
Why Secure Login Web Client?

Use Case Description


Version 1.0 / November 2013

SAP NetWeaver Single Sign-On 2.0

SAP AG


Introduction

General Information

This document is based on the Online Help (Version from 2013-09-27):

http://help.sap.com/nwsso


Central SAP Note SAP NetWeaver Single Sign-On:

https://service.sap.com/sap/support/notes/1912175


Overview Presentation SAP NetWeaver Single Sign-On:

http://scn.sap.com/docs/DOC-4408


Community Network (SCN) SAP NetWeaver Single Sign-On:

http://scn.sap.com/community/netweaver-sso


Context

SAP NetWeaver Single Sign-On is a software solution created to improve user and IT productivity and to protect business-critical data in SAP business solutions by means of secure single sign-on to the SAP environment. SAP NetWeaver Single Sign-On provides strong encryption, secure communication, and single sign-on between a wide variety of SAP components.

In a default SAP setup, users enter their SAP user name and password on the SAP GUI logon screen. SAP user names and passwords are transferred through the network without encryption.

To secure networks, SAP provides a “Secure Network Communications” interface (SNC) that enables users to log on to SAP systems without entering a user name or password. The SNC interface can also direct calls through the Secure Login Library to encrypt all communication between SAP GUI and the SAP server, thus providing secure single sign-on to SAP.

Secure Login, a component of SAP NetWeaver Single Sign-On, allows you to benefit from the advantages of SNC without being obliged to set up a public-key infrastructure (PKI). If a PKI has already been set up, the digital user certificates of that PKI can also be used by Secure Login.

This document describes some use cases and benefits of Secure Login Web Client.

What is Secure Login Web Client?

General Information

Secure Login Web Client is a feature of Secure Login Server. It is a web-based solution for requesting “short-lived” X.509 user certificates based on user authentication (several user repository backend systems are supported). This X.509 user certificate can then be used for further user authentication in the SAP landscape.

Secure Login Web Client is not limited to the Microsoft Windows operating system and can also be used on, for example, Mac OS X. It does not require any client installation. In addition, the action to be performed after user authentication can be configured. The following options are possible:

  • Start an SAP GUI application (e.g. launch SAP GUI for Windows or SAP GUI for Java)
  • Authenticate directly at a specific SAP AS ABAP
  • Start a redirect URL (e.g. redirect to SAP NetWeaver Portal)
  • Combination of actions (e.g. launch SAP GUI and redirect URL)

The X.509 user certificate is provided to the Microsoft Certificate Store (Microsoft Internet Explorer), the Firefox Certificate Store or the Mac OS X Keychain.

For user authentication, Secure Login Web Client can accept a user name and password, reuse security tokens (e.g. Kerberos, SAP Logon Tickets or third-party Login Module integration in Application Server Java), or reuse an existing user authentication in SAP Application Server Java (e.g. SAP NetWeaver Portal). One example is reusing Windows authentication (Kerberos) to obtain an X.509 user certificate (security token converter).
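As an added example (not part of the original document and not SAP's own code), the following Go program models the certificate lifecycle described above: an issuing CA standing in for Secure Login Server, issuance of a short-lived client-authentication certificate once the user has authenticated, and the check a relying system should apply, which verifies the chain, rejects expired certificates, and also rejects certificates whose validity period exceeds the short-lived policy. The CA name, user name and lifetimes are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// sign creates a certificate from tmpl; parent == tmpl yields a self-signed CA.
func sign(tmpl, parent *x509.Certificate, pub any, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// NewCA builds the issuing CA that Secure Login Server would hold (constructed for this example).
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "Example Secure Login CA"}, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0)}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}
// IssueUserCert is the server side: after logon, sign a client-auth user certificate for the requested lifetime.
func IssueUserCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, user string,
	notBefore time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: user}, NotBefore: notBefore, NotAfter: notBefore.Add(lifetime),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return sign(tmpl, ca, &userKey.PublicKey, caKey)
}
// CheckUserCert is what the relying SAP system should do at logon time now: reject a validity
// window longer than maxLifetime (short-lived policy), then verify the chain; expired certs fail there.
func CheckUserCert(cert *x509.Certificate, roots *x509.CertPool, now time.Time, maxLifetime time.Duration) error {
	if cert.NotAfter.Sub(cert.NotBefore) > maxLifetime {
		return errors.New("validity period exceeds short-lived policy")
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
```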

Secure Login Web Client can help to meet customer requirements in several use cases.
This document describes 3 of them:

  1. Scenario External Users
    How to provide secure communication and Single Sign-On with external users
    (e.g. external consultants or partners)?
  2. Kiosk PC Scenario
    How can one Windows client system be shared with several users?
  3. SAP NetWeaver Portal Integration
    How to integrate SAP NetWeaver Portal into central authentication process?

Secure Login Web Client vs. Secure Login Client

With Secure Login Client the security libraries and other functions and APIs are always available. Secure Login Client communicates with Secure Login Server to receive an X.509 user certificate. Secure Login Client keeps the X.509 user certificate in memory and provides a link to the Microsoft Certificate Store.

With Secure Login Web Client, the security libraries need to be downloaded. Secure Login Web Client actually stores the X.509 user certificate in the Microsoft Certificate Store.

Figure: Secure Login Web Client vs. Secure Login Client


Advantages of Secure Login Web Client

  • No client software installation required
  • Also runs on non-Windows operating systems (e.g. Mac OS X)
  • Integration with Web Access Management Systems (browser integration)
  • Integration with SAP Application Server Java (e.g. reuse authentication in SAP NetWeaver Portal)
  • Request “long term” certificates (stored in Microsoft Certificate Store)

Advantages of Secure Login Client

  • Automatic provisioning of X.509 user certificates during Windows authentication process
  • Flexible security token usage in SAP GUI application (e.g. use of X.509 for confidential systems and using Kerberos for standard systems)
  • Reuse existing PKI infrastructure for SAP GUI applications
  • Native Windows Kerberos support for SAP GUI applications


Secure Login Web Client (Web Adapter Mode)

Secure Login Web Client (Web Adapter Mode) combines the advantages of Secure Login Web Client (browser integration) and Secure Login Client (certificate in memory only).

Figure: Secure Login Web Client vs. Secure Login Web Client (Web Adapter Mode)

Advantages of Secure Login Web Client (Web Adapter Mode)

  • Possible solution for the kiosk PC scenario (the X.509 certificate is held in memory only, so it is destroyed e.g. if the PC crashes)
  • Integration with central Web Access Management Systems
  • Integration with SAP Application Server Java (e.g. reuse authentication in SAP NetWeaver Portal)

Use Case Examples

Scenario with external users

Assuming a Secure Login solution is in place to provide Single Sign-On and/or secure communication for the SAP environment, the following questions could arise:

  • What about external users (e.g. external consultants or partners)?
  • Is it necessary to lower the security level for external users (e.g. allow unsecured communication)?
  • Is it possible to provide Single Sign-On for external users too?
  • Do we need to force people to install Secure Login Client on external hardware?
  • Is it possible to separate external identities from company’s user repository?

Figure: Insecure access to SAP landscape for external users


Secure Login Web Client can be used to provide secure access and Single Sign-On to the SAP landscape. In addition, it is possible to separate external user authentication from native SAP user authentication, so that external users can access the SAP Application Server without ever knowing SAP user credentials. The following external user repositories are supported:

  • LDAP Server
  • SAP Application Server (AS ABAP / AS Java)
  • Microsoft Active Directory
  • RADIUS Server (e.g. RSA Authentication Server)

Figure: Secure access using Secure Login Web Client

Key features of this scenario

  • Fulfils security requirements for external users as well
  • Separates external user accounts from the company user repository:
    external users never get “direct” access (SAP user name and password) to the SAP landscape
  • Access restriction for external users
  • Support for non-Windows operating systems (e.g. Mac OS X)

Kiosk PC Scenario

In a kiosk PC scenario, one PC is usually shared between several users. No Windows authentication is performed on this PC. The internet browser is used to perform user authentication against a central user repository (e.g. a central portal).

Examples of this scenario are hospitals or factory production lines, where fast user switching is very important (easy to use and manage).


User Authentication Workflow

  • Start the internet browser and perform user authentication against the central portal (in the following picture against Web Access Management)
  • When the user requests an SAP resource (e.g. a web page or an SAP GUI connection), Secure Login Web Client instantly provides an X.509 user certificate
  • The central user authentication is reused in Secure Login Web Client without additional user authentication (login module integration)
  • The X.509 user certificate is used to perform further authentications to the SAP landscape
  • When the user has finished work, the X.509 user certificate is removed automatically (by the central log-off function or by closing the internet browser)

Figure: Reuse central user authentication in Secure Login Web Client


Key features of this scenario

  • Reuse central authentication
  • On demand Single Sign-On for SAP landscape
  • Collaboration with Web Access Management System
  • Flexible integration using login module technology in SAP NetWeaver Application Server

SAP NetWeaver Portal Integration

In this scenario, SAP NetWeaver Portal is the central application (landing page) for employees. It is used to collect the desired user information at a central point; this information is provided by several SAP backend systems (AS ABAP / AS Java) and non-SAP backend systems.

Secure Login Web Client is able to reuse existing SAP NetWeaver Portal user authentication in order to provide an X.509 user certificate. The user needs to authenticate once against the SAP NetWeaver Portal and all subsequent user authentications will be managed using SAP NetWeaver Single Sign-On.

Figure: Reuse SAP NetWeaver Portal user authentication in Secure Login Web Client

Key features of this scenario

  • Reuse SAP NetWeaver Portal authentication
  • On demand Single Sign-On for SAP landscape

Summary

The Secure Login component offers different integration scenarios for the various use cases.

  • When should I use Secure Login Client?
    • Access SAP Business Suite using SAP GUI applications or Web GUI (internet browser)
    • Use existing PKI infrastructure (reuse X.509 certificates)
    • Complex integration scenarios (e.g. deciding which security token should be used for which SAP Application Server)

  • When should I use Secure Login Web Client (Web Adapter Mode)?
    • Intranet integration
    • Central User Authentication using Web GUI (Internet browser)
    • SAP NetWeaver Portal integration

  • When should I use Secure Login Web Client?
    • Provide secure access for external users (e.g. external consultants, support staff, partners, etc.)
    • No software installation possible
    • Solution for non-Windows operating system (e.g. Mac OS X)
    • Provide “long term” certificates


7 Comments


  1. Sanath Periyadka

    Nice article. Just one clarification.

    As per the SAP Implementation Guide and also from the General Information section of this blog, it says that Secure Login Web Client is a web-based solution for requesting “short-lived” X.509 user certificates.

    But in summary it is mentioned it can provide “long term” certificate?

    Can you please explain how the web client can request a long term certificate? As per my understanding, SLS can provide only short term user certificates and long term server certificates.

    Thanks

    Sanath

    1. Frane Milicevic Post author

      Hi Sanath,

      you are right, the main target of Secure Login Server is to provide short lived X.509 user certificates. But it is possible to create “long term” certificates too (check the parameter Validity Period).

      Best regards,

      Frane

  2. Sanath Periyadka

    Can we use the web client for mobile device integration? We want to integrate SAP Portal to be accessed from mobile. We have already implemented SLC for laptops and desktops for Portal and ABAP system integration.

    Now we need to integrate Mobile apps for accessing SAP portal. Can web client be used for this?

    Thanks

    Sanath

    1. Christian Cohrs

      Hi Sanath,

      this is not possible because the existing Web Client relies on native components that are not available for a mobile device. We plan to provide a solution that will allow you to load certificates into a mobile device similar to how SLC does it for the desktop. However, the different mobile platforms (iOS, Android, ...) do things their own way, so not all mobile devices will be supported on the same level. Could you provide some information about your infrastructure, like the operating system of the devices, whether they are managed, whether access is done from internet or intranet, ...?

      Thanks!

      Best regards,

      Christian

  3. KRISHAN KUMAR

    Hi Frane Milicevic,

    Nice documentation, I just have one doubt: does X.509 certification allow single sign-on for non-SAP applications like Oracle Fusion (On Cloud)?

    Thanks & Regards,

    Krishan Kumar

    1. Frane Milicevic Post author

      Hi Kumar,

      yes, if Oracle Fusion supports X.509 technology.
      Typically a wide range of applications supports certificates (well known technology since decades).

      Best regards,

      Frane

  4. BASIS TIVIT

    Hi Frane,

    Until some days ago I was confused about how to implement SSO 3.0. After carefully reading the documentation I was able to configure SSO for SAP GUI using X.509 certificates authenticating against an LDAP provider. It’s working perfectly.

    The same configuration I did for SAP GUI is working for SAP WEBGUI (via https) but with some details:

    1. the client login must be done via right-clicking on the SSO-client option “log on” before opening the browser, and the client logout must be done via right-clicking on the SSO-client option “log off” after closing the browser;

    2. the X.509 certificate is still valid if the browser session is finished without right-clicking on the SSO-client option “log off” (it’s my big concern).

    My question to you is about this post.

    It seems that my WEBGUI access can be replaced if I configure the “Secure Login Web Client” but I can’t understand the documentation provided by the Installation Guide. I spent many hours reading/configuring/re-configuring and nothing concrete was done. Do you have an example (step-by-step) on how to configure it or a link I can follow?

    Thanks in advance!

    Best Regards,

    Rinaldo Zonzini
