on 06-30-2016 1:55 PM
Hi experts,
We have the requirement to create a portal/launchpad for kiosk PCs where the authentication happens via a badge reader. (Note: the Windows OS is accessible to everyone, no logon needed on the OS side, so no Kerberos can be used like in this blog.)
We have our own SAP IDP and somebody will write a Windows service for the kiosks that polls the badge reader; when somebody badges, this will trigger the process of authentication (Windows script or .NET app running in the background on the kiosk).
From our IDP to the Fiori launchpad on our ABAP Gateway we can identify with SAML 2.0 tickets (no problem here: standard SAP solutions, works like a charm!).
Now here is the problem:
We need to find a way to map the badge to a SAML 2.0 ticket through the IDP.
(here is where the guessing and deduction starts after reading a lot of documentation)
We will need an "Authentication Context".
Map this with a logon module.
We are thinking of using the PGP Authentication Context with the "PrincipalMappingLoginModule"
Why?
Some questions about this:
Is this setup correct? (Windows service -> script -> PGP -> PrincipalMappingLoginModule -> IDP -> SAML 2.0 -> launchpad)
Do you have any other solutions/setups you can think of? Easier to set up/maintain? More secure?
There will be a short session timeout (2-3 min) on the SAML ticket, and we also want to implement a Single Log-Out service (SLO) to make it even more secure.
Every suggestion is welcome.
Thank you,
Jérémy
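One way to enforce the short kiosk session described in the question on the receiving side, as an added example that is not part of the thread or of any SAP component: a check that a SAML 2.0 assertion's validity window, audience and SessionNotOnOrAfter fit a 3-minute shared-kiosk policy. The assertion XML, issuer, audience URI and timestamps are constructed placeholders; signature verification is assumed to have happened before this check.

```python
# Added example (not from the thread): checks that a SAML 2.0 assertion issued for a
# shared-kiosk session respects the short validity window the post asks for.
# The assertion below is constructed for illustration; issuer, audience URI and
# timestamps are placeholders. Signature verification must happen before this.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
KIOSK_MAX_SESSION = timedelta(minutes=3)   # the 2-3 minute kiosk timeout from the post

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_kiosk1" IssueInstant="2016-06-30T11:55:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.invalid/saml2/idp</saml:Issuer>
  <saml:Conditions NotBefore="2016-06-30T11:55:00Z" NotOnOrAfter="2016-06-30T11:58:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://gateway.example.invalid/sap/bc/ui5_ui5/ui2/ushell</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2016-06-30T11:55:00Z"
      SessionNotOnOrAfter="2016-06-30T11:58:00Z" SessionIndex="_s1"/>
</saml:Assertion>"""

def _ts(value):
    # SAML timestamps are UTC in xsd:dateTime form; the constructed sample uses whole seconds.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_kiosk_assertion(xml_text, expected_audience, now):
    """Return a list of policy violations; an empty list means the assertion is acceptable."""
    root = ET.fromstring(xml_text)
    problems = []
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return ["missing Conditions"]
    nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb is None or na is None:
        problems.append("Conditions lacks NotBefore/NotOnOrAfter")
    else:
        not_before, not_after = _ts(nb), _ts(na)
        if not (not_before <= now < not_after):
            problems.append("assertion outside validity window")
        if not_after - not_before > KIOSK_MAX_SESSION:
            problems.append("validity window longer than kiosk policy allows")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append("audience does not include this launchpad")
    stmt = root.find("saml:AuthnStatement", NS)
    session_end = stmt.get("SessionNotOnOrAfter") if stmt is not None else None
    if session_end is None or _ts(session_end) - now > KIOSK_MAX_SESSION:
        problems.append("SessionNotOnOrAfter missing or too far in the future")
    return problems
```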
Hi Jérémy,
are you aware of the RFID-based user identification support in SAP Single Sign-On?
See http://scn.sap.com/community/sso/blog/2015/05/06/rfid-based-identification-of-sap-applications-using... for details.
This is based on X.509 certificates. However, you still have the option to use the certificate to authenticate to the IdP and get a SAML assertion, if you don't want to implement the whole scenario with certificates (which of course would also be possible).
Best regards,
Christian
Hi Jérémy,
RFID-based authentication is described in the Secure Login Implementation Guide at http://help.sap.com/download/sapsso30/secure_login_impl_guide_en.pdf
Authentication to the Identity Provider is then a second step. If you use the SAP Identity Provider from SAP Single Sign-On, then you can use the AS Java login module for client certificate based authentication to authenticate to the IdP and receive the SAML assertion. This is described in the documentation for SAP NetWeaver AS Java, e.g. at Using X.509 Client Certificates on SAP NetWeaver Application Server Java.
Best regards,
Christian