SAP Enterprise Portal & SAP Fiori Common Architecture Recommend

SAP Enterprise Portal and SAP Fiori Common Architecture Recommendations Authors: Aviad Rivlin, Thomas Csapo Reviewers: Andrew Silvey October 2014 | Version 1.0


SAP ENTERPRISE PORTAL AND SAP FIORI - COMMON ARCHITECTURE RECOMMENDATIONS

TABLE OF CONTENTS

1 EXECUTIVE SUMMARY

2 WHAT IS SAP FIORI LAUNCHPAD – AN OVERVIEW

3 SAP ENTERPRISE PORTAL AND SAP FIORI INTEGRATION

4 ARCHITECTURE

4.1 Intranet scenario

4.2 Extranet scenario

5 ADDITIONAL REFERENCES


1 EXECUTIVE SUMMARY

The SAP Enterprise Portal has been the recommended single point of access for applications and content for more than 10 years and has been implemented by thousands of customers across regions and industries.

The SAP Portal UX is aligning with the Fiori UX in two dimensions:

- The SAP Fiori launchpad running on the SAP Enterprise Portal (as a new portal framework page)

- Fiori applications serving as business content for the portal

A typical scenario for the SAP Enterprise Portal together with the Fiori apps is consumption on mobile devices, providing access to the system from inside and outside of the corporate network on multiple devices. This scenario often raises security concerns about networking and data protection.

Below is a typical architecture outlining the key layers and protocols used to securely allow access to the Portal and the Fiori apps from inside and outside the corporate network, while keeping the corporate business data protected and, as far as possible, not vulnerable to attacks coming from outside of the corporate network.

Landscape Diagram 1: A common Portal/Fiori secured network


2 WHAT IS SAP FIORI LAUNCHPAD – AN OVERVIEW

SAP Fiori launchpad is a real-time, role-based and personalized aggregation point for business functions and applications, deployable on multiple platforms – ABAP front end server, SAP Enterprise Portal, HANA Cloud Platform and SAP HANA – thus showcasing the SAP clients’ alignment. It runs on multiple devices and provides a single point of access for business applications.

The Fiori launchpad is developed based on SAPUI5 and follows the responsive design paradigm, providing end users a coherent user experience across devices and consumption channels.


3 SAP ENTERPRISE PORTAL AND SAP FIORI INTEGRATION

Starting with SAP Enterprise Portal 7.4 SP8, the portal user experience is aligned with the Fiori user experience in two main aspects:

- New Fiori framework page – a new SAPUI5 responsive framework page is available in the portal, following the Fiori (launchpad) design. This new framework page is the recommended framework page for mobile consumption of the portal (available as of SAP Enterprise Portal 7.4 SP7)

- Consumption of Fiori and Fiori-like [1] applications in the portal – Fiori applications [2] serve as business content for the portal (available as of SAP Enterprise Portal 7.4 SP8 together with UI Add-on SP9 on the Front End Server)

The integration of the SAP Enterprise Portal and SAP Fiori apps is used very often for mobile scenarios and hence raises many questions focusing on system landscape architecture, authentication and single sign-on. In this document we share best practices and recommendations in this area.

[1] Fiori-like SAP Web IDE based applications deployed on-premise

[2] A subset of the Fiori apps can run in stand-alone mode and be consumed in the portal


In this scenario, the SAP Enterprise Portal [1] acts as the single point of access for business applications (Fiori and non-Fiori) and content. The applications can be hosted on the ABAP Front End Server (Fiori applications), on the Portal / JAVA server, or on any other server in the landscape.

The Fiori framework page [2] is hosted on the Portal server, aggregating Fiori applications [3] together with additional applications running on the different servers.

A reverse proxy is a mandatory component in this architecture because the Fiori launchpad implements a security mechanism to prevent click-jacking [4] attacks. The role of the reverse proxy (or a similar component) is to hide or disguise the host names of the SAP systems, so that the HTTP calls from the portal server and the ABAP Front End Server are presented with a matching host name and domain.
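The matching-host-name requirement can be checked before go-live by auditing the application URLs configured as portal content. The following is an added example, not part of the original document or of any SAP tool; the host names, paths and the `audit_app_urls` helper are constructed, and it assumes the protection compares scheme, host and port as a browser's same-origin check does.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) triple a browser compares for same-origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an absolute http(s) URL: {url}")
    return scheme, parts.hostname.lower(), parts.port or DEFAULT_PORTS[scheme]


def audit_app_urls(launchpad_url, app_urls):
    """Return (name, reason) for every app URL the browser would not load
    from the same scheme, host and port as the launchpad."""
    expected = origin(launchpad_url)
    findings = []
    for name, url in app_urls.items():
        try:
            # Relative and scheme-relative URLs resolve against the launchpad.
            actual = origin(urljoin(launchpad_url, url))
        except ValueError as exc:
            findings.append((name, str(exc)))
            continue
        if actual != expected:
            findings.append((name, "%s://%s:%d is not the launchpad origin" % actual))
    return findings


# Constructed sample: apps.example.com is the reverse proxy's public name,
# fes-int.example.corp stands for an internal ABAP Front End Server host.
LAUNCHPAD = "https://apps.example.com/irj/portal"
APP_URLS = {
    "leave-request": "/apps/leave/index.html",
    "timesheet": "https://apps.example.com:443/apps/time/index.html",
    "po-approval": "https://fes-int.example.corp:44300/apps/po/index.html",
    "legacy-report": "http://apps.example.com/apps/report/index.html",
}

if __name__ == "__main__":
    for name, reason in audit_app_urls(LAUNCHPAD, APP_URLS):
        print(f"{name}: {reason}")
```

Entries that are reported either point straight at an internal host or use a different scheme than the launchpad, and should be rewritten to go through the reverse proxy's public name.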

Key reasons to integrate the SAP Enterprise Portal with SAP Fiori

- Provide end users a true single point of access, with a single URL, to all of their daily business applications (Fiori and non-Fiori) and content

- Renew the portal user experience with attractive, responsive and multi-device applications while keeping the established UI in place

- Aligned look and feel of the portal and the business applications (including Fiori apps)

- Strong authentication and Single Sign-On concepts provided by the portal and the NetWeaver platform

- Leverage existing investment in the SAP Enterprise Portal

Important notes:

- Fiori applications run on the ABAP Front End Server. The apps do not run on the NetWeaver JAVA server

- Only a subset of the Fiori applications can be consumed in stand-alone mode in the portal

[1] Minimum version to consume Fiori applications in the SAP Portal: SAP Enterprise Portal 7.4 SP8 and UI Add-on SP9

[2] Planned enhancement: consumption of the Fiori applications (and additional standards based applications) in a new standards based Ajax Framework page

[3] Another option is to consume the ABAP based Fiori launchpad in the portal. No change in the architecture and tools when implementing this scenario

[4] Clickjacking - A clickjacked page tricks a user into performing undesired actions by clicking on a concealed link. Additional info at: http://en.wikipedia.org/wiki/Clickjacking


4 ARCHITECTURE

4.1 Intranet scenario

When accessing the SAP Portal and the Fiori applications from within the corporate network, the architecture (see diagram #2) is relatively simple. None of the landscape components are exposed to the internet, and no special security measures need to be applied to secure these servers from external attacks.

- All servers are hosted in the same network. Firewalls are optional, but not required.

- A reverse proxy is a mandatory component in the landscape to meet the matching-host-name requirement of the click-jacking protection

- Protocols:

  o Device to Portal: HTTPS

  o ABAP Front End Server to Portal: HTTPS (recommended) / oData / RFC – depending on the UI technology

  o LDAP

- User storage

  o Users are typically stored in a central user repository (such as a central LDAP)

Landscape Diagram 2 – Internal SAP Enterprise Portal and Fiori applications landscape [1]

[1] HTTP connection is also an option


4.2 Extranet scenario

When accessing the SAP Portal and the Fiori applications from outside of the corporate network, special security measures should be introduced to protect the systems from possible attacks.

We typically introduce 3 levels of network protection; each level is isolated from the outer one via a firewall.

- Internet

- Outer DMZ – first level of network protection, where the Reverse Proxy is typically hosted to direct (or reject) calls from the internet to the internal systems

- Inner DMZ – a secured area in the network, located behind two firewalls and typically hosting the user interface (UI) components (portal, gateway, front end server, etc.)

- Intranet – the most secured area in the network (behind three firewalls). This network level typically hosts the most protected software components (ERP systems, Business Warehouse, databases, etc.)

Access between servers in the different layers is restricted to specific IPs / host names, to secure the access between the different network layers and servers.

Additional landscape details

- Protocols:

  o Device to Portal: HTTPS

  o ABAP Front End Server to Portal: HTTPS (recommended) / oData / RFC – depending on the UI technology

  o LDAP

- User storage

  o Users are typically stored in a central user repository (such as a central LDAP)

  o There are options to store the main LDAP in the intranet and provide an external branch for the inner DMZ LDAP. The different LDAP vendors provide several techniques to achieve this [1]

- Networking

  o The firewall should secure each network layer by locking / approving ports, calls from specific IPs and hosts, etc.

[1] For example: Active Directory Lightweight Directory Services Overview
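The layered model above can be turned into an automated review of a firewall allow list. The following is an added example, not part of the original document; the subnets, hosts, ports and the `audit_rules` helper are constructed, and it assumes that inbound traffic may cross only one firewall per hop and that rules between internal layers should name a single source host.

```python
import ipaddress

# Outermost zone first; the subnets are constructed sample values.
ZONES = ["internet", "outer_dmz", "inner_dmz", "intranet"]
ZONE_NETS = {
    "outer_dmz": ipaddress.ip_network("10.1.0.0/24"),
    "inner_dmz": ipaddress.ip_network("10.2.0.0/24"),
    "intranet": ipaddress.ip_network("10.3.0.0/24"),
}


def zone_of(network):
    """Zone that fully contains `network`; anything wider counts as internet."""
    net = ipaddress.ip_network(network)
    for zone, zone_net in ZONE_NETS.items():
        if net.subnet_of(zone_net):
            return zone
    return "internet"


def audit_rules(rules):
    """Return (rule, reason) for inbound allow rules that break the layered model."""
    findings = []
    for rule in rules:
        src, dst, _port = rule
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        layers = ZONES.index(dst_zone) - ZONES.index(src_zone)
        if layers > 1:
            findings.append((rule, f"{src_zone} to {dst_zone} crosses {layers} firewalls in one hop"))
        elif layers == 1 and src_zone != "internet" and ipaddress.ip_network(src).num_addresses > 1:
            findings.append((rule, "source should be a single host, not a range"))
    return findings


# Constructed rule set: (source network, destination host, destination port).
RULES = [
    ("0.0.0.0/0", "10.1.0.10", 443),     # internet -> reverse proxy
    ("10.1.0.10/32", "10.2.0.20", 443),  # reverse proxy -> portal
    ("10.1.0.10/32", "10.2.0.21", 443),  # reverse proxy -> front end server
    ("10.2.0.21/32", "10.3.0.30", 443),  # front end server -> back end
    ("10.1.0.10/32", "10.3.0.30", 443),  # reverse proxy -> back end, skips a layer
    ("10.2.0.0/24", "10.3.0.40", 636),   # whole inner DMZ -> LDAP
    ("0.0.0.0/0", "10.2.0.20", 443),     # internet -> portal directly
]

if __name__ == "__main__":
    for rule, reason in audit_rules(RULES):
        print(rule, "->", reason)
```

A source range that spans more than one zone is treated as internet, so an overly broad rule is reported rather than silently accepted.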


Landscape Diagram 3: A common Portal/Fiori external facing secured network [1]

Landscape Diagram 4: Another option for Portal/Fiori external facing secured network [1]

[1] HTTP connection is also an option for all connections below the Reverse Proxy


5 ADDITIONAL REFERENCES

SAP Fiori

- Official documentation: http://help.sap.com/fiori

- Browser / Devices / OS Information: SAP note 1935915

SAP Enterprise Portal

- SAP Fiori Launchpad on Portal: http://help.sap.com/saphelp_nw73ehp1/helpdata/en/36/e069facded4977b277834c8914de79/frameset.htm

- SAP Fiori iView: http://help.sap.com/saphelp_nw73ehp1/helpdata/en/f6/e253dbf51742c0ade3e01feb96c6f7/frameset.htm

- Configuring SAP Web Dispatcher: http://help.sap.com/saphelp_nw74/helpdata/en/6e/9c5877c825496184b53231cc687783/frameset.htm

- SAP note 2031108 - SAP Fiori Integration with SAP Enterprise Portal - Central note

- SAP note 2008931 - Known issues for Fiori Framework Page (FLP on Portal)

SAP Fiori Launchpad

- Official documentation: http://help.sap.com/saphelp_uiaddon10/helpdata/en/f9/51b50a07ce41deb08ced62711fe8b5/content.htm?frameset=/en/b5/2e74afea0c4aeb8b642b8e6ba8911f/frameset.htm

- Running Fiori app as a standalone application: http://help.sap.com/saphelp_uiaddon10/helpdata/en/53/7758e0deb0477386ea400c915073b3/frameset.htm


© 2014 SAP SE. All rights reserved.
