
Page 1: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

SAP Fiori

Overview of SSL + SAML 2.0 Configuration

Page 2: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

SAP Fiori and SSL + SAML 2.0

A Typical Connection Scenario

Page 3: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

© 2013 SAP AG. All rights reserved. 3

SAP Fiori Apps: A Typical Use Case

A typical use case for SAP Fiori apps is one where access should be granted from the public internet.

In this case, single sign-on can be implemented using SAML 2.0 based authentication in conjunction with IdP (Identity Provider) software such as SAP IDP, Ping Federate or Microsoft’s Active Directory Federation Services (AD FS).

The user will need to authenticate themselves in a process known as Service Provider based authentication.

[Diagram: Public Internet | Corporate DMZ (Proxy) | Internal Corporate Network (SAP NW Gateway, SAP ECC, SAML 2.0 IdP)]

Page 4: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

Authentication Flow: 1/11

The client sends a request to SAP NW Gateway via a proxy server.

This request could be either unauthenticated or expired (due to a timeout).

The request issued by the client refers to an external URL for the SAP Fiori app that is specific to the particular customer’s situation.

[Diagram: Public Internet | Corporate DMZ (Proxy) | Internal Corporate Network (SAP NW Gateway, SAP ECC, SAML 2.0 IdP). Step 1: unauthenticated access request from the client to the proxy.]

Page 5: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

Authentication Flow: 2/11

The proxy rewrites the URL to its internal equivalent and forwards the request to SAP NW Gateway.

[Diagram: Public Internet | Corporate DMZ (Proxy) | Internal Corporate Network (SAP NW Gateway, SAP ECC, SAML 2.0 IdP). Step 2: URL rewritten and forwarded by the proxy to SAP NW Gateway.]

Page 6: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

Authentication Flow: 3/11

SAP NW Gateway recognises that the request is unauthenticated and could respond in one of two ways: either using an HTTP POST or an HTTP 302 redirect. In the case shown here, an HTTP 302 redirect is being used. Either way, the Gateway server responds to the client by saying:

“I don’t know who you are; go talk to the SAML 2.0 IdP server”

All URLs passing through the proxy server (in either direction) are rewritten as required.

[Diagram: Public Internet | Corporate DMZ (Proxy) | Internal Corporate Network (SAP NW Gateway, SAP ECC, SAML 2.0 IdP). Step 3: HTTP 302 redirect from SAP NW Gateway back to the client via the proxy.]

Page 7: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

Authentication Flow: 4/11

The client follows the HTTP 302 redirect URL, and sends the request to the SAML 2.0 IdP server.

In this case, the SAML 2.0 IdP server is located behind the firewall, so the IdP request goes through the proxy. However, if the SAML 2.0 IdP server is cloud based (i.e. publicly available), it would be a direct request.

[Diagram: Public Internet | Corporate DMZ (Proxy) | Internal Corporate Network (SAP NW Gateway, SAP ECC, SAML 2.0 IdP). Step 4: the client follows the HTTP 302 redirect to the SAML 2.0 IdP via the proxy.]

Page 8: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

Authentication Flow: 5/11

The SAML 2.0 IdP server challenges the client to identify itself.

At this point, the SAML 2.0 IdP server can be configured to accept whatever form of authentication is required by the customer’s security standards – for instance, basic authentication, a form or an X.509 certificate.

[Diagram: Public Internet | Corporate DMZ (Proxy) | Internal Corporate Network (SAP NW Gateway, SAP ECC, SAML 2.0 IdP). Step 5: “Who are you?” challenge from the SAML 2.0 IdP to the client via the proxy.]

Page 9: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

Authentication Flow: 6/11

The client responds by supplying the required credentials – for instance, an X.509 certificate.

[Diagram: Public Internet | Corporate DMZ (Proxy) | Internal Corporate Network (SAP NW Gateway, SAP ECC, SAML 2.0 IdP). Step 6: “I am… (X.509 certificate)” response from the client to the SAML 2.0 IdP via the proxy.]

Page 10: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

Authentication Flow: 7/11

If the SAML 2.0 IdP server determines the user credentials to be valid, it responds with another HTTP 302 to redirect the client back to the Gateway server; however, this response now additionally carries a SAML artifact.

[Diagram: Public Internet | Corporate DMZ (Proxy) | Internal Corporate Network (SAP NW Gateway, SAP ECC, SAML 2.0 IdP). Step 7: HTTP 302 redirect + SAML artifact from the SAML 2.0 IdP to the client via the proxy.]

Page 11: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

Authentication Flow: 8/11

The client follows the HTTP 302 redirect URL and, in doing so, passes the SAML artifact back to the Gateway server.

[Diagram: Public Internet | Corporate DMZ (Proxy) | Internal Corporate Network (SAP NW Gateway, SAP ECC, SAML 2.0 IdP). Step 8: access request + SAML artifact from the client to SAP NW Gateway via the proxy.]

Page 12: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

Authentication Flow: 9/11

In order to double-check the validity of the SAML artifact, the Gateway server sends it back to the SAML 2.0 IdP server for resolution as a back-channel Web Service (SOAP) request. Here, the Gateway server is saying to the SAML 2.0 IdP server:

"I've just received a SAML artifact that claims to have come from you. Did you really create this artifact?"

This type of double-check is designed to prevent third parties from spoofing SAML artifacts.

[Diagram: Public Internet | Corporate DMZ (Proxy) | Internal Corporate Network (SAP NW Gateway, SAP ECC, SAML 2.0 IdP). Step 9: “Resolve artifact” back-channel request from SAP NW Gateway to the SAML 2.0 IdP.]

Page 13: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

Authentication Flow: 10/11

The SAML 2.0 IdP server resolves the artifact and returns an assertion that says:

"Yes, the artifact came from me and it identifies user such-and-such"

SAP NW Gateway then validates the user name in the assertion and, if successful, the user's request is considered authentic and an ABAP session is created.

[Diagram: Public Internet | Corporate DMZ (Proxy) | Internal Corporate Network (SAP NW Gateway, SAP ECC, SAML 2.0 IdP). Step 10: SAML assertion returned from the SAML 2.0 IdP to SAP NW Gateway.]

Page 14: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

Authentication Flow: 11/11

The OData service in SAP NW Gateway now starts and sends data to the client.

From this point onwards, the SAML 2.0 IdP server takes no further part in communication between the client and the SAP NW Gateway server.

Once the user either explicitly logs off, closes their browser window or allows their session to time out, any further client requests will be considered unauthenticated and the whole authentication flow described in the preceding slides will be repeated.

[Diagram: Public Internet | Corporate DMZ (Proxy) | Internal Corporate Network (SAP NW Gateway, SAP ECC, SAML 2.0 IdP). Step 11: OData data from SAP NW Gateway to the client via the proxy.]
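The eleven steps above as an added, runnable Python simulation (this is not code from the slides or from SAP): a stand-in IdP that mints single-use artifacts and answers the back-channel resolution of step 9, and a stand-in service provider playing the part of SAP NW Gateway. Hostnames, paths, the user JSMITH and its credential string are constructed, and the credential check stands in for the X.509 verification of step 6. The run also shows what the double-check buys: an artifact the IdP never issued, or one presented a second time, is refused.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample values (assumptions for this example, not taken from the slides).
IDP_ENTITY_ID = "https://sso.example.test/idp"
IDP_SSO_URL = IDP_ENTITY_ID + "/SSO.saml2"
SP_ACS_URL = "https://gateway.example.test/sap/saml2/sp/acs/100"
APP_PATH = "/sap/opu/odata/sap/EXAMPLE_SRV/"     # placeholder OData service path


class IdentityProvider:
    """Stand-in for the SAML 2.0 IdP: checks the client's credential (steps 5-6),
    mints a single-use artifact (step 7) and answers back-channel resolution (9-10)."""

    def __init__(self, credentials):
        self.credentials = credentials   # username -> expected credential (constructed)
        self._pending = {}               # artifact -> assertion, removed once resolved

    def login(self, username, credential, relay_state):
        """Step 7: on valid credentials return the HTTP 302 Location back to the SP's
        ACS endpoint, carrying SAMLart and the untouched RelayState; else None."""
        if self.credentials.get(username) != credential:
            return None
        artifact = secrets.token_urlsafe(32)          # unguessable handle, not an identity
        self._pending[artifact] = {"issuer": IDP_ENTITY_ID, "name_id": username}
        return SP_ACS_URL + "?" + urlencode({"SAMLart": artifact, "RelayState": relay_state})

    def resolve(self, artifact):
        """Steps 9-10: only artifacts this IdP minted are answered, and each only once."""
        return self._pending.pop(artifact, None)


class ServiceProvider:
    """Stand-in for SAP NW Gateway as SAML 2.0 service provider (HTTP-Artifact binding)."""

    def __init__(self, idp, known_users):
        self.idp = idp                    # back channel (SOAP in the real flow) to the IdP
        self.known_users = known_users    # SAP user IDs that exist on the Gateway
        self.sessions = {}                # session cookie -> SAP user

    def request(self, app_path, session=None):
        """Steps 1-3: with a valid session the app runs; otherwise answer HTTP 302 to
        the IdP, with RelayState remembering which app to run after authentication."""
        if session in self.sessions:
            return ("200", self.sessions[session], app_path)
        return ("302", IDP_SSO_URL + "?" + urlencode({"RelayState": app_path}), None)

    def acs(self, location):
        """Steps 8-10: take the artifact from the redirect, resolve it over the back
        channel, validate the assertion, then open the session (step 11)."""
        q = parse_qs(urlparse(location).query)
        artifact = q.get("SAMLart", [None])[0]
        relay_state = q.get("RelayState", [None])[0]
        assertion = self.idp.resolve(artifact) if artifact else None
        if assertion is None:
            return ("401", "artifact unknown to the IdP (forged or already used)", None)
        if assertion["issuer"] != IDP_ENTITY_ID:
            return ("401", "assertion from an untrusted issuer", None)
        user = assertion["name_id"]       # NameID format "Unspecified": taken as-is
        if user not in self.known_users:
            return ("401", "no SAP user matches NameID " + user, None)
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = user
        return ("302", relay_state, cookie)   # client continues to the requested app


def run_flow():
    """Drive the full exchange once, then try a replayed and a forged artifact."""
    idp = IdentityProvider({"JSMITH": "x509-cert-ok"})   # constructed user + credential
    sp = ServiceProvider(idp, known_users={"JSMITH"})
    status, location, _ = sp.request(APP_PATH)                       # steps 1-3
    relay = parse_qs(urlparse(location).query)["RelayState"][0]
    back = idp.login("JSMITH", "x509-cert-ok", relay)                # steps 4-7
    status2, target, cookie = sp.acs(back)                           # steps 8-10
    replay = sp.acs(back)                                            # same artifact twice
    forged = sp.acs(SP_ACS_URL + "?" + urlencode({"SAMLart": "AAAA", "RelayState": relay}))
    after = sp.request(APP_PATH, session=cookie)                     # step 11 onwards
    return {
        "redirect_to_idp": status == "302" and location.startswith(IDP_SSO_URL),
        "login_ok": status2 == "302" and target == APP_PATH,
        "session_user": after[1],
        "replay_rejected": replay[0] == "401",
        "forged_rejected": forged[0] == "401",
        "bad_credentials_rejected": idp.login("JSMITH", "wrong", relay) is None,
    }


if __name__ == "__main__":
    for name, value in run_flow().items():
        print(f"{name}: {value}")
```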

Page 15: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

SSL + SAML 2.0 Configuration

Configuration steps needed to implement this particular scenario

Caveat:

The instructions in the following section of this presentation are not intended to act as a cookbook or how-to guide. Instead, they provide an overview of the steps performed during an SAP Fiori implementation and links to the standard SAP Help Portal information on each of the relevant topics.

Page 16: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

Outline of Configuration Steps

The following configuration steps need to be performed in the SAP NetWeaver AS ABAP server acting as the Gateway hub:

1. Set up SSL communication: Enable the web server within SAP NW AS ABAP to communicate using the Secure Sockets Layer. This allows all HTTP based communication with the server to be encrypted.

2. Perform SAML 2.0 configuration: This configuration defines how SAP NW Gateway and the external SAML 2.0 IdP server should communicate with each other, and should only be performed once the SSL configuration has been successfully completed.

3. Perform proxy configuration: The proxy used to protect access to the corporate network must be configured to rewrite at least the fully qualified hostname and port number contained within all HTTP traffic passing between the SAP NW Gateway server and the client device running the SAP Fiori application.

Page 17: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

SSL Configuration

Enabling SAP NW Gateway to use the Secure Sockets Layer (HTTPS)

Page 18: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

SSL Configuration

Instructions for installing the cryptographic libraries and configuring SSL on a NetWeaver AS ABAP can be found in the SAP Help Portal. Once the cryptographic libraries are installed and the kernel profile parameters modified (examples shown below), you must bounce the AS ABAP server.

[Screenshot of the profile parameters; callout: Notice that the standard HTTPS port number of 443 is being used]

Page 19: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

Using Port Numbers Less Than 1024

The standard port number for unencrypted HTTP communication is 80, and for encrypted HTTP communication using the Secure Sockets Layer it is 443.

However, for security reasons, all variants of the Unix operating system prevent any process from binding to a port number less than 1024 – unless that process has super user (root) authority.

If you wish your AS ABAP server to use the default port numbers for HTTP and HTTPS communication, you must use an SAP delivered program called icmbnd. This privileged program binds to port numbers less than 1024, then returns the listening socket to the SAP server instance. In this way, it acts as a proxy through which the SAP instance can communicate on those ports.

In this case, we are concerned only with the configuration for port 443.

1. In directory /usr/sap/<SID>/SYS/exe/run, change the ownership of program icmbnd using the command chown root:sapsys icmbnd

2. Check that the profile parameter for your web server is set in the instance profile. In this case, the value is icm/server_port_1 = PROT=HTTPS,PORT=443,TIMEOUT=30,EXTBIND=1

3. Restart the SAP server instance

Page 20: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

SSL Kernel Profile Parameters – What not to do!

Commonly used profile parameter values (such as path names) can be defined as variables and then referenced as part of other profile parameter values, e.g.

DIR_INSTANCE = /usr/sap/DG9/DVEBMGS15
DIR_EXECUTABLE = $(DIR_INSTANCE)/exe

Therefore, when configuring the path name to the SSL encryption library, it might seem logical to do the following:

ssl/ssl_lib = $(DIR_EXECUTABLE)/libsapcrypto.so

Unfortunately, this does not work as expected.

The variable reference $(DIR_EXECUTABLE) in the value of parameter ssl/ssl_lib is not evaluated. Consequently, when the NW Gateway system is restarted, you’ll find that you are unable to log on with a normal user, because this erroneous configuration has invalidated the system’s license!
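An added Python check (not from the slides or from SAP) for the two pitfalls on slides 19 and 20: it parses an instance profile, flags icm/server_port_N entries that use a port below 1024 without EXTBIND=1, and flags a $(...) reference in ssl/ssl_lib, reporting the expanded literal path. Only icm/server_port_1 and the two DIR_* lines of the sample profile come from the slides; the other lines are constructed, and writing the fully expanded path into ssl/ssl_lib is this example's assumption about the remedy.

```python
import re

# Constructed instance-profile excerpt. Only icm/server_port_1 and the two DIR_*
# lines appear on the slides; the remaining lines are made up for this example.
SAMPLE_PROFILE = """\
SAPSYSTEMNAME = DG9
DIR_INSTANCE = /usr/sap/DG9/DVEBMGS15
DIR_EXECUTABLE = $(DIR_INSTANCE)/exe
icm/server_port_0 = PROT=HTTP,PORT=8015
icm/server_port_1 = PROT=HTTPS,PORT=443,TIMEOUT=30,EXTBIND=1
icm/server_port_2 = PROT=HTTPS,PORT=444
ssl/ssl_lib = $(DIR_EXECUTABLE)/libsapcrypto.so
"""

VAR_REF = re.compile(r"\$\(([^)]+)\)")   # matches $(NAME) in a parameter value


def parse_profile(text):
    """'KEY = value' lines to a dict; '#' comments and blank lines are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params


def expand(value, params, depth=0):
    """Resolve $(NAME) references against the profile, recursively; unknown names stay."""
    if depth > 10:
        raise ValueError("variable reference loop in " + value)

    def sub(match):
        name = match.group(1)
        return expand(params[name], params, depth + 1) if name in params else match.group(0)

    return VAR_REF.sub(sub, value)


def port_spec(value):
    """'PROT=HTTPS,PORT=443,EXTBIND=1' -> {'PROT': 'HTTPS', 'PORT': '443', 'EXTBIND': '1'}"""
    return dict(item.split("=", 1) for item in value.split(",") if "=" in item)


def check_profile(params):
    """Return (parameter, message) findings for the pitfalls described on slides 19 and 20."""
    findings = []
    for key, value in params.items():
        if key.startswith("icm/server_port_"):
            spec = port_spec(value)
            port = int(spec.get("PORT", "0"))
            # Slide 19: a port below 1024 needs icmbnd, which the ICM uses only with EXTBIND=1.
            if 0 < port < 1024 and spec.get("EXTBIND") != "1":
                findings.append((key, f"port {port} is below 1024 but EXTBIND=1 is not set; "
                                      "a non-root instance cannot bind it without icmbnd"))
        elif key == "ssl/ssl_lib" and VAR_REF.search(value):
            # Slide 20: $(...) is not evaluated in this parameter; suggest the literal path.
            findings.append((key, "value contains a $(...) reference, which is not evaluated "
                                  "for this parameter; use the literal path " + expand(value, params)))
    return findings


if __name__ == "__main__":
    for param, message in check_profile(parse_profile(SAMPLE_PROFILE)):
        print(f"{param}: {message}")
```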

Page 21: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

PSEs and Certificates – Overview

Transaction STRUST is used to manage the configuration of your system’s SSL certificates and the secure containers within which they are stored (known as PSEs).

A Personal Security Environment (PSE) is a secure, operating system level file, managed by an SAP system, that holds both the public and private information of either a user or a component. This information includes the owner’s public-key certificate, a private address book of certificates and their private key.

Each component within an SAP system that requires the use of SSL based communication typically has its own PSE.

Each PSE can contain a list of trusted certificates that will be used during communication with a particular secure server.

Page 22: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

PSEs and Certificates – Check SSL Library Versions

In transaction STRUST, select the menu option Environment → Display SSF Version.

At the time of writing this presentation (May, 2013), the latest version is 1.555 patch level 34.

Page 23: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

PSEs and Certificates – 1/5

The first PSE to create is the “System PSE”.

[Screenshot callout: The “Own Certificate” held in this PSE is used only for the generation of SSO2 cookies.]

Page 24: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

PSEs and Certificates – 2/5

Next, create the “SSL Server Standard” PSE. This is the PSE that holds your SSL server’s certificate.

[Screenshot callout: The Canonical Name by which this SSL server is known: CN=*.blahblah.com, OU=I0029244232, OU=SAP Web AS]

Page 25: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

PSEs and Certificates – 3/5

The “SSL Client (Standard)” PSE holds a list of trusted certificates used when NW Gateway acts as an HTTPS client, e.g. during back-channel communication with the Identity Provider.

[Screenshot callout: The root certificate of the SAML 2.0 IdP server: CN=sso.blahblah.com, OU=IT, O=Blah Ltd, L=London]

Page 26: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

PSEs and Certificates – 4/5

The PSEs called “SSF SAML2 Service Provider – E” and “SSF SAML2 Service Provider – S” belong to SAP’s Secure Store & Forward (SSF) component.

Unless you need to use non-standard settings, do not create these PSEs manually. They are created for you when the SAML2 configuration wizard is run.

SSF SAML2 Service Provider – E: Used by SSF to encrypt data sent to the Identity Provider.

SSF SAML2 Service Provider – S: Used by SSF to sign data sent to the Identity Provider. Signed data can be sent either in encrypted form or as plain text.

Page 27: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

PSEs and Certificates – 5/5

You do not need to add this certificate yourself. It is added automatically by the SAML2 configuration wizard and is required by the Service Provider to verify the data it receives from the Identity Provider.

[Screenshot callout: The certificate of the Identity Provider used for data signing: CN=SFDC, O=Blah Ltd, C=GB]

Page 28: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

PSEs and Certificates – Check HTTPS Connectivity

After the SSL configuration steps have been performed, you should be able to call a URL on the NW Gateway server using the HTTPS protocol.

If the browser warns you that the certificate issued by the secure server is not trusted, this is probably because your SSL server certificate is self-signed. The browser could also warn you that the certificate does not belong to the hostname that sent it.

Self-signed certificates are fine for the purposes of testing and building PoC applications, but when creating a public certificate, it should be signed by a recognised certification authority (CA) – for instance, VeriSign.

Page 29: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

SAML 2.0 Configuration

Enabling SAP NW Gateway to accept user authentication via SAML 2.0

Page 30: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

Activate Session Security

Using transaction SICF_SESSIONS, activate session security for the client in which you are working. For more information, see the SAP Help Portal.

[Screenshot callout: This particular system has session security active only for client 100]

Page 31: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

SAML 2.0 Configuration

The standard SAP documentation for configuring SAML 2.0 based authentication can be found in the SAP Help library.

Warning

If SSL communication is not working correctly, do not attempt to start any SAML 2.0 configuration! Not only will it be impossible to complete the SAML 2.0 configuration, but the SAML 2.0 configuration will need to be repeated after the SSL configuration has been corrected.

In NW Gateway, start transaction SAML2. This will start your browser and then start a Web Dynpro application to perform the SAML configuration.

Page 32: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

SAML Configuration – 1/6

The first thing to do is create and enable a Local Provider. This identifies your NW Gateway server as a system that can accept SAML based authentication.

[Screenshot callout: The signing and encryption key pairs are derived from the “SSF SAML2 Service Provider – E” and “SSF SAML2 Service Provider – S” PSEs shown on slide 26]

Page 33: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

SAML Configuration – 2/6

Once the Local Provider SAML settings have been defined and enabled for the NW Gateway server, you should export this information.

[Screenshot callout: The Metadata button allows you to export the SAML 2.0 service provider metadata so that it can be imported into the external SAML 2.0 identity provider]

Page 34: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

SAML Configuration – 3/6

The easiest way to set up a new Trusted Provider is to ask the administrator of the SAML 2.0 IdP server to export their server’s configuration as an XML Metadata file.

[Screenshot callouts: An XML configuration file can be imported directly by this wizard. HTTP 302 redirects will be used to bind to the external SAML 2.0 IdP server. IdP endpoint shown for each binding: https://sso.blahblah.com/idp/SSO.saml2. Trusted provider alias: BlahBlahDev]

Page 35: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

SAML Configuration – 4/6

SAML 2.0 can accept user names in various different formats.

In this particular case, the format is open; therefore, the NameID format of “Unspecified” is configured.

In this particular case, the user name supplied by the SAML 2.0 assertion is identical to the user ID in SAP NW Gateway.

[Screenshot: trusted provider BlahBlahDev]

Page 36: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

SAML Configuration – 5/6

During the import process, the wizard guides you through several pages, on each of which you can accept the default values, except…

On the Signature and Encryption tab, under “Artifact Profile”, the “Require Signature” field must be set to “Never”.

[Screenshot: trusted provider BlahBlahDev; signing certificate CN=SFDC, O=Blah Ltd, C=GB]

Page 37: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

SAML Configuration – 6/6

During the import process, the wizard guides you through several pages, on each of which you can accept the default values, except…

On the Authentication Requirements tab, under “Authentication Response”, the “Binding” field must be set to “HTTP Artifact”.

[Screenshot: trusted provider BlahBlahDev]

Page 38: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

SAML Enabling a Gateway Service

Enabling a NW Gateway server to accept user authentication via SAML artifacts and assertions

Page 39: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

SAML Enable a Gateway Service – 1/3

Once the SAML configuration has been completed, you must adapt the logon policy for the Gateway services behind the SAP Fiori apps to use SAML 2.0 authentication. This is done in transaction SICF on the NW Gateway server.

Locate the ICF node that corresponds to the SAP Fiori app you are implementing and double click on it.

[Screenshot callout: The “Invoice Tracking” SAP Fiori app is implemented as ICF node sra021_srv]

Page 40: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

SAML Enable a Gateway Service – 2/3

Select the “Logon Data” tab and change the Procedure field from “Standard” to “Alternative Logon Procedure”.

[Screenshot callouts: SAML based authentication is activated by changing the logon procedure. Change the Security Requirement to SSL]

Page 41: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

SAML Enable a Gateway Service – 3/3

Once the “Alternative Logon Procedure” has been selected, you can scroll down within the Logon Data tab area and you will see a list of Logon Procedures.

By default, SAML Logon is item 7 in the list. To change this order, simply overtype the number in the left-hand column with 1 (or 2). The list is then automatically sorted according to the new order, but “Logon Through HTTP Fields” will always be item one.

Save your changes and when you execute the Gateway service, the client will be redirected to the logon screen of the external SAML 2.0 IdP server.

[Screenshot callout: SAML based authentication will now be used in the event that the HTTP header does not contain the required user information]

Page 42: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

Proxy Configuration

Using a proxy to protect access from the public internet

Page 43: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

Proxy Configuration

Because there are many different proxy products available and each is configured slightly differently, it is not possible to give exact instructions at this point. Irrespective of how your particular proxy is configured to rewrite URLs, the following URL information must be forwarded:

• The pathname to the SAP Fiori app

• All HTTP header fields

• The entire URL query string

[Diagram: Public Internet | Corporate DMZ (Proxy) | Internal Corporate Network (SAP NW Gateway, SAP ECC, SAML 2.0 IdP)]

Page 44: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

Proxy Configuration: A Possible Error – 1/2

If the URL information passed through to SAP NW Gateway is incomplete, you could get the error message shown here:

No default application path is configured for ACS endpoint

What this means is that although the proxy is passing through the application path and HTTP headers, it is not passing through the query string parameters. Therefore, SAP NW Gateway receives a valid, authenticated request, but without any app name (held in the query string parameter called "RelayState").

Since the app name is missing, Gateway then tries to run a default application, but since none is configured, the above error is displayed.

Page 45: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

Proxy Configuration: A Possible Error – 2/2

Incidentally, if you want to configure a default application to run in the event that none is specified, it can be done in the SAML2 configuration wizard under “Local Provider” → “Service Provider Settings”.

Important

This is not required for any of the SAP Fiori apps! It is only used in the case of IdP-initiated SSO, because in this case the service provider does not know what app to run after authentication.
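An added Python model (not from the slides or from SAP) of the proxy requirements on slides 43 to 45: proxy_rewrite changes only the host and port, check_forwarding verifies the three invariants (path, header fields, complete query string), and acs_outcome reproduces the slide 44 error when RelayState is lost, or falls back to the slide 45 default application when one is configured. Hostnames, the ACS path, the artifact value and the RelayState path are constructed.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qs, parse_qsl, urlencode

# Constructed hostnames and paths (assumptions for this example, not from the slides).
EXTERNAL_HOST = "fiori.example.test"              # name the client on the internet uses
INTERNAL_HOST = "gwhost.corp.example.test:443"    # SAP NW Gateway behind the DMZ proxy
ACS_PREFIX = "/sap/saml2/sp/acs/"                 # hypothetical ACS endpoint path


def proxy_rewrite(url, headers, dropped_params=()):
    """Rewrite the external URL to its internal equivalent (slide 5): only the host and
    port change. dropped_params models a proxy rule that loses part of the query string."""
    p = urlsplit(url)
    if p.hostname != EXTERNAL_HOST:
        raise ValueError("not an external Fiori URL: " + url)
    kept = [(k, v) for k, v in parse_qsl(p.query) if k not in dropped_params]
    internal = urlunsplit((p.scheme, INTERNAL_HOST, p.path, urlencode(kept), ""))
    return internal, dict(headers)                # header fields pass through unchanged


def check_forwarding(original_url, original_headers, forwarded_url, forwarded_headers):
    """The three invariants from slide 43: path, every header field, full query string."""
    o, f = urlsplit(original_url), urlsplit(forwarded_url)
    problems = []
    if o.path != f.path:
        problems.append("path changed")
    if parse_qs(o.query) != parse_qs(f.query):
        problems.append("query string not forwarded completely")
    missing = [h for h in original_headers if h not in forwarded_headers]
    if missing:
        problems.append("header fields dropped: " + ", ".join(missing))
    return problems


def acs_outcome(internal_url, default_app=None):
    """What the ACS endpoint does once the artifact has been resolved: the app to run
    comes from RelayState, otherwise from the optional default application (slide 45)."""
    p = urlsplit(internal_url)
    if not p.path.startswith(ACS_PREFIX):
        return ("not-acs", None)
    q = parse_qs(p.query)
    if "SAMLart" not in q:
        return ("error", "no SAML artifact in request")
    target = q.get("RelayState", [None])[0] or default_app
    if target is None:
        return ("error", "No default application path is configured for ACS endpoint")
    return ("redirect", target)


def demo(dropped_params=(), default_app=None):
    """Push a constructed step-8 redirect through the proxy and report what happens."""
    url = (f"https://{EXTERNAL_HOST}{ACS_PREFIX}100"
           "?SAMLart=AAQAAconstructed&RelayState=%2Fsap%2Fbc%2Fui5_ui5%2Fsap%2Fexample_app%2F")
    headers = {"Host": EXTERNAL_HOST, "Cookie": "sap-contextid=constructed", "Accept": "*/*"}
    fwd_url, fwd_headers = proxy_rewrite(url, headers, dropped_params)
    return check_forwarding(url, headers, fwd_url, fwd_headers), acs_outcome(fwd_url, default_app)


if __name__ == "__main__":
    print("complete proxy:", demo())
    print("RelayState lost:", demo(dropped_params=("RelayState",)))
```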

Page 46: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

Troubleshooting

What to do if it all goes horribly wrong…

Page 47: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

Troubleshooting

If you find an error in your configuration, the following tools are available:

1. SAP Help Portal on how to diagnose SAML 2.0 problems

2. SDN Wiki page for SAML 2.0

3. Common problems encountered when configuring SAML 2.0 for AS ABAP

4. Troubleshooting SAML 2.0 scenarios

5. When testing the SAP Fiori apps from a non-mobile client (say your desktop browser), some of these apps require the following query string parameter to be added to the URL:

sap-ui-xx-fakeOS=<os_name>

where <os_name> is “ios”, “android” or “bb”

Page 48: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet


No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

© 2013 SAP AG. All rights reserved

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.

This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.

SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.

The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.
