Secure Login Web Client (SLWC): Future-Proof Architecture Update
SAP Single Sign-On 3.0 comes with a completely overhauled version of the Secure Login Web Client. The SSO developers built a new Web Client from scratch, doing away with outdated architectural concepts and creating an all-new, future-proof component.
What is the SLWC?
The Secure Login Web Client is a process of the SAP Single Sign-On solution that runs in a browser session (on-premise or cloud) and is capable of triggering authentication for a native client on the user’s desktop. For example, it can accept a SAML 2.0 assertion as security token and in return provision an X.509 certificate for single sign-on of desktop applications such as SAP GUI. The authentication in your browser is handled by an Identity Provider component.
But why is this such a special case that requires its own process? Security tokens used in browsers are not sufficient for SAP GUI authentication on the user’s desktop, because they don’t support adequate encryption of the communication channel – they simply don’t meet the high security requirements for SAP business system access. The SLWC can issue a personalized certificate which fulfills the requirements of all SAP frontends, even if they use Secure Network Communication (SNC) encryption – the authenticated user is granted seamless single sign-on to all SAP desktop applications.
Who uses it?
The SLWC offers a big benefit for customers who run a SAML 2.0 Identity Provider or Portal as their central authentication server.
Why did it need a make-over?
We noticed that the SLWC was gaining popularity as more and more SAP customers are moving to cloud-based environments, and are looking for ways to handle the initial user authentication through a Web application. The old version of the SLWC had some technical and platform-related restrictions and needed to undergo a complete architectural renovation to meet the needs of our customers now and in future SSO scenarios.
The SLWC before…
The previous version of SLWC was based on a Java applet; for some capabilities it used an ActiveX control. Both are phased-out technologies; support for Java applets has already been discontinued in many common Web browsers.
… and after!
The 3.0 version of SLWC no longer depends on Java or ActiveX, relying instead on the Secure Login Client. As a result, SLWC 3.0 is no longer limited to browsers that (still) support Java applets or even ActiveX, which significantly increases the number of browsers our customers can choose from. It’s also faster and leaner than the old version, which was made somewhat cumbersome by the Java applet processes.
For more information, read the documentation on the SAP Help Portal: http://help.sap.com/sso
Hello Regine,
Thank you for the information. Please can you confirm something for me...
With SLWC 3.0 are you saying clients no longer need to belong to a Microsoft AD domain and use Kerberos ? They can now simply use, as is with our case, Microsoft ADFS for SAML 2.0 Web SSO authentication and SLWC 3.0 can issue a x.509 certificate based on the SAML assertion to enable clients to also access SAP GUI without re-authenticating ?
Thanks & regards,
Nelis
He Nelies,
you are right, you can use the SLWC 3.0 to issue x.509 certificates based on SAML assertions.
Regards,
Marcus
Thanks for the confirmation Marcus. I've been waiting patiently for a solution where a Microsoft AD domain is no longer a requirement for SSO using the SAP GUI.
Regine,
So how does the SLWC 3.0 get installed/configured?
Girish
Regine,
I tried to download the SLC 3.0 from the marketplace. Before downloading I get a info that SLC 3.0 is classified as ECCN 5D002 (Export Restrictions). But when I read the documentation in help.sap.com I see that only Secure Login Web Client is is classified as ECCN 5D002.
https://help.sap.com/saphelp_sapsso30/helpdata/en/40/5bbd641a7d4a519ee010828b20516d/content.htm?frameset=/en/50/072db73954439c827d6881c25173dc/frameset.htm¤t_toc=/en/ba/a0222bf5da4ed3a655eaef1e4a3b60/plain.htm&node_id=223
If I don't install/use the SLCW 3.0 do I also have to take care about ECCN 5D002 restrictions ??
Regards
Uwe
Hi Uwe,
please download the Secure Login Client by searching for the product SAP Single Sign-On and then accessing the comprised components. In the context of the product, the SLC does not have an ECCN. The documentation refers to the old SLWC version that was based on a Java app and the download of binary components. As of version 3.0, the recommend approach is to use a locally installed SLC. In that case there is no download anymore.
Best regards,
Christian
Hi, It is not possible to directily establish SAPGUI based SSO using ADFS . But it is indirectly possible using the SWLC with Secure Login Server and using the post authentication methods of SWLC to enable SAPGUI based SSO using ADFS (which serves as SAML Identity provider) .
Is this statement correct?
So the new SSO 3.0 will support Digital Signature on web application?
Hello, I have little experience in SSO and I am a newbie on basis as well.
I wanted to consult you, my company plans to implement a third-party portal and wants to integrate it with SAP. Is this the solution? Would we have to implement SSO 3.0 and use the Secure Login Web Client? Thank you in advance, I need you to guide me to continue studying a possible solution.