OpenSAP Fiori1 Week 04 Securing SAP Fiori UX


  • 8/10/2019 OpenSAP Fiori1 Week 04 Securing SAP Fiori UX

    1/34

    Week 4 Unit 1: Introduction to SAP Fiori UX Security & Single Sign-On

    2014 SAP SE or an SAP affiliate company. All rights reserved. Public

    Introduction to SAP Fiori UX Security & Single Sign-On: SAP Fiori Architecture from a Security & Authentication Perspective

    [Architecture diagram labels: Mobile, Desktop; DMZ; Front-End Server; Back-End Server; HTTPS (HTML/ODATA/INA); Initial Authentication: X.509, SAML 2.0, Logon Tickets, Kerberos / SPNEGO; ABAP Security Session; http(s); trusted RFC; SAP HANA XS]

    Introduction to SAP Fiori UX Security & Single Sign-On: So You Thought There Was One Guide That Rules All?

    All the guides for security topics are collected in the help pages.

    Note that the ABAP stack, the SAP HANA stack, and SAP HANA extended application services all have specific nodes.

    Introduction to SAP Fiori UX Security & Single Sign-On: SAP Fiori Supports Authentication Based On

    Kerberos / SPNEGO

    X.509 Certificates

    SAML 2.0

    Logon Tickets

    Introduction to SAP Fiori UX Security & Single Sign-On: Re-Cap

    Security Overview

    Security Architecture

    Information & Guides

    In the next unit we will look at the security aspects of the front-end server.

    Week 4 Unit 2: Understanding Security on the SAP Front-End Server

    Understanding Security on the SAP Front-End Server: Connecting the Dots

    Secure the connection and communication between the device and the front-end server.

    Secure the communication between the front-end server and the back-end server.

    Understanding Security on the SAP Front-End Server: Setting Up SSO

    Application Server ABAP supports the following user authentication and single sign-on mechanisms:

    User ID and password

    Secure Network Communications (SNC)

    Logon tickets

    SSL and X.509 client certificates

    Understanding Security on the SAP Front-End Server: Setting Up Secure Network Connection

    Enabling SNC for the ABAP system

    Securing an RFC connection with SNC

    Week 4 Unit 3: Understanding Security on the SAP Back-End Server

    Understanding Security on the SAP Back-End Server: Connecting the Dots

    Requests to the ABAP back-end server (transactional apps and fact sheets)

    Requests to SAP HANA extended application services (analytical apps)

    [Architecture diagram labels: Mobile, Desktop; DMZ; Front-End Server; Back-End Server; http(s); trusted RFC; SAP HANA XS]

    Understanding Security on the SAP Back-End Server: Securing the ABAP Back End

    The SAP NetWeaver Security Guide

    User Administration and Authentication

    Network and Communication Security

    Operating System and Database Platforms

    http://help.sap.com/saphelp_nw74/helpdata/en/4a/af6fd65e233893e10000000a42189c/content.htm?current_toc=/en/f3/780118b9cd48c7a668c60c3f8c4030/plain.htm&show_children=true
    Understanding Security on the SAP Back-End Server: Re-Cap

    Back-end related security topics

    Different types of calls and routes to the back-end

    Guides and information

    In the next unit we will review the single sign-on options in SAP Fiori in some detail.

    Review the Single Sign-On Options: An Overview

    SSO with

    SAML 2.0

    SSO2 tokens

    X.509

    Kerberos / SPNEGO

    Review the Single Sign-On Options: SSO with SAML 2.0

    Requires a SAML Identity Provider

    Federation capabilities

    User mapping capabilities based on identity attributes

    Enables single logout (SLO)

    Protects authentication information with encryption or with opaque IDs

    Review the Single Sign-On Options: SSO with SSO2

    In our case, the front-end server can connect to:

    SAP ERP

    SAP Business Suite powered by SAP HANA

    SAP HANA XS

    Ticket-based authentication is supported natively

    The cookie is called mysapsso2

    Digitally signed by the issuing server

    Review the Single Sign-On Options: SSO with X.509

    Transactional apps

    Set up the X.509 certificate authentication for the front-end server

    Fact sheet apps

    Set up the X.509 certificate authentication for the front-end server and back-end server

    SAP Smart Business apps

    Set up the X.509 certificate authentication for the front-end server and SAP HANA extended application services

    Review the Single Sign-On Options: Re-Cap

    SSO overview

    Various SSO options

    Capabilities and characteristics

    In the next unit you will work with me on an exercise covering these topics.

    2014 SAP SE or an SAP affiliate company. All rights reserved.

    No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

    SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.

    Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.

    National product specifications may vary.

    These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

    In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE's or its affiliated companies' strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.