Why Secure Login Web Client?
Use Case Description
Version 1.0 / November 2013
SAP NetWeaver Single Sign-On 2.0
SAP AG
This document is based on the Online Help (Version from 2013-09-27):
Central SAP Note SAP NetWeaver Single Sign-On:
https://service.sap.com/sap/support/notes/1912175
Overview Presentation SAP NetWeaver Single Sign-On:
http://scn.sap.com/docs/DOC-4408
Community Network (SCN) SAP NetWeaver Single Sign-On:
http://scn.sap.com/community/netweaver-sso
SAP NetWeaver Single Sign-On is a software solution created to improve user and IT productivity and to protect business-critical data in SAP business solutions by means of secure single sign-on to the SAP environment. SAP NetWeaver Single Sign-On provides strong encryption, secure communication, and single sign-on across a wide variety of SAP components.
In a default SAP setup, users enter their SAP user name and password on the SAP GUI logon screen. SAP user names and passwords are transferred through the network without encryption.
To secure networks, SAP provides a “Secure Network Communications” interface (SNC) that enables users to log on to SAP systems without entering a user name or password. The SNC interface can also direct calls through the Secure Login Library to encrypt all communication between SAP GUI and the SAP server, thus providing secure single sign-on to SAP.
Secure Login, a component of SAP NetWeaver Single Sign-On, allows you to benefit from the advantages of SNC without being obliged to set up a public-key infrastructure (PKI). If a PKI has already been set up, Secure Login can also use the PKI's digital user certificates.
This document describes some use cases and benefits of Secure Login Web Client.
Secure Login Web Client is a feature of Secure Login Server. It is a web-based solution for requesting “short-lived” X.509 user certificates based on user authentication (several user repository backend systems are supported). This X.509 user certificate can be used for further user authentication in the SAP landscape.
Secure Login Web Client is not limited to the Microsoft Windows operating system and can also be used on other operating systems, e.g. Mac OS X. It does not require any client installation. In addition, you can define what kind of action should be performed after user authentication. The following options are possible:
An X.509 user certificate will be provided to the Microsoft Certificate Store (Microsoft Internet Explorer), Firefox Certificate Store or Mac OS X Keychain.
For user authentication in Secure Login Web Client, it is possible to provide a user name and password, to reuse security tokens (e.g. Kerberos, SAP Logon Tickets or 3rd party Login Module integration in Application Server Java), or to reuse an existing user authentication in SAP Application Server Java (e.g. SAP NetWeaver Portal). One example is to reuse Windows Authentication (Kerberos) to get an X.509 user certificate (security token converter).
Secure Login Web Client can help to solve customer requirements for several use cases.
This document describes 3 use cases:
With Secure Login Client the security libraries and other functions and APIs are always available. Secure Login Client communicates with Secure Login Server to receive an X.509 user certificate. Secure Login Client keeps the X.509 user certificate in memory and provides a link to the Microsoft Certificate Store.
With Secure Login Web Client, the security libraries need to be downloaded. Secure Login Web Client actually stores the X.509 user certificate in the Microsoft Certificate Store.
Figure: Secure Login Web Client vs. Secure Login Client
Advantages of Secure Login Web Client
Advantages of Secure Login Client
Secure Login Web Client (Web Adapter Mode) combines the advantages of Secure Login Web Client (browser integration) and Secure Login Client (certificate in memory only).
Figure: Secure Login Web Client vs. Secure Login Web Client (Web Adapter Mode)
Advantages of Secure Login Web Client (Web Adapter Mode)
Assuming the Secure Login solution is in place to provide single sign-on and/or secure communication for the SAP environment, the following questions could occur:
Figure: Insecure access to SAP Landscape for external users
Figure: Secure access using Secure Login Web Client
Key features of this scenario
In a kiosk PC scenario, one piece of hardware is usually shared between several users. No Windows authentication is performed on this PC. The internet browser application is used to perform user authentication against a central user repository (e.g. a central portal).
Examples of this use case scenario are hospitals or factory production lines, where a fast user switch is very important (easy to use and manage).
User Authentication Workflow
Figure: Reuse central user authentication in Secure Login Web Client
Key features of this scenario
In this scenario, SAP NetWeaver Portal is the central application (landing page) for employees. SAP NetWeaver Portal is used to collect the desired user information at a central point. For this purpose, information is provided from several SAP backend systems (AS ABAP / AS Java) and non-SAP backend systems.
Secure Login Web Client is able to reuse existing SAP NetWeaver Portal user authentication in order to provide an X.509 user certificate. The user needs to authenticate once against the SAP NetWeaver Portal and all subsequent user authentications will be managed using SAP NetWeaver Single Sign-On.
Figure: Reuse SAP NetWeaver Portal user authentication in Secure Login Web Client
Key features of this scenario
For several use cases the Secure Login component offers different integration scenarios.