Journey to publish on-premises SAP Fiori apps to the Internet
Recently I was asked to investigate publishing our SAP Fiori launchpad over the internet. Our main purpose was to allow mobile access from anywhere in the world. (Of course, security is a big concern when you are about to publish ESS/MSS.)
This was quite challenging, as it required making sure that no unauthorized users get into our SAP Fiori environment.
I would like to share my journey of how I made this possible.
At first I thought this would be simple and easy. SAP always talks about publishing the SAP Gateway server in a DMZ. In a very naive view, it is as simple as providing a public IP, making Fiori accessible over the internet, and securing it with credentials.
However, I know many will laugh at even entertaining that thought. There are many security concerns that need to be addressed. After all, we don't want someone to piggyback on the Fiori gateway system and hack into our network and SAP landscape.
I thought of putting an SAP Web Dispatcher server in front of all this, which makes the system more secure anyway, since it is a reverse proxy product.
My Game Plan…
Use Microsoft Active Directory Federation Services (ADFS) to authenticate the user into the SAP Fiori application with SAML. ADFS also supports multi-factor authentication, which is the way to go. So that covers the first part of making it more secure. MFA: you cannot beat this! Some banks are already using it.
So what will my architecture look like? (High level)
Let me walk through the components on this diagram one by one.
Users:
A user can be anywhere in the world, making a request to access SAP Fiori from a personal or shared device, which can be a mobile device or a PC.
Internet:
Nowadays the internet plays a major role in our day-to-day life. (Ask me how I felt when I moved to a new home and had no internet for 15 days.)
In simple words: the internet is the entry point for any Fiori request coming in and going out.
ADFS:
This service allows a user to authenticate and, if a request is coming from outside, prompts them to perform MFA.
Firewall:
We have only one port open on the internet-facing firewall, HTTPS, and only that port and HTTPS-type requests are allowed through.
Web dispatcher:
The Web Dispatcher server is a standalone server and is not joined to the domain. This server has a live IP address associated with an internet address, for example www.websitename.com.
The Web Dispatcher HTTPS URL is signed by a certificate signing authority, so whenever you access the website it will be HTTPS and nothing else is served by it.
This Web Dispatcher is connected to the SAP Gateway system.
This system has filter rules, and it will point to the Fiori launchpad as soon as you hit the entry point web URL:
# requests coming from www.mywebsite.com are appended with sap/bc/ui5_ui5/ui2/ushell/shells/abap/Fiorilaunchpad.html
if %{SERVER_ADDR} stricmp "xxx.xxx.xxx.xxx"
RegIRedirectURL ^/$ sap/bc/ui5_ui5/ui2/ushell/shells/abap/Fiorilaunchpad.html
Do not forget to add the profile parameters below to your Web Dispatcher and change them according to your requirements.
#-----------------------------------------------------------------------
# ICM Logging Parameter
#-----------------------------------------------------------------------
icm/HTTP/logging_0 = PREFIX=/, LOGFILE=httpaccess.log, LOGFORMAT=SAPMSG, MAXSIZEKB=10240, SWITCHTF=month, FILEWRAP=on
#-----------------------------------------------------------------------
# Cipher Suites Parameter
#-----------------------------------------------------------------------
ssl/ciphersuites = 801:PFS:HIGH::EC_P256:EC_HIGH
ssl/client_ciphersuites = 816:PFS:HIGH::EC_P256:EC_HIGH
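As an added example (not from the post and not an SAP tool), the small Python audit below reads a Web Dispatcher profile as text and checks the three points the post relies on: that no icm/server_port_<n> still serves plain HTTP, that an icm/HTTP/logging_<n> access log is configured, and that ssl/ciphersuites demands PFS and HIGH strength. The two sample profiles are constructed; the hardened one reuses the post's logging and cipher values.

```python
# Added example, not from the post: audit a Web Dispatcher profile (given as text)
# for HTTPS-only ports, an HTTP access log and PFS/HIGH cipher suites. Sample profiles are constructed.
def parse_profile(text):
    """Map 'key = value' lines to a dict; blank lines and # comments are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")  # first '=' splits key from value
            params[key.strip()] = value.strip()
    return params

def parse_options(value):
    """Split 'PROT=HTTPS, PORT=443' into {'PROT': 'HTTPS', 'PORT': '443'}."""
    opts = {}
    for item in value.split(","):
        k, _, v = item.partition("=")
        if k.strip():
            opts[k.strip().upper()] = v.strip()
    return opts

def audit_profile(text):
    """Return a list of findings; an empty list means all checks passed."""
    params, findings = parse_profile(text), []
    for key, value in params.items():
        if key.startswith("icm/server_port_"):
            opts = parse_options(value)
            if opts.get("PROT", "").upper() == "HTTP":
                findings.append(f"{key}: plain HTTP on port {opts.get('PORT', '?')}")
    if not any(k.startswith("icm/HTTP/logging_") for k in params):
        findings.append("no icm/HTTP/logging_<n>: HTTP access log not configured")
    suites = params.get("ssl/ciphersuites", "").upper()
    if "PFS" not in suites or "HIGH" not in suites:
        findings.append("ssl/ciphersuites does not require PFS and HIGH strength")
    return findings

# Constructed: still answers on plain HTTP, no access log, weak cipher suites.
WEAK_PROFILE = """
icm/server_port_0 = PROT=HTTP, PORT=8080
icm/server_port_1 = PROT=HTTPS, PORT=443
ssl/ciphersuites = 135:MEDIUM
"""

# Constructed: hardened counterpart using the post's logging and cipher values.
HARDENED_PROFILE = """
icm/server_port_0 = PROT=HTTPS, PORT=443
icm/HTTP/logging_0 = PREFIX=/, LOGFILE=httpaccess.log, LOGFORMAT=SAPMSG, MAXSIZEKB=10240, SWITCHTF=month, FILEWRAP=on
ssl/ciphersuites = 801:PFS:HIGH::EC_P256:EC_HIGH
ssl/client_ciphersuites = 816:PFS:HIGH::EC_P256:EC_HIGH
"""
```

Running audit_profile(WEAK_PROFILE) yields three findings, while audit_profile(HARDENED_PROFILE) returns an empty list.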
Firewall:
This is an internal firewall that only allows message server and HTTPS port connections to the Fiori server; any other type of request is blocked.
Fiori Server:
HTTPS is configured between the SAP Web Dispatcher and the Fiori server.
So finally, in a simple process diagram, this is how MFA will work:
I hope you enjoyed reading my journey document; feel free to leave comments.
Thank you for reading
Yogesh
PS: Don't forget to change your workflow URL if you make any changes to your entry point URL.
Hi Yogesh Patel,
Nice document.
Can you please provide the HTTPS configuration with the Fiori server?
Regards,
SAM
Hello Sam Jon,
Thank you for your feedback.
In order to configure HTTPS in Fiori you need to enable the HTTPS port on your server and, once you have done that, sign the certificate with a certificate authority. In our case we have it signed by an internal signing authority.
Hope this helps; if not, let me know and we can continue the discussion.
Best,
Yogesh
Hi Yogesh,
Thanks for your reply.
I have enabled the HTTPS port in the SAP Gateway server.
Please help with signing the certificate with a certificate authority. What is an internal signing authority?
Thanks Yogesh, I hope you will help me.
Regards,
SAM
Hi Sam,
You can talk to your infrastructure team to get help with signing authorities.
-Yogesh
Hi,
Do you have the same Fiori apps available for both internal and external users?
Or do you only expose certain apps to the externals?
I wonder if it's possible and secure enough to separate that only with roles, or if a separate Gateway/Launchpad for external access is required.
BR
Sveinung