Skip to Content
Technical Articles

RFID-Based Identification of SAP Applications Using Employee Badges

The typical case of identification with RFID tokens is a hardened kiosk PC on the
shop floor. The PC’s Windows account belongs to an Active Directory domain. Production
workers use it to easily log on to a kiosk application (SAP GUI or
browser-based), for example to order material. Short-lived certificates are
valid for the length of each session. Easy access to the kiosk application is
granted by the RFID tokens. The workers need not type user names or passwords.
After they finish ordering, they simply close the application and remove their
RFID token. This triggers a logoff

RFID identification is available from SAP Single Sign-On 2.0 SP04. For further
details, see SAP Note 1970286. You can find the complete documentation here

What you need is Secure Login Client, an RFID reader, and an SAP NetWeaver
Application Server for Java (see the prerequisites). Moreover, you need to configure the kiosk application for certificate-based
authentication. To enable the use of RFID tokens in a scenario like this, your administrators
need to configure a number of systems (see Configuring
Identification with RFID Tokens


An employee called Mary Miller wants to use a kiosk PC on the shop
floor, quickly order material in a SAP GUI application and continue with her
daily work like many of her colleagues.


Of course, the kiosk PC’s Windows account has a
technical user in a domain in Active Directory. Mary Miller is in the same
domain in Active Directory. The technical user is authenticated in this domain with
CN=KIOSKUSR001@DOMAIN.COM with Kerberos or with an X.509 certificate (arrow 1).

For more information, see Configuring
Kiosk PC Authentication at a Domain


Mary Miller has an RFID token with the UID DDEE4455
(arrow 2). Her user account “Mary Miller” belongs to the
organizational unit “OU2” in a Microsoft Windows domain called

She places her RFID token on the RFID reader and
the reader transmits the UID DDEE4455 to the Secure Login Server. The Secure
Login Server finds her UID in the configured attribute in Active Directory and retrieves
further attributes from this directory entry, such as a given name, last name,
and organizational unit. It issues an X.509 certificate with the following
elements in the user’s subject name (arrow 3):

CN=Mary Miller


The Secure Login Client receives this X.509
certificate, which is only valid for this session, and Mary Miller uses it to
log on to her SAP GUI application (arrow 4), where she orders the material.

You must be Logged on to comment or reply to a post.
  • Martin, good day!

    I have a simple question about that scheme of authentification. We have a restriction not to create user account in the AD domain controller. Instead we will use AD LDS for the storing of the RFID IDs. Will the scheme work as desired?

    • LDS (or ADAM) should also work, as we only perform authentication and attribute read operations. Just configure the required host, port, search base, and system account in your SLS LDAP Destination.

      — Stephan

  • This is great, could really use this in our warehouse shop floor.

    Downside is the need for Java system, is there any alternative without need for Java ?

    • No. Secure Login Server runs on AS JAVA only. However, if you´re also interested in our 2factor / one-time password solution with mobile support, it´s worth running this NetWeaver stack for SSO.

      — Stephan

  • I will like to know if this can work for an in house developed ERP solution? What is needed for this solution to work? we currently have an ERP solution developed in house that we want to integrate the use of RFID as authentication.