Setting Up SSO for SAP Fiori Landscapes with SAP HANA XS

Use

For SAP Fiori landscapes with SAP HANA XS, you must configure an SSO mechanism for initial authentication on the ABAP front-end server. For requests to back-end servers, additional authentication is required for requests to SAP HANA XS. Any requests to back-end ABAP systems are communicated securely by trusted RFC.

For fact sheets, you must additionally configure an SSO mechanism for authentication of InA search requests sent from the client to the ABAP back-end server.

Note

From SAP NetWeaver 7.4 Support Package 6, you can perform setup tasks for SAP Fiori by using task lists that SAP delivers. A task list groups configuration tasks logically and guides you through the necessary tasks.

For an overview of all task lists and tasks for SAP Fiori, see Configuration Using Task Lists.

The following task list applies for this step:

SAP_SAP2GATEWAY_TRUSTED_CONFIG

Procedure

To set up single sign-on for a system landscape with SAP HANA XS, proceed as follows:

Configure initial authentication on the ABAP front-end server.
For transactional apps and fact sheets, configure authentication for requests to the ABAP back-end server:
- Configure a trusted RFC connection between the ABAP front-end server and the ABAP back-end server.
- For search in the SAP Fiori launchpad, configure authentication in the back-end server, which processes the search requests. Requests can be authenticated with Kerberos/SPNego, X.509 certificates, or logon tickets. You can configure the ABAP front-end server to issue logon tickets after initial authentication, or you can use your existing portal to do so.
For analytical apps, configure authentication for requests to SAP HANA XS. Requests can be authenticated with Kerberos/SPNego, X.509 certificates, or logon tickets. You can configure the ABAP front-end server to issue logon tickets after initial authentication, or you can use your existing portal to do so.
- Maintain the SAP HANA trust store.
- Maintain the internal SAP Web Dispatcher profile for SAP HANA XS.
  
  Note
  The SAP Web Dispatcher referred to here is internal to SAP HANA XS and not the SAP Web Dispatcher included in the SAP Fiori system landscape.
- Configure trust relationships.
- Maintain the SSO provider for SAP HANA XS.
To configure user authentication methods for SAP HANA XS, you use the XS Applications tool of the Web-based SAP HANA XS Administration Tool. We recommend configuring user authentication methods for the following packages, which contain the content necessary for the applications:
- sap.hba.apps
- sap.hba.r
Note
The authentication methods specified for these packages also apply to any subpackages.

More Information

For more information about specific SSO mechanisms for authentication, see Single Sign-On Mechanisms for SAP Fiori Apps.
For more information about how to set up a trusted RFC, see:
- For SAP NetWeaver 7.31: http://help.sap.com/nw731 Security Guide Security Guides for Connectivity and Interoperability Technologies RFC/ICF Security Guide RFC Scenarios .
- For SAP NetWeaver 7.4: http://help.sap.com/nw74 Security Guide Security Guides for Connectivity and Interoperability Technologies RFC/ICF Security Guide RFC Scenarios .
For more information about configuring SAP Fiori search, see SAP Fiori Search.
For more information about configuring SSO for SAP HANA XS, see the SAP HANA Security Guide and the SAP HANA Administration Guide at http://help.sap.com/hana_platform System Administration SAP HANA Administration Guide SAP HANA XS Administration Tools Maintaining Single Sign-On for SAP HANA XS Applications .