Set up S/4HANA system to enable content federation

Set up the allow list to enable the execution of SAP S/4HANA applications within an iFrame on an SAP Build Work Zone site, and establish an SAP Fiori launchpad parameter to control the visibility of classic apps.

Step 1: Open UCON Cockpit:

Because SAP S/4HANA apps are connected to SAP Build Work Zone using something called iFrames, you need to set up an allowlist to protect your system from a type of cyber attack called clickjacking. This allowlist service is like a shield for your system. You can manage this kind of protection using the Unified Connectivity Framework (UCON Framework) to make sure that your communication through RFC and HTTP(S) is secure and only authorized users can access it.

To make sure SAP Build Work Zone can get data from your SAP S/4HANA system, you should add your trial account to the allowlist for Clickjacking Framing Protection.

If you don't turn on the allowlist, SAP Build Work Zone will use a stricter way to protect against clickjacking. It will only allow framing if the application's home (where it comes from) is part of the same group as Work Zone (they have to be very close together).

Start the transaction uconcockpit.

Step 2: Activate clickjacking protection

You now see the Clickjacking Framing Protection entry in the table. It is currently set to Logging mode. This means that connections are only logged, but not checked. With this setting, connectivity from your SAP BTP trial account will work. However, this is not a secure setting. In a productive environment, you would need to add the patterns for your SAP Build Work Zone to the whitelist and then set the scenario to Active check mode.

Step 3: Open SAP Fiori launchpad client-specific settings

The parameter EXPOSURE_SYSTEM_ALIASES_MODE defines how to handle system aliases during content exposure. In an embedded deployment of the SAP Fiori front-end server, all apps run on the same server. Therefore, system aliases can be cleared during exposure.

SPRO

SAP NetWeaver > UI Technologies > SAP Fiori > SAP Fiori Launchpad Settings

Step 4: Check activation status of cdm3 service

Step 5: Check exposing user

You also need to make sure that the user which does the content exposure has the right role and that the page cache is turned on for them. This is also already the case for user bpinst.

The permissions to run the content exposure are delivered with the role SAP_FLP_ADMIN. The BPINST user has full administrator permissions and can be used for content exposure.

Go to tab Parameters and make sure that the parameter /UI2/PAGE_CACHE_OFF does not show up here. If it does, remove it.

This parameter is only used for test purposes to identify caching issues. It should not be available in productive systems anyhow, as it can slow down the loading process significantly.