Keeping Simple Things Simple
SAP Fiori is all about creating a new SAP user experience. Fiori apps feature attractive, interactive user interfaces that can be used on all devices, and their common technical infrastructure keeps implementation efforts to a minimum. SAP Fiori currently includes 190+ apps for the most common business functions, such as workflow approvals, information lookups, and self-service tasks.
SAP Fiori apps make working with SAP software more enjoyable, but we should not forget the fact that they just LOOK like they are all about fun and games. In reality, they are a pretty wrapper for serious data. You are still working with sensitive enterprise information in your backend ERP system. Secure data access is just as important here as it is in your traditional SAP GUI for Windows.
Single Sign-On for SAP Fiori Apps
The philosophy behind Fiori is to keep simple things simple. And here’s the good news: You can keep security simple as well, without sacrificing effectiveness. Securing access to your data doesn’t have to involve cumbersome processes. You don’t have to take anything away from the positive user experience Fiori is designed to provide. By implementing SAP Single Sign-On, your apps become automatically available after just one initial user authentication at the users Windows desktop, with no need for further log-on procedures. How we do that while keeping sensitive data secure at all times? Check the technology behind the SAP Single Sign-On (SSO) solution in SCN.
SSO With SPNEGO
The most straightforward way to maximize your benefit is using SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism), a Kerberos technology which is the method of choice in intranet scenarios. It simply re-uses your Windows domain authentication for single sign-on. For extranet scenarios see section about X.509 certificates at the end of this article.
It is easy to install and ensures a low cost of ownership. With SPNEGO, a trust relationship is established between the SAP Fiori app and the SAP NetWeaver Gateway that publishes SAP Business Suite backend data via easy-to-consume OData services. Users log in just once at their Windows domain, and a Kerberos token mechanism handles all subsequent authentication processes. This SSO implementation isn’t limited to your Fiori apps, of course. You can integrate as many SAP and non-SAP applications into your Kerberos single sign-on infrastructure as you wish (as long as they can accept Kerberos tokens – for other options, check our recent SAP Insider article). All this happens in the background, entirely hidden from the user, who can conveniently navigate between apps and traditional systems.
Setting up single sign-on for Fiori apps works much like implementing it for other SAP environments, such as SAP GUI for Windows or HTML. It’s a quick and straightforward implementation, as you can see in Frane Milicevic’s video guides.
SSO With X.509 Certificates
X.509 certificates also provide a viable option for creating a secure SSO infrastructure if you're considering to extend single sign-on to extranet or cross-company scenarios. For more information, refer to our SCN guide on implementing X.509.
SSO for SAP Fiori Apps also on your mobile device
If you want to be competitive in your market, you most probably need to offer for your business users simple and secure access to SAP Fiori from anywhere and from any device. If you want to keep security simple also for mobile access in your company, you can simply implement the mobile SSO solution coming with the SAP Single Sign-On product. The solution is built using time-based one-time passwords (RFC 6238) technology and is available for mobile users via the SAP Authenticator mobile application. Also the latest version of the native mobile application, SAP Fiori Client 1.5.0, is integrated out-of-the box with SAP Authenticator. You can find more details how it is working in the SCN blog: Mobile Single Sign-On for SAP Fiori with SAP Authenticator.