Mentor SAP

SAML 2.0 Browser Protocol

Web Server Side (for example PHP site)

Short-lived X.509 certificates

Business to Consumer

Basic authentication when using the user self-service

 

The recommended authentication option for SAPUI5-based applications depends on the scenario (intranet or extranet). For intranet scenarios, Kerberos works best.

 

For extranet scenarios, SAML 2.0 Browser Protocol or OAuth are recommended.

 

X.509 certificates are the method of choice for scenarios based on SAP Cloud Platform Mobile Services, or when the consumer is a web server (for example, a PHP site). In that case the web server should generate short-lived certificates, which the SAP Gateway server should trust.
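The short-lived certificate pattern described above, sketched with the OpenSSL command line as an added example (not code from the original page or from SAP). The CA name, user id, file names and function names are constructed placeholders, GNU `date` is assumed, and importing the CA certificate into the SAP Gateway server's trust configuration is not shown.

```shell
#!/usr/bin/env bash
# Added example: CA name, user id and file names are constructed placeholders.
set -eu

make_demo_ca() {  # $1 = work dir of the issuing web server
  mkdir -p "$1/newcerts"; : > "$1/index.txt"; echo 01 > "$1/serial"
  cat > "$1/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
[ca]
default_ca = demo
[demo]
database = $1/index.txt
new_certs_dir = $1/newcerts
serial = $1/serial
default_md = sha256
unique_subject = no
policy = pol
x509_extensions = usr
[pol]
commonName = supplied
[usr]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
  openssl req -config "$1/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo Web Server CA" -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# Issue a client certificate for one user that expires after $3 minutes.
issue_user_cert() {  # $1 = work dir, $2 = user id, $3 = lifetime in minutes
  local end
  end=$(date -u -d "@$(( $(date +%s) + 60 * $3 ))" +%y%m%d%H%M%SZ)  # GNU date
  openssl req -config "$1/ca.cnf" -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl ca -batch -notext -config "$1/ca.cnf" -cert "$1/ca.pem" \
    -keyfile "$1/ca.key" -enddate "$end" -in "$1/$2.csr" -out "$1/$2.pem" 2>/dev/null
}

# Relying-party view: the certificate chains to the trusted CA certificate
# and expires within $3 seconds.
is_trusted_and_short_lived() {  # $1 = CA cert, $2 = user cert, $3 = max seconds
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  ! openssl x509 -in "$2" -noout -checkend "$3" >/dev/null
}
```

Only `ca.pem` is shared with the server that has to trust the certificates; `ca.key` stays on the issuing web server, so a leaked user certificate is usable only until its short validity window closes.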

 

Basic authentication should only be used in B2C scenarios that use the user's self-service.

 

Roles and Authorization Objects

SAP Gateway hub users

SAP back-end users