Folks, now that we've learned about security in the SAP Fiori system, let's dig into advanced security concepts for authentication in the SAP Fiori landscape.
The SAP Fiori system needs to know the identity of a user. Knowing a user's identity allows the SAP Fiori system to provide a customized experience and to grant the user permission to access data from the backend servers. The authentication concept for SAP Fiori apps includes initial user authentication on the ABAP frontend server, followed by authentication of all requests to the backend systems.
#Insight
Authentication is a process in which the credentials provided by a user from the client/browser are compared to those on file in a database of authorized users. After the user is authenticated, the system creates a security session between the client and the SAP Gateway server for that particular user.
Take a look at the table below. It shows which authentication methods for SSO are supported by each type of SAP Fiori app.
| Authentication Method for SSO | Transactional Apps | Fact Sheet Apps | Analytical Apps (via SAP HANA XS) | Search (Fact Sheet) Apps |
| --- | --- | --- | --- | --- |
| Username / Password | YES | YES | YES | YES |
| SPNego/Kerberos (with SAP NetWeaver SSO) | YES | YES | NO | NO |
| SAML 2.0 | YES | YES | NO | NO |
| SAP logon tickets | YES | YES | YES | YES |
| X.509 | YES | YES | YES | YES |

Kerberos/SPNego
Kerberos is a network authentication protocol developed by MIT. It is a robust protocol designed to protect against a wide range of attacks. Kerberos provides a trusted third party and a protocol for authentication. It is built on symmetric-key cryptography and uses tickets to authenticate. It also avoids storing passwords locally or sending them over the internet.
You can enable Kerberos/SPNego authentication for the ABAP frontend server to access SAP Fiori apps in your corporate network. Because the Active Directory system is typically located in your corporate network, Kerberos authentication cannot be used outside the network. To enable SSO outside your corporate network, you need to set up a virtual private network (VPN) connection.
Advantages of Kerberos/SPNego
- SSO setup within your system landscape is simplified by using Kerberos for both SAP GUI and HTTP.
- It is supported by most mobile device vendors.
- A separate logon to the ABAP frontend server is not necessary.
- Kerberos/SPNego simplifies the logon process to the ABAP frontend server by using the user's Windows logon data.
#Insight
The configuration process for Kerberos/SPNego authentication requires significant involvement from your Active Directory Administration Team. The entire procedure for configuring Kerberos/SPNego authentication is documented in the implementation guide on the SAP Help Portal.