Show TOC

User Authentication and Single Sign-On (SSO)Locate this document in the navigation structure

Use


Figure 1: System Landscape: User Authentication and Single Sign-On
Overview

The authentication concept for SAP Fiori apps comprises initial user authentication on the ABAP front-end server, followed by authentication of all requests to back-end systems.

Initial Authentication

When a user launches an SAP Fiori app, the launch request is sent from the client to the ABAP front-end server by the SAP Fiori launchpad. During launch, the ABAP front-end server authenticates the user by using one of the supported authentication and single sign-on (SSO) mechanisms. We recommend setting up SSO, thereby enabling users to start SAP Fiori apps using their single, existing credentials. As a fallback option, initial authentication can be based on the users' passwords on the ABAP front-end server. SAP provides a dedicated logon handler for form-based logon. After initial authentication on the ABAP front-end server, a security session is established between the client and the ABAP front-end server.

Authentication for Requests in the Back-End Systems

After initial authentication on the ABAP front-end server, the SAP Fiori apps and the SAP Fiori launchpad can send requests to the ABAP back-end server. For these requests to back-end servers, additional configuration of SSO mechanisms for authentication may be required.

  • Requests to the ABAP back-end server (transactional apps and fact sheets)

    Transactional apps and fact sheets send OData requests through the ABAP front-end server towards the ABAP back-end server. After initial authentication, a security session is established between the client and the ABAP front-end server. OData requests towards the ABAP back-end server are then communicated securely by trusted RFC.

    For search in SAP Fiori Launchpad, fact sheets also send InA search requests from the client to the ABAP back-end server. These requests can be authenticated with Kerberos/SPNego, X.509 certificates, or logon tickets. You can configure the ABAP front-end server to issue logon tickets after initial authentication, or you can use your existing portal to do so.