
Kerberos-based Single Sign-on and SAPCRYPTOLIB

In a recent SDN forum posting, there was a discussion about the possibility of implementing Kerberos-based single sign-on (SSO) with a security library that is based on PKI technology, such as SAPCRYPTOLIB.

The key point in such a discussion is of course the definition of “Kerberos-based single sign-on”. In my opinion, the customers’ solution requirement is the ultimate guideline for the definition. What customers usually want, if they look for a Kerberos-based SSO solution, is the ability to leverage an existing Windows infrastructure investment (Windows desktops, Active Directory Servers, Kerberos infrastructure) and to implement a solution that enables employees to use their current user context on the desktop (logged in as Windows domain user) to authenticate to and securely use SAP applications without entering SAP user name and password.

If this is the definition, then it is clearly possible to implement Kerberos-based SSO with a security library, which is based on certificate technology. The key idea is to separate the user authentication (via Kerberos) from the secure access and single sign-on to SAP (via X.509 certificates).
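The separation described above, as an added example that is not code from the original post or from any SAP product: a small gateway written in Go authenticates the user first (the Kerberos step is a constructed stand-in here, since a real gateway would validate a service ticket from the Active Directory KDC) and only then issues a short-lived X.509 client certificate whose subject is the Kerberos principal. The SAP side trusts nothing but the gateway CA, enforces the validity window, and reads the subject name for its user mapping. `SSOGateway`, `NewUserKey`, `IssueClientCert`, `VerifyClientCert` and the ticket and principal values are all assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SSOGateway sits between the Windows desktop and the SAP system: it checks the
// Kerberos authentication and then issues a short-lived X.509 client certificate
// for the SAP logon. The type and its methods are assumptions for this example.
type SSOGateway struct {
	CACert *x509.Certificate
	caKey  *ecdsa.PrivateKey
	serial int64
	// Constructed stand-in for the Kerberos step: a real gateway validates a
	// service ticket issued by the KDC; here an accepted ticket string simply
	// maps to the authenticated principal.
	acceptedTickets map[string]string
}

// NewSSOGateway creates the gateway's private CA (an in-memory, self-signed one).
func NewSSOGateway() (*SSOGateway, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "SSO Gateway CA (example)"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &SSOGateway{CACert: caCert, caKey: caKey, serial: 1,
		acceptedTickets: map[string]string{"ticket-for-jdoe": "jdoe@CORP.EXAMPLE"}}, nil // constructed
}

// NewUserKey is the per-session key pair generated on the desktop; no long-term
// personal certificate is ever stored, only this certificate with a short ttl.
func NewUserKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// IssueClientCert performs the two separated steps: authenticate via the
// (simulated) Kerberos ticket, then issue a certificate that carries the
// Kerberos principal as subject and is valid only for ttl.
func (g *SSOGateway) IssueClientCert(ticket string, userPub *ecdsa.PublicKey, ttl time.Duration) ([]byte, error) {
	principal, ok := g.acceptedTickets[ticket]
	if !ok {
		return nil, errors.New("kerberos authentication failed: ticket not accepted")
	}
	g.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(g.serial),
		Subject:      pkix.Name{CommonName: principal},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, g.CACert, userPub, g.caKey)
}

// VerifyClientCert models the SAP system's side: only the gateway CA is trusted,
// the validity window and client-auth usage are enforced, and the subject name
// is returned for the SAP user mapping. Expired or foreign certificates fail.
func VerifyClientCert(der []byte, trustedCA *x509.Certificate, now time.Time) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	if _, err := cert.Verify(x509.VerifyOptions{
		Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}); err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

func main() {
	gw, err := NewSSOGateway()
	if err != nil {
		panic(err)
	}
	userKey, _ := NewUserKey()
	der, err := gw.IssueClientCert("ticket-for-jdoe", &userKey.PublicKey, 10*time.Minute)
	if err != nil {
		panic(err)
	}
	user, err := VerifyClientCert(der, gw.CACert, time.Now())
	fmt.Println("SAP sees user:", user, "err:", err)
	_, err = VerifyClientCert(der, gw.CACert, time.Now().Add(time.Hour))
	fmt.Println("one hour later:", err) // expired: the short-lived certificate is not reusable
}
```

The point to notice is that the SAP system never sees a Kerberos ticket at all; it only verifies a certificate chain against one trusted issuer, which is why the same verification code would accept a certificate issued after any other authentication method the gateway supports.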

Now, some people may ask why client certificates should be used “under the hood” for the sign-on to SAP when the authentication is done via Kerberos. Doesn’t this add complexity, compared to other Kerberos solutions? Not necessarily – such a solution can be set up in minutes. We are not talking about a company-wide PKI here, but about a software solution which uses certificate technology for one specific purpose (SSO and session encryption) and which thus can abstract from the complexities of managing long-term personal certificates. The key point, however, is that such a solution has many advantages when it comes to non-functional criteria:

  • openness of the solution to involve business partners
  • flexible authentication choices
  • no restrictions in terms of domains or user mappings
  • finer granularity of authentication possible
  • ready for E-SOA
  • no vendor- or technology lock-in
  • extensibility
  • and lower total cost of ownership

If any of these criteria are important to you, then a solution that implements Kerberos-based SSO on top of X.509 certificate-based technology is the right choice.

So, yes, Kerberos-based SSO with a PKI-based security library is possible. It’s easy to implement. And you can use a technology that is compatible with SAPCRYPTOLIB, which you may already use on your SAP systems. But most of all, you are not locked in to a specific authentication technology and are prepared for future SAP technologies to come.
