The SAP Fiori Single Sign On (SSO) is a new option that is aimed to take the SAP Fiori security to the new level. The philosophy behind Fiori is to keep simple things simple. As Fiori becomes mainstream, IT teams are facing the challenge to align Fiori with existing enterprise Single Sign On (SSO) guidelines and requirements. The challenge is to keep security simple as well, without sacrificing effectiveness. Securing access to your data doesn’t have to involve cumbersome processes. You don’t have to take anything away from the positive user experience With Fiori being a desktop and mobile solution, your apps should be automatically available after just one initial user authentication at the users desktop or mobile device, with no need for further log-on procedures. How we do that while keeping sensitive data secure at all times? The authentication concept for SAP Fiori apps involves two stages:

  1. Initial authentication at the ABAP front-end server
  2. Authentication of all requests to back-end systems.

Let’s have a brief overview of what each stage is all about.

1. Initial Authentication Once a user initiates a SAP Fiori app, the launch request is sent from the client to the ABAP front-end server by the SAP Fiori launchpad. At the time of launch, the ABAP front-end server authenticates the user with one of the supported authentication and SSO mechanisms. Upon successful initial authentication on the ABAP front-end server, a security session is established between the client and the ABAP front-end server.

2. Authentication requests at the back-end systems After successful establishment of security session between the client and the ABAP front-end server, transactional apps can then send OData requests from the ABAP front end server to the ABAP back-end server. OData requests to the ABAP back-end server are then communicated securely by trusted RFC without the requirement of additional authentication. In this blog we take a high-level look at 2 options to achieve Single Sign On capability for SAP Fiori apps –

  1. SAP Fiori SSO using SAP Authenticator
  2. SAP Fiori SSO using Mocana Atlas Platform

Mobile SSO for SAP Fiori with SAP Authenticator

SAP offers “Mobile SSO” for various applications and trusted websites on mobile devices. This solution is based on Time based One-Time Password (TOTP) algorithm, which is of the open standard RFC 6238. This algorithm computes a one time pass code from a shared secret key and current time. With the respective user name and pass code, the authentication to the Identity Provider triggers IDP initiated single sign-on mechanism. For TOTP client, SAP authenticator is the mobile application, which is available for iOS and android platforms. Once you implement this solution, you will have the flexibility to use Fiori applications, bookmarked on your device after a single click. Once you click on the respective Fiori application bookmark, the SAP authenticator creates a pass code and a URL with respective parameters. Next, the SAP authenticator sends this URL to the browser, wherein the browser opens the URL that triggers the single Sign-On. On the other hand, the Identity Provider checks the entered credentials and if the authentication is successful, issues a SAML 2.0 assertion for you and for the respective service provider (SAP Fiori). In the final step that refers to the HTTP-POST binding response, the SAP Fiori application gets securely opened on your mobile device.

SAP Fiori SSO using Mocana Atlas Platform

Now that you have understood how SSL single sign on authentication works, let’s look into certain security aspects of authentication, considering that it becomes daunting and expensive to deliver secure mobile apps at an enterprise scale. In order to move up in the value chain, organizations have to think beyond the usual handful of apps by expanding access to a much broader range of high end enterprise applications.

The need of the hour is to have a single and a unified platform that empowers organizations to establish authentication securely, identify and trust relationships with applications on virtually any mobile device. That implies organizations needs a platform that makes these connections less complex to provide and at the same time, less expensive to maintain. From the above backdrop, a new security platform – Mocana Atlas™ Extended Enterprise Platform is making new inroads in this space that is a revolutionary platform aimed to simplify enterprise mobile app deployments by reducing many of the toughest security bottlenecks, plaguing large scale rollouts, while considerably minimizing mobile total cost of ownership. Mocana Atlas is deployed behind the firewall to securely connect mobile apps to back-end systems with exceptional simplicity for IT and one click access for end users across the entire extended organization.

With focus on app security, your organization can benefit complete enhanced depths of visibility into your deterministic state of the apps that define the extended enterprise, wherever these apps are present, either on managed or unmanaged devices. Organizations enjoy high levels of control – how the app is utilized and how data is accessed without compromising on end user experience. Hence, a new secured transport layer to a dedicated secure app. gateway, also called as Mocana Atlas appliance can be provided to ensure that your data is completely secured, while it travels all the way from the app. boundary to the critical back-end systems of record back at the enterprise. Mocana Atlas extended enterprise platform, along with Mocana MAP, offers new insights into the fragile links of your mobility initiatives and supports you with policies and tools to help you instantly and economically minimize those issues before they become a major threat to your business, using a single management console. Mocana Atlas works as a bridge application – it can connect existing enterprise MDM, MAM and EMM software instances from other vendors and helps your organization to leverage more out of the software you already have.

Mocana Atlas offers end-to-end security and enhanced security-posture intelligence at the point of network connection that lets your enterprise acquire new insights including a complete data protection with enhanced visibility into the mobile apps and transactions, which are transforming your networks. This application offers complete transparency to end users, providing a easy single-sign on across all MAP-protected apps.

Innovapptive’s offerings in this space

Innovapptive’s SAP-qualified rapid deployment solution (RDS) for SAP Fiori includes the new SAP Fiori apps that helps in implementation of SAP NetWeaver Gateway, SAP UI5 and one or more Fiori Apps for full productive purposes in a fixed time and fixed price. SAP Fiori apps offers a simple and easy to use consumer-grade user experience that work seamlessly across devices – desktop, tablet, or smartphone. Innovapptive’s RDS implementation for SAP Fiori streamlines your workforce immediately and brings forth instant value to your enterprise. Apart from that, RDS can help drastically minimize implementation efforts compared to a classic approach, since the base processes within the scope are neatly defined best practices and are more efficient, than defining customer specific processes.

Key takeaways of Innovapptive’s SAP Fiori RDS

  1. Simplifies the enterprise user experience – SAP® Fiori offers a collection of apps to simplify daily tasks of your business, while driving enterprise wide productivity.
  2. Provides your enterprise with instant productivity boost – Using SAP Fiori RDS, it lets your employees to complete workflow approvals, information lookups, and   self-service tasks across HR, finance, procurement, and sales more efficiently. This package starts working within weeks, and instantly mobilizes your employees, while tremendously improving your enterprise wide productivity.
  3. Bring simplicity and agility to your SAP Fiori Deployment – A fixed cost and deployment timeline for the SAP Fiori solution enables your enterprise to quickly extend the value of your ERP investments by offering instant and cost-effective method for deploying standard processes and adopting the latest innovations in mobility. A typical deployment is less than 2 weeks that helps your organization lower the total cost of ownership (TCO), speed up time to value and retain the flexibility to extend the solution.
  4. Offers flexibility and modularity – With our RDS package offering high levels of flexibility and modularity, you can quickly jump start with just one app or any combination of available 200+ Fiori apps, delivering the full business value to your enterprise in under 2 weeks.

Request a Demo

If you would like a demo of Innovapptive’s portfolio of Native or Web based mobile solutions, please click on the link. Alternatively, if you would like to discuss with an Innovapptive solution expert, you can reach out to us by emailing us at or you can reach a sales representative at (713) 275-1804.