Authentication Using Client Certificates (SAP Library

Authentication Using Client Certificates

Purpose

If you require a high level of security, you can use certificate-based authentication through the Secure Sockets Layer (SSL) protocol in your Enterprise Portal. The actual authentication takes place by the SSL protocol between Web browser and Web server, during the so-called SSL handshake. SSL authentication and X.509 certificates use Internet standard technology that provides a higher level of security and eliminates the need for passwords altogether.

After successful authentication, the Enterprise Portal extracts the user information from the client certificate. A parser is used to extract this information. You can either use the default parser provided with the Enterprise Portal or define your own. For more information, see Defining Parser for Client Certificate. The user information returned by the parser must match a portal user in the corporate LDAP directory, as the Portal Server issues an SAP logon ticket for this user.

Certificate-based authentication provides a high level of security for applications with highly sensitive company data. However, it also requires the company to invest in a public key infrastructure (PKI).

Prerequisites

In order to use authentication with client certificates, the following needs to be set up:

Users have obtained valid X.509 client certificates as part of a public key infrastructure and have imported them into their Web browsers. One method of obtaining client certificates is through the SAP Trust Center Service. For more information, see Obtaining SAP Passport (Client Cert.) from SAP Trust Center.

The browser and Portal Web server are configured to communicate using SSL.

The Portal Web server is configured to trust the Certification Authority (CA) that issued the user certificates.

The Portal Web server is configured to accept client certificates.

Users must log on to the portal using https.