Digital Signatures in SAP GUI with One-Time Passwords
Digital signatures are considered one of the key security aspects, alongside data encryption, single sign-on technologies, and strong authentication mechanisms such as two-factor authentication, risk-based authentication, and dynamic authorizations.
A digital signature ensures that the signatory of a digital document can be identified unambiguously and that his or her name is documented together with the signed document, the date, and the time. You can use the digital signature to approve documents or objects in the SAP applications that are set up for its use.
The digital signature is implemented in the SAP system with the help of the component Digital Signatures and Encryption and is based on Secure Store and Forward (SSF) mechanisms (see SSF Administration Tasks) and on public-key technology. You can use digital signatures in SAP systems either with or without a security product. When you configure digital signatures for SAP solutions without using a security product, your users are prompted to re-authenticate using their AS ABAP passwords.
If you are looking to improve your corporate security, a product such as SAP Single Sign-On introduces features that are not directly available in SAP systems, for example digital signatures for SAP GUI for Windows, advanced SSO technologies and encryption, strong authentication, and risk-based authentication.
Consider implementing digital signatures using SAP Single Sign-On when:
- You are already using single sign-on (SSO) technology for SAP systems (there is no active AS ABAP password available for your users) and you now need to start using digital signatures.
- You are using digital signatures and you now plan to implement SSO for your SAP systems (AS ABAP passwords will be replaced with SSO).
- You need to implement digital signatures using two-factor authentication with one-time passwords (OTP) for stronger security.
- You need to implement digital signatures using smart cards.
- You have other security requirements.
The "Digital signatures in SAP GUI with One-Time Passwords" scenario is based on several components of the SAP Single Sign-On 2.0 product (license required): Secure Login Server, Secure Login Client, and SSO Authentication Library, together with the SAP Authenticator mobile application (or any other passcode generator compatible with RFC 6238). The diagram below shows the flow of the process:
For more details about the SAP Single Sign-On product capabilities, see: