This section provides an overview of the supported authentication methods for intranet application scenarios, including client and front-end technologies such as Microsoft .NET and Java.
For this scenario, SAP Gateway supports multiple authentication options, including the following:
SAML 2.0 Browser SSO
Requires an additional system, the Identity Provider (IdP), for example, SAP Identity Management (SAP IDM) or Microsoft Active Directory Federation Service (AD FS).
You can leverage Windows Integrated for IdP authentication. The client code should behave "like a browser" when handling HTTP redirects, forms, and cookies.
X.509 client certificate
Certificates can be distributed in one of the following ways:
PKI infrastructure for regular certificates.
SAP NetWeaver SSO product for generation of short-lived certificates.
Secure credentials caching is needed. The password can be locked out as a result of a DDoS attack.
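The "like a browser" behavior described above for SAML 2.0 Browser SSO, as an added example that is not SAP code: a client keeps a cookie jar, follows redirects, reads the IdP's auto-submit form, and posts the assertion only to an expected HTTPS origin. Python's standard library is used for illustration; the host names, the /acs path, the sample page, and all function names are assumptions.

```python
import http.cookiejar
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlencode, urljoin, urlsplit

# Constructed sample of an IdP auto-submit page (hosts, path and values are placeholders).
SAMPLE_IDP_PAGE = """<html><body onload="document.forms[0].submit()">
<form method="post" action="https://gateway.example.com/acs">
<input type="hidden" name="SAMLResponse" value="PHNhbWxwOlJlc3BvbnNlLz4="/>
<input type="hidden" name="RelayState" value="oucq&amp;x=1"/>
</form></body></html>"""

class FormParser(HTMLParser):
    """Collects the action, method and input fields of the first <form>."""
    def __init__(self):
        super().__init__()
        self.action, self.method, self.fields, self._open = None, "get", {}, False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            self._open = True
            self.action = a.get("action") or ""
            self.method = (a.get("method") or "get").lower()
        elif tag == "input" and self._open and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""
    def handle_endtag(self, tag):
        if tag == "form":
            self._open = False

def extract_saml_post(page_url, html, allowed_origins):
    """Return (target_url, fields) for the SAML POST form, or raise ValueError."""
    p = FormParser()
    p.feed(html)
    if p.action is None or p.method != "post" or "SAMLResponse" not in p.fields:
        raise ValueError("page carries no SAML POST-binding form")
    target = urljoin(page_url, p.action)  # a relative action resolves against the page URL
    u = urlsplit(target)
    origin = f"{u.scheme}://{u.netloc}"
    # The assertion is a bearer credential: send it only over HTTPS to an expected host.
    if u.scheme != "https" or origin not in allowed_origins:
        raise ValueError(f"refusing to post assertion to {origin}")
    return target, p.fields

def new_session():
    # urllib follows redirects by default; the cookie jar keeps cookies across requests.
    return urllib.request.build_opener(urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))

def post_assertion(session, target, fields):
    body = urlencode(fields).encode("ascii")  # form-encoded, as a browser submits it
    return session.open(urllib.request.Request(target, data=body), timeout=30)
```

Use the same session object for the initial request to the service, the IdP login, and `post_assertion`, so that the session cookie set after the assertion is accepted is sent on later calls.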
The figure below is an overview of the Desktop application scenario using SAP Gateway in a technical system landscape.
The following is the explanation for the illustration above:
Consumer is any desktop application directly communicating with the SAP Gateway system.
One of the following options is used for SAP Gateway authentication:
X.509 client certificates distributed using SAP NetWeaver SSO or PKI
SAML assertions issued by IdP
SPNego tokens issued by domain controller
SAP Gateway uses Trusted RFC Connection to access backend services with a named user.