Technology Blogs by SAP
frane_milicevic

Why Secure Login Web Client?

Use Case Description

Version 1.0 / November 2013

SAP NetWeaver Single Sign-On 2.0

SAP AG

Introduction

General Information

This document is based on the Online Help (version of 2013-09-27):

http://help.sap.com/nwsso

Central SAP Note for SAP NetWeaver Single Sign-On:

https://service.sap.com/sap/support/notes/1912175

Overview Presentation SAP NetWeaver Single Sign-On:

http://scn.sap.com/docs/DOC-4408

Community Network (SCN) SAP NetWeaver Single Sign-On:

http://scn.sap.com/community/netweaver-sso

Context

SAP NetWeaver Single Sign-On is a software solution created for improving user and IT productivity and for protecting business-critical data in SAP business solutions by means of secure single sign-on to the SAP environment. SAP NetWeaver Single Sign-On provides strong encryption, secure communication, and single sign-on between a wide variety of SAP components.

In a default SAP setup, users enter their SAP user name and password on the SAP GUI logon screen, and these credentials are transferred through the network without encryption.

To secure the network, SAP provides the Secure Network Communications (SNC) interface, which enables users to log on to SAP systems without entering a user name or password. The SNC interface can also direct calls through the Secure Login Library to encrypt all communication between SAP GUI and the SAP server, thus providing secure single sign-on to SAP.

Secure Login, a component of SAP NetWeaver Single Sign-On, allows you to benefit from the advantages of SNC without being obliged to set up a public-key infrastructure (PKI). If a PKI has already been set up, the digital user certificates of that PKI can also be used by Secure Login.

This document describes some use cases and benefits of Secure Login Web Client.

What is Secure Login Web Client?

General Information

Secure Login Web Client is a feature of Secure Login Server. It is a web-based solution for requesting “short-lived” X.509 user certificates based on user authentication (several user repository backend systems are supported). The issued X.509 user certificate can then be used for further user authentication in the SAP landscape.

Secure Login Web Client is not limited to the Microsoft Windows operating system and can also be used on, for example, Mac OS X. It does not require any client installation. In addition, it can be configured which action should be performed after user authentication. The following options are possible:

  • Start an SAP GUI application (e.g. launch SAP GUI for Windows or SAP GUI for Java)
  • Authenticate directly at a specific SAP AS ABAP
  • Start a redirect URL (e.g. redirect to SAP NetWeaver Portal)
  • A combination of actions (e.g. launch SAP GUI and redirect URL)

The X.509 user certificate is placed in the Microsoft Certificate Store (Microsoft Internet Explorer), the Firefox Certificate Store or the Mac OS X Keychain.

For user authentication in Secure Login Web Client, it is possible to provide user name and password, to reuse security tokens (e.g. Kerberos, SAP Logon Tickets or third-party Login Module integration in Application Server Java), or to reuse an existing user authentication in SAP Application Server Java (e.g. SAP NetWeaver Portal). One example is reusing Windows Authentication (Kerberos) to obtain an X.509 user certificate (security token converter).

Secure Login Web Client can help to solve customer requirements in several use cases.
This document describes three use cases:

  1. External Users Scenario
    How to provide secure communication and Single Sign-On for external users
    (e.g. external consultants or partners)?
  2. Kiosk PC Scenario
    How can one Windows client system be shared by several users?
  3. SAP NetWeaver Portal Integration
    How to integrate SAP NetWeaver Portal into a central authentication process?

Secure Login Web Client vs. Secure Login Client

With Secure Login Client the security libraries and other functions and APIs are always available. Secure Login Client communicates with Secure Login Server to receive an X.509 user certificate. Secure Login Client keeps the X.509 user certificate in memory and provides a link to the Microsoft Certificate Store.

With Secure Login Web Client, the security libraries need to be downloaded. Secure Login Web Client actually stores the X.509 user certificate in the Microsoft Certificate Store.

Figure: Secure Login Web Client vs. Secure Login Client

Advantages of Secure Login Web Client

  • No client software installation required
  • Also runs on non-Windows operating systems (e.g. Mac OS X)
  • Integration with Web Access Management Systems (browser integration)
  • Integration with SAP Application Server Java (e.g. reuse authentication in SAP NetWeaver Portal)
  • Request “long term” certificates (stored in Microsoft Certificate Store)

Advantages of Secure Login Client

  • Automatic provisioning of X.509 user certificates during Windows authentication process
  • Flexible security token usage in SAP GUI application (e.g. use of X.509 for confidential systems and using Kerberos for standard systems)
  • Reuse existing PKI infrastructure for SAP GUI applications
  • Native Windows Kerberos support for SAP GUI applications

Secure Login Web Client (Web Adapter Mode)

Secure Login Web Client (Web Adapter Mode) combines the advantages of Secure Login Web Client (browser integration) and Secure Login Client (certificate in memory only).

Figure: Secure Login Web Client vs. Secure Login Web Client (Web Adapter Mode)

Advantages of Secure Login Web Client (Web Adapter Mode)

  • Possible solution for the Kiosk PC scenario (the X.509 certificate is held in memory only, so it is gone after a PC crash and leaves nothing behind on the shared machine)
  • Integration with central Web Access Management Systems
  • Integration with SAP Application Server Java (e.g. reuse authentication in SAP NetWeaver Portal)

Use Case Examples

Scenario with external users

Assuming Secure Login solution is in place to provide Single Sign-On and/or secure communication for the SAP environment, the following questions could occur:

  • What about external users (e.g. external consultants or partners)?
  • Is it necessary to lower the security level for external users (e.g. allow communication without SNC protection)?
  • Is it possible to provide Single Sign-On for external users too?
  • Do we need to force people to install Secure Login Client on external hardware?
  • Is it possible to separate external identities from the company’s user repository?

Figure: Insecure access to the SAP landscape for external users

Secure Login Web Client can be used to provide secure access and Single Sign-On to the SAP landscape. In addition, it is possible to separate the user authentication at Secure Login Web Client from native SAP user authentication: external users can be given access to an SAP Application Server without ever knowing SAP user credentials. The following external user repositories are supported:

  • LDAP Server
  • SAP Application Server (AS ABAP / AS Java)
  • Microsoft Active Directory
  • RADIUS Server (e.g. RSA Authentication Server)

Figure: Secure access using Secure Login Web Client

Key features of this scenario

  • Fulfills security requirements for external users as well
  • Separates external user accounts from the company user repository
    (external users never get “direct” access, i.e. an SAP user name and password, to the SAP landscape)
  • Access restriction for external users
  • Support for non-Windows operating systems (e.g. Mac OS X)

Kiosk PC Scenario

In a kiosk PC scenario, one PC is usually shared by several users. No Windows authentication is performed on this PC. Instead, the internet browser is used to perform user authentication against a central user repository (e.g. a central portal).

Examples for this use case are hospitals or factory production lines, where a fast user switch is very important (easy to use and manage).

User Authentication Workflow

  • Start the internet browser and perform user authentication against the central portal (in the following picture, against Web Access Management)
  • When the user requests an SAP resource (e.g. a web page or an SAP GUI connection), Secure Login Web Client instantly provides an X.509 user certificate
  • The central user authentication is reused by Secure Login Web Client without additional user authentication (login module integration)
  • The X.509 user certificate is used to perform all further authentications to the SAP landscape
  • When the user has finished work, the X.509 user certificate is removed automatically (using the central log-off function or by closing the internet browser)

Figure: Reuse central user authentication in Secure Login Web Client
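The two security properties this document relies on, in the section "What is Secure Login Web Client?" and in the kiosk workflow above, are that the user certificate is issued only after a successful authentication and that it is “short-lived”: a relying party accepts it only inside its validity window, so even if the automatic removal at log-off or browser close does not happen on a shared PC, a leftover certificate stops being usable on its own once the window closes. The following Go program is an added example and not code from SAP or from Secure Login Server; it models the issuing CA, the user certificate and the relying-party check with Go's standard crypto/x509 library. The CA name, the user name, the eight-hour lifetime and the five-minute clock-skew allowance are constructed assumptions, not values from the product.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Issuer stands in for the certificate authority inside Secure Login Server.
// Assumption: the product's real CA profiles and policies are not modelled here.
type Issuer struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
	pool *x509.CertPool // trust anchor used by relying parties
}

// NewIssuer creates a self-signed issuing CA that is valid from one hour before `now`.
func NewIssuer(now time.Time) (*Issuer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Secure Login CA"}, // constructed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &Issuer{cert: cert, key: key, pool: pool}, nil
}

// IssueUserCert is called only after the user has already been authenticated
// (password, Kerberos, portal session, ...). The lifetime is bounded by validFor,
// e.g. one working day, which is what makes the certificate "short-lived".
func (i *Issuer) IssueUserCert(user string, now time.Time, validFor time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	if user == "" || validFor <= 0 {
		return nil, nil, errors.New("authenticated user name and positive lifetime required")
	}
	userKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    now.Add(-5 * time.Minute), // small clock-skew allowance (assumption)
		NotAfter:     now.Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, i.cert, &userKey.PublicKey, i.key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, userKey, nil
}

// VerifyUserCert is what a relying party (e.g. AS ABAP via SNC) does: chain the
// certificate to the trusted issuer and check its validity window at time `at`.
// It returns the authenticated user name on success.
func (i *Issuer) VerifyUserCert(cert *x509.Certificate, at time.Time) (string, error) {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       i.pool,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

func main() {
	now := time.Now()
	ca, err := NewIssuer(now)
	if err != nil {
		panic(err)
	}
	cert, _, err := ca.IssueUserCert("EXTCONSULTANT01", now, 8*time.Hour) // constructed user
	if err != nil {
		panic(err)
	}
	// Inside the window the certificate authenticates the user; after it, it is rejected.
	for _, at := range []time.Time{now.Add(2 * time.Hour), now.Add(9 * time.Hour)} {
		user, err := ca.VerifyUserCert(cert, at)
		fmt.Printf("at +%v: user=%q err=%v\n", at.Sub(now), user, err)
	}
}
```

The check in VerifyUserCert is deliberately the relying party's view: the trust anchor is the issuing CA, not the user, so a certificate from any other issuer is rejected regardless of its subject, and the lifetime is enforced by the verifier's clock, not by the kiosk PC. Operationally this is why a short validity period is a useful defence in depth alongside the automatic removal at log-off.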


Key features of this scenario

  • Reuse central authentication
  • On demand Single Sign-On for SAP landscape
  • Collaboration with Web Access Management System
  • Flexible integration using login module technology in SAP NetWeaver Application Server

SAP NetWeaver Portal Integration

In this scenario, SAP NetWeaver Portal is the central application (landing page) for employees. SAP NetWeaver Portal is used to collect the desired user information at a central point. For this purpose, information is provided from several SAP backend systems (AS ABAP / AS Java) and non-SAP backend systems.

Secure Login Web Client is able to reuse existing SAP NetWeaver Portal user authentication in order to provide an X.509 user certificate. The user needs to authenticate once against the SAP NetWeaver Portal and all subsequent user authentications will be managed using SAP NetWeaver Single Sign-On.

Figure: Reuse SAP NetWeaver Portal user authentication in Secure Login Web Client

Key features of this scenario

  • Reuse SAP NetWeaver Portal authentication
  • On demand Single Sign-On for SAP landscape

Summary

For several use cases the Secure Login component offers different integration scenarios.

  • When should I use Secure Login Client?
    • Access SAP Business Suite using SAP GUI applications or Web GUI (internet browser)
    • Use existing PKI infrastructure (reuse X.509 certificates)
    • Complex integration scenarios (e.g. deciding which security token should be used for which SAP application server)

  • When should I use Secure Login Web Client (Web Adapter Mode)?
    • Intranet integration
    • Central User Authentication using Web GUI (Internet browser)
    • SAP NetWeaver Portal integration

  • When should I use Secure Login Web Client?
    • Provide secure access for external users (e.g. external consultants, support staff, partners, etc.)
    • No software installation possible
    • Solution for non-Windows operating system (e.g. Mac OS X)
    • Provide “long term” certificates
