The typical case of identification with RFID tokens is a hardened kiosk PC on the
shop floor. The PC’s Windows account belongs to an Active Directory domain. Production
workers use it to easily log on to a kiosk application (SAP GUI or
browser-based), for example to order material. Short-lived certificates are
valid for the length of each session. Easy access to the kiosk application is
granted by the RFID tokens. The workers need not type user names or passwords.
After they finish ordering, they simply close the application and remove their
RFID token. This triggers a logoff.
What you need is Secure Login Client, an RFID reader, and an SAP NetWeaver
Application Server for Java (see the prerequisites). Moreover, you need to configure the kiosk application for certificate-based
authentication. To enable the use of RFID tokens in a scenario like this, your administrators
need to configure a number of systems (see Configuring
Identification with RFID Tokens).
An employee called Mary Miller wants to use a kiosk PC on the shop
floor, quickly order material in an SAP GUI application, and then continue
with her daily work, like many of her colleagues.
The kiosk PC’s Windows account is a technical user in an Active Directory
domain, and Mary Miller’s user account is in the same domain. The technical
user authenticates to this domain as CN=KIOSKUSR001@DOMAIN.COM, either with
Kerberos or with an X.509 certificate (arrow 1). For more information, see
Configuring Kiosk PC Authentication at a Domain.
Mary Miller has an RFID token with the UID DDEE4455
(arrow 2). Her user account “Mary Miller” belongs to the
organizational unit “OU2” in a Microsoft Windows domain called
She places her RFID token on the RFID reader and
the reader transmits the UID DDEE4455 to the Secure Login Server. The Secure
Login Server finds her UID in the configured attribute in Active Directory and retrieves
further attributes from this directory entry, such as a given name, last name,
and organizational unit. It issues an X.509 certificate with the following
elements in the user’s subject name (arrow 3):
The Secure Login Client receives this X.509
certificate, which is only valid for this session, and Mary Miller uses it to
log on to her SAP GUI application (arrow 4), where she orders the material.
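The flow described above (UID lookup in a configured directory attribute, a certificate valid only for the session, and logoff when the token is removed), modeled as an added Python example. This is not SAP’s code: the directory entries, the attribute name "rfidUid", the subject name layout and the session length are constructed assumptions, since the page does not list them.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed stand-in for the Active Directory entries the Secure Login
# Server queries; the attribute name "rfidUid" is an assumption.
DIRECTORY = [
    {"rfidUid": "DDEE4455", "givenName": "Mary", "sn": "Miller", "ou": "OU2"},
    {"rfidUid": "AABB0011", "givenName": "John", "sn": "Doe", "ou": "OU1"},
]

@dataclass
class SessionCert:
    """Minimal model of the short-lived X.509 certificate (arrow 3)."""
    subject: str
    not_before: datetime
    not_after: datetime
    def is_valid_at(self, when):
        return self.not_before <= when <= self.not_after

def lookup_uid(uid, directory=DIRECTORY):
    """Single entry whose configured attribute equals the UID (arrow 2).
    An unknown or ambiguous UID yields None, so no certificate is issued."""
    matches = [e for e in directory if e.get("rfidUid") == uid.upper()]
    return matches[0] if len(matches) == 1 else None

def build_subject(entry):
    # Subject layout is an assumption; the page does not list the elements.
    return f"CN={entry['givenName']} {entry['sn']},OU={entry['ou']}"

def issue_session_cert(uid, start, length, directory=DIRECTORY):
    """Arrow 3: certificate whose validity equals the session length."""
    entry = lookup_uid(uid, directory)
    if entry is None:
        return None
    return SessionCert(build_subject(entry), start, start + length)

class Kiosk:
    """Arrow 4 and logoff: the client holds the certificate only while the
    token is on the reader and the session is within its validity."""
    def __init__(self):
        self.cert = None

    def place_token(self, uid, now, session_length=timedelta(minutes=15)):
        self.cert = issue_session_cert(uid, now, session_length)
        return self.cert is not None

    def remove_token(self):
        self.cert = None  # removing the token triggers the logoff

    def logged_on(self, now):
        return self.cert is not None and self.cert.is_valid_at(now)
```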