SAP Single Sign-On Configuration for Network Edge Authentication

Network Edge Authentication (NEA) is based on SAP Web Dispatcher and SAP Single Sign-On products. It provides integrated, simple and secure Web access control for SAP solutions.

Prerequisites

  • SSOAUTHLIB.sca for SAP Single Sign-On 3.0 SP01 or higher is installed. For more information, see One-Time Password Authentication Installation and Upgrade Guide.
  • SAP Web Dispatcher version 7.51 SP00 or higher is installed and configured. Make sure that you have set the relative path /nea/v1/authenticate as part of the absolute URL for the AUTH_SERVICE subparameter. For more information, see Network Edge Authentication and SAP Web Dispatcher Configuration for Network Edge Authentication in the SAP Web Dispatcher documentation at http://help.sap.com/nw751abap, under Application Help > SAP NetWeaver Library: Function-Oriented View > Application Server Infrastructure - ABAP > Components of SAP NetWeaver Application Server for ABAP.
  • If you want to use certificates for SSO tokens, for example if you configure X.509 certificate as SSO token type in the SAP Web Dispatcher, you have to install and configure the Secure Login Server, version 3.0 SP01 or higher.

How Does It Work

When a user tries to access a back-end system, the SAP Web Dispatcher forwards the request to the authentication service provided by SAP Single Sign-On. The authentication service triggers the authentication process and, after successful authentication, the SSO service issues an SSO token that the SAP Web Dispatcher uses to access the back-end systems. These tokens can be X.509 certificates or logon tickets.

If logon tickets are used as SSO token type, no additional configuration is required for the Network Edge Authentication service. You only need to do the standard trust configuration between the system where the authentication service is installed (as issuer of the logon ticket), and the back-end system (as receiver of the logon ticket).

If X.509 certificates are used as SSO token type, you have to configure an authentication profile in the Secure Login Administration Console and set the name of this profile as the value of the property x509_sls_profile_name for the sap.com/sso~nea~ear*nea_v1_authenticate authentication stack in SAP NetWeaver Administrator.

Caution
When configuring the profile for issuing X.509 certificates in the Secure Login Administration Console, you can only use the (AUTH:USERID) variable. The other variables are not supported by the Network Edge Authentication service. If you set any of them, the certificate issuing process will fail.

For more information, see the SAP Web Dispatcher documentation and the Secure Login Implementation Guide.
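A pre-deployment check for the two constraints stated above (the AUTH_SERVICE URL path and the single supported profile variable), as an added example that is not SAP code. It assumes subparameters are written as comma-separated KEY=VALUE pairs and that profile variables follow the (SOURCE:NAME) shape of (AUTH:USERID); the host name, OTHER_SUBPARAM and (EXAMPLE:OTHER) are constructed sample values.

```python
import re
from urllib.parse import urlsplit

NEA_PATH = "/nea/v1/authenticate"     # relative path required in AUTH_SERVICE
ALLOWED_VARIABLE = "(AUTH:USERID)"    # only variable the NEA service supports
# Assumption: variables look like (SOURCE:NAME), as (AUTH:USERID) does.
VARIABLE_RE = re.compile(r"\([A-Za-z0-9_]+:[A-Za-z0-9_.]+\)")


def parse_subparameters(value):
    """Split 'KEY=VALUE, KEY=VALUE' into a dict with upper-cased keys."""
    pairs = (item.split("=", 1) for item in value.split(",") if "=" in item)
    return {k.strip().upper(): v.strip() for k, v in pairs}


def check_auth_service(param_value):
    """Return a list of findings for the AUTH_SERVICE subparameter."""
    url = parse_subparameters(param_value).get("AUTH_SERVICE")
    if url is None:
        return ["AUTH_SERVICE subparameter is missing"]
    parts = urlsplit(url)
    findings = []
    if parts.scheme not in ("http", "https") or not parts.netloc:
        findings.append("AUTH_SERVICE must be an absolute URL")
    if parts.path.rstrip("/") != NEA_PATH:
        findings.append(
            f"AUTH_SERVICE path is {parts.path!r}, expected {NEA_PATH!r}")
    return findings


def check_profile_template(template):
    """Return the variables in a profile template that NEA does not support."""
    return [v for v in VARIABLE_RE.findall(template) if v != ALLOWED_VARIABLE]


if __name__ == "__main__":
    # Constructed sample values, not taken from a real system.
    param = "AUTH_SERVICE=https://sso.example.com:50001/nea/authenticate, OTHER_SUBPARAM=value"
    template = "CN=(AUTH:USERID), OU=(EXAMPLE:OTHER)"
    for finding in check_auth_service(param):
        print("Web Dispatcher:", finding)
    for variable in check_profile_template(template):
        print("Secure Login profile: unsupported variable", variable)
```

Any variable reported by check_profile_template would cause the certificate issuing process to fail, so an empty result is the condition to gate on before enabling X.509 as SSO token type.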

The authentication stack used for the NEA authentication service is sap.com/sso~nea~ear*nea_v1_authenticate. By default, the NEA authentication service uses the ticket authentication stack template. You can change this setting by reconfiguring the authentication stack of the NEA authentication service. To do so, proceed as follows:

  1. Open SAP NetWeaver Administrator at http(s)://<host>:<port>/nwa.
  2. Choose Configuration > Authentication and Single Sign-On > Authentication > Components.
  3. Search for sap.com/sso~nea~ear*nea_v1_authenticate of type Web.
  4. Edit the login modules on the Authentication Stack tab.

    You can set a two-factor or risk-based authentication using the TOTPLoginModule, for example.

For more information on how to configure the TOTPLoginModule, see Configuring TOTPLoginModule and RBALoginModule.