To transfer application data and security credentials within your SAP Fiori system landscape, you must establish secure network communication and trust between the following components:
SAP Fiori Client
SAP Web Dispatcher
SAP Mobile Platform Server
SAP Fiori Front-End Server
Secure communication is established by using HTTP over Secure Sockets Layer (HTTPS), which relies on the X.509 public key infrastructure (PKI). SSL provides data encryption, message integrity, server authentication, and optional client authentication for a TCP/IP connection.
Note
This section describes how to establish secure network communication and set up trust between the components in a scenario with SAP Mobile Platform Server (on-premise).
For information about SAP HANA Cloud Platform mobile services, see the SAP HANA Cloud Platform mobile services documentation at https://help.hana.ondemand.com/hana_cloud_platform_mobile_services/frameset.htm.
Note
Although you can use any supported reverse proxy (see SAP Note 1904213), these instructions only cover SAP Web Dispatcher. If you use any other reverse proxy, see the manufacturer documentation for more information.
In one-way SSL, the server presents a certificate to the client to prove its identity. To establish the SSL connection, the client must authenticate the server, but the server does not require the client to prove its identity. In mutual SSL, the server presents a certificate to the client and the client presents a certificate to the server. Both the client and the server must validate the identity of the other before the SSL connection is established.
Depending on how you authenticate users, you have to set up either one-way or mutual SSL between components. For example:
Authentication Provider | SSL Setup | SSO Configuration |
---|---|---|
Basic authentication over HTTPS | Set up one-way SSL from the Fiori Client to the Fiori front-end server. | |
X.509 user certificates | Set up mutual SSL between each component, all the way from the Fiori Client to the Fiori front-end server. Note: Currently only SAP Afaria is supported for provisioning X.509 user certificates to client devices. | |
SAML2 and principal propagation | If you use SAML 2.0 to authenticate users, you can add the principal propagation module to forward the user principals and credentials to the back end. The SSL setup is as follows: | |
Note
About Principal Propagation: Except for X.509 user certificates, if you use any login module in SAP Mobile Platform Server that can authenticate users and establish a subject name (such as SAML2), you can add the Principal Propagation module to forward the user principals and credentials to the back end. In this case, you must establish mutual SSL between SAP Mobile Platform Server and the back end, and choose X.509 as the SSO mechanism to the back end.
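As an added example that is not part of this page or of SAP's own documentation, the following SAP Web Dispatcher profile fragment contrasts the one-way setup used for basic authentication over HTTPS with the mutual setup required for X.509 user certificates, on both the inbound hop from the Fiori Client and the outbound hop to SAP Mobile Platform Server. The port number, PSE file names and the choice of hop are assumptions; the parameter names are standard ICM/Web Dispatcher profile parameters.

```ini
# --- Inbound hop: SAP Fiori Client -> SAP Web Dispatcher ---
# One-way SSL (basic authentication over HTTPS): the Web Dispatcher presents
# its server certificate and does not ask the client for one (VCLIENT=0).
#   icm/server_port_0 = PROT=HTTPS,PORT=44300,VCLIENT=0

# Mutual SSL (X.509 user certificates): the Web Dispatcher requires and
# verifies a client certificate during the handshake (VCLIENT=2). The CA that
# issued the user certificates must be in the server PSE's certificate list,
# otherwise the handshake fails and the user is rejected.
icm/server_port_0 = PROT=HTTPS,PORT=44300,VCLIENT=2
ssl/server_pse    = $(DIR_INSTANCE)/sec/SAPSSLS.pse   # assumed server PSE path

# --- Outbound hop: SAP Web Dispatcher -> SAP Mobile Platform Server ---
# Mutual SSL on this hop as well: always re-encrypt towards the back end
# (wdisp/ssl_encrypt = 2), verify the back-end server certificate and present
# the Web Dispatcher's own client certificate (wdisp/ssl_auth = 2).
wdisp/ssl_encrypt = 2
wdisp/ssl_auth    = 2
wdisp/ssl_cred    = $(DIR_INSTANCE)/sec/SAPSSLC.pse   # assumed client PSE path

# The end user's certificate was verified at the Web Dispatcher; forward it in
# a request header so the next hop can still identify the user. The receiving
# system must be configured to trust certificates forwarded by this Web
# Dispatcher, otherwise a spoofed header could impersonate a user.
icm/HTTPS/forward_ccert_as_header = true
```

Leaving VCLIENT at 0 while enabling the forwarded-certificate header is the combination to avoid: the back end would then trust a user identity that no component in the chain actually verified.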