Show TOC

User Authentication and Single Sign-On Locate this document in the navigation structure

Initial Authentication

When a user launches an SAP Fiori app, the launch request is sent from the client to the ABAP front-end server by the SAP Fiori Launchpad. During launch, the ABAP front-end server authenticates the user. To authenticate the user, the ABAP front-end server uses the authentication and single sign-on (SSO) mechanisms provided by SAP NetWeaver, in particular:

  • X.509 certificates

    If you have implemented a PKI infrastructure for user authentication in your organization, you can use X.509 certificates by configuring the required back-end systems to accept X.509 certificates.

  • SAP logon tickets

    For SAP logon tickets, you must configure the ABAP front-end server to issue SAP logon tickets. Alternatively, you can use an existing system, such as a portal, in your landscape that already issues logon tickets. In addition, you must configure the required back-end systems to accept SAP logon tickets. You must also ensure that users in the ABAP systems have the same user names.

  • SAML 2.0

    If you have implemented the security assertion markup language (SAML) version 2.0 as the method of SSO within your organization, you can configure the ABAP front-end server for use with SAML 2.0.

Authentication Requests in the Back-End Systems

After initial authentication on the ABAP front-end server, a security session is established between the client and the ABAP front-end server. The SAP Fiori apps and the SAP Fiori Launchpad can then send OData requests to the ABAP back-end server. These requests are communicated securely by trusted RFC.

Note Note

You must set up a trusted RFC between SAP NetWeaver Gateway and the ABAP back-end server.

End of the note.

More Information

For information about how to set up a trusted RFC, see   Security Guide   Security Guides for Connectivity and Interoperability Technologies   RFC/ICF Security Guide   RFC Scenarios  .

For information about configuring user authentication and SSO on the ABAP front-end server, see   Application Help   Function-Oriented View   Security   User Authentication and Single Sign-On   Authentication on the AS ABAP  .