Technology Blogs by SAP
BTPInnovate
Product and Topic Expert

This blog explains authentication and Single Sign-On mechanisms with the SAP NetWeaver Business Client. Before we go into these details, it is necessary to explain some technicalities of the SAP NetWeaver Business Client and give a short introduction to SAP’s own product for Single Sign-On, SAP NetWeaver Single Sign-On.


SAP NetWeaver Business Client (NWBC for short) brings together web-based and Dynpro-based applications, potentially running on multiple systems, in one single shell. It therefore needs to combine different authentication techniques to shield the user from multiple logins and offer a seamless end-user experience.

NWBC is shipped in two variants:

  1. NWBC for Desktop is a MS Windows/.NET-based application that needs a local installation. It uses SAP GUI for Windows under the hood to run Dynpro-based transactions and integrates Web applications using the Internet Explorer control in its shell.
  2. NWBC for HTML is a browser-based version that uses HTTP/HTTPS to connect to an SAP NetWeaver Application Server ABAP backend. SAP GUI transactions are rendered using the SAP GUI for HTML.


For Single Sign-On functionality, SAP ships its own product, SAP NetWeaver Single Sign-On, which allows customers to implement standard token-based SSO for the web browser and for SAP GUI for Windows. It also offers a password manager for Enterprise Single Sign-On.

Let us now focus on the question of authentication and Single Sign-On with NWBC for Desktop. With NWBC for HTML, the standard web SSO mechanisms listed further on in this blog apply.


NWBC authenticates a user against a system through the ICF logon, which is a browser-based authentication. When the user calls a web-based application in the course of their work, authentication is handled by the standard Internet Explorer control that NWBC embeds for rendering Web content. Classic Dynpro screens are different: for a Dynpro screen, authentication is handled by the instance of SAP GUI for Windows that runs under the hood.

So what are the available options of authentication mechanisms with NWBC?


The following initial authentication mechanisms are used in SAP products and apply to NWBC authentication depending on the scenario you are running:


  • User ID and passwords
  • X.509 Client Certificates
  • SAML assertions
  • SAP Logon Tickets
  • SPNEGO and Kerberos


Let us now examine each method in a little more detail.

User ID and password is of course the easiest method, but you need to roll out and offer password reset and recovery functionality for your end users. It is also strongly recommended that you encrypt the communication path (HTTPS); otherwise your end users send their passwords in clear text, which makes sniffing them extremely easy.

X.509 Client Certificate requires a Public Key Infrastructure (PKI), which issues and handles the whole certificate management for your users. You have the option to implement SAP NetWeaver Single Sign-On instead, which generates certificates on the fly without the need to implement and deploy a costly PKI.

SAML assertions are a modern standard for web-based and cross domain Single Sign-On. You need a so-called Identity Provider to issue SAML assertions for your users, which is also part of SAP NetWeaver Single Sign-On.


Logon Tickets are an SAP proprietary mechanism. In the form of a digitally signed cookie they offer authentication and Single Sign-On. You can generate Logon Tickets with NWBC, with the SAP NetWeaver Portal or with SAP NetWeaver Single Sign-On.


SPNEGO with Kerberos is the web variant of Kerberos, and you need SAP NetWeaver Single Sign-On to implement it.


Recommendations

NWBC, together with SSO, offers you multiple options for authentication. These options differ depending on the scenario you have implemented with NWBC. The table below provides some details:


| Scenario | SSO Method |
| --- | --- |
| NWBC for Desktop embedding Web applications only | X.509 certificates, SAML assertions, SPNEGO with Kerberos, Logon Tickets |
| NWBC for Desktop embedding Dynpro applications (SAP GUI for Windows) | SNC + X.509 certificates, SNC + Kerberos, Logon Tickets |
| NWBC for Desktop embedding Dynpro and Web applications | SNC + X.509 certificates, SNC + Kerberos, Logon Tickets |

So in short, if you’re running only web applications with the NWBC then you can use the standard web SSO mechanisms as listed further up in the blog.


If you have to access SAP Dynpro applications via NWBC for Desktop and you want this access to be secured via encryption, then you have to configure SNC (Secure Network Communication), which encrypts the communication path, and use either X.509 certificates or Kerberos for Single Sign-On. For both options we recommend the SAP NetWeaver Single Sign-On solution, which can generate X.509 certificates or support Kerberos.

Logon Tickets are no longer recommended by SAP unless you need to implement SSO for lower releases (SAP NetWeaver Application Server < 7.00).
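One way to check a backend against the SNC and Logon Ticket recommendations above is to audit its instance profile. The following is an added example, not code from this blog or from SAP: the profile excerpt is constructed, `CHECKS` and `audit_profile` are hypothetical names, and the ABAP profile parameters it inspects are not named in the blog, so the accepted values are this example's reading of the recommendations.

```python
# Added example: audit an ABAP instance profile excerpt for SNC and Logon Ticket settings.
# SAMPLE_PROFILE is constructed; CHECKS and audit_profile() are hypothetical names.

SAMPLE_PROFILE = """\
# constructed instance profile excerpt
snc/enable = 1
snc/data_protection/min = 1
snc/accept_insecure_gui = 1
login/create_sso2_ticket = 2
"""

# parameter -> (acceptable values, why anything else is flagged)
CHECKS = {
    "snc/enable": ({"1"}, "SNC must be active to protect SAP GUI (Dynpro) connections"),
    "snc/data_protection/min": ({"3"}, "only level 3 (privacy) enforces encryption; "
                                       "1 is authentication only, 2 is integrity only"),
    "snc/accept_insecure_gui": ({"0", "U"}, "1 still accepts SAP GUI logons without SNC"),
    "login/create_sso2_ticket": ({"0", "3"}, "1 and 2 make the system issue Logon Tickets"),
}

def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines, skipping comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params

def audit_profile(text):
    """Return (parameter, actual value or None if unset, reason) for each deviation."""
    params = parse_profile(text)
    findings = []
    for name, (allowed, reason) in CHECKS.items():
        actual = params.get(name)
        # An unset parameter is reported too, so the kernel default gets reviewed.
        if actual is None or actual.upper() not in allowed:
            findings.append((name, actual, reason))
    return findings

if __name__ == "__main__":
    for name, actual, reason in audit_profile(SAMPLE_PROFILE):
        shown = "not set" if actual is None else actual
        print(f"{name} = {shown}: {reason}")
```

A parameter that is missing from the profile is reported as "not set" instead of being assumed safe, because its effective value then depends on the kernel default of the release in use.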


If you have a hybrid implementation, meaning that some of your users will be using NWBC for Desktop and others will be using NWBC for HTML to access the same system, then we strongly recommend that you leverage SAP NetWeaver Single Sign-On, as you can implement X.509 and Kerberos for both NWBC types (Desktop and HTML).

For more information on SAP NetWeaver Single Sign-On, please check out the following page on SCN:

http://scn.sap.com/community/netweaver-sso

For more information on SAP NetWeaver Business Client, please check out the following page on SCN:

http://scn.sap.com/community/netweaver-business-client
