If you use SAML 2.0 to authenticate users, you can add the principal propagation module to forward the user principals and credentials to the back end. The SSL setup is as follows:
- Set up one-way SSL between SAP Fiori Client, SAP Web Dispatcher, and SAP Mobile Platform Server.
- Set up mutual SSL between SAP Mobile Platform Server and the Fiori front-end server. Mutual SSL is required between these components because the user principals and credentials are forwarded from SAP Mobile Platform Server to the back end through a process called principal propagation, in which temporary X.509 certificates are generated to be used on the Fiori front-end server. User mapping then takes place in the Fiori front-end server.
> **Note**
>
> This section describes how to establish secure network communication and set up trust between the components in a scenario with SAP Mobile Platform Server (on-premise).
>
> For information about SAP HANA Cloud Platform mobile services, see the SAP HANA Cloud Platform mobile services documentation at https://help.hana.ondemand.com/hana_cloud_platform_mobile_services/frameset.htm.
| Task | Description |
|---|---|
| Configuring the client to trust SAP Web Dispatcher | You can have the SAP Web Dispatcher server certificate signed by a well-known CA that is already in the truststore populated by the device manufacturer, or have it signed by an internal CA. In the latter case, use an MDM solution such as Afaria to distribute the signing certificate to the clients. |
| Configure SSL termination and re-encryption. Configure the SAP Web Dispatcher server port. Configure the connection to SAP Mobile Platform Server. | |
| Replace the default self-signed server certificate with a CA-signed certificate. | |
| Import the Afaria CA signing certificate into the truststore so that SAP Web Dispatcher trusts the user certificate presented by the client. | |
| Import the CA certificate used to sign the SAP Mobile Platform Server certificate into the truststore. | |
| Replace the default self-signed certificate with a CA-signed certificate. | |
| Map the Impersonator role to the subjectDN of the SAP Web Dispatcher client PSE. | |
| Import the CA certificate used to sign the Fiori front-end server certificate into the SAP Mobile Platform keystore. | |
| Create a technical user certificate to be used for mutual SSL between SAP Mobile Platform Server and the Fiori front-end server. | |
| Enabling Principal Propagation to the Fiori Front-End Server | In principal propagation, temporary X.509 user certificates are generated at runtime to enable user principals and credentials to be forwarded from SAP Mobile Platform Server to the back end. Generate a signing certificate for these temporary certificates. |
| Import the SAP Mobile Platform Server technical user certificate into the truststore. | |
| Enabling Principal Propagation on the Fiori Front-End Server | The Fiori front-end server has to trust the temporary user certificates generated by the principal propagation module. |
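The trust relationship behind principal propagation (the mutual SSL item in the setup list and the two "Enabling Principal Propagation" rows above) reduces to three checks on the receiving side: the temporary user certificate must chain to the one signing certificate the front-end server was told to trust, it must be inside its short validity window, and only then is its subject mapped to a user. The following Go program is an added example illustrating that model with the standard library; it is not SAP code and does not use any SAP API. The signing CA, the 10-minute lifetime, and the choice to carry the principal in the subject CN are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newSigningCA builds a self-signed certificate that stands in for the
// principal propagation signing certificate (constructed for this example;
// in a deployment the signing certificate lives in the SMP keystore).
func newSigningCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// issueTemporaryUserCert mimics the runtime step of principal propagation:
// a short-lived end-entity certificate whose subject CN carries the
// authenticated principal, signed by the signing CA. Placing the principal
// in the CN is an assumption of this example, not the SAP DN layout.
func issueTemporaryUserCert(principal string, ttl time.Duration, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial.Add(serial, big.NewInt(1)), // strictly positive serial
		Subject:      pkix.Name{CommonName: principal},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// frontEndPrincipal models the trust decision on the Fiori front-end server:
// accept the certificate only if it chains to the single trusted signing CA
// and is valid at time now, then map the subject to a user name.
func frontEndPrincipal(cert, trustedCA *x509.Certificate, now time.Time) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA) // the only CA the front end trusts for user certs
	if _, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}); err != nil {
		return "", err
	}
	if cert.Subject.CommonName == "" {
		return "", errors.New("certificate carries no principal")
	}
	return cert.Subject.CommonName, nil
}

func main() {
	signingCA, signingKey, err := newSigningCA("SMP Principal Propagation Signing CA")
	if err != nil {
		panic(err)
	}
	userCert, err := issueTemporaryUserCert("jdoe", 10*time.Minute, signingCA, signingKey)
	if err != nil {
		panic(err)
	}
	user, err := frontEndPrincipal(userCert, signingCA, time.Now())
	fmt.Println("mapped principal:", user, "error:", err)
	_, err = frontEndPrincipal(userCert, signingCA, time.Now().Add(time.Hour))
	fmt.Println("same certificate one hour later:", err)
}
```

The point of the two negative paths is what the truststore rows in the table are for: a certificate issued by any CA other than the imported signing certificate is rejected as an unknown authority, and a temporary certificate past its short lifetime is rejected even though its signature is valid, which is why the lifetime of these runtime certificates should be kept short.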