
SSO to ABAP BSP without client

vladimir_kogan4
Participant

Dear colleagues.

In our scenario a non-domain user needs to reach an ABAP BSP (ITS) application without entering a password for the ABAP WAS.

Is there any option to use the SAP NetWeaver Single Sign-On 2 server to create a redirection URL?

Regards

Vladimir

Accepted Solutions (1)

tim_alsop
Active Contributor

To make sure I understand... You want to have a user log on without being asked for user id and password, but the user is not an Active Directory domain user. Is this correct? If so, when do you plan to authenticate this user so you know who they are? Please explain the flow of events you want the user to perform during logon to their device/workstation through to logon to the ABAP BSP.

Thanks

Tim

vladimir_kogan4
Participant

Ok, let me ask my question in a different way.

I have a workstation that is not a part of domain (AD).

I need to open the URL to the ABAP BSP without entering user/password.

Which options do I have, and how can the SAP NW SSO2 server help me here?

Thank you

Vladimir

tim_alsop
Active Contributor

If the workstation is not joined to a domain, the user will have logged onto the workstation using a local user account. Are you wanting to link this local Windows user id to the SAP user id so the user doesn't get asked to authenticate again?

tim_alsop
Active Contributor

Do you want the user to be asked to enter an AD account and password when they open the URL for the ABAP BSP?

vladimir_kogan4
Participant

No. I am expecting some certificate that I can import into a browser.

tim_alsop
Active Contributor

You can do this without any additional products. The standard NetWeaver ABAP software supports client certificate user authentication, so you can configure this per the NetWeaver documentation and install the user's certificate into their browser. You would need to find a way to renew the certificate when it expires, and if the same workstation is used by multiple users, you would have to find a way to know which user is logged onto the workstation so that it is not possible for one user to logon to SAP using the certificate of another user.

vladimir_kogan4
Participant

Thank you!

But if I already have SAP NW SSO 2, can it help me (or simplify the process) with creating such certificates?

tim_alsop
Active Contributor

As far as I am aware, the Secure Login Server (SLS) provided with the SAP NW SSO 2 product can only issue a certificate after the user has authenticated, so it knows which user to issue the certificate for. For example, it can use SPNEGO to authenticate the domain user logged onto the workstation and issue a certificate for this user. In your case you do not have any user authentication before the logon, which is why I was asking how the user is going to be authenticated.

vladimir_kogan4
Participant

There is no authentication. It should be a certificate, like the one we have for SAP SMP, for example.

tim_alsop
Active Contributor

Yes, I understand. As I mentioned, you can issue a certificate and store it in the browser (like you do with SMP). However, the SLS product is designed to issue short-lived certificates, and in order to know which certificate to issue it needs to authenticate the user using some other method first. If it was possible for SLS to issue a certificate for a user without them authenticating first, then it would be possible for one user to get a certificate issued for another user, and this would cause security issues.

Kaempfer
Advisor

Hi,

you can use SAP SSO with SLS. The users don't have to be in an AD, so the users can be in SAP or in an LDAP. The user has to type in user and password one time, gets a certificate, and then SSO is available.

Regards

Matthias

tim_alsop
Active Contributor

When you generated your certificate for SMP you will have provided authentication details, e.g. your s-user id and password, and based on that authentication the SMP was able to issue your certificate for SMP SSO.

vladimir_kogan4
Participant

Thank you

What is SLS?

vladimir_kogan4
Participant

You are right. But in SMP I need to enter user and password once to receive the certificate, until it expires.

tim_alsop
Active Contributor

SLS = Secure Login Server. This is the product included with SAP NW SSO 2 that issues certificates after the user has authenticated.

tim_alsop
Active Contributor

Yes, correct. When using SLS, this product is designed to issue short-lived certificates, so it requires authentication each time the certificate is issued. If you want to use certificates that are long-lived then you need to issue them using your certificate authority enrolment and store them in the browser like I suggested earlier. Then you need to find a way to renew them when they expire.

vladimir_kogan4
Participant

Can NW SSO2 Server be such a certificate authority or not?

tim_alsop
Active Contributor

No, I don't think so. The SLS is designed to issue short-lived certificates after authenticating a user, and is not a full-function CA. If you want to issue certificates that are long-term and store them in the browser so they persist between workstation reboots etc., then you need to use a CA such as Microsoft Certificate Authority.

Kaempfer
Advisor

Hi Vladimir,

SAP SSO issues certificates and delivers them automatically to the PC of the user (short-lived certificates, 24 h as standard), so they can be used for SSO. It is not a traditional CA. With a traditional CA you have to take care of the certificate lifecycle, which can be very costly, but you can use the certificate for a longer time. SAP SSO works with short-lived certificates, so you do not have to take care of the lifecycle of the certificate.

So if you really want to have a "password free" solution, you have to use long-lived certificates but take care of the lifecycle (maintain certificates which are not valid anymore and distribute this information to all related systems, ...). Otherwise you have a security problem.

So it is really all about the use case (deployment, security requirements, ...), but you now know the options and you can decide depending on the use case.

Another option is of course SAP Logon Tickets or SAML. But both also require an initial authentication without an AD.

Regards

Matthias
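The two points made above, that an SLS-style issuer only issues after authentication and that long-lived browser certificates shift the burden to revocation handling on every relying system, as an added example that is not part of this thread nor SAP's own code. It models both sides in plain Python: a constructed issuer, a relying-party check of the kind the ABAP side has to perform (issuer trust, validity window, revocation data, explicit subject-to-SAP-user mapping), and the 24 h lifetime quoted in the thread; all issuer names, serials and the user mapping are constructed values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class ClientCert:
    serial: int
    subject_cn: str  # identity bound into the certificate when it is issued
    issuer: str
    not_before: datetime
    not_after: datetime

SHORT_LIVED = timedelta(hours=24)  # SLS-style default lifetime quoted in the thread

def issue_cert(user: Optional[str], issuer: str, serial: int, now: datetime,
               lifetime: timedelta = SHORT_LIVED) -> ClientCert:
    """SLS-style issuer: no certificate without a prior authentication, and the
    authenticated identity (not the workstation) is what goes into the subject."""
    if not user:
        raise PermissionError("no authenticated user: refusing to issue")
    return ClientCert(serial, user, issuer, now, now + lifetime)

def map_cert_to_user(cert: ClientCert, now: datetime, trusted: set,
                     mapping: dict, crl: Optional[set]) -> Optional[str]:
    """Relying-party check (the ABAP side). crl=None: no revocation data reached this
    system. Short-lived certs: validity alone; long-lived: also need revocation data."""
    if cert.issuer not in trusted:
        return None  # unknown CA: never map the subject
    if not (cert.not_before <= now <= cert.not_after):
        return None  # expired or not yet valid
    if cert.not_after - cert.not_before > SHORT_LIVED and (crl is None or cert.serial in crl):
        return None  # long-lived: must be provably not revoked
    return mapping.get(cert.subject_cn)  # explicit subject -> SAP user mapping

TRUSTED = {"SLS-CA", "CORP-CA"}            # constructed issuer names
MAPPING = {"vkogan": "VKOGAN"}             # constructed subject -> SAP user table
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

def demo() -> dict:
    """Runs the cases the thread discusses on constructed certificates."""
    short = issue_cert("vkogan", "SLS-CA", 1, NOW - timedelta(hours=1))
    long_ = issue_cert("vkogan", "CORP-CA", 2, NOW - timedelta(days=30), timedelta(days=730))
    return {
        "short_no_crl": map_cert_to_user(short, NOW, TRUSTED, MAPPING, None),
        "short_expired": map_cert_to_user(short, NOW + timedelta(days=2), TRUSTED, MAPPING, None),
        "long_no_crl": map_cert_to_user(long_, NOW, TRUSTED, MAPPING, None),
        "long_with_crl": map_cert_to_user(long_, NOW, TRUSTED, MAPPING, set()),
        "long_revoked": map_cert_to_user(long_, NOW, TRUSTED, MAPPING, {2}),
        "untrusted_issuer": map_cert_to_user(short, NOW, {"CORP-CA"}, MAPPING, None),
    }
```

The long-lived certificate is rejected whenever the relying system has no revocation data at all, which is exactly the distribution problem described above; the short-lived one needs none because expiry does that job.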

vladimir_kogan4
Participant

Thank you.

SAP SSO works with short-lived certificates, so you do not have to take care of the lifecycle of the certificate.

I think you meant I have

Kaempfer
Advisor

With SAP SSO you do not have long-lived certificates, so full-blown lifecycle management is not necessary. After the configured time the certificate is useless, and not valid for the next 2 years like long-term certificates.

But again, it depends on your use case and security requirements.

Regards

Matthias
