This section provides an overview of the supported authentication methods for both Internet and intranet scenarios including client and front-end technologies such as, HTML5, Microsoft Silverlight, and Flex.
Note that such client applications require a Web server in order to host content that is not provided by SAP Gateway.
For this scenario, SAP Gateway supports multiple authentication options, including the following:
SAML 2.0 Browser SSO
Requires an additional system, the Identity Provider (IdP) for example SAP Identity Management (SAP IDM) or Microsoft Active Directory Federation Service (AD FS).
X.509 Client Certificate
Requires PKI infrastructure. If HTTPS request is terminated by a reverse proxy, such as, the SAP Web Dispatcher, the proxy and SAP Gateway should implement certificate forwarding in the HTTP header.
Secure credentials caching is needed. The application should support change of initial and expired user password.
User password can be locked out, as result of Denial of service (DoS) attack.
Portal single sign-on (SSO)
Leveraging an external authentication provider, for example, Enterprise Portal (EP). SAP Gateway trusts SAP Logon tickets issued by the SAP NetWeaver Enterprise Portal, based on the user’s credentials in the portal.
Secure credentials caching on the client side is required.
The figure below is an overview of the Web application scenario using SAP Gateway.
The following is the explanation of the figure above:
Consumer is any client side Web application Consumer application communicates with the customer’s environment via reverse proxy.
Reverse proxy acts as server side proxy used for avoiding same-origin policy restrictions.
Web server hosts Web application content. Both SAP Gateway and IdP support SAML2.0 SSO profile with artifact redirect binding.
SAP Gateway trusts SAML assertions signed by the IdP certificate.
SAP Gateway uses Trusted RFC Connection to access backend services with a named user .