SAP Fiori - Security

Securing SAP Fiori system ensures that the information and processes support your business needs, are secured without any unauthorized access to critical information.

You must ensure that the user errors, negligence, or attempted manipulation of your system must not result in loss of information or processing time.

All these security policies should apply to all components in a Fiori system.

Managing users in SAP Fiori −

  • To manage SAP Fiori transactional apps, you should have below users −
  • Users in SAP NetWeaver Gateway and ABAP front-end server
  • User in the ABAP back-end server

Authentication Methods

While launching SAP Fiori app, the request is sent from the client to the ABAP front-end server by the SAP Fiori Launchpad via Web Dispatcher. ABAP front-end server authenticates the user when this request is sent. To authenticate the user, the ABAP front-end server uses the authentication and single sign-on (SSO) mechanisms provided by SAP NetWeaver. The mechanism mentioned below can be used for authentication −


SPNEGO is used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports. The pseudo-mechanism uses a protocol to determine what common GSSAPI mechanisms are available, selects one and then dispatches all further security operations to it. This can help organizations deploy new security mechanisms in a phased manner.

SAP Logon Tickets

SAP Logon Tickets represent user credentials in SAP systems. When enabled, users can access multiple SAP applications and services through SAPgui and web browsers without further username and password inputs from the user. SAP Logon Tickets can also be a vehicle for enabling single sign-on across SAP boundaries; in some cases, logon tickets can be used to authenticate into third party applications such as Microsoft-based web applications.

X.509 Certificates

An X.509 certificate contains information about the identity to which a certificate is issued and the identity that issued it. Many of the certificates that people refer to as Secure Sockets Layer (SSL) certificates are in fact X.509 certificates.

Authentication in the Back-End Systems

Once initial authentication is done on the ABAP front-end server, a security session is established between the client and the ABAP front-end server.

This allows SAP Fiori apps and Launchpad to send OData requests to the ABAP back-end server. These requests are communicated securely by using trusted RFC.

Secure Network Communication SNC

Secure Network Communications (SNC) integrates SAPNetWeaver Single Sign-On or an external security product with SAP systems. With SNC, you strengthen security by using additional security functions provided by a security product that are not directly available with SAP systems.

SNC protects the data communication paths between the various client and server components of the SAP system that use the SAP protocols RFC or DIAG. There are well-known cryptographic algorithms that have been implemented by the various security products, and with SNC, you can apply these algorithms to your data for increased protection.

Imporatant Features

  • SNC secures the data communication paths between the various SAP system client and server components. There are well-known cryptographic algorithms that have been implemented by security products supported and with SNC, you can apply these algorithms to your data for increased protection.

  • With SNC, you receive application-level, end-to-end security. All communication that takes place between two SNC-protected components is secured.

  • Additional security features like Smart cards can be used that SAP does not directly provide.

  • You can change the security product at any time without affecting the SAP business applications.

Levels of Protection

You can apply three levels of security protection. They are −

  • Authentication only
  • Integrity protection
  • Privacy protection

Authentication only

When using authentication only, the system verifies the identity of the communication partners. This is the minimum protection level offered by SNC.

Integrity Protection

When using integrity protection, the system detects any changes or manipulation of the data, which may have occurred between the two ends of a communication.

Privacy Protection

When using privacy protection, the system encrypts the messages being transferred to make eavesdropping useless. Privacy protection also includes integrity protection of the data. This is the maximum level of protection provided by SNC.