
Securing Communication Channels

To transfer application data and security credentials within your SAP Fiori system landscape, you must establish secure network communication and trust between the following components:

  • SAP Fiori Client

  • SAP Web Dispatcher

  • SAP Mobile Platform Server

  • SAP Fiori Front-End Server

Secure communication is established by using HTTP over Secure Sockets Layer (HTTPS), which relies on the X.509 public key infrastructure (PKI). SSL provides data encryption, message integrity, server authentication, and optional client authentication for a TCP/IP connection.

Note

This section describes how to establish secure network communication and set up trust between the components in a scenario with SAP Mobile Platform Server (on-premise).

For information about SAP HANA Cloud Platform mobile services, see the SAP HANA Cloud Platform mobile services documentation at https://help.hana.ondemand.com/hana_cloud_platform_mobile_services/frameset.htm (information published on SAP site).

Note

Although you can use any supported reverse proxy (see SAP Note 1904213, information published on SAP site), these instructions only cover SAP Web Dispatcher. If you use any other reverse proxy, see the manufacturer documentation for more information.

One-Way SSL vs Mutual SSL

In one-way SSL, the server presents a certificate to the client to prove its identity. To establish the SSL connection, the client must authenticate the server, but the server accepts any client into the connection. In mutual SSL, the server presents a certificate to the client and the client presents a certificate to the server. Both the client and the server must validate the identity of the other to establish the SSL connection.
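To make the distinction concrete, the following added Go example (not code from SAP or from this guide; the host names and the self-signed certificates are constructed for the example) runs a TLS handshake over an in-memory pipe under both policies: with one-way SSL the server accepts a client that presents no certificate, while with mutual SSL it rejects that client and accepts only a client whose certificate is in its trust store.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// ServerCert and ClientCert are throwaway self-signed certificates; the host names are constructed for this example.
var ServerCert, ClientCert = selfSigned("fiori-frontend.example"), selfSigned("fiori-client.example")

func selfSigned(host string) tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv) // template is its own parent: self-signed
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}

// Handshake runs one TLS handshake over an in-memory pipe. serverAuth is the server's policy (one-way SSL:
// tls.NoClientCert, mutual SSL: tls.RequireAndVerifyClientCert); clientCerts is what the client can present.
func Handshake(serverAuth tls.ClientAuthType, clientCerts ...tls.Certificate) error {
	trustServer, trustClient := x509.NewCertPool(), x509.NewCertPool()
	trustServer.AddCert(ServerCert.Leaf) // the client's trust store: it must validate the server's certificate
	trustClient.AddCert(ClientCert.Leaf) // the server's trust store, consulted only when it requests a client certificate
	srvCfg := &tls.Config{Certificates: []tls.Certificate{ServerCert}, ClientAuth: serverAuth, ClientCAs: trustClient,
		SessionTicketsDisabled: true} // no ticket records after Finished, so neither side writes while the other still has unread data
	cliCfg := &tls.Config{RootCAs: trustServer, ServerName: "fiori-frontend.example", Certificates: clientCerts}
	srvEnd, cliEnd := net.Pipe() // synchronous in-memory connection: no sockets needed
	cliEnd.SetDeadline(time.Now().Add(5 * time.Second)) // a stuck pipe becomes an error instead of a hang
	go func() {
		defer srvEnd.Close()
		if srv := tls.Server(srvEnd, srvCfg); srv.Handshake() == nil {
			srv.Write([]byte("ok")) // first application data after a successful handshake
		}
	}()
	// Read runs the client handshake first; under TLS 1.3 that can finish before the server has judged a missing certificate, so the verdict arrives next: "ok" or the server's alert as an error.
	_, err := tls.Client(cliEnd, cliCfg).Read(make([]byte, 2))
	return err
}
```

Handshake(tls.NoClientCert) and Handshake(tls.RequireAndVerifyClientCert, ClientCert) return nil, while Handshake(tls.RequireAndVerifyClientCert) with no client certificate returns the server's bad-certificate alert as an error.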

Depending on how you authenticate users, you have to set up either one-way or mutual SSL between components. For example:

Authentication Provider: Basic authentication over HTTPS
SSL Setup: Set up one-way SSL from the Fiori Client to the Fiori front-end server.
SSO Configuration: SSO with Basic Authentication

Authentication Provider: X.509 user certificates
SSL Setup: Set up mutual SSL between each component, all the way from the Fiori Client to the Fiori front-end server.
Note: Currently only SAP Afaria is supported for provisioning X.509 user certificates to client devices.
SSO Configuration: SSO with X.509 Authentication

Authentication Provider: SAML2 and principal propagation
SSL Setup: If you use SAML 2.0 to authenticate users, you can add the principal propagation module to forward the user principals and credentials to the back end. The SSL setup is as follows:

  • Set up one-way SSL between SAP Fiori Client, SAP Web Dispatcher, and SAP Mobile Platform Server.

  • Set up mutual SSL between SAP Mobile Platform Server and the Fiori front-end server. Mutual SSL is required between these components because the user principals and credentials are forwarded from SAP Mobile Platform Server to the back end through a process called principal propagation, in which temporary X.509 certificates are generated to be used on the Fiori front-end server. User mapping then takes place in the Fiori front-end server.

SSO Configuration: SSO with SAML2 Authentication

Note

About principal propagation: Except for X.509 user certificates, if you use any login module in SAP Mobile Platform Server that can authenticate users and establish a subject name (such as SAML2), you can add the Principal Propagation module to forward the user principals and credentials to the back end. In this case, you must establish mutual SSL between SAP Mobile Platform Server and the back end, and choose X.509 as the SSO mechanism to the back end.