
Using Client Certificates for User Authentication

Use

In addition to using SSL for encrypting connections, you can use SSL and X.509 client certificates for authenticating client or user access requests to the J2EE Engine.

When using client certificates, authentication takes place transparently for the user within the underlying SSL security protocol. Therefore, you can use authentication with client certificates to integrate the J2EE Engine in a Single Sign-On environment.

Integration

Public-Key Infrastructure / Trust Center Services

Users need to receive their client certificates from a Certification Authority (CA) as part of a public-key infrastructure (PKI). If you do not have an established PKI, you can use a Trust Center Service to obtain certificates.

For more information about PKI, see Public-Key Technology.

SSL

When using client certificates, users are authenticated at the communication protocol level using the SSL protocol. Therefore, SSL must be configured for the connections where user authentication takes place. The J2EE Engine enables you to use SSL, and with it user authentication with certificates, when users access the J2EE Engine with or without an intermediary gateway proxy server.

For more information, see Using SSL With an Intermediary Server.

Prerequisites

·        Users possess valid X.509 client certificates.

·        The users' client certificates are imported into the Web browsers on their client systems.

·        The J2EE Engine is configured to support HTTPS connections and SSL. For more information, see Configuring the Use of SSL on the J2EE Engine.

Features

·        The security of the authentication credentials is provided using the SSL protocol and PKI technology.

·        Users can also produce digital signatures using the client certificates. Therefore, higher levels of trust and non-repudiation for business transactions are also possible.

·        Passwords are no longer used for authentication purposes.

·        Users can use their certificates for secure access to other intranet or Internet services.

Configuration

·        For scenarios where users access the J2EE Engine directly or via an intermediary that tunnels the connection without terminating it, see Configuring the Use of Client Certificates for Authentication.

·        For scenarios where users access the J2EE Engine via an intermediary server that terminates the connection, see Using Client Certificates via an Intermediary Server.

·        If you are using authentication with client certificates in the portal, you can configure what happens when users log off from the portal. By default they are redirected to the default logon screen after they log off. If the portal is set up to use client certificates, they are automatically logged on again, so it is impossible for them to log off the portal. To prevent this, you can redirect them to a screen other than the default logon screen after they log off the portal. For more information, see SAP Note 696294.

 

 
