Advanced users' authentication using contactless ID Tokens (RFID cards)

Former Member
0 Kudos

Good day!

We are going to implement authentication of users in a kiosk by their contactless cards, as described in note 1970286.

But we have a business requirement to make an additional check before login - the user must enter some secret word, password, or private information before he/she is logged in.

So the scenario is:

1) User puts his card to the reader

2) As described in the note he gets a one-time certificate

3) The system shows a window to enter secret word

4) Log in

How can we achieve it? Thanks in advance.

P.S. Login to the ABAP server is through a browser.

Accepted Solutions (1)

former_member200373
Participant
0 Kudos

Hello,

such dual authentication is supported.

We designed the RFID based certificate enrollment to run on a Kiosk PC system with a dedicated Windows Desktop user performing the (unattended) TLS or SPNego authentication to Secure Login Server.

But you can add an interactive JAAS login module to the security policy, e.g. SAP Authenticator or Active Directory/LDAP, to get one more user credential into the certificate enrollment procedure. Your policy may look like this:

Now Secure Login Client & Server are performing...

1. a silent SPNego authentication of the Windows Desktop user,

2. a prompted SAP Authenticator login of the real person in front of the Desktop,

3. an Active Directory identification of the RFID token UID,

and a fresh certificate for the person mapped to this RFID token is issued.

-- Stephan

Former Member
0 Kudos

Hello Stephan, thank you for your answer!

Do your users enter through Java AS? Because the settings of the authentication stack and JAAS are dedicated to Java. And yes, that is what I need, but we have to enhance the login sequence for ABAP AS. Do you have that kind of experience?

Anyway, your answer is helpful :).

Former Member
0 Kudos

Looking deeper into the ABAP authentication, it seems we can select an alternative login sequence for our service in SICF and do something new. It needs some more investigation.

former_member200373
Participant
0 Kudos

The idea of Secure Login (Server) is to use X.509 certificates to log in to AS ABAP, and to define authentication stacks on AS JAVA / SLS to get the desired level of security.

So your short-lived X.509 acts like a strong ticket to AS ABAP, and AS JAVA/SLS is your strong ticket generator.

-- Stephan
