on 09-15-2014 11:47 AM
Dear colleagues.
In our scenario, a non-domain user needs to reach an ABAP BSP (ITS) application without entering a password for the ABAP WAS.
Is there any option to use the SAP NetWeaver Single Sign-On 2 server to create a redirection URL?
Regards
Vladimir
To make sure I understand... You want to have a user log on without being asked for user ID and password, but the user is not an Active Directory domain user. Is this correct? If so, when do you plan to authenticate this user so you know who they are? Please explain the flow of events you want the user to perform during logon to their device/workstation through to logon to the ABAP BSP.
Thanks
Tim
You can do this without any additional products. The standard NetWeaver ABAP software supports client certificate user authentication, so you can configure this per the NetWeaver documentation and install the user's certificate into their browser. You would need to find a way to renew the certificate when it expires, and if the same workstation is used by multiple users, you would have to find a way to know which user is logged onto the workstation so that it is not possible for one user to log on to SAP using the certificate of another user.
As far as I am aware, the Secure Login Server (SLS) provided with the SAP NW SSO 2 product can only issue a certificate after the user has authenticated, so it knows which user to issue the certificate for. For example, it can use SPNEGO to authenticate the domain user logged onto the workstation and issue a certificate for this user. In your case you do not have any user authentication before the logon, which is why I was asking how the user is going to be authenticated.
Yes, I understand. As I mentioned, you can issue a certificate and store it in the browser (like you do with SMP). However, the SLS product is designed to issue short-lived certificates, and in order to know which certificate to issue it needs to authenticate the user using some other method first. If it were possible for SLS to issue a certificate for a user without them authenticating first, then it would be possible for one user to get a certificate issued for another user, and this would cause security issues.
Yes, correct. When using SLS, this product is designed to issue short-lived certificates, so it requires authentication each time the certificate is issued. If you want to use certificates that are long-lived then you need to issue them using your certificate authority enrolment and store them in the browser like I suggested earlier. Then you need to find a way to renew them when they expire.
No, I don't think so. The SLS is designed to issue short-lived certificates after authenticating a user, and is not a full-function CA. If you want to issue certificates that are long-term and store them in the browser so they persist between workstation reboots etc., then you need to use a CA such as Microsoft Certificate Authority.
Hi Vladimir,
SAP SSO issues certificates and delivers them automatically to the PC of the user (short-lived certificates -> 24 h standard), so they can be used for SSO. It is not a traditional CA. In a traditional CA you have to take care of the certificate lifecycle, which can be very costly, but you can use the certificate for a longer time. SAP SSO works with short-lived certificates, so you do not have to take care of the lifecycle of the certificate.
So if you really want to have a "password free" solution, you have to use long-lived certificates but take care of the lifecycle (maintain certificates which are not valid anymore and distribute this information to all related systems, .....). Otherwise you have a security problem.
So it is really all about the use case (deployment, security requirements, ...), but you know the options now and you can decide depending on the use case.
Another option is of course SAP Logon Tickets or SAML. But both also require an initial authentication without an AD.
Regards
Matthias
With SAP SSO you do not have long-lived certificates. So a full-blown lifecycle management is not necessary. After the configured time the certificate is useless, and not valid for the next 2 years like long-term certificates.
But again, it depends on your use case and security requirements.
Regards
Matthias
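The two properties the replies above turn on, that a Secure Login Server style issuer signs a client certificate only after the user has been authenticated by some other means, and that a 24 h validity makes revocation lifecycle unnecessary because an expired certificate is rejected by the relying system on its own, can be demonstrated end to end. The following is an added example and not SAP code, not part of any reply in this thread and not a replacement for the real product: it assumes an in-memory self-signed issuing CA (hypothetical name "Example Issuing CA"), an `AuthResult` value standing in for the SPNEGO step, a 24 h lifetime, and a relying party that maps the certificate's subject CN to a user the way an ABAP system would after chain validation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ShortLivedIssuer is an in-memory stand-in (not SAP code) for an SLS-style
// issuer: it signs client certificates with a short validity and refuses to
// sign unless the user has already been authenticated.
type ShortLivedIssuer struct {
	caCert *x509.Certificate
	caKey  *ecdsa.PrivateKey
	roots  *x509.CertPool // what the relying ABAP system trusts
	ttl    time.Duration  // 24h is the default mentioned in the thread
}

// AuthResult stands in for the outcome of the initial authentication step
// (SPNEGO against AD in the thread); the issuer never sees a password.
type AuthResult struct {
	User string
	OK   bool
}

var ErrNotAuthenticated = errors.New("refusing to issue: user not authenticated")

// NewIssuer creates a self-signed issuing CA held in memory (assumed setup).
func NewIssuer(ttl time.Duration) (*ShortLivedIssuer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	return &ShortLivedIssuer{caCert: cert, caKey: key, roots: roots, ttl: ttl}, nil
}

// NewClientKey generates the key pair the user's browser/workstation holds.
func NewClientKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Issue signs a client-auth certificate for the authenticated user, valid for
// ttl from now. Without a positive AuthResult nothing is issued: that is what
// stops one user from obtaining a certificate in another user's name.
func (s *ShortLivedIssuer) Issue(auth AuthResult, clientPub *ecdsa.PublicKey, now time.Time) (*x509.Certificate, error) {
	if !auth.OK || auth.User == "" {
		return nil, ErrNotAuthenticated
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63))
	if err != nil {
		return nil, err
	}
	serial.Add(serial, big.NewInt(1)) // keep the serial strictly positive
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: auth.User},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(s.ttl), // small skew allowance
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, s.caCert, clientPub, s.caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Verify is the relying system's side: chain the presented certificate to the
// trusted CA and check validity at time `at`. With a short ttl there is nothing
// to revoke, because an expired certificate fails here by itself. It returns
// the subject CN the ABAP system would map to a user.
func (s *ShortLivedIssuer) Verify(cert *x509.Certificate, at time.Time) (string, error) {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots: s.roots, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

func main() {
	iss, _ := NewIssuer(24 * time.Hour)
	key, _ := NewClientKey()
	now := time.Now()
	_, err := iss.Issue(AuthResult{User: "VLADIMIR"}, &key.PublicKey, now) // not authenticated
	fmt.Println("unauthenticated:", err)
	cert, _ := iss.Issue(AuthResult{User: "VLADIMIR", OK: true}, &key.PublicKey, now)
	user, err := iss.Verify(cert, now.Add(time.Hour))
	fmt.Println("1h later:", user, err)
	_, err = iss.Verify(cert, now.Add(25*time.Hour))
	fmt.Println("25h later:", err)
}
```

Run it as `go run` and the three lines show the refusal without authentication, the acceptance within the 24 h window, and the expiry error afterwards; the long-lived alternative discussed in the thread would need a CRL or OCSP check in `Verify` to achieve the last of these.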