System Landscape: User Authentication and Single Sign-On
The authentication concept for SAP Fiori apps comprises initial user authentication on the ABAP front-end server, followed by authentication of all requests to back-end systems.
When a user launches an SAP Fiori app, the launch request is sent from the client to the ABAP front-end server by the SAP Fiori launchpad. During launch, the ABAP front-end server authenticates the user by using one of the supported authentication and single sign-on (SSO) mechanisms. We recommend setting up SSO, thereby enabling users to start SAP Fiori apps using their single, existing credentials. As a fallback option, initial authentication can be based on the users' passwords on the ABAP front-end server. SAP provides a dedicated logon handler for form-based logon. After initial authentication on the ABAP front-end server, a security session is established between the client and the ABAP front-end server.
After initial authentication on the ABAP front-end server, the SAP Fiori apps and the SAP Fiori launchpad can send requests to the ABAP back-end server and to SAP HANA Extended Application Services (SAP HANA XS). For these requests to back-end servers, additional configuration of SSO mechanisms for authentication may be required.
Requests to the ABAP back-end server (transactional apps and fact sheets)
Transactional apps and fact sheets send OData requests through the ABAP front-end server towards the ABAP back-end server. After initial authentication, a security session is established between the client and the ABAP front-end server. OData requests towards the ABAP back-end server are then communicated securely by trusted RFC.
For search in the SAP Fiori launchpad, fact sheets also send InA search requests from the client to the ABAP back-end server. These requests can be authenticated with Kerberos/SPNego, X.509 certificates, or logon tickets. You can configure the ABAP front-end server to issue logon tickets after initial authentication, or you can use your existing portal to do so.
Requests to SAP HANA XS (analytical apps)
Analytical apps send OData requests from the client to SAP HANA XS. These requests can be authenticated with Kerberos/SPNego, X.509 certificates, or logon tickets. You can configure the ABAP front-end server to issue logon tickets after initial authentication, or you can use your existing portal to do so.