If you have implemented a public-key infrastructure (PKI) for user authentication in your organization, you can use X.509 certificates by configuring the required back-end systems (ABAP or SAP HANA) to accept X.509 certificates.
Authentication with X.509 certificates provides the following advantages:
It does not require an issuing system during logon, which means that it works well in internet-facing scenarios.
It is also supported for logon to the SAP GUI. Using X.509 certificates for both SAP GUI and HTTP access simplifies the Single Sign-On setup within your system landscape.
X.509 certificates must be distributed to the workstations and devices that are used to access SAP Fiori apps. For mobile devices, this distribution can be performed centrally by a mobile device management software, for example SAP Afaria.
As X.509 certificates remain valid for a relatively long time, we recommend that you minimize the security risk by implementing a method to revoke the certificates, for example if a mobile device is lost.