SAP Cloud Platform Mobile Service – Fiori Client Oauth
Introduction – This Blog is written to provide architecture view for enhancing SAP Fiori Client app using SAP Cloud Platform Mobile service and achieving SSO using OAuth and SAP SSO Assertion tokens.
Background – SAP Fiori Client is a standard app given by SAP which can be used to access SAP Fiori Launchpad (On-Premise or Cloud) on your mobile devices. SAP Fiori Client supports URL based access to Fiori Launchpad and based on your back-end authorization it allows you to perform activities.
As we all are moving towards enhancing user experience and as any other app users are looking to have SSO kind of feature in mobile apps so that user shouldn’t enter their back-end credentials again and again.
SAP Fiori Client by default doesn’t support this requirement however it can be customized to meet this requirement. We have used SAP Cloud Platform – Mobile service to customized this app along with OAuth and SAP SSO assertion tokens meet SSO requirement.
Note: Please note this solution can be achieved using different mechanism as well example: principle propogation, OAuth2SAMLbearerassertion etc.
Before we drill down more on solution lets see different authentication mechanism which are available to meet this requirements and its use case as well, also understand value proposition for SAPAssertionSSO.
|Authentication Types||Description||When to Use|
|SAPAssertionSSO||Configure the Back-end system to accepts assertion tickets, Assertions tickets are signed by X.509 DSA key pair, Authentication is based on only user ID||
Can be used when Back-End service endpoint is a SAP NetWeaver AS system
Cloud Connector is needed
|Principal Propogation||Allows Destination to forward the identity of an on-demand user to SAP Cloud Connector, which then forwards it to backend system||
Can be used when Back-End service endpoint accepts client certificate authentication.
Cloud Connector is needed
|OAuth2SAMLbearerassertion||Enables applications to use SAML assertions to access OAuth-protected resources||Can be sued when Back_end service endpoint is OAuth-protected resources|
SAPAssertionSSO: SAP AsserttionSSO is available as one of authentication types in SAP cloud Platform mobile services for connecting Back-End SAP Fiori server, This destination allows users to seamlessly connect to Back-End server from SAP cloud Platform without the need of providing his/her identity every time he/she makes connections to Back-End.By default, all the SAP systems accepts assertion tickets(provided setting has been enabled). This is one time setup per back-end system so the time and effort for this is short. Please note in this authentication type user name should be identical in IDP server and back-end server.
Please read this link for more details about SAPAssertionSSO authentication method.
Architecture: Below is the architecture for our solution, We will drill on end to end setup and testing in next blog.
Components used : We have used below components to make this solution working
- SAP Cloud Platform Mobile Services – This service is used to customise SAP Fiori Client
- SAP Cloud Platform – OAuth Service – This service is used to register OAuth client and generating tokens
- SAP Cloud Platform – Connectivity Service – This service is used to connect SAP Cloud Platform Mobile service with SAP Cloud Connector
- SAP IDP Server – We have used SAP IDP server to authenticate users
- SAP Cloud Connector – SAP Cloud Connector is used to connect to back-end on-premise server and SAP Cloud Platform
- SAP Fiori Client app – Front end app used to see Fiori Launchpad .