
Fiori Security Guide


4/23/2020

SAP Fiori: Security


Generated on: 2020-04-23

SAP Fiori Implementation Information | Front-end Server 6.0

PUBLIC

Original content: https://help.sap.com/viewer/93d677d2f3cd4719aa2f0feaed8a914d/FES6.0/en-US

Warning

This document has been generated from the SAP Help Portal and is an incomplete version of the official SAP product
documentation. The information included in custom documentation may not reflect the arrangement of topics in the SAP Help
Portal, and may be missing important aspects and/or correlations to other topics. For this reason, it is not for productive use.

For more information, please visit the https://help.sap.com/viewer/disclaimer.


SAP Fiori: Security


The SAP Fiori security information provides an overview of security-relevant topics for SAP Fiori, and provides links to individual
topics for various deployment scenarios.

Target Audience
Technical consultants

System administrators

Additional Information
You can find information about security aspects for SAP Fiori-relevant ABAP Platform components on SAP Help Portal at ABAP
Platform:

For the ABAP Platform Security Guide, under ABAP Platform, and then Securing the ABAP Platform > ABAP Platform
Security Guide > Security Guides for ABAP Platform Functional Units > Security Guides for the Application
Server > Security Guides for AS ABAP > Application Server ABAP Security Guide.

For security information for SAP Web Dispatcher, under Application Server ABAP - Infrastructure > Components of
Application Server ABAP > SAP Web Dispatcher > Administration of the SAP Web Dispatcher > Security Information for
SAP Web Dispatcher.

For security information for SAP NetWeaver user interface services, under ABAP Platform, and then UI Technologies > SAP
NetWeaver User Interface Services > Security Information.

For security information for SAP Fiori launchpad, under ABAP Platform, and then UI Technologies > SAP Fiori
Launchpad > Security Aspects.

Related Information
Technical System Landscape
Network and Communication Security
User Authentication and Single Sign-On (SSO)
Mobile Application Security
Virus Scanning (Optional)
Clickjacking Framing Protection

Technical System Landscape


Depending on the SAP Fiori scenario that you want to use, there are different options to set up your system landscape.

The following topic shows system landscapes for SAP Fiori apps: Setup of SAP Fiori System Landscape.

For information about different deployment options for your SAP Fiori system landscape, see SAP Fiori Deployment Options.

For information about what you need to consider before installing the components for the SAP Fiori landscape, see Pre-Installation
Considerations.

Network and Communication Security


Depending on the apps that you want to use, different steps are required to set up communication between the components of your
SAP Fiori system landscape.

ABAP Servers: Setup of Communication

Step                                                      Valid for

Configuring ABAP Server Session Security                  All app types
Configuring the AS ABAP to Support SSL                    All app types
Connecting SAP Gateway to Back-End System (Trusted RFC)   All app types
Managing RFC Destinations                                 All app types
Activating SAP Gateway                                    All app types
Creating System Alias for Applications                    All app types

SAP Web Dispatcher: Setup of Communication

Step                                                                       Valid for

Configuring Communication Channel between Clients and SAP Web Dispatcher   All app types
Defining Routing Rules for SAP Web Dispatcher and ABAP Front End           Object pages, SAP Fiori search
Defining Routing Rules for SAP Web Dispatcher and ABAP Back End            Object pages, SAP Fiori search
Configuring Trust Between SAP Web Dispatcher and ABAP Servers              If you use X.509 client certificates for
                                                                           authentication at the ABAP servers, configure a trust
                                                                           relationship between SAP Web Dispatcher and the ICM of
                                                                           the ABAP servers.

User Authentication and Single Sign-On (SSO)

The authentication concept for SAP Fiori apps comprises initial user authentication on the ABAP front-end server, followed by
authentication of all requests to back-end systems.

Use


System Landscape: User Authentication and Single Sign-On

Initial Authentication
When a user launches an SAP Fiori app, the launch request is sent from the client to the ABAP front-end server by the SAP Fiori
launchpad. During launch, the ABAP front-end server authenticates the user by using one of the supported authentication and
single sign-on (SSO) mechanisms. We recommend setting up SSO, thereby enabling users to start SAP Fiori apps using their
single, existing credentials. As a fallback option, initial authentication can be based on the users' passwords on the ABAP front-
end server. SAP provides a dedicated logon handler for form-based logon. After initial authentication on the ABAP front-end
server, a security session is established between the client and the ABAP front-end server.

Authentication for Requests in the Back-End Systems


After initial authentication on the ABAP front-end server, the SAP Fiori apps and the SAP Fiori launchpad can send requests to the
ABAP back-end server. For these requests to back-end servers, additional configuration of SSO mechanisms for authentication
may be required.


Requests to the ABAP back-end server


Apps send OData requests through the ABAP front-end server towards the ABAP back-end server. After initial authentication, a
security session is established between the client and the ABAP front-end server. OData requests towards the ABAP back-end
server are then communicated securely by trusted RFC.

For search in the SAP Fiori launchpad, apps also send InA search requests from the client to the ABAP back-end server. These
requests can be authenticated with Kerberos/SPNego, X.509 certificates, or logon tickets. You can configure the ABAP front-end
server to issue logon tickets after initial authentication, or you can use your existing portal to do so.

SSO Mechanisms for SAP Fiori Apps


Several authentication and single sign-on (SSO) mechanisms are supported for SAP Fiori apps.

For more information about the following supported authentication and single sign-on (SSO) mechanisms, see:

Kerberos/SPNego

X.509 Certificates

SAML 2.0

Logon Tickets

Kerberos/SPNego
If you access SAP Fiori apps from within your corporate network, you can enable Kerberos/SPNego authentication for the ABAP
front-end server.

If you already have a Kerberos/SPNego infrastructure in place, for example, if you use Microsoft Active Directory, this
authentication is especially recommended.

Kerberos/SPNego authentication provides the following advantages:

It simplifies the logon process by reusing credentials that have already been provided, for example, during logon to the
Microsoft Windows workstation. A separate logon to the ABAP front-end server is not required.

It is also supported for logon to the SAP GUI. Using Kerberos for both SAP GUI and HTTP access simplifies the single sign-
on setup within your system landscape.

It is supported by a growing number of mobile device vendors.

During logon, Kerberos/SPNego authentication requires access to an issuing system (for example, Microsoft Active Directory).
As this system is typically located within the corporate network, Kerberos/SPNego cannot be used for most internet-facing
deployment scenarios. To enable single sign-on with Kerberos/SPNego authentication from outside your corporate network, you
might have to set up a VPN connection.

Kerberos/SPNego is available with the SAP Single Sign-On product, which also provides additional authentication mechanisms,
such as X.509 certificates or an SAML Identity Provider.

For an overview of SAP Single Sign-On, see http://www.sap.com/product/technology-platform/single-sign-on.html.

Configuration

For more information about the configuration that is required for Kerberos/SPNego, see the Secure Login for SAP Single Sign-On
Implementation Guide on SAP Help Portal at https://help.sap.com/viewer/product/SAP_SINGLE_SIGN-ON/latest/en-US.

X.509 Certificates


If you have implemented a public-key infrastructure (PKI) for user authentication within your organization, you can use X.509
certificates for authentication at the required back-end systems (ABAP or SAP HANA).

Authentication with X.509 certificates provides the following advantages:

It does not require an issuing system during logon, which means that it works well in internet-facing scenarios.

It is also supported for logon to the SAP GUI. Using X.509 certificates for both SAP GUI and HTTP access simplifies the
Single Sign-On setup within your system landscape.

X.509 certificates must be distributed to the workstations and devices that are used to access SAP Fiori apps. For mobile devices,
this distribution can be performed centrally by mobile device management software, for example SAP Afaria.

Recommendation
As X.509 certificates remain valid for a relatively long time, we recommend that you minimize the security risk by
implementing a method to revoke the certificates, for example if a mobile device is lost.

Configuration
For information about the configuration that is required for X.509 certificates, see SAP Help Portal at ABAP Platform under
Securing the ABAP Platform > Security Concepts and Tools > User Authentication and Single Sign-On > Integration in Single Sign-
On (SSO) Environments > Single Sign-On for Web-Based Access > Using X.509 Client Certificates > Using X.509 Client
Certificates on the AS ABAP > Configuring the AS ABAP to Use X.509 Client Certificates.

SAML 2.0
If you have implemented the security assertion markup language (SAML) version 2.0 for single sign-on (SSO) within your
organization, you can configure the ABAP front-end server for use with SAML 2.0.

This authentication method provides the following advantages:

It includes extensive federation capabilities, which means that it works well in scenarios with federated user domains,
where trust configuration can be complicated.

It includes extensive user mapping capabilities that enable you to map SAP users based on identity attributes, such as the
SAP user name attribute or a user's e-mail address. This means that SAML 2.0 works well for scenarios with multiple user
domains.

During logon, SAML 2.0 authentication requires access to an issuing system (Identity Provider). To enable single sign-on with
SAML 2.0 in internet-facing deployment scenarios that leverage its federation capabilities, you must ensure that the SAML Identity
Provider is securely accessible from outside your corporate network.

Note
In the SAP Fiori system landscape, SAML 2.0 is supported only for communication with the ABAP front-end server.


Configuration
For information about the configuration that is required for using SAML 2.0, see SAP Help Portal at ABAP Platform under Securing
the ABAP Platform > Security Concepts and Tools > User Authentication and Single Sign-On > Integration in Single Sign-On (SSO)
Environments > Single Sign-On for Web-Based Access > Using SAML 2.0 > Configuring AS ABAP as a Service Provider.

Logon Tickets
For logon tickets, you must configure the ABAP front-end server to issue logon tickets. Alternatively, you can use an existing
system, such as a portal, in your landscape that already issues logon tickets.

In addition to the front-end server configuration, you must configure the required back-end systems (ABAP or SAP HANA) to
accept logon tickets. You must also ensure that users in the ABAP system have the same user names as the database users in SAP
HANA; user mapping is not supported.

As logon tickets are transferred as browser cookies, you can only use this authentication mechanism if all systems in your system
landscape are located within the same DNS domain.
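The same-DNS-domain constraint follows from how browsers scope cookies. The following Python is an added illustration of that rule, not SAP code: shared_cookie_domain computes the widest DNS domain a ticket cookie could be scoped to so that every listed system receives it, and cookie_domain_matches applies the RFC 6265 domain-matching check a browser performs before sending a cookie. The host names are constructed samples and the function names are assumptions; the two-label minimum is a simplification that does not consult the public suffix list.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional


def _labels(host: str) -> List[str]:
    """Split a host name into lower-case DNS labels, ignoring a trailing dot."""
    return host.lower().strip(".").split(".")


def shared_cookie_domain(hosts: Iterable[str], min_labels: int = 2) -> Optional[str]:
    """Widest DNS domain common to all hosts, usable as a cookie Domain attribute.

    Returns None when the hosts share fewer than min_labels trailing labels,
    i.e. they do not sit in one DNS domain and a cookie-borne ticket issued for
    one of them can never reach the others. (Assumption for this example: a
    two-label suffix such as example.com is treated as a valid cookie domain.)"""
    reversed_labels = [list(reversed(_labels(h))) for h in hosts]
    if not reversed_labels:
        return None
    common: List[str] = []
    for column in zip(*reversed_labels):
        if all(label == column[0] for label in column):
            common.append(column[0])
        else:
            break
    if len(common) < min_labels:
        return None
    return ".".join(reversed(common))


def cookie_domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching as applied by a browser.

    The request host must equal the cookie domain or end with "." + domain,
    and an IP literal never matches a broader domain."""
    host = request_host.lower().strip(".")
    domain = cookie_domain.lower().strip(".")
    if host == domain:
        return True
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    return host.endswith("." + domain)


def ticket_reaches(cookie_domain: str, hosts: Iterable[str]) -> Dict[str, bool]:
    """For each system in the landscape, whether a ticket cookie scoped to
    cookie_domain would be sent along with requests to it."""
    return {h: cookie_domain_matches(h, cookie_domain) for h in hosts}


if __name__ == "__main__":
    # Constructed landscape: front-end server, gateway and HANA in one domain,
    # plus a portal in a different DNS domain.
    landscape = ["fes.corp.example.com", "gw.corp.example.com", "hana.corp.example.com"]
    print("shared domain:", shared_cookie_domain(landscape))
    print(ticket_reaches("corp.example.com", landscape + ["portal.example.net"]))
```

A None result from shared_cookie_domain is the concrete form of the restriction stated above: without a common DNS domain no Domain attribute can make the ticket cookie reach every system, so one of the other SSO mechanisms has to be used.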

Recommendation
The new standardized authentication methods Kerberos/SPNego, X.509 certificates, and SAML 2.0 provide additional security
and flexibility features compared to proprietary logon tickets. For example, you can define user mappings and shorten token
validity periods or session lifetimes on the server. Therefore, we recommend using Kerberos/SPNego, X.509 certificates, or
SAML 2.0 where technically possible.

Note
You can perform setup tasks for SAP Fiori by using task lists that SAP delivers. A task list groups configuration tasks logically
and guides you through the necessary tasks.

For an overview of all task lists and tasks for SAP Fiori, see Configuration Using Task Lists.

You can use the following task list to perform this step:

SAP_SAP2GATEWAY_TRUSTED_CONFIG

Configuration
For information about the configuration that is required for using logon tickets, see SAP Help Portal at ABAP Platform under
Securing the ABAP Platform > Security Concepts and Tools > User Authentication and Single Sign-On > Integration in Single Sign-
On (SSO) Environments > Single Sign-On for Web-Based Access > Using Logon Tickets > Using Logon Tickets with AS
ABAP > Configuring AS ABAP to Accept Logon Tickets.

Choosing a Single Sign-On Mechanism


Different recommendations for single sign-on mechanisms apply according to the scenario that you have implemented for
accessing SAP Fiori apps.

Recommendations for Single Sign-On


Depending on how you access SAP Fiori apps, the following recommendations apply:


Scenario                                                                Recommended SSO Method

You access SAP Fiori apps from the Internet, and you do not have a      SAML 2.0
PKI in place already.

You access SAP Fiori apps from the Internet, and you have a PKI and     X.509
client certificate management solution in place.

You access SAP Fiori apps from within your corporate network, and       Kerberos/SPNEGO
you have a Kerberos/SPNego infrastructure with Microsoft Active
Directory in place already.

The following table provides an overview of the qualities of the different SSO methods:

                      SAML 2                    X.509                         Kerberos                      Logon Tickets

Client Requirements   Browser or SAP Fiori      Browser or SAP Fiori Client*  Browser with SPNego support   Browser or SAP Fiori Client
                      Client                    with client certificate       or SAP Fiori Client           with Cookie enabled
                                                                              (Intranet or VPN only)

Infrastructure        SAML IdP                  CA + client certificate       MS Active Directory           Ticket issuer (Portal or
Requirements                                    management solution                                         ABAP system)

Cross Domain SSO      yes                       yes                           no                            no

Identity mapping      yes                       yes                           yes                           no

Identity federation   yes                       no                            no                            no

Single logout         yes                       no                            no                            no

Lifetime              session                   fixed (revocation possible)   session                       fixed (default: 8h)

Proof of ownership    private key, symmetric    private key                   (domain) password             --
                      key, bearer

Setting Up SSO for SAP Fiori Landscapes


For SAP Fiori landscapes, configure a single sign-on (SSO) mechanism for initial authentication on the ABAP front-end server.
After initial authentication, any requests to back-end ABAP systems are communicated securely by trusted RFC.

Procedure
To set up single sign-on for a system landscape with an SAP HANA database, proceed as follows:

1. Configure initial authentication on the ABAP front-end server.

2. Configure authentication for requests to the ABAP back-end server:

   Configure a trusted RFC connection between the ABAP front-end server and the ABAP back-end server.

   For search in the SAP Fiori launchpad, configure authentication in the back-end server, which processes the search
   requests. These requests can be authenticated with Kerberos/SPNego, X.509 certificates, or logon tickets. You can
   configure the ABAP front-end server to issue logon tickets after initial authentication, or you can use your existing
   portal to do so.

Next Steps

Note
You can perform setup tasks for SAP Fiori by using task lists that SAP delivers. A task list groups configuration tasks logically
and guides you through the necessary tasks.

For an overview of all task lists and tasks for SAP Fiori, see Configuration Using Task Lists.

The following task list applies for this step:

SAP_SAP2GATEWAY_TRUSTED_CONFIG

More Information

For more information about specific SSO mechanisms for authentication, see SSO Mechanisms for SAP Fiori Apps.

For more information about how to set up a trusted RFC, see SAP Help Portal at ABAP Platform under Securing the ABAP
Platform > ABAP Platform Security Guide > Security Guides for Connectivity and Interoperability Technologies > RFC/ICF
Security Guide > RFC Scenarios.

For more information about con guring SAP Fiori search, see Setup of SAP Fiori Search.

Mobile Application Security


There are two ways for SAP Fiori apps to run natively on mobile devices: in SAP Fiori Client or as packaged apps. SAP recommends
using SAP Mobile Platform and SAP Mobile Secure to manage and secure your mobile applications.

SAP Fiori Client


SAP Fiori Client is a mobile application runtime container for SAP Fiori. All SAP Fiori apps can run in SAP Fiori Client instead of a
Web browser. SAP Fiori Client can be downloaded from the public app stores for iOS, Android, and Windows devices. SAP Fiori
Client overcomes limitations in the mobile browser by providing a reliable asset caching mechanism for SAP Fiori application
assets, and also provides device APIs (such as camera, bar code scanner, and geolocation) to SAP Fiori Web applications.

SAP Fiori Client is designed around Apache Cordova architecture, where device APIs and custom functionality are added through
Cordova plug-ins.

For more information about SAP Fiori Client, see http://help.sap.com/viewer/p/SAP_FIORI_CLIENT.

SAP Fiori Packaged Apps


Some SAP Fiori apps can be packaged with the launchpad and deployed as native mobile apps based on the Apache Cordova
framework. Packaged apps contain the JavaScript and HTML assets (plus images, message strings, and so on) as local resources
that are loaded directly into the app's WebView. This delivers a robust user experience because the only network traffic required is
business data. Packaging also allows certain SAP Fiori apps to be used in offline mode. In this case, SAP Mobile Platform initializes
the creation of the local offline store and provides the offline OData service that periodically synchronizes the business data
between the back end and the client offline store.

The CLI packager for SAP Fiori is a Node.js application delivered with the SAP Mobile Platform Hybrid SDK. The packager uses the
SAP Mobile Secure cloud build service API to drive a Cordova-style build. The apps can be distributed to mobile devices and users
through SAP Mobile Secure and SAP Mobile Place.

For more information, see http://help.sap.com/viewer/p/SAP_MOBILE_PLATFORM_SDK under Mobilizing SAP Fiori > Packaging
SAP Fiori Apps.


SAP Mobile Platform


SAP Mobile Platform Server (on premise) and SAP Cloud Platform mobile service for development and operations (on demand)
simplify mobile application management, security, and supportability at an enterprise scale. By integrating SAP Mobile Platform
into your SAP Fiori system landscape, you can create a secure, efficient, and easy-to-manage mobile environment for SAP Fiori.

For information on how to integrate SAP Mobile Platform into your on-premise SAP Fiori landscape, see
http://help.sap.com/viewer/p/FIORI_IMPLEMENTATION.

SAP Cloud Platform, Mobile Service for App and Device Management
SAP mobile service for app and device management is an integrated, cloud-based enterprise mobility management portfolio. It
comprises a comprehensive mobile device management (MDM) solution and a customizable enterprise app store (SAP Mobile
Place). Users on both MDM-managed and unmanaged devices can discover and download relevant apps and set up related
services such as network access, e-mail, identity, and more. For more information, see the administration guide at
https://help.sap.com/viewer/product/MOBILE_SERVICE_FOR_APP_AND_DEVICE_MANAGEMENT/Cloud/en-US under
Administration > SAP Cloud Platform mobile service for app and device management Administration Guide.

SAP Afaria is a mobile device management (MDM) system that allows you to secure and manage your organization’s mobile
devices, mobile applications, and data. You can remotely connect to enrolled mobile devices to configure the device and install
required applications. Afaria is part of the Mobile Secure suite of products from SAP. For more information, see the Afaria product
documentation on SAP Help Portal at http://help.sap.com/viewer/p/SAP_AFARIA.

Virus Scanning (Optional)


Virus scanner and scan profiles are vital for SAP Fiori apps that provide the possibility to upload or display documents.

Uploaded documents are displayed in SAP Fiori apps without further security-related checks. If a document contains malicious
content, unintended actions could be triggered at the front end during download or display, which might lead to cross-site
scripting vulnerabilities. Various SAP Fiori apps offer the possibility to upload or display documents. If you use one of these apps,
you have to install an appropriate virus scanner and define sufficiently restrictive scan profiles to prevent upload of malicious
content.

Scan Profiles for SAP Fiori Apps


The virus scanner will reject all documents that are not compliant with the rules defined in the settings of the scan profile. These
rules need to disallow dangerous MIME types (such as documents with active content like HTML or JavaScript).

The documents are checked with a scan profile before being stored in the Knowledge Provider (KPro). The following scan profiles
are available for the SAP Fiori apps offering the possibility to upload or display documents:

Area          Scan Profile

Standard      /SCMS/KPRO_CREATE
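The rule described above (reject documents whose type is active content such as HTML or JavaScript) is enforced by the virus scan interface together with the scanner product. The following Python is an added illustration of that rule and is not SAP code or the /SCMS/KPRO_CREATE profile: it checks the declared Content-Type against a deny list and then sniffs the content itself, because a file declared as image/png may still contain HTML. The deny list, the magic-byte table, the sample documents and the function names are assumptions for this example.

```python
import re
from dataclasses import dataclass

# Content types that carry active content. A restrictive scan profile refuses
# them no matter what the client declared (constructed list for this example).
FORBIDDEN_MIME_TYPES = frozenset({
    "text/html",
    "application/xhtml+xml",
    "text/javascript",
    "application/javascript",
    "application/x-javascript",
    "image/svg+xml",          # SVG can carry script, so it counts as active content
})

# Constructed signatures used to sniff what a file really is.
_MAGIC = (
    (b"%PDF-", "application/pdf"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"PK\x03\x04", "application/zip"),
)
_SVG_MARKER = re.compile(rb"<\s*svg\b", re.IGNORECASE)
_HTML_MARKER = re.compile(
    rb"<\s*(?:!doctype\s+html|html|script|iframe|object|embed)\b", re.IGNORECASE)


@dataclass
class ScanResult:
    accepted: bool
    detected_type: str
    reason: str


def sniff_mime_type(data: bytes) -> str:
    """Best-effort type detection from the first bytes of the content."""
    head = data[:4096]
    for magic, mime in _MAGIC:
        if head.startswith(magic):
            return mime
    if _SVG_MARKER.search(head):
        return "image/svg+xml"
    if _HTML_MARKER.search(head):
        return "text/html"
    return "application/octet-stream"


def scan_upload(data: bytes, declared_type: str,
                max_bytes: int = 10 * 1024 * 1024) -> ScanResult:
    """Apply the profile: size limit, declared type, then sniffed type.

    The sniffing step is what catches HTML smuggled under an innocent
    Content-Type such as image/png."""
    if len(data) > max_bytes:
        return ScanResult(False, declared_type, "size limit exceeded")
    declared = declared_type.split(";")[0].strip().lower()
    if declared in FORBIDDEN_MIME_TYPES:
        return ScanResult(False, declared, f"declared type {declared} is not allowed")
    detected = sniff_mime_type(data)
    if detected in FORBIDDEN_MIME_TYPES:
        return ScanResult(False, detected,
                          f"content sniffed as {detected} although declared as {declared}")
    return ScanResult(True, detected, "ok")


if __name__ == "__main__":
    # Constructed sample uploads: a genuine PDF and an HTML page declared as PNG.
    print(scan_upload(b"%PDF-1.7\n%...\n", "application/pdf"))
    print(scan_upload(b"<!DOCTYPE html><html><body>not an image</body></html>", "image/png"))
```

Checking the declared type alone is not enough: the second sample is rejected only because the content is sniffed, which is the behaviour a "sufficiently restrictive" profile has to provide.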

More Information
For more information about the configuration, see SAP Help Portal at
http://help.sap.com/viewer/p/SAP_NETWEAVER_AS_ABAP_752 under Application Help > SAP NetWeaver Library: Function-
Oriented View > Security > System Security > Virus Scan Interface.

You can find additional information in the SAP Notes 786179 and 1494278.


Clickjacking Framing Protection


Clickjacking framing protection helps prevent clickjacking (UI redressing) attacks.

Clickjacking or UI redressing attacks trick users into triggering actions within an application by hijacking mouse clicks. The
users think they are clicking on the underlying element in the presented context, but are actually clicking on an action chosen by
the attacker. To protect against this type of attack, SAP provides a whitelist-based framework for SAP NetWeaver technologies.
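The allowlist principle described above, as an added Python illustration that is not SAP's framework or code: the server decides which embedding origins may frame the application and emits the standard Content-Security-Policy frame-ancestors and X-Frame-Options response headers, while framing_allowed mirrors the check a browser applies to an ancestor origin. The origins in FRAMING_ALLOWLIST and the function names are assumptions for this example.

```python
from typing import Dict, Iterable, Optional
from urllib.parse import urlsplit

# Constructed sample: origins that are trusted to embed the application.
FRAMING_ALLOWLIST = frozenset({
    "https://portal.example.com",
    "https://launchpad.example.com:44300",
})


def normalize_origin(url: str) -> Optional[str]:
    """Reduce a URL to its origin (scheme://host[:port]), dropping default ports.

    Returns None for anything that is not an http(s) URL with a host, so such
    ancestors can never match an allowlist entry by accident."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    default_port = 443 if parts.scheme == "https" else 80
    host = parts.hostname.lower()
    if port is None or port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def framing_headers(allowlist: Iterable[str] = FRAMING_ALLOWLIST) -> Dict[str, str]:
    """Response headers telling the browser which ancestors may frame the page.

    'self' is included so the application may frame itself. X-Frame-Options
    cannot carry a list, so it is set to SAMEORIGIN as the fallback for
    browsers that do not evaluate CSP frame-ancestors."""
    sources = " ".join(["'self'", *sorted(allowlist)])
    return {
        "Content-Security-Policy": f"frame-ancestors {sources}",
        "X-Frame-Options": "SAMEORIGIN",
    }


def framing_allowed(ancestor_url: Optional[str], own_origin: str,
                    allowlist: Iterable[str] = FRAMING_ALLOWLIST) -> bool:
    """Decide whether the page may be shown inside the given ancestor.

    None means the page is loaded top-level, so framing is not an issue.
    Matching is on the full origin: scheme, host and port must all agree,
    which rejects look-alike hosts and downgraded schemes."""
    if ancestor_url is None:
        return True
    origin = normalize_origin(ancestor_url)
    if origin is None:
        return False
    return origin == own_origin or origin in set(allowlist)


if __name__ == "__main__":
    own = "https://fiori.example.com"  # constructed own origin
    print(framing_headers())
    for ancestor in (None, "https://portal.example.com/shell",
                     "http://portal.example.com/", "https://portal.example.com.other.test/"):
        print(ancestor, "->", framing_allowed(ancestor, own))
```

Exact-origin matching is the point of the allowlist: a host that merely contains a trusted name, or the same host reached over plain http or a different port, is not the trusted origin and is refused.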

For more information about the clickjacking protection framework in SAPUI5, see SAP Help Portal at ABAP Platform under UI
Technologies > SAPUI5: UI Development Toolkit for HTML5 > Developing Apps > Securing Apps > Browser Security.

For more information about clickjacking framing protection in the SAP Fiori launchpad, see SAP Help Portal at ABAP Platform
under UI Technologies > SAP Fiori Launchpad > Security Aspects > Clickjacking Framing Protection.
