Skip to Content

The following article lists the details of the new features and changes in SAP NetWeaver Single Sign-On 2.0.


Single Sign-On Based on Kerberos

SPNEGO for SAP NetWeaver Application Server ABAP

Windows Kerberos authentication using web interface of SAP NetWeaver Application Server ABAP.

  • Supported versions of SAP NetWeaver Application Server

Secure Login Client

Client application which uses existing or provides new security tokens (Kerberos and X.509) for a variety of applications.

  • Installer based on SAP setup
    • Now uses SAP standard installation engine now
    • Allows for integration into SAP GUI installation packages
  • Enhanced platform support
    • Windows 8, Windows Server 2012 (WTS, CITRIX).
  • Additional languages
    • EN, DE, JP, FR, PT, RU, ZH, ES
  • Accessability support
    • High contrast, screen reader, keyboard navigation, tool tips

Secure Login Library

Cryptography and Security Library for SAP NetWeaver ABAP.

  • Performance improvement
    • Optional use of INTEL AES-NI (hardware encryption) on Microsoft Windows and Linux platforms
  • Command line tools redesigned


Single Sign-On Based on X.509 Certificates

Secure Login Client

Client application which uses existing or provides new security tokens (Kerberos and X.509) for a variety of applications.

  • Enhanced integration with SAP NetWeaver Business Client
  • Installer based on SAP setup
    • Using SAP standard installation engine now
    • Allow to integrate into SAP GUI installation packages
  • Enhanced platform support
    • Windows 8, Windows Server 2012 (WTS, CITRIX).
  • Additional languages
    • EN, DE, JP, FR, PT, RU, ZH, ES
  • Accessability support
    • High contrast, screen reader, keyboard navigation, tool tips

Secure Login Server

Central service running on SAP NetWeaver JAVA which provides X.509v3 certificates to users and application servers.

  • Enhanced authentication mechanism
    • Login modules provided by the AS Java can be used for authentication
  • Secure Login administration console in WebDynpro
    • Completely redesigned UI based on SAP NetWeaver standards
    • Additional languages
      • EN, DE, JP, FR, PT, ZH, RU
  • Deeper integration into SAP NetWeaver stack
    • Integrate into SAP NetWeaver key and certificate store
    • Integrate into SAP NetWeaver logs and traces
    • Integrate into SAP NetWeaver configuration
    • Benefit from standard NetWeaver tools and features like backup and restore, high availability and clustering, monitoring
  • Improved X.509 attribute configuration
    • Selected LDAP attributes can be used
    • Enhanced mapping options in certificates (example Subject Alternative Names)
  • X.509 user certificate propagation to UME
    • Store issued user certificates in SAP NetWeaver UME entry of respective user
  • X.509 compliance enhancement
    • Store user certification requests and issued user certificates in file system
  • Enhanced group profile configuration for Secure Login Client
    • Define arbitrary groups of client authentication profiles; these groups can be assigned to different users
  • PKI migration wizard
    • Import certificates and keys from Secure Login Server 1.0
  • Secure Login Web Client
    • Apple key chain support on Mac OS X
    • Enhanced browser support
      • Mozilla Firefox 17 ESR, Microsoft Internet Explorer 10
    • Enhanced platform support
      • Windows 8, Windows Server 2012, Mac OS X 10.7/10.8
    • Web adapter (Web Client interface to Secure Login Client)
      • Secure Login Client manages certifcate requests
    • Reuse of SAP NetWeaver Portal authentication
      • Seamless and silent integration of Web Client or Web Adapter into the SAP NetWeaver Portal
  • Re-certification of RSA SecurID Authentication

Secure Login Library

Cryptography and Security Library for SAP NetWeaver ABAP.

  • Performance improvement
    • Optional use of INTEL AES-NI (hardware encryption) on Microsoft Windows and Linux platforms
  • Command line tools redesigned
  • ABAP STRUST compatibility
    • Enhanced PSE management
    • Better support of STRUST PSE files and credentials


Single Sign-On Based on SAML

Identity Provider

Central service running on SAP NetWeaver JAVA which provides SAML 2.0 tokens for Web-based Single Sign-On.

  • Full IDP proxy support
    • See the IDP blog for details. It includes also a link to the IDP implementation guide which provides further information
  • SCIM support
    • Cloud to on-premise user connector
    • See the SCIM blog for details
  • Support of pluggable attribute providers
    • Used to add assertion attributes that are not based on UME user attributes, groups or roles
    • See the IDP blog for details

 

Application Server Java / Identity Provider

  • Enhanced SAML 2.0 identity federation
  • High-performance Service Provider & Identity Provider
    • Significant improvement for both SP & IDP
    • See the IDP blog for details


 

Single Sign-On Based on UserID/Password

Password Manager

Single Sign-On based on user ID and password.

  • New product name
    • The name of the component “Enterprise Single Sign-On” has been changed to “Password Manager”
  • Feature enhancements
    • New UI design
    • New categories of data that can be securely stored (notes, credit card details, and identities) including live search across all categories
    • New mechanism for web site registration
    • Basic authentication support, and support for more uncommon login triggers
    • New encryption mechanism and XML-based format for the password store
    • Built-in password generator
  • TCO reduction
    • SAP setup installer (attended/unattended installation)
  • Enhanced platform support
    • Windows 8 (desktop/classic mode only)
    • Enhanced browser support:
      • Mozilla Firefox 17 ESR
      • Microsoft Internet Explorer 10 (Windows 8 only)
  • Additional languages
    • EN, DE, JP, FR, PT, RU, ZH, ES


General

  • FIPS 140-2 certification for crypto kernel
    • Certification process is on going
    • See the FIPS blog for more details
To report this post you need to login first.

7 Comments

You must be Logged on to comment or reply to a post.

  1. Isvarya Kumar Bolisetti

    Hi Jens,

    Thanks for the details.

    Is SSO using SAML based authentication for “SAPGUI Windows” supported now?I am looking for an SSO in cloud environment for ABAP systems with SAPGUI on windows based access.

    Best Regards,

    Isvarya

    (0) 
    1. Jens Koster Post author

      Hi Isvarya,

      SAML 2.0 is not supported through the SAPGUI network protocol.

      However, you could use the Secure Login Server to issue X.509 certificates for authentication using SAPGUI.

      You can also configure the Secure Login Server to use SAML 2 tokens to “convert” that into a certificate.

      Regards,
      Jens

      (0) 
  2. Felipe Madruga

    Hello,

    I understood that SAP NW SSO 2 includes an IdP and a STS.

    However, consider that I already have an IdP, let’s say that is Microsoft ADFS.

    Just to enable a SAP Netweaver Gateway to accept tokens issued by my IdP, I need licensing for SAP NW SSO? What is the lowest version that allow this configuration?

    Regards,

    Felipe

    (0) 
  3. Eduardo Silva

    Hi Jens,

    Im implementing the ssl 2.0 Kerberos in Linux x86_64 and find me configuring the keytab sapgenpse but when I try to list the sapgenpse commands -h does not show any keytab command.

    Any idea why this error?

    Best Regards

    Eduardo

    (0) 

Leave a Reply