Single Sign-On and data protection for SAP GUI in an Enterprise Portal scenario
SAP GUI and Enterprise Portal
Many customers use transaction iViews in the SAP Enterprise Portal to launch the SAP GUI for Windows. This allows them to provide role-based access to SAP GUI transactions to their end users. In addition, the Portal can issue logon tickets, which in the past were sometimes used for SAP GUI single sign-on to an ABAP backend system.
Need for change
The described way of integrating SAP GUI access with the Portal has two drawbacks:
- Using the logon ticket for single sign-on is an outdated approach, as modern single sign-on technologies based on industry standards are more secure and more flexible to integrate
- Logon tickets can only be used for authentication. They do not allow SAP GUI to protect the data transmission against network sniffers
Entering SNC with SAP Single Sign-On
Using Secure Network Communication (SNC) based on SAP Single Sign-On for secure authentication and data protection has become a best practice for SAP customers world-wide. The product supports Kerberos and X.509 certificates as security tokens, which are superior to logon tickets. Implementing the solution for the standalone SAP GUI for Windows is straightforward. Doing the same for SAP GUI for Windows launched from a Portal transaction iView is also easy if you know which parameters to set.
How do I combine the 2 scenarios?
Let’s assume you have an iView in the Portal that successfully launches a SAP GUI for Windows connection. Let’s also assume that you already have successfully configured SAP Single Sign-On for SAP GUI and the respective ABAP backend system. Now you want to bring the two scenarios together.
To do this, you just need to set 4 parameters in the Portal configuration for the System object.
In the User Management section of the “Basic” properties you need to set the Logon Method to X509CERT. Please note that this is required even if you are not using X.509 certificates for SNC at all, but rather Kerberos.
In addition there are 3 properties in the list of all parameters that you need to set:
- SNC Mode = 1 –> This activates SNC for this system.
- SNC QOP = 9 –> This implies that the maximum security level of SNC should be used. The value 9 includes both single sign-on and data protection.
- SNC Partner Name –> This is the SNC name of the ABAP backend system, which is what we need here. The parameter “SNC Name” refers to the Portal itself and is not relevant in this scenario.
These are the same settings as in SAP Logon, where you find them on the “Network” tab for the connection.
With these settings in place, SAP GUI for Windows launched from the Portal will use the same SNC connection settings as the standalone SAP GUI for Windows, providing you with single sign-on and secure data transfer, powered by SAP Single Sign-On.
Please note: SAP GUI authenticates to the ABAP backend using the credentials that are part of the SNC security token, for example the authenticated Windows user. This is independent of the Portal session, where the end user could have used a different identity to authenticate.
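The four settings above can be checked mechanically. The following is an added example, not code from the original post or from SAP: it validates a System object's properties against the values the post gives and explains what a lower SNC QOP level means for data protection. The dictionary input format, the function name `check_system` and the sample values are assumptions; the keys are the property labels used in the post.

```python
# Added example: checks a Portal System object's SNC properties against the
# values this post recommends. The dict-based input format is an assumption.

# Standard SNC quality-of-protection levels.
QOP_LEVELS = {
    "1": "authentication only, no data protection",
    "2": "integrity protection only, traffic is still readable on the wire",
    "3": "privacy protection (encryption)",
    "8": "backend default, depends on the ABAP profile",
    "9": "maximum available",
}

def check_system(props):
    """Return a list of findings; an empty list means the settings match."""
    def get(key):
        return str(props.get(key, "")).strip()

    findings = []
    if get("Logon Method") != "X509CERT":
        findings.append("Logon Method must be X509CERT, even when SNC uses Kerberos")
    if get("SNC Mode") != "1":
        findings.append("SNC Mode must be 1 to activate SNC for this system")

    qop = get("SNC QOP")
    if qop not in QOP_LEVELS:
        findings.append(f"SNC QOP {qop!r} is not a valid level")
    elif qop != "9":
        findings.append(f"SNC QOP {qop} means {QOP_LEVELS[qop]}; the post sets 9")

    partner = get("SNC Partner Name")
    if not partner:
        findings.append("SNC Partner Name is empty; it must hold the backend's SNC name")
    elif not partner.startswith(("p:", "p/")):
        findings.append("SNC Partner Name is not in printable SNC name form (p:...)")
    elif partner == get("SNC Name"):
        findings.append("SNC Partner Name equals SNC Name, which refers to the Portal itself")
    return findings

# Constructed sample values, not taken from a real system.
GOOD = {"Logon Method": "X509CERT", "SNC Mode": "1", "SNC QOP": "9",
        "SNC Partner Name": "p:CN=ABC, O=Example"}
WEAK = {"Logon Method": "SAPLOGONTICKET", "SNC Mode": "1", "SNC QOP": "1",
        "SNC Name": "p:CN=Portal, O=Example",
        "SNC Partner Name": "p:CN=Portal, O=Example"}

if __name__ == "__main__":
    for name, props in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, check_system(props) or "OK")
```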
Hi Christian, nice blog.
In many portal scenarios one single system definition is used both for RFC backend communication and for GUI-Shortcuts. Both share the same attributes in the system definition. Could you elaborate what needs to be done additionally to be able to use the same system definition for both RFC and GUI?
Hello and thanks for the description,
I have the following combination and I would like to see if it is possible to have it while using the X.509 certificate:
Connection directly to SAP GUI: I want to have the "Maximum security settings available" with SNC without the need of SSO.
From the portal: I want to have a connection from an iView to SAP GUI with the method "X509CERT" with SSO method.
Is it possible to have such a combination?