Application Development Discussions

Which authentication scheme to use to allow users to access ep7 with SSO

Former Member
0 Kudos

Hello,

I wish users to access EP7 iViews, Web Dynpro applications etc. from their web browser without having to log on with a username and password.

On the server side, I understand that I have to configure the J2EE engine to use SSL.

However on the client side I am confused on whether I have to use the Logon Ticket or Client Certificate authentication scheme.

I would appreciate some advice on which parameters I should consider for choosing the correct scheme. What are the pros and cons of each scheme?

Thanks

Boaz

8 REPLIES

tim_alsop
Active Contributor
0 Kudos

Esther,

If you don't want a user to log on with a username and password, what do you want to use to identify them? You need some form of authentication, otherwise you will not be able to tell one user from another.

It is common to use Windows authentication (e.g. using the credentials obtained when a user logs onto their Windows desktop). This can be implemented in NetWeaver using the SPNEGO protocol, and no authscheme changes are required - you just configure the login module on the ticket stack, and then all logons to the NetWeaver applications will be able to take advantage of Single Sign-On using the credentials obtained when the user logs onto the Windows workstation.

Thanks,

Tim

Former Member
0 Kudos

Hello

I think using SPNEGO would be difficult to maintain in my case, since my EP7 is a double stack with ABAP UME. Also, Windows usernames are different from ABAP usernames.

I wish to use one of the authentication schemes I mentioned in my question.

Thanks

Boaz

0 Kudos

Esther,

If you want to use the SPNEGO protocol, and you want to use ABAP as the user store via UME, and your users in AD are different to the users in ABAP, then I have a solution for you... I represent a company that sells a product that you might want to look at and consider. It uses the SPNEGO protocol, but has a mapping capability which does not require configuration in AD, and it also doesn't require you to change your UME data source to use LDAP/AD.

From the way you have described your requirements, I cannot see how they will be met using authschemes. The authschemes in NetWeaver allow you to define different methods of logon, but each method of logon must be linked to an auth stack, and the auth stack needs to use a login module. So, if you do not use a login module that supports the SPNEGO protocol, what authentication method do you want to use instead for SSO? If you want to use certificates, then you need to buy a product which allows your user to authenticate using a certificate on the workstation, but since the user has already authenticated when they logged onto the workstation, it is much better to use those credentials than to get the user to authenticate again. This is why the SPNEGO login modules are better - they won't require any client software. As I mentioned above, you could use the SAP-supplied SPNEGO login module, or you could consider the one from my company, which means you can use the ABAP data source and support name mapping.

Thanks,

Tim

Former Member
0 Kudos

Hello

Could someone please answer my original question without trying to sell me a product.

Thanks

0 Kudos

Esther,

I apologise if you didn't like me mentioning a non-SAP solution. I was trying to make you aware of the options available.

Anyway, I will not add any more feedback to this post, and when somebody else responds you will perhaps understand that the authscheme is not going to help you.

Thanks,

Tim

Former Member
0 Kudos

Hi,

The question is a little bit incorrect or at least not clear enough.

The EP uses the file authschemes.xml in order to maintain the authentication scheme. This can be configured per iView. The default EP authscheme finally points to the security authentication stack "ticket" (Visual Admin -> Server -> Services -> Security -> "ticket" policy configuration template). By default this template uses password authentication. In the authschemes there is no scheme called "Logon Ticket". But there is a scheme called "clientlogon". This scheme by default points to the security policy configuration "client_cert", thus effecting SSL client certificate authentication.

So back to your question.

"However on the client side I am confused on whether I have to use the Logon Ticket or Client Certificate authentication scheme."

First, the client side is the browser. The browser definitely does not "understand" what an authentication scheme is. This is server-side configuration. Second, the Logon Ticket is not a method that can be used for initial authentication. It is an SSO mechanism for accessing the other systems within your landscape once you have already been authenticated initially on the EP. The available authentication mechanisms for initial logon are: password, SSL client certificate, header variable (requires a third-party solution), SPNego/Kerberos token, SAML token. Finally, the configuration of the EP authentication type should be done at the Security Service level rather than in authschemes.

As far as I see, you should stick to the SSL client certificate authentication option. Then the users must provide an SSL client certificate in order to log on to the EP. Of course, they will need to access the EP via SSL. You can find the configuration guide here: http://help.sap.com/saphelp_nw70/helpdata/EN/62/881e3e3986f701e10000000a114084/frameset.htm

Kind regards,

Tsvetomir

Former Member
0 Kudos

Hello Tsvetomir,

Thank you very much for clearing this issue for me.

In the link you mentioned there is the following:

Users need to receive their client certificates from a Certification Authority (CA) as part of a public-key infrastructure (PKI). If you do not have an established PKI then you can use a Trust Center Service to obtain certificates.

There is an article in service.sap.com/security called "Authentication and Single Sign-on". There is a section called "obtaining a X.509 certificate".

It states there that a digital certificate can be obtained using the SAP Trust Center Service, for SAP users only, free of charge; the Portal server acts as Registration Authority (RA).

In service.sap.com/tcs I see they charge 260 EUR for an SSL server certificate.

So I am a little confused and would appreciate some clarification on this point.

Thanks

Boaz

0 Kudos

Hi Boaz,

I do not see any reason to use an external authority and pay additional money. Let me explain some details.

SSL is a client-server protocol. Each party holds a private key, a public key, and an identity certificate (called just a certificate for short). In your scenario, the SSL server side is the AS Java and the client side is the user's browser. For the server side you will need to configure the SSL service at the J2EE Dispatcher node. I believe you have already done that.

Regarding the client side, you will need to address your enterprise PKI implementation. Usually, the company maintains its own CA and signs all the users' identity certificates. Then the users' certificates are installed (manually or automatically) into the browser. There are also some third-party solutions for that, e.g. an OS service automatically inserts the certificate into the OS rootkit. So finally, every enterprise user has their own certificate that is already installed into the browser. Then the user accesses the AS Java system via HTTPS, providing her certificate. AS Java must be configured for SSL client authentication as explained in the SAP online documentation (the link was already provided). Of course, the SSL service also must be configured for mutual authentication. As the client certificates are all signed by your enterprise CA, you will need to set up that enterprise CA certificate in the SSL service. All that is explained as a prerequisite step in the same document.

Kind regards,

Tsvetomir
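Tsvetomir's two replies above describe the mechanism in prose: the SSL service on AS Java is configured for mutual authentication with the enterprise CA certificate in its trust store, the browser presents a certificate issued by that CA, and the subject of the verified certificate is what the portal then maps to a user. The Go program below is an added example and is not part of this thread or of any SAP product: it builds a constructed enterprise PKI with the standard library (one CA, a server certificate for the hypothetical host portal.example.invalid, and user certificates) and runs a loopback TLS server configured the same way, so you can see that a certificate from the enterprise CA yields the user's name, while no certificate, or one from a different CA, is rejected during the handshake before any request reaches the application. All identifiers (EnterpriseCA, PortalCert, Trust, Issue, Authenticate) are this example's own, not SAP names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"net"
	"time"
)

// Cert bundles a parsed certificate with its private key.
type Cert struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Issue creates a certificate for cn: a self-signed CA when parent is nil,
// otherwise an end-entity certificate signed by parent.
func Issue(cn string, parent *Cert, usage x509.ExtKeyUsage) *Cert {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")}, // SAN for the loopback server
	}
	signer, signerKey := tmpl, key
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{usage}
		signer, signerKey = parent.Cert, parent.Key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return &Cert{Cert: must(x509.ParseCertificate(der)), Key: key}
}

func (c *Cert) tlsCert() tls.Certificate {
	return tls.Certificate{Certificate: [][]byte{c.Cert.Raw}, PrivateKey: c.Key}
}

// Constructed enterprise PKI: the CA, the portal's server certificate, and a trust
// store holding only the CA certificate (what the SSL service must be given).
var (
	EnterpriseCA = Issue("Example Enterprise CA", nil, 0)
	PortalCert   = Issue("portal.example.invalid", EnterpriseCA, x509.ExtKeyUsageServerAuth)
	Trust        = x509.NewCertPool()
)
func init() { Trust.AddCert(EnterpriseCA.Cert) }

// Authenticate handshakes against a listener that requires a client certificate chained
// to EnterpriseCA and returns the CommonName the server read from it (nil = no cert).
func Authenticate(client *Cert) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{PortalCert.tlsCert()},
		ClientAuth:   tls.RequireAndVerifyClientCert, // mutual authentication
		ClientCAs:    Trust,
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		if conn, err := ln.Accept(); err == nil {
			defer conn.Close()
			tc := conn.(*tls.Conn)
			if tc.Handshake() == nil { // fails, with an alert, on a missing or untrusted client cert
				io.WriteString(conn, tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
			}
		}
	}()
	cfg := &tls.Config{RootCAs: Trust} // the browser also trusts the enterprise CA
	if client != nil {
		cfg.Certificates = []tls.Certificate{client.tlsCert()}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	cn, err := io.ReadAll(conn) // surfaces the server's alert if it rejected us
	return string(cn), err
}
```

Authenticate(Issue("BOAZ", EnterpriseCA, x509.ExtKeyUsageClientAuth)) returns "BOAZ" with a nil error; Authenticate(nil), and a certificate signed by a CA that is not in Trust, return an error because the server aborts the handshake with a TLS alert instead of letting the connection through. Those two settings, require a client certificate and trust only the enterprise CA, are the same two prerequisites the reply above describes for the AS Java SSL service; the name the server extracts is then the input to whatever user mapping the portal applies.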