
Using Client Certificates for User Authentication

Use

In addition to using SSL for encrypting connections, you can use SSL and X.509 client certificates for client or user authentication. The authentication takes place using the underlying protocols and no user intervention is necessary, which also provides for a Single Sign-On environment.

Integration

Public-Key Infrastructure / Trust Center Services

Users need to receive their client certificates from a Certification Authority (CA) as part of a public-key infrastructure (PKI). If you do not have an established PKI then you can use a Trust Center Service to obtain certificates.

SSL

When using client certificates, users are authenticated using the SSL protocol. Therefore SSL is necessary for the connections where user authentication takes place. The SSL authentication can be used when users access the SAP J2EE Engine directly or for those scenarios where they access the server via an intermediary proxy.

For more information, see Using SSL With an Intermediary Server.

Prerequisites

·        Users possess valid client certificates and have imported them into their Web browsers.

·        The SAP J2EE Engine is configured to support HTTPS connections and SSL.

Features

·        Strong authentication is provided using the SSL protocol and PKI technology.

·        Users can also produce digital signatures using the client certificates. Therefore, higher levels of trust and non-repudiation for business transactions are also possible.

·        Passwords are no longer used for authentication purposes.

·        Users can use their certificates to access other intranet or Internet services.

Configuration

·        For scenarios where users access the SAP J2EE Engine directly or via an intermediary that tunnels the connection, see Configuring the Use of Client Certificates for Authentication.

·        For scenarios where users access the SAP J2EE Engine via an intermediary server that terminates the connection, see Configuring the Use of Client Certificates via an Intermediary Server.

·        If you are using authentication with client certificates in the portal, you can configure what happens when users log off from the portal. By default they are redirected to the default logon screen after they log off. If the portal is set up to use client certificates, they are automatically logged on again, so it is impossible for them to log off the portal. To prevent this, you can redirect them to a screen other than the default logon screen after they log off the portal. For more information, see SAP Note 696294.

 
