Part 3 – NWBC Authentication & Single-Sign-On (SSO)
This is the third in a series of posts I hope to write on the topic of NetWeaver Business Client. I am writing these posts from my own viewpoint as a long-time NetWeaver Portal consultant, and I am trying to compare concepts that I am familiar with from the Portal with similar concepts in the NWBC. You can find out more about my motivation for writing this series of posts by reading The NetWeaver Business Client (NWBC) – A Portal Consultants Guide. My goal is to show the way things are done in NWBC to other people already familiar with the Portal.
Just as with the NetWeaver Portal, providing the best user experience means that users can easily and securely access the system, and any other system they may need to jump off into. This holds true for NWBC as well. The first step is usually granting access based on something the user has already done (for example, logging on to their desktop) or something they have installed (for example, a client certificate). The next sections describe some options that apply to both NWBC and the Portal.
Kerberos
In the Portal, the most common method I’ve seen used to authenticate a user is Kerberos-based authentication using Active Directory. Based on the user’s Kerberos token, they are either granted or denied access to the Portal.
The SPNEGO login module has been available for as long as I can recall on the NetWeaver Portal Java stack, but the equivalent wasn’t available on the ABAP side until the release of SAP NetWeaver SSO 2.0. Remember that NWBC can connect to either a Portal or an ABAP system; the scenario I am discussing here is NWBC connecting directly to the ABAP system. With SAP NetWeaver SSO you now have the ability to do Kerberos authentication directly against the ABAP stack. This document, http://scn.sap.com/docs/DOC-40178, is a great guide to implementing Kerberos-based SSO on the ABAP stack.
SAML
So first of all, SAML stands for “Security Assertion Markup Language”. I first used it in anger to provide Single-Sign-On from an on-premise SAP Portal to SuccessFactors in the cloud. It provides a means to do cross-domain SSO, so it can be used both inside and outside your own security domain. SAML is a web-based protocol, so it isn’t suitable for NWBC in the scenario where you have both Web and GUI transactions running side by side in your NWBC role. This has already been discussed in Authentication and Single Sign-On with SAP NetWeaver Business Client (NWBC), so I don’t want to rehash it all here, but you should only consider using SAML in pure web-based scenarios.
X.509 Certificates
X.509 certificates, sometimes referred to as client certificates, can be used in both the Portal and NWBC. I like to think of X.509 certs as doing exactly what happens when you connect to a secure website, just in reverse: instead of the website having an SSL certificate that “proves” the site is legitimate, you have a certificate that proves who you are. You can use your certificate to authenticate yourself to multiple sites. If you use the SAP Passport service you are using this kind of certificate. One of the overheads of using X.509 is that you need to provision a certificate to each and every user (a so-called Public Key Infrastructure, PKI); this certificate provisioning can be a bit of a pain, I hear (not having done it myself). Since X.509 is a very common standard, check with your IT department to see whether they already provision certificates to users; if they do, that makes your job easier. I also hear that SAP NetWeaver SSO 2.0 has a nice feature that lets you provision short-lived X.509 certs to your users very easily.
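To make the X.509 idea concrete (the user, not the site, presents the certificate, and a short-lived user cert simply stops working when it expires), here is an added example in Go that is not part of this post or of any SAP product: a toy PKI that issues a user certificate from a user CA, plus the check the receiving system performs. The function names `issue` and `VerifyUser` and the subject names are assumptions for the example; `VerifyUser` returns the user name only if the certificate chains to the trusted CA, is valid at the time of the check, and is allowed for client authentication.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue makes a cert for subject valid for ttl from now: a self-signed user CA if parent == nil, else a user cert signed by parent.
func issue(subject string, ttl time.Duration, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(now.UnixNano()), // constructed serial; a real CA must guarantee uniqueness
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             now,
		NotAfter:              now.Add(ttl), // a short ttl is what makes a "short-lived" user certificate
		IsCA:                  parent == nil,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	signer, signerKey := tmpl, key // self-signed unless a parent CA is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	} else {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
// VerifyUser is the receiving side: cert must chain to the trusted CA, be valid at time at and allow client auth; it returns the user name (CN).
func VerifyUser(cert, ca *x509.Certificate, at time.Time) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}
```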
SAP Logon Tickets
I wasn’t sure whether to include SAP Logon Tickets here; in one sense they aren’t really providing the initial authentication like the other options here, but they are capable of providing SSO between systems. So once you have a valid SAP Logon Ticket you are good to go, but you need to get one first. You should be careful, however, because if you enable SNC for GUI transactions this stops SAP Logon Tickets from working; this SAP Note explains it well.
Well, there you have it. I have on purpose not gone into lots of detail here; again, my goal is to help Portal consultants understand the SSO options in NWBC.
As always I really like to get your feedback, so please add your comments and thoughts below. Thanks!