Why Secure Login Web Client?
Use Case Description
Version 1.0 / November 2013
SAP NetWeaver Single Sign-On 2.0
SAP AG
Introduction
General Information
This document is based on the Online Help (Version from 2013-09-27):
Central SAP Note SAP NetWeaver Single Sign-On:
https://service.sap.com/sap/support/notes/1912175
Overview Presentation SAP NetWeaver Single Sign-On:
http://scn.sap.com/docs/DOC-4408
Community Network (SCN) SAP NetWeaver Single Sign-On:
http://scn.sap.com/community/netweaver-sso
Context
SAP NetWeaver Single Sign-On is a software solution created specifically to improve user and IT productivity and to protect business-critical data in SAP business solutions by means of secure single sign-on to the SAP environment. SAP NetWeaver Single Sign-On provides strong encryption, secure communication, and single sign-on between a wide variety of SAP components.
In a default SAP setup, users enter their SAP user name and password on the SAP GUI logon screen. SAP user names and passwords are transferred through the network without encryption.
To secure networks, SAP provides a “Secure Network Communications” interface (SNC) that enables users to log on to SAP systems without entering a user name or password. The SNC interface can also direct calls through the Secure Login Library to encrypt all communication between SAP GUI and the SAP server, thus providing secure single sign-on to SAP.
Secure Login, a component of SAP NetWeaver Single Sign-On, allows you to benefit from the advantages of SNC without being obliged to set up a public-key infrastructure (PKI). If a PKI has already been set up, the digital user certificates of that PKI can also be used by Secure Login.
This document describes some use cases and benefits of Secure Login Web Client.
What is Secure Login Web Client?
General Information
Secure Login Web Client is a feature of Secure Login Server. It is a web-based solution for requesting “short-lived” X.509 user certificates based on user authentication (several user repository backend systems are supported). This X.509 user certificate can then be used for further user authentication in the SAP landscape.
Secure Login Web Client is not limited to the Microsoft Windows operating system and can also be used on, for example, Mac OS X. It does not require any client installation. In addition, it can be defined what kind of action should be performed after user authentication. The following options are possible:
- Start SAP GUI application (e.g. launch SAP GUI for Windows or SAP GUI for Java)
- Directly authenticate at a specific SAP AS ABAP
- Start redirect URL (e.g. redirect to SAP NetWeaver Portal)
- Combination of actions (e.g. launch SAP GUI and redirect URL)
An X.509 user certificate will be provided to the Microsoft Certificate Store (Microsoft Internet Explorer), Firefox Certificate Store or Mac OS X Keychain.
In terms of user authentication in Secure Login Web Client, it is possible to provide username and password, reuse security tokens (e.g. Kerberos, SAP Logon Tickets or 3rd party Login Module integration in Application Server Java) or reuse existing user authentication in SAP Application Server Java (e.g. SAP NetWeaver Portal). One example could be to reuse Windows Authentication (Kerberos) to get an X.509 user certificate (security token converter).
Secure Login Web Client can help to solve customer requirements for several use cases.
This document describes 3 use cases:
- Scenario External Users: How to provide secure communication and Single Sign-On with external users (e.g. external consultants or partners)?
- Kiosk PC Scenario: How can one Windows client system be shared with several users?
- SAP NetWeaver Portal Integration: How to integrate SAP NetWeaver Portal into the central authentication process?
Secure Login Web Client vs. Secure Login Client
With Secure Login Client the security libraries and other functions and APIs are always available. Secure Login Client communicates with Secure Login Server to receive an X.509 user certificate. Secure Login Client keeps the X.509 user certificate in memory and provides a link to the Microsoft Certificate Store.
With Secure Login Web Client, the security libraries need to be downloaded. Secure Login Web Client actually stores the X.509 user certificate in the Microsoft Certificate Store.
Figure: Secure Login Web Client vs. Secure Login Client
Advantages of Secure Login Web Client
- No client software installation required
- Runs also on non-Windows operating system (e.g. Mac OS X)
- Integration with Web Access Management Systems (browser integration)
- Integration with SAP Application Server Java (e.g. reuse authentication in SAP NetWeaver Portal)
- Request “long term” certificates (stored in Microsoft Certificate Store)
Advantages of Secure Login Client
- Automatic provisioning of X.509 user certificates during Windows authentication process
- Flexible security token usage in SAP GUI application (e.g. use of X.509 for confidential systems and using Kerberos for standard systems)
- Reuse existing PKI infrastructure for SAP GUI applications
- Native Windows Kerberos support for SAP GUI applications
Secure Login Web Client (Web Adapter Mode)
Secure Login Web Client (Web Adapter Mode) combines the advantages of Secure Login Web Client (browser integration) and Secure Login Client (certificate in memory only).
Figure: Secure Login Web Client vs. Secure Login Web Client (Web Adapter Mode)
Advantages of Secure Login Web Client (Web Adapter Mode)
- Possible solution for Kiosk PC scenario (e.g. in case of a PC crash, X.509 certificate will be destroyed)
- Integration with central Web Access Management Systems
- Integration with SAP Application Server Java (e.g. reuse authentication in SAP NetWeaver Portal)
Use Case Examples
Scenario with external users
Assuming Secure Login solution is in place to provide Single Sign-On and/or secure communication for the SAP environment, the following questions could occur:
- What about external users (e.g. external consultants or partners)?
- Is it required to decrease security level for external users (e.g. allow no secure communication)?
- Is it possible to provide Single Sign-On for external users too?
- Do we need to force people to install Secure Login Client on external hardware?
- Is it possible to separate external identities from company’s user repository?
Figure: Insecure access to SAP Landscape for external users
- LDAP Server
- SAP Application Server (AS ABAP / AS Java)
- Microsoft Active Directory
- RADIUS Server (e.g. RSA Authentication Server)
Figure: Secure access using Secure Login Web Client
Key features of this scenario
- Fulfills security requirements also for external users
- Separate external user accounts from company user repository
- External users never get “direct” access (SAP Username and Password) to SAP Landscape
- Access restriction for external users
- Support for non-Windows operating system (e.g. Mac OS X)
Kiosk PC Scenario
In a kiosk PC scenario, one piece of hardware is usually shared between several users. No Windows authentication is performed on this PC. The internet browser is used to perform user authentication against a central user repository (e.g. a central portal).
Examples of this use case are hospitals or factory production lines, where a fast user switch is very important (easy to use and manage).
User Authentication Workflow
- Start the internet browser and perform user authentication against the central portal (in the following picture against Web Access Management)
- When the user requests an SAP resource (e.g. a web page or an SAP GUI connection), Secure Login Web Client instantly provides an X.509 user certificate
- The central user authentication can be reused in Secure Login Web Client without additional user authentication (login module integration)
- The X.509 user certificate is used to perform further authentications to the SAP landscape
- When the user has finished work, the X.509 user certificate is removed automatically (using the central log-off function or by closing the internet browser application)
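The short-lived user certificate that this workflow relies on, shown as an added example in Go that is not SAP's code and not part of the original document: a constructed issuing CA standing in for the Secure Login Server signs a user certificate for exactly the configured validity period (the "Validity Period" of Secure Login Server), and a relying-party check shows the certificate is accepted inside that window and rejected afterwards. The names NewCA, IssueUserCert and AcceptedAt, the CA name and the serial numbers are this example's own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign generates a fresh key pair for tmpl and has parent sign it; a nil parentKey means self-signed.
func sign(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA is a constructed stand-in for the issuing CA of a Secure Login Server (not SAP's code).
func NewCA() (*x509.Certificate, ed25519.PrivateKey, error) {
	return sign(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Secure Login CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
}

// IssueUserCert runs only after central authentication succeeded; the certificate lives for validity, not longer.
func IssueUserCert(ca *x509.Certificate, caKey ed25519.PrivateKey, user string, validity time.Duration) (*x509.Certificate, error) {
	cert, _, err := sign(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: user}, // constructed serial
		NotBefore: time.Now(), NotAfter: time.Now().Add(validity), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, ca, caKey)
	return cert, err
}

// AcceptedAt is the relying party's check: chain to the trusted CA and be inside the validity window at t.
func AcceptedAt(ca, cert *x509.Certificate, t time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: t, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}
```

The validity period bounds how long a certificate left behind in a certificate store stays usable if the log-off step at the end of the workflow is skipped, which is why a short period matters on a shared kiosk PC.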
Figure: Reuse central user authentication in Secure Login Web Client
Key features of this scenario
- Reuse central authentication
- On demand Single Sign-On for SAP landscape
- Collaboration with Web Access Management System
- Flexible integration using login module technology in SAP NetWeaver Application Server
SAP NetWeaver Portal Integration
In this scenario, SAP NetWeaver Portal is the central application (landing page) for employees. SAP NetWeaver Portal is used to collect the desired user information at a central point. For this purpose, information is provided from several SAP backend systems (AS ABAP / AS Java) and non-SAP backend systems.
Secure Login Web Client is able to reuse existing SAP NetWeaver Portal user authentication in order to provide an X.509 user certificate. The user needs to authenticate once against the SAP NetWeaver Portal and all subsequent user authentications will be managed using SAP NetWeaver Single Sign-On.
Figure: Reuse SAP NetWeaver Portal user authentication in Secure Login Web Client
Key features of this scenario
- Reuse SAP NetWeaver Portal authentication
- On demand Single Sign-On for SAP landscape
Summary
For several use cases the Secure Login component offers different integration scenarios.
- When should I use Secure Login Client?
  - Access SAP Business Suite using SAP GUI applications or Web GUI (internet browser)
  - Use existing PKI infrastructure (reuse X.509 certificates)
  - Complex integration scenarios (e.g. deciding which security token should be used for which SAP Application Server)
- When should I use Secure Login Web Client (Web Adapter Mode)?
  - Intranet integration
  - Central user authentication using Web GUI (internet browser)
  - SAP NetWeaver Portal integration
- When should I use Secure Login Web Client?
  - Provide secure access for external users (e.g. external consultants, support staff, partners, etc.)
  - No software installation possible
  - Solution for non-Windows operating systems (e.g. Mac OS X)
  - Provide “long term” certificates
Nice article. Just one clarification.
As per the SAP Implementation Guide and also from the General Information section of this blog, it says that Secure Login Web Client is a web-based solution for requesting “short-lived” X.509 user certificates.
But in the summary it is mentioned it can provide "long term" certificates?
Can you please explain how can the web client request long term certificate. As per my understanding SLS can provide only short term user certificate and long term server certificate.
Thanks
Sanath
Hi Sanath,
you are right, the main target of Secure Login Server is to provide short lived X.509 user certificates. But it is possible to create "long term" certificates too (check the parameter Validity Period).
Best regards,
Frane
Can we use web client for Mobile device integration. We want to integrate SAP Portal to be accessed from Mobile. We have already implemented SLC for laptops and desktop for Portal and ABAP system integration.
Now we need to integrate Mobile apps for accessing SAP portal. Can web client be used for this?
Thanks
Sanath
Hi Sanath,
this is not possible because the existing Web Client relies on native components that are not available for a mobile device. We plan to provide a solution that will allow you to load certificates into a mobile device similar to how SLC does it for the desktop. However, the different mobile platforms (iOS, Android, ...) do things their own way, so not all mobile devices will be supported on the same level. Could you provide some information about your infrastructure, like the operating system of the devices, whether they are managed, whether access is done from the internet or intranet, ...?
Thanks!
Best regards,
Christian
Hi Frane Milicevic,
Nice documentation, just have one doubt: does X.509 certification allow single sign-on for non-SAP applications like Oracle Fusion (on Cloud)?
Thanks & Regards,
Krishan Kumar
Hi Kumar,
yes, if Oracle Fusion supports X.509 technology.
Typically a wide range of applications supports certificates (a well-known technology for decades).
Best regards,
Frane
Hi Frane,
Until some days ago I was confused about how to implement SSO 3.0. After carefully reading the documentation I was able to configure SSO for SAP GUI using X.509 certificates authenticating against an LDAP provider. It's working perfectly.
The same configuration I did for SAP GUI is working for SAP WEBGUI (via https) but with some details:
1. The client log-in must be done via right-clicking on the SSO-client option "log on" before opening the browser, and the client log-out must be done via right-clicking on the SSO-client option "log off" after closing the browser;
2. The X.509 certificate is still valid if the browser session is finished without right-clicking on the SSO-client option "log out" (it's my big concern).
My question to you is about this post.
It seems that my WEBGUI access can be replaced if I configure the "Secure Login Web Client" but I can't understand the documentation provided by the Installation Guide. I spent many hours reading/configuring/re-configuring and nothing concrete was done. Do you have an example (step-by-step) on how to configure it or a link I can follow?
Thanks in advance!
Best Regards,
Rinaldo Zonzini
Hi All,
Do you have any document/SAP Note to achieve SSO for the Kiosk PC Scenario? We have a similar kind of requirement.
Thanks & Regards,
Suneel
Hi Suneel,
for this scenario we offer for example user identification with RFID tokens, as documented at
https://help.sap.com/viewer/df185fd53bb645b1bd99284ee4e4a750/3.0/en-US/e0f4ef5c6ba648fc9f210e16abee76f3.html
Best regards,
Christian