This section provides an overview of the supported authentication methods for server-side application scenarios, including technologies such as PHP, Microsoft ASP, or Microsoft .NET.
The server hosting the server-side code is trusted by SAP Gateway. For this scenario, SAP Gateway supports multiple authentication options, including the following:
Short-lived X.509 client certificate
The certificate is generated on the fly without the PKI infrastructure.
If the HTTPS request is terminated by a reverse proxy, for example, SAP Web Dispatcher, the proxy and SAP Gateway should implement forwarding of the client certificate in the HTTP header.
Unsolicited SAML 2.0 bearer assertion
Requires an additional system IdP and STS for generating a SAML assertion. As an alternative, the server-side code can generate the assertion.
The assertion is sent to SAP Gateway directly in a POST request (IdP-initiated SSO POST Binding).
The figure below is an overview of the data flow for the request from a server-side application to create an entry in SAP ERP through SAP Gateway.
The following is an explanation of the figure above:
Consumer
The consumer accesses a Web application that has server-side code, for example, PHP.
Connectivity Layer
A reverse proxy acts as a connectivity solution for external consumers.
SAP Gateway
The Web server hosts the Web application with server-side content.
The application connects to SAP Gateway behind the scenes. A short-lived X.509 client certificate is generated on the fly for a specific user. The user identity is part of the certificate's subject.
Business Layer
SAP Gateway uses a trusted RFC connection to access backend services with a named user.
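The on-the-fly issuance of a short-lived client certificate for a specific user, as described above, shown in PHP as an added example (not SAP's code and not part of the original page). It assumes the Web server holds a signing key whose certificate SAP Gateway has been configured to trust; the demo signer, the user ID JDOE and the helper names are constructed for illustration.

```php
<?php
// Added example. Subject fields, the user ID and lifetimes are constructed.
const KEY_OPTS  = ['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048];
const SIGN_OPTS = ['digest_alg' => 'sha256'];

function must($value, string $what)
{
    if ($value === false) {
        throw new RuntimeException("$what failed: " . openssl_error_string());
    }
    return $value;
}

// Demo-only signer (assumption). A real deployment loads the Web server's
// signing key and certificate from protected storage instead.
function make_demo_signer(): array
{
    $key  = must(openssl_pkey_new(KEY_OPTS), 'signer key');
    $csr  = must(openssl_csr_new(['commonName' => 'Demo Web Server Signer'], $key, SIGN_OPTS), 'signer CSR');
    $cert = must(openssl_csr_sign($csr, null, $key, 365, SIGN_OPTS), 'signer certificate');
    return [$cert, $key];
}

function issue_user_cert(string $userId, $signerCert, $signerKey): array
{
    // The user ID becomes the subject CN, so accept only a plain user name.
    if (!preg_match('/^[A-Za-z0-9_.-]{1,40}$/', $userId)) {
        throw new InvalidArgumentException('unexpected characters in user ID');
    }
    $key = must(openssl_pkey_new(KEY_OPTS), 'user key');
    $csr = must(openssl_csr_new(['commonName' => $userId], $key, SIGN_OPTS), 'user CSR');
    // openssl_csr_sign() takes validity in whole days, so it cannot express minutes or hours.
    $cert = must(openssl_csr_sign($csr, $signerCert, $signerKey, 1, SIGN_OPTS, random_int(1, PHP_INT_MAX)), 'user certificate');
    must(openssl_x509_export($cert, $certPem), 'certificate export');
    must(openssl_pkey_export($key, $keyPem), 'key export');
    return [$certPem, $keyPem];
}

[$signerCert, $signerKey] = make_demo_signer();
[$certPem, $keyPem] = issue_user_cert('JDOE', $signerCert, $signerKey);

$info = must(openssl_x509_parse($certPem), 'certificate parse');
printf("subject CN : %s\n", $info['subject']['CN']);
printf("issuer CN  : %s\n", $info['issuer']['CN']);
printf("valid until: %s\n", gmdate('c', $info['validTo_time_t']));
printf("lifetime   : %d seconds\n", $info['validTo_time_t'] - $info['validFrom_time_t']);
// Extensions come from openssl.cnf; a client certificate should not say CA:TRUE.
printf("basicConstraints: %s\n", $info['extensions']['basicConstraints'] ?? 'none');
```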