
Badge reader as entry point on anonymous kiosk pc to start Fiori launchpad

Former Member

Hi experts,

We have the requirement to create a portal/launchpad for kiosk PCs where the authentication happens via a badge reader. (Note: the Windows OS is accessible to everyone, no logon needed on the OS side, so Kerberos cannot be used like in this blog.)


We have our own SAP IdP, and somebody will write a Windows service for the kiosks that polls the badge reader; when somebody badges, this will trigger the authentication process (Windows script or .NET app running in the background on the kiosk).

From our IdP to the Fiori launchpad on our ABAP Gateway we can identify with SAML 2.0 tickets (no problem here: standard SAP solution, works like a charm!).


Now here is the problem:

We need to find a way to map the badge to a SAML 2.0 ticket through the IdP.


(here is where the guessing and deduction starts after reading a lot of documentation)


We will need an "Authentication Context".

Map this to a logon module.


We are thinking of using the PGP Authentication Context with the "PrincipalMappingLoginModule"

Why?

  • The badge contains information that we can read with the script/dotnet app and link it to a username in SAP.
  • And we add some PGP to encrypt that just because we can


Some questions about this:

  • Where do you enter your PGP key (public and private)?
  • Does the app on the kiosk communicate with this URL: https://<server>:<port>/saml2/idp/sso ?
    • What is the content of that POST? (We assume the PGP with the username in it.)
  • Do we need to configure the "PrincipalMappingLoginModule"?
  • Do we need to change some settings in the properties in Authentication -> Properties?

Is this setup correct? (Windows service -> script -> PGP -> PrincipalMappingLoginModule -> IdP -> SAML 2.0 -> launchpad.)


Do you have any other solutions/setups you can think of? Easier to set up/maintain? More secure?


There will be a short session timeout (2-3 min) on the SAML ticket, and we also want to implement a Single Logout (SLO) service to make it even more secure.


Every suggestion is welcome.


Thank you,

Jérémy
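Added example, not code from this thread or from SAP: the Conditions checks a SAML 2.0 service provider applies to an assertion before it opens a session, with the session capped at the short kiosk timeout the post asks for. The assertion, issuer, audience URL and user name are constructed for the example; signature verification is out of scope here and must be done by the real SAML stack (the ABAP gateway in this setup) before any of these checks mean anything.

```python
# Added example (not from the thread): SAML 2.0 Conditions validation and
# kiosk session capping, standard library only. The XML signature check is
# deliberately omitted; the SP's SAML stack must verify it first.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
KIOSK_SESSION_SECONDS = 180          # the 2-3 minute kiosk session from the post
CLOCK_SKEW = timedelta(seconds=30)   # tolerated drift between IdP and SP clocks

# Constructed sample assertion: hypothetical issuer, audience and user.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2016-03-01T10:00:00Z">
  <saml:Issuer>https://idp.example.com/saml2/idp</saml:Issuer>
  <saml:Subject><saml:NameID>JDOE</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2016-03-01T10:00:00Z" NotOnOrAfter="2016-03-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://gateway.example.com/sap/saml2/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

TS_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ")


def parse_saml_time(value):
    """Parse an xs:dateTime in UTC (SAML requires UTC, fractional seconds optional)."""
    for fmt in TS_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unsupported SAML timestamp: %r" % (value,))


def format_saml_time(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def validate_assertion(xml_text, expected_audience, now_utc):
    """Return {'ok': True, 'user', 'session_expires'} or {'ok': False, 'reason'}."""
    now = parse_saml_time(now_utc)
    root = ET.fromstring(xml_text)
    assertion_tag = "{%s}Assertion" % SAML_NS["saml"]
    # Accept either a bare Assertion or a Response wrapping one.
    assertion = root if root.tag == assertion_tag else root.find(".//saml:Assertion", SAML_NS)
    if assertion is None:
        return {"ok": False, "reason": "no Assertion element"}

    cond = assertion.find("saml:Conditions", SAML_NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        # Refuse assertions without a bounded validity window.
        return {"ok": False, "reason": "missing validity window"}
    not_before = parse_saml_time(cond.get("NotBefore"))
    not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
    if now + CLOCK_SKEW < not_before:
        return {"ok": False, "reason": "not yet valid"}
    if now - CLOCK_SKEW >= not_on_or_after:
        return {"ok": False, "reason": "expired"}

    # The assertion must be addressed to this SP, not just be any valid ticket.
    audiences = [a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS) if a.text]
    if expected_audience not in audiences:
        return {"ok": False, "reason": "audience mismatch"}

    name_id = assertion.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or not name_id.text:
        return {"ok": False, "reason": "no NameID"}

    # The kiosk session never outlives the assertion and never the kiosk timeout.
    session_end = min(now + timedelta(seconds=KIOSK_SESSION_SECONDS), not_on_or_after)
    return {"ok": True, "user": name_id.text.strip(),
            "session_expires": format_saml_time(session_end)}


if __name__ == "__main__":
    sp = "https://gateway.example.com/sap/saml2/sp"
    for t in ("2016-03-01T10:00:30Z", "2016-03-01T10:04:00Z", "2016-03-01T10:06:00Z"):
        print(t, validate_assertion(SAMPLE_ASSERTION, sp, t))
```

The session end is the minimum of the kiosk timeout and the assertion's NotOnOrAfter, so a ticket presented late in its window yields a correspondingly shorter session rather than extending past the IdP's limit; the skew tolerance is applied symmetrically and should stay small on kiosks with a synchronized clock.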

Accepted Solutions (1)

Christian_Cohrs
Product and Topic Expert

Hi Jérémy,

Are you aware of the RFID-based user identification support in SAP Single Sign-On?

See http://scn.sap.com/community/sso/blog/2015/05/06/rfid-based-identification-of-sap-applications-using... for details.

This is based on X.509 certificates. However, you still have the option to use the certificate to authenticate to the IdP and get a SAML assertion, if you don't want to implement the whole scenario with certificates (which of course would also be possible).

Best regards,

Christian

Former Member

Hi Christian,

Do you have any helpful documentation about this?

Where we have an X.509 certificate that we can get a SAML assertion for?

I'm a bit lost in this topic. I could use some help.

Kind regards

Jérémy

Christian_Cohrs
Product and Topic Expert

Hi Jérémy,

RFID-based authentication is described in the Secure Login Implementation Guide at http://help.sap.com/download/sapsso30/secure_login_impl_guide_en.pdf

Authentication to the Identity Provider is then a second step. If you use the SAP Identity Provider from SAP Single Sign-On, then you can use the AS Java login module for client-certificate-based authentication to authenticate to the IdP and receive the SAML assertion. This is described in the documentation for SAP NetWeaver AS Java, e.g. at Using X.509 Client Certificates on SAP NetWeaver Application Server Java.


Best regards,

Christian