks logically and guides you through the necessary tasks.

For an overview of all task lists and tasks for SAP Fiori, see Configuration Using Task Lists.

The following task list applies for this step:

SAP_SAP2GATEWAY_TRUSTED_CONFIG

Recommendation

To ensure confidentiality and integrity of data, we recommend protecting HTTP connections by using Transport Layer Security (TLS) or Secure Sockets Layer (SSL). For information about setting up communication encryption for SAP NetWeaver, see the following documentation:

- For SAP NetWeaver 7.31, see the SAP Help Portal at http://help.sap.com/nw731 under Security Information > Security Guide > Network and Communication Security > Transport Layer Security.
- For SAP NetWeaver 7.4, see the SAP Help Portal at http://help.sap.com/nw74 under Security Information > Security Guide > Network and Communication Security > Transport Layer Security.

1.4.1.1 Configuring ABAP Server Session Security

For the ABAP front-end server and the ABAP back-end server running Enterprise Search, you must activate HTTP security session management by using the transaction SICF_SESSIONS. When you activate HTTP security session management, we recommend that you activate the following extra protection for security-related cookies:

- HttpOnly
  This attribute instructs the browser to deny access to the cookie through client side script. As a result, even if a cross-site scripting (XSS) flaw exists and a user accidentally accesses a link that exploits this flaw, the browser will not reveal the cookie to a third party.
- Secure
  This attribute instructs the browser to send the cookie only if the request is being sent over a secure channel such as HTTPS. This helps protect the cookie from being passed over unencrypted requests.

Note

A token-based protection against cross-site request forgery (CSRF) is active by default in SAP Gateway and SAP HANA XS SAP Fiori OData services. It protects all modifying requests.

In addition, we recommend configuring HTTP session expiration with a reasonable timeout. To configure this, you use the profile parameter http/security_session_timeout.
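One way to verify the two cookie attributes described above on response headers captured from the front-end server. This is an added example, not SAP code; the cookie name prefixes and the sample headers are assumptions constructed for illustration.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes."""

# Assumption: security-related cookies are recognised by these name prefixes.
# They are illustrative and do not come from the original document; adjust
# them to the cookie names your front-end server actually issues.
SECURITY_COOKIE_PREFIXES = ("SAP_SESSIONID_", "MYSAPSSO2")

REQUIRED_ATTRIBUTES = ("httponly", "secure")

# Constructed sample response headers (not captured from a real system).
SAMPLE_HEADERS = [
    "Content-Type: text/html; charset=utf-8",
    "Set-Cookie: SAP_SESSIONID_FE1_100=c2FtcGxl; path=/; secure; HttpOnly",
    "set-cookie: SAP_SESSIONID_FE2_100=c2FtcGxl; path=/; Secure",
    "Set-Cookie: MYSAPSSO2=c2FtcGxl; path=/; domain=.example.com",
    "Set-Cookie: sap-usercontext=sap-client=100; path=/",
]


def parse_set_cookie(header_line):
    """Return (name, attributes) for a Set-Cookie line, or None otherwise.

    attributes maps lower-cased attribute names to their value ('' for flags).
    """
    field, sep, value = header_line.partition(":")
    if not sep or field.strip().lower() != "set-cookie":
        return None
    parts = [p.strip() for p in value.split(";")]
    # Split on the first "=" only: cookie values may themselves contain "=".
    name, eq, _cookie_value = parts[0].partition("=")
    if not eq or not name.strip():
        return None  # malformed cookie pair
    attributes = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, attr_value = part.partition("=")
        attributes[key.strip().lower()] = attr_value.strip()
    return name.strip(), attributes


def audit_cookies(header_lines, prefixes=SECURITY_COOKIE_PREFIXES):
    """Return {cookie_name: [missing attribute, ...]} for security cookies."""
    findings = {}
    lowered = tuple(p.lower() for p in prefixes)
    for line in header_lines:
        parsed = parse_set_cookie(line)
        if parsed is None:
            continue
        name, attributes = parsed
        if not name.lower().startswith(lowered):
            continue  # not a security-related cookie
        missing = [a for a in REQUIRED_ATTRIBUTES if a not in attributes]
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for cookie, missing in audit_cookies(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```

Run it against headers collected over HTTPS after logon; an empty result means every matched cookie carries both attributes.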

Logout from Multiple Systems

SAP Fiori apps only support logout with the ABAP front-end server and a single SAP HANA XS. If additional SAP Gateway systems or SAP HANA XS systems are deployed (for example, to distribute OData services across multiple server farms), the corresponding HTTP sessions are not closed when the user logs out. In this case, it is important to have session expiration configured.

More Information

For more information about activating HTTP security session management, see the following documentation:

- For SAP NetWeaver 7.31, see SAP Help Portal at http://help.sap.com/nw731 under Application Help > Function-Oriented View > Security > User Authentication and Single Sign-On > Authentication Infrastructure > AS ABAP Authentication Infrastructure > Activating HTTP Security Session Management on AS ABAP.
- For SAP NetWeaver 7.40, see SAP Help Portal at http://help.sap.com/nw74 under Application Help > Function-Oriented View > Security > User Authentication and Single Sign-On > Authentication Infrastructure > AS ABAP Authentication Infrastructure > Activating HTTP Security Session Management on AS ABAP.

For more information about session security protection for SAP Gateway, see the following documentation:

- For SAP NetWeaver 7.31, see SAP Help Portal at http://help.sap.com/nwgateway20 under Security Information > Security Guide > SAP Gateway Security Guide > Session Security Protection.
- For SAP NetWeaver 7.40, see SAP Help Portal at http://help.sap.com/nw74 under Application Help > Function-Oriented View > SAP Gateway Foundation (SAP_GWFND) > SAP Gateway Foundation Security Guide > Session Security Protection.

1.4.1.2 Configuring the AS ABAP to Support SSL

All communication between the client, SAP Web Dispatcher, and the ABAP servers is handled by using HTTPS connections. To secure these HTTPS connections, you must configure all ABAP servers to support the Secure Sockets Layer (SSL) protocol.

For more information about the steps that are required to enable SSL on the ABAP servers, see:

- For SAP NetWeaver 7.31: http://help.sap.com/nw731 under Application Help > Function-Oriented View > Security > Network and Transport Layer Security > Transport Layer Security on the AS ABAP > Configuring SAP NetWeaver Application Server ABAP to Support SSL
- For SAP NetWeaver 7.4: http://help.sap.com/nw74 under Application Help > Function-Oriented View > Security > Network and Transport Layer Security > Transport Layer Security on SAP NetWeaver AS for ABAP > Configuring SAP NetWeaver AS for ABAP to Support SSL

Note

For secure communication between SAP Web Dispatcher and the ABAP servers, SSL must also be enabled for SAP Web Dispatcher. For more information about setting up SSL for SAP Web Dispatcher, see Configuring Communication Channel between Clients and SAP Web Dispatcher.

1.4.1.3 Connect SAP Gateway to SAP Business Suite (Trusted RFC)

In the SAP Business Suite back-end system, you must create an RFC destination to the SAP Gateway system on your front-end server and define the trust relationship between the SAP Business Suite system (to be the trusting system) and the SAP Gateway system (to be the trusted system).

Note

From SAP NetWeaver 7.4 Support Package 6, you can perform setup tasks for SAP Fiori by using task lists that SAP delivers. A task list groups configuration tasks logically and guides you through the necessary tasks.

For an overview of all task lists and tasks for SAP Fiori, see Configuration Using Task Lists.

The following task list applies for this step:

SAP_SAP2GATEWAY_TRUSTED_CONFIG

For more information about how to maintain the trust relationship, see the following documentation:

- For SAP NetWeaver 7.31, see SAP Help Portal at http://help.sap.com/nwgateway20 under Configuration and Deployment Information > Configuration Guide > SAP Gateway Configuration Guide > SAP Gateway Configuration > Connection Settings for SAP Gateway Hub System > Connection Settings: SAP Gateway to SAP Systems > Defining Trust for SAP Systems.
- For SAP NetWeaver 7.4, see SAP Help Portal at http://help.sap.com/nw74 under Application Help > Function-Oriented View > SAP Gateway Foundation (SAP_GWFND) > SAP Gateway Foundation Configuration Guide > SAP Gateway Configuration > Connection Settings for the SAP Gateway Hub System > Connection Settings: SAP Gateway to SAP Systems > Defining Trust for SAP Systems.

Note

Ensure that the RFC connection is securely configured.

For information about the required security settings, see the following documentation:

- For SAP NetWeaver 7.31, see SAP Help Portal at http://help.sap.com/nw731 under Security Information > Security Guide > Security Guides for Connectivity and Interoperability Technologies > RFC/ICF Security Guide > RFC Scenarios > RFC Communication Between SAP Systems > Network Security and Communication.
- For SAP NetWeaver 7.4, see SAP Help Portal at http://help.sap.com/nw74 under Security Information > Security Guide > Security Guides for Connectivity and Interoperability Technologies > RFC/ICF Security Guide > RFC Scenarios > RFC Communication Between SAP Systems > Network Security and Communication.

1.4.1.4 Managing RFC Destinations

You define remote function call (RFC) destinations from the ABAP front-end server to the ABAP back-end system(s). Additionally, define an RFC destination that has the front-end server itself as target for local RFC calls.

Prerequisites

You have created the trusted relationship because the back-end servers must already trust the front-end server. For more information, see Connect SAP Gateway to SAP Business Suite (Trusted RFC).

Procedure

1. In Customizing for SAP NetWeaver, choose UI Technologies > SAP Fiori > Initial Setup > Connection Settings (Front-End Server to ABAP Back-End Server) > Manage RFC Destinations.
2. Define the required RFC destinations.

For more information about the settings, see the following documentation:

- For SAP NetWeaver 7.31, see SAP Help Portal at http://help.sap.com/nwgateway20 under Configuration and Deployment Information > Configuration Guide > SAP Gateway Configuration Guide > SAP Gateway Configuration > Connection Settings for SAP Gateway Hub System > Connection Settings: SAP Gateway to SAP Systems > Creating an RFC Destination for SAP Gateway Hub to SAP System.
- For SAP NetWeaver 7.4, see SAP Help Portal at http://help.sap.com/nw74 under Application Help > Function-Oriented View > SAP Gateway Foundation (SAP_GWFND) > SAP Gateway Foundation Configuration Guide > SAP Gateway Configuration > Connection Settings for the SAP Gateway Hub System > Connection Settings: SAP Gateway to SAP Systems > Creating an RFC Destination for SAP Gateway Hub to SAP System.


1.4.1.5 Activating SAP Gateway

Before you can use SAP Gateway functionality, you have to activate it globally in your system. You can activate and deactivate SAP Gateway. When you deactivate it, all SAP Gateway services stop running, no consumer servers can communicate with it, and an error message is sent to any system that calls for the services.

Note

From SAP NetWeaver 7.4 Support Package 6, you can perform setup tasks for SAP Fiori by using task lists that SAP delivers. A task list groups configuration tasks logically and guides you through the necessary tasks.

For an overview of all task lists and tasks for SAP Fiori, see Configuration Using Task Lists.

You can use the following task list to perform this step:

SAP_GATEWAY_BASIC_CONFIG

Prerequisites

Ensure that you have installed and configured the consumer server.

You have completed the installation and post-installation configuration for SAP Gateway. For more information, see Connect SAP Gateway to SAP Business Suite (Trusted RFC) and Managing RFC Destinations.

Procedure

1. In Customizing for SAP NetWeaver, choose UI Technologies > SAP Fiori > Initial Setup > Connection Settings (Front-End Server to ABAP Back-End Server) > Activate SAP Gateway.
   A message displays.
2. Choose Activate.
   A message displays informing you of the current status.

1.4.1.6 Creating System Alias for Applications

An SAP system alias is needed as the logical name of a system connection, that is, you specify where the SAP system alias should point to. You set up the system alias depending on the SAP Gateway content scenario and your system landscape. The system alias is the result of the routing for an inbound request on SAP Gateway. It can be a remote or a local system. If that system alias is flagged as a Local GW (Local Gateway) instance, it means that the system that is responsible for processing (managing and storing) the data of an inbound request is the local SAP Gateway instance itself.

For the SAP Fiori system landscape, you need one system alias pointing to the front-end server with the indicator Local GW selected. For each back-end system that you want to use, you need at least one system alias with the software version Default. If you use approvals in a back-end system, you need an additional system alias for task processing within the workflows used in this back-end system.

Note

From SAP NetWeaver 7.4 Support Package 6, you can perform setup tasks for SAP Fiori by using task lists that SAP delivers. A task list groups configuration tasks logically and guides you through the necessary tasks.

For an overview of all task lists and tasks for SAP Fiori, see Configuration Using Task Lists.

The following task lists apply to this step:

SAP_GATEWAY_ADD_SYSTEM
SAP_GATEWAY_ADD_SYSTEM_ALIAS

Prerequisites

You have defined remote function call (RFC) destinations from the ABAP front-end server to all back-end servers. For more information, see Managing RFC Destinations.

Procedure

1. In Customizing for SAP NetWeaver, choose UI Technologies > SAP Fiori > Initial Setup > Connection Settings (Front-End Server to ABAP Back-End Server) > Define SAP System Alias.
2. Choose New Entries.
3. Create the following SAP system aliases:
   - For the front-end server: One SAP system alias with the Local GW indicator selected.
   - For each back-end system: One SAP system alias with the corresponding RFC destination assigned and the software version Default.
   - For each back-end system for which you use approval apps: One additional SAP system alias for task processing with the following parameters:
     - Local GW: Not selected
     - For Local App: Selected
     - Software Version: Select the relevant data provider, such as /IWPGW/BWF.


For more information about further settings, see the following documentation:

- For SAP NetWeaver 7.31, see SAP Help Portal at http://help.sap.com/nwgateway20 under Configuration and Deployment Information > Configuration Guide > SAP Gateway Configuration Guide > SAP Gateway Configuration > Connection Settings for SAP Gateway Hub System > Connection Settings: SAP Gateway to SAP Systems > Creating an SAP System Alias.
- For SAP NetWeaver 7.4, see SAP Help Portal at http://help.sap.com/nw74 under Application Help > Function-Oriented View > SAP Gateway Foundation (SAP_GWFND) > SAP Gateway Foundation Configuration Guide > SAP Gateway Configuration > Connection Settings for the SAP Gateway Hub System > Connection Settings: SAP Gateway to SAP Systems > Creating an SAP System Alias.

1.4.2 User Authentication and Single Sign-On (SSO)

System Landscape: User Authentication and Single Sign-On

Overview

The authentication concept for SAP Fiori apps comprises initial user authentication on the ABAP front-end server, followed by authentication of all requests to back-end systems.

Initial Authentication

When a user launches an SAP Fiori app, the launch request is sent from the client to the ABAP front-end server by the SAP Fiori launchpad. During launch, the ABAP front-end server authenticates the user by using one of the supported authentication and single sign-on (SSO) mechanisms. We recommend setting up SSO, thereby enabling users to start SAP Fiori apps using their single, existing credentials. As a fallback option, initial authentication can be based on the users' passwords on the ABAP front-end server. SAP provides a dedicated logon handler for form-based logon. After initial authentication on the ABAP front-end server, a security session is established between the client and the ABAP front-end server.

Authentication for Requests in the Back-End Systems

After initial authentication, a security session is established between the client and the ABAP front-end server. Transactional apps can then send OData requests through the ABAP front-end server towards the ABAP back-end server. OData requests towards the ABAP back-end server are then communicated securely by trusted RFC and no additional authentication is required.

1.4.2.1 Setting Up SSO for SAP Fiori Landscapes with ABAP Environments

For SAP Fiori landscapes with ABAP environments, you must configure an SSO mechanism for initial authentication on the ABAP front-end server. After initial authentication, any requests to back-end ABAP systems are communicated securely by trusted RFC.

Procedure


To set up single sign-on for a system landscape with an ABAP environment, proceed as follows:

1. Configure initial authentication on the ABAP front-end server.
2. Configure authentication for requests to the ABAP back-end server:
   - Configure a trusted RFC connection between the ABAP front-end server and the ABAP back-end server.

Note

From SAP NetWeaver 7.4 Support Package 6, you can perform setup tasks for SAP Fiori by using task lists that SAP delivers. A task list groups configuration tasks logically and guides you through the necessary tasks.

For an overview of all task lists and tasks for SAP Fiori, see Configuration Using Task Lists.

The following task list applies for this step:

SAP_SAP2GATEWAY_TRUSTED_CONFIG

More Information

For more information about specific SSO mechanisms for authentication, see Single Sign-On Mechanisms for SAP Fiori Apps.

For more information about how to set up a trusted RFC, see:

- For SAP NetWeaver 7.31: http://help.sap.com/nw731 under Security Guide > Security Guides for Connectivity and Interoperability Technologies > RFC/ICF Security Guide > RFC Scenarios.
- For SAP NetWeaver 7.4: http://help.sap.com/nw74 under Security Guide > Security Guides for Connectivity and Interoperability Technologies > RFC/ICF Security Guide > RFC Scenarios.

1.4.2.2 SSO Mechanisms for SAP Fiori Apps

The following authentication and single sign-on (SSO) mechanisms are supported for SAP Fiori apps:

- Kerberos/SPNego
- X.509 Certificates
- SAML 2.0
- Logon Tickets

1.4.2.2.1 Kerberos/SPNego

If you access SAP Fiori apps from within your corporate network, you can enable Kerberos/SPNego authentication for the ABAP front-end server. This authentication is especially recommended if you already have a Kerberos/SPNego infrastructure in place, for example, if you use Microsoft Active Directory.

Kerberos/SPNego authentication provides the following advantages:

- It simplifies the logon process by reusing credentials that have already been provided, for example, during logon to the Microsoft Windows workstation. A separate logon to the ABAP front-end server is not required.
- It is also supported for logon to the SAP GUI. Using Kerberos for both SAP GUI and HTTP access simplifies the Single Sign-On setup within your system landscape.
- It is supported by a growing number of mobile device vendors.

During logon, Kerberos/SPNego authentication requires access to an issuing system (for example, Microsoft Active Directory). As this system is typically located within the corporate network, Kerberos/SPNego cannot be used for most internet-facing deployment scenarios. To enable Single Sign-On with Kerberos/SPNego authentication from outside your corporate network, you might have to set up a VPN connection.

Kerberos/SPNego is available with the SAP Single Sign-On product, which also provides additional authentication mechanisms, such as X.509 certificates or an SAML Identity Provider.

For an overview of SAP Single Sign-On, see http://www.sap.com/pc/tech/security/software/single-sign-on/index.html .

Configuration

For more information about the configuration that is required for Kerberos/SPNego, see the Secure Login for SAP Single Sign-On Implementation Guide on SAP Help Portal at http://help.sap.com/sapsso.

1.4.2.2.2 X.509 Certificates

If you have implemented a public-key infrastructure (PKI) for user authentication in your organization, you can use X.509 certificates by configuring the required back-end systems (ABAP or SAP HANA) to accept X.509 certificates.

Authentication with X.509 certificates provides the following advantages:

- It does not require an issuing system during logon, which means that it works well in internet-facing scenarios.
- It is also supported for logon to the SAP GUI. Using X.509 certificates for both SAP GUI and HTTP access simplifies the Single Sign-On setup within your system landscape.

X.509 certificates must be distributed to the workstations and devices that are used to access SAP Fiori apps. For mobile devices, this distribution can be performed centrally by a mobile device management software, for example SAP Afaria.


As X.509 certificates remain valid for a relatively long time, we recommend that you minimize the security risk by implementing a method to revoke the certificates, for example if a mobile device is lost.

Configuration

For information about the configuration that is required for X.509 certificates, see:

- For SAP NetWeaver 7.31: http://help.sap.com/nw731 under Application Help > Function-Oriented View > Security > User Authentication and Single Sign-On > Integration in Single Sign-On (SSO) Environments > Single Sign-On for Web-Based Access > Using X.509 Client Certificates > Using X.509 Client Certificates on the AS ABAP > Configuring the AS ABAP to use X.509 Client Certificates.
- For SAP NetWeaver 7.4: http://help.sap.com/nw74 under Application Help > Function-Oriented View > Security > User Authentication and Single Sign-On > Integration in Single Sign-On (SSO) Environments > Single Sign-On for Web-Based Access > Using X.509 Client Certificates > Using X.509 Client Certificates on the AS ABAP > Configuring the AS ABAP to use X.509 Client Certificates.

1.4.2.2.3 SAML 2.0

If you have implemented the Security Assertion Markup Language (SAML) version 2.0 as the method of SSO within your organization, you can configure the ABAP front-end server for use with SAML 2.0.

This authentication method provides the following advantages:

- It includes extensive federation capabilities, which means that it works well in scenarios with federated user domains, where trust configuration can be complicated.
- It includes extensive user mapping capabilities that enable you to map SAP users based on identity attributes, such as the SAP user name attribute or a user's e-mail address. This means that SAML 2.0 works well for scenarios with multiple user domains.

During logon, SAML 2.0 authentication requires access to an issuing system (Identity Provider). To enable Single Sign-On with SAML 2.0 in internet-facing deployment scenarios that leverage its federation capabilities, you must ensure that the SAML Identity Provider is securely accessible from outside your corporate network.

Note

In the SAP Fiori system landscape, SAML 2.0 is supported only for communication with the ABAP front-end server.

Configuration

For information about the configuration that is required for using SAML 2.0, see:

- For SAP NetWeaver 7.31: http://help.sap.com/nw731 under Application Help > Function-Oriented View > Security > User Authentication and Single Sign-On > Integration in Single Sign-On (SSO) Environments > Single Sign-On for Web-Based Access > Using SAML 2.0 > Configuring AS ABAP as a Service Provider.
- For SAP NetWeaver 7.4: http://help.sap.com/nw74 under Application Help > Function-Oriented View > Security > User Authentication and Single Sign-On > Integration in Single Sign-On (SSO) Environments > Single Sign-On for Web-Based Access > Using SAML 2.0 > Configuring AS ABAP as a Service Provider.

1.4.2.2.4 Logon Tickets

For logon tickets, you must configure the ABAP front-end server to issue logon tickets. Alternatively, you can use an existing system, such as a portal, in your landscape that already issues logon tickets. In addition, you must configure the required back-end systems (ABAP or SAP HANA) to accept logon tickets. You must also ensure that users in the ABAP system have the same user names as the database users in SAP HANA; user mapping is not supported.

As logon tickets are transferred as browser cookies, you can only use this authentication mechanism if all systems in your system landscape are located within the same DNS domain.
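The same-DNS-domain constraint above can be checked before rollout by applying browser cookie domain matching (RFC 6265, section 5.1.3) to the host names in the landscape. This is an added example, not SAP code; the system names, host names and cookie domain are constructed assumptions.

```python
"""Which systems in a landscape would receive a cookie scoped to a DNS domain?"""
import ipaddress

# Constructed landscape; system and host names are illustrative only.
SAMPLE_LANDSCAPE = {
    "ABAP front-end server": "fiori-fes.corp.example.com",
    "ABAP back-end server": "erp-bes.corp.example.com",
    "SAP HANA XS": "hana-xs.analytics.example.net",
    "Portal (ticket issuer)": "portal.mycorp.example.com",
    "Legacy system by IP": "10.0.0.15",
}


def _is_ip_address(host):
    """True if host is an IPv4 or IPv6 literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def domain_matches(host, cookie_domain):
    """RFC 6265 section 5.1.3 domain matching, case-insensitive."""
    host = host.lower().rstrip(".")
    # A leading dot in the Domain attribute is ignored by browsers.
    domain = cookie_domain.lower().strip(".")
    if not host or not domain:
        return False
    if host == domain:
        return True
    if _is_ip_address(host):
        return False  # IP literals only match themselves
    # The suffix must start at a label boundary: "mycorp.example.com" must
    # not match a cookie scoped to "corp.example.com".
    return host.endswith("." + domain)


def systems_outside_cookie_domain(landscape, cookie_domain):
    """Return sorted names of systems whose host would not receive the cookie."""
    return sorted(
        name for name, host in landscape.items()
        if not domain_matches(host, cookie_domain)
    )


if __name__ == "__main__":
    for name in systems_outside_cookie_domain(SAMPLE_LANDSCAPE, ".corp.example.com"):
        print(f"{name}: browser will not send the ticket cookie to this host")
```

Any system the function reports needs to move into the cookie's domain or use one of the other SSO mechanisms.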

Recommendation

The new standardized authentication methods Kerberos/SPNego, X.509 certificates, and SAML 2.0 provide additional security and flexibility features compared to proprietary logon tickets. For example, you can define user mappings and shorten token validity periods or session lifetimes on the server. Therefore, we recommend using Kerberos/SPNego, X.509 certificates, or SAML 2.0 where technically possible.

Note

From SAP NetWeaver 7.4 Support Package 6, you can perform setup tasks for SAP Fiori by using task lists that SAP delivers. A task list groups configuration tasks logically and guides you through the necessary tasks.

For an overview of all task lists and tasks for SAP Fiori, see Configuration Using Task Lists.

You can use the following task list to perform this step:

SAP_SAP2GATEWAY_TRUSTED_CONFIG

Configuration


For information about the configuration that is required for using logon tickets, see:

- For SAP NetWeaver 7.31: http://help.sap.com/nw731 under Application Help > Function-Oriented View > Security > User Authentication and Single Sign-On > Integration in Single Sign-On (SSO) Environments > Single Sign-On for Web-Based Access > Using Logon Tickets > Using Logon Tickets with AS ABAP > Configuring AS ABAP to Accept Logon Tickets.
- For SAP NetWeaver 7.4: http://help.sap.com/nw74 under Application Help > Function-Oriented View > Security > User Authentication and Single Sign-On > Integration in Single Sign-On (SSO) Environments > Single Sign-On for Web-Based Access > Using Logon Tickets > Using Logon Tickets with AS ABAP > Configuring AS ABAP to Accept Logon Tickets.
