8/10/2019 OpenSAP Fiori1 Week 04 Securing SAP Fiori UX
Week 4 Unit 1:
Introduction to SAP Fiori UX
Security & Single Sign-On
2014 SAP SE or an SAP affiliate company. All rights reserved 2Public
Introduction to SAP Fiori UX Security & Single Sign-On
SAP Fiori Architecture from a Security & Authentication Perspective
[Figure: SAP Fiori architecture diagram. Labels: Mobile, Desktop; DMZ; Front-End Server; Back-End Server; HTTPS (HTML/OData/INA); Initial Authentication: X.509, SAML 2.0, Logon Tickets, Kerberos / SPNEGO; ABAP Security Session; http(s); trusted RFC; SAP HANA XS]
Introduction to SAP Fiori UX Security & Single Sign-On
So You Thought There Was One Guide That Rules All?
All the guides for security topics are collected in the help pages.
Note that the ABAP stack, the SAP HANA stack, and SAP HANA extended
application services all have specific nodes.
Introduction to SAP Fiori UX Security & Single Sign-On
SAP Fiori Supports Authentication Based On
Kerberos / SPNEGO
X.509 Certificates
SAML 2.0
Logon Tickets
In the next unit we will look at the security aspects of the front-end server.
Introduction to SAP Fiori UX Security & Single Sign-On
Re-Cap
Security Overview
Security Architecture
Information & Guides
Week 4 Unit 2:
Understanding Security on the
SAP Front-End Server
Understanding Security on the SAP Front-End Server
Connecting the Dots
Secure the connection and
communication between the
device and the front-end server.
Secure the communication
between the front-end server and the back-end server.
Understanding Security on the SAP Front-End Server
Setting Up SSO
Application Server ABAP supports
the following user authentication and
single sign-on mechanisms:
User ID and password
Secure Network Communications (SNC)
Logon tickets
SSL and X.509 client certificates
Understanding Security on the SAP Front-End Server
Setting Up Secure Network Connection
Enabling SNC for the ABAP system
Securing an RFC connection with
SNC
Contact information:
open@sap.com
Thank you
Week 4 Unit 3:
Understanding Security on the
SAP Back-End Server
Understanding Security on the SAP Back-End Server
Connecting the Dots
Requests to the ABAP back-end
server
(transactional apps and fact sheets)
Requests to SAP HANA extended
application services
(analytical apps)
[Figure: architecture diagram. Labels: Mobile, Desktop; DMZ; Front-End Server; Back-End Server; http(s); trusted RFC; SAP HANA XS]
Understanding Security on the SAP Back-End Server
Securing the ABAP Back End
The SAP NetWeaver Security
Guide
User Administration and
Authentication
Network and Communication
Security
Operating System and Database
Platforms
http://help.sap.com/saphelp_nw74/helpdata/en/4a/af6fd65e233893e10000000a42189c/content.htm?current_toc=/en/f3/780118b9cd48c7a668c60c3f8c4030/plain.htm&show_children=true
Understanding Security on the SAP Back-End Server
Re-Cap
Back-end related security
topics
Different types of calls and
routes to the back-end
Guides and information
In the next unit we will review the single sign-on options in SAP Fiori in
some detail.
Review the Single Sign-On Options
An Overview
SSO with
SAML 2.0
SSO2 tokens
X.509
Kerberos / SPNEGO
Review the Single Sign-On Options
SSO with SAML 2.0
Requires a SAML Identity Provider
Federation capabilities
User mapping capabilities based on
identity attributes
Enables single logout (SLO)
Protects authentication information
with encryption or with opaque IDs
Review the Single Sign-On Options
SSO with SSO2
In our case, the front-end
server can connect to:
SAP ERP
SAP Business Suite
powered by SAP HANA
SAP HANA XS
Ticket-based authentication
is supported natively
The cookie is called
mysapsso2
Digitally signed by the
issuing server
Review the Single Sign-On Options
SSO with X.509
Transactional apps
Set up the X.509 certificate
authentication for the front-end server
Fact sheet apps
Set up the X.509 certificate
authentication for the front-end server
and back-end server
SAP Smart Business apps
Set up the X.509 certificate
authentication for the front-end server
and SAP HANA extended application
services
In the next unit you will work with me on an exercise covering these topics.
Review the Single Sign-On Options
Re-Cap
SSO overview
Various SSO options
Capabilities and characteristics
2014 SAP SE or an SAP affiliate company.
All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an
SAP affiliate company.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE
(or an SAP affiliate company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional
trademark information and notices.
Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.
National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind,
and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or
SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and
services, if any. Nothing herein should be construed as constituting an additional warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related
presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE's or its affiliated
companies' strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be
changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment,
promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking
statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.