
Server Side Application Scenario


This section provides an overview of the supported authentication methods for server-side application scenarios, including technologies such as PHP, Microsoft ASP, or Microsoft .NET.

The server hosting the server-side code is trusted by SAP Gateway. For this scenario, SAP Gateway supports multiple authentication options, including the following:

  • Short-lived X.509 client certificate

    The certificate is generated on the fly, without a PKI.

    If the HTTPS request is terminated by a reverse proxy, for example, SAP Web Dispatcher, the proxy and SAP Gateway should implement forwarding of the client certificate in the HTTP header.

  • Unsolicited SAML 2.0 bearer assertion

    Requires an additional system, IdP and STS, for generating a SAML assertion. Alternatively, the server-side code can generate the assertion.

    The assertion is sent to SAP Gateway directly in a POST request (IdP-initiated SSO POST Binding).

The figure below is an overview of the data flow for a request from a server-side application to create an entry in SAP ERP through SAP Gateway.

Figure 1: Server side scenario

The following is an explanation of the figure above:

  • Consumer

    The consumer accesses a Web application that has server-side code, for example, PHP.

  • Connectivity Layer

    A reverse proxy acts as a connectivity solution for external consumers.

  • SAP Gateway

    The Web server hosts the Web application with server-side content.

    The application connects to SAP Gateway behind the scenes. A short-lived X.509 client certificate is generated on the fly for a specific user. The user identity is part of the certificate's subject.

  • Business Layer

    SAP Gateway uses a Trusted RFC connection to access backend services with a named user.
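The short-lived certificate described above can be illustrated with the following added Go example, which is not part of the original page and is not SAP code. It issues a five-minute client certificate with the user in the subject and shows the receiving side's checks: trusted issuer, client-authentication usage and validity period. The function names `issue` and `verifyAt`, the issuer name, the user `JDOE` and the lifetime are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs a certificate for cn that expires after ttl; with parent == nil it self-signs an issuer.
func issue(cn string, ttl time.Duration, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))),
		Subject:      pkix.Name{CommonName: cn}, // user identity is carried in the subject
		NotBefore:    time.Now().Add(-30 * time.Second), NotAfter: time.Now().Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // constructed stand-in for the issuer the receiving side trusts
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage, tmpl.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
		parent, pk = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pk))
	return must(x509.ParseCertificate(der)), key
}

// verifyAt is the receiver's check at time t: trusted issuer, client-auth usage, validity period.
func verifyAt(ca, cert *x509.Certificate, t time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: t, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	ca, caKey := issue("Constructed Web App CA", time.Hour, nil, nil)
	cert, _ := issue("JDOE", 5*time.Minute, ca, caKey) // constructed user name
	fmt.Println(cert.Subject.CommonName, verifyAt(ca, cert, time.Now()), verifyAt(ca, cert, time.Now().Add(10*time.Minute)))
}
```

For an actual HTTPS call, the key returned by `issue` together with the certificate would form the TLS client credential; the example discards it because only the certificate checks are shown.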