
User Authentication and Single Sign-On (SSO)

Use


Figure 1: System Landscape: User Authentication and Single Sign-On

Overview

The authentication concept for SAP Fiori apps comprises initial user authentication on the ABAP front-end server, followed by authentication of all requests to back-end systems.

Initial Authentication

When a user launches an SAP Fiori app, the launch request is sent from the client to the ABAP front-end server by the SAP Fiori launchpad. During launch, the ABAP front-end server authenticates the user by using one of the supported authentication and single sign-on (SSO) mechanisms. We recommend setting up SSO, thereby enabling users to start SAP Fiori apps using their single, existing credentials. As a fallback option, initial authentication can be based on the users' passwords on the ABAP front-end server. SAP provides a dedicated logon handler for form-based logon. After initial authentication on the ABAP front-end server, a security session is established between the client and the ABAP front-end server.

Authentication for Requests in the Back-End Systems

Once the security session between the client and the ABAP front-end server is established, transactional apps can send OData requests through the ABAP front-end server to the ABAP back-end server. These requests are communicated securely by trusted RFC, and no additional authentication is required.