User Authentication and Single Sign-On
SAP NetWeaver Single Sign-On
Authentication Concepts
Authentication for SAP GUI
User ID and Password Authentication for SAP GUI
Client Certificate Logon for SAP GUI
Kerberos for SAP GUI Authentication
Windows NT LAN Manager (NTLM) Authentication
Authentication for Web-Based Access
Basic Authentication (User ID and Password)
Logon Tickets
X.509 Client Certificates
SAML 1.x
SAML 2.0
SSO with SAML 2.0
SLO with SAML 2.0
Identity Federation
Common Domain and Identity Provider Discovery
Kerberos Authentication
Header Variables
Authentication for Web Services
Authentication at HTTP Transport Level
Authentication at SOAP Message Level
SAML Token Profile
WS Security UsernameToken
Authentication for Communication Between Systems
Authentication Assertion Tickets
Authentication Infrastructure
AS ABAP Authentication Infrastructure
AS Java Authentication Infrastructure
Declarative and Programmatic Authentication
Login Modules
Managing Login Modules
Creating the Configuration File for Login Modules
HTTP Sessions and Security Sessions on SAP NetWeaver AS for Java
Policy Configurations and Authentication Stacks
Creating Authentication Stack Templates for Policy Configurations
Editing the Authentication Policy of SAP NetWeaver AS for Java Components
Configuring Authentication Properties
Setting a Logon Policy for a Policy Configuration
User Mapping and the AS Java
Application Server Java as a SAML 2.0 Provider
Integration in Single Sign-On (SSO) Environments
Single Sign-On for the SAP GUI
Logon and Password Security for SAP GUI
Password Rules
List of Customizing Switches for Generated Passwords
Logging Off Inactive Users
Single Sign-On for SAP Shortcuts
Integrating SAP GUI for Windows in a Portal iView
Single Sign-On with Client Certificates
Preparing the Central Instance
Activating SSO on the SAP Logon
Single Sign-On with Microsoft Kerberos SSP
Preparing the Primary Application Server Instance
Configuring the SAP Front End
Configuring the SAP Logon
Mapping Windows Users to SAP Users for Kerberos SSO
Single Sign-On with Microsoft NT LAN Manager SSP
Starting the Windows LM Security Support Provider Service
Configuring the Application Server
Configuring SAP GUI and SAP Logon for Single Sign-On
Mapping Windows Users to SAP Users for NTLM SSO
Single Sign-On for Web-Based Access
Using User ID and Password Authentication
Logon Using Basic Authentication
Logon Using User ID and Password on the AS Java
Configuring User Mapping with User ID and Password on an AS Java
Using Rules for User Mapping in Basic Password Login Module
Using Logon Tickets
Using Logon Tickets with AS ABAP
Using Logon Tickets with AS Java
Configuring the AS Java to Issue Logon Tickets
Specifying the Client to Use for Logon Tickets
Replacing the Key Pair to Use for Logon Tickets
Configuring the AS Java to Accept Logon Tickets
Checking or Updating the Certificates of Trusted Systems
Testing the Use of Logon Tickets
Sample Login Module Stacks for Using Logon Tickets
Configuring the Validity Period of Logon Tickets
Accepting Logon Tickets Issued by the AS Java
Using X.509 Client Certificates
Using X.509 Client Certificates on SAP NetWeaver Application Server for ABAP
Logging On with SSL Certificate
Configuring the AS ABAP to Use X.509 Client Certificates
Assigning Users an Existing Certificate for Single Sign-On with SSL
Using X.509 Client Certificates on SAP NetWeaver AS for Java
Configuring the Use of Client Certificates for Authentication
Modifying Client Certificate Authentication Options
Using Stored Certificate Mappings
Maintaining the User's Certificate Information
Maintaining Certificate Mappings Automatically
Using Rules Based on Client Certificate Subject Names
Using Rules Based on Client Certificate V3 Extensions
Using Rules for User Mapping in Client Certificate Login Module
Defining Rules for Filtering Client Certificates
Using Client Certificates via an Intermediary Server
Enabling Certificate Revocation
How the Certificate Check Revocation Service Works
Modifying Additional Settings
Checking Certificates Manually
Removing or Updating CRL Cache Entries
Using SAML Browser Artifacts
Configuring AS Java as a SAML Destination Site
Adjusting the Login Module Stacks for Using SAML
Using SAML with the AS ABAP
Establishing a Connection Between SAP NetWeaver Application Server for ABAP and SAP NetWeaver AS for Java
Activating SAML for Resources in the AS ABAP
Logon via SAML
Mapping SAML Principals to AS ABAP User IDs
Using SAP NetWeaver for a SAML Source Site
Changing the Startup Mode for the SAML Service
Configuring the Portal as a SAML Source Site
Accessing an Application that Accepts SAML Assertions
Example: Accessing Web Dynpro Application in a Portal Using SAML
The SAML Test Application
Setting Up the SAML Test Application
Using the SAML Test Application
SAML Parameters
Inbound Partner Parameters
Outbound Partner Parameters
General SAML Settings
Using SAML 2.0
Adding an Identity Provider to Your Network
Configuring AS ABAP as a Service Provider
Configuring AS Java as a Service Provider
Enabling the SAML Service Provider
Configuring Front-Channel Communication
Configuring Back-Channel Communication
Configuring Support for Enhanced Client or Proxy
Identity Federation
Configuring Federation Type Persistent Users
Configuring Federation Type Persistent Users (Advanced)
Configuring Federation Type Virtual Users
Mapping SAML 2.0 Attributes
Configuring a User Mapping
Example of Transient Federation
Trusting an Identity Provider
Updating the Configuration of a Trusted Provider
Selecting the Keystore View for SSL for the Service Provider
Using Predefined User Attributes in SAML
Adding Custom User Attributes for SAML
Managing Name IDs
Protecting Resources with SAML
Setting SAML 2.0 Policies for Authentication
Securing SAML Bindings
Enabling HTTP Access to SAML Endpoints
Influencing the Identity Provider Used by the Service Provider
Identity Provider Discovery Read Service of AS Java
Accessing the Metadata XML of a SAML Service Provider of an AS Java
Enabling Access to the SAML 2 Metadata XML File URL
Adding Digital Signatures to Metadata
Adding Contact Data to the Metadata XML
Including Legacy Systems in Your SAML 2.0 Landscape
Enabling Service Providers to Share Persistent Name IDs
Mapping Relay States to Applications
Configuring the Default Application Path
Adding Custom Authentication Contexts
Configuring the Validity Period for SAML Messages
Setting the Proxy Count
Disabling IdP-Initiated and SP-Initiated SSO and SLO
Overriding the Service Provider Configuration With URL Parameters
Disabling the SAML Service Provider
Using Kerberos Authentication
Starting the SPNego Configuration Application
Configuring Kerberos Authentication
Configuring Key Distribution Centers
Configuring the UME for Kerberos Mapping
Accessing AS Java with Kerberos Authentication
Adding Kerberos Realms
Changing User Mapping for Kerberos
Changing Service User Keys and Encryption Types
Legacy SPNego Configuration for Kerberos Authentication
Migrating Legacy SPNego Configuration
Switching to Legacy Mode
Configuring Kerberos Authentication in Legacy Mode
Configuring KDCs for Legacy Mode
Configuring the UME when Using ADS Data Sources for Kerberos
Configuring the UME when Using Non-ADS Data Sources
Configuring Additional Kerberos Realms
Changing the User Resolution Mode for Kerberos Authentication
Adding Key Distribution Centers
Changing the Kerberos Principal Name for a Kerberos Realm
Troubleshooting
SPNego Configuration Application
Using Header Variables
Accessing Back-End Systems with a Different User ID
Integrating Third-Party Login Modules
Single Sign-On for Web Services
Using Transport Level Authentication
Using Message Level Authentication
Message-Based Authentication with WS-Security
Configuring Single Sign-On with SAML Token Profiles
Configuring Trusted Partners and Attesters for SAML
Preparing the SAML-Token-Profile-Issuing WS Consumer AS ABAP
Exporting the AS ABAP Certificate
Preparing the SAML-Token-Profile-Issuing WS Consumer AS Java
Exporting the AS Java Certificate
Preparing the WS Provider AS ABAP for Accepting SAML Token Profiles for Validation with the SAML 2 Infrastructure
Trusting a Security Token Service
Protecting Web Services with SAML
Preparing the WS Provider AS ABAP for Accepting SAML Token Profiles for Validation with the Ticket PSE
Setting Up the WS Provider AS Java to Accept SAML Token Profiles
Configuring the Trust Relationship for SAML Token Profiles Without Logon Ticket Configuration for Validation with the Ticket PSE
Single Sign-On with an External Security Token Service
STS Scenario with Symmetric Key for Message Protection (Signature, Encryption, and Authentication)
STS Scenario with Symmetric Key for Endorsing Signature (Authentication Only)
STS Scenario with Asymmetric WS Consumer Key for Endorsing Signature (Authentication Only)
Configuring Single Sign-On with an External Security Token Service
Configuring SSO/STS Scenario SAML Holder-of-key in the WS Provider AS ABAP
Configuring SSO/STS Scenario SAML Holder-of-key in the WS Consumer AS ABAP
Single Sign-On for Interaction between Systems
Maintaining Remote Destinations
Displaying, Maintaining, and Testing Destinations
Entering Destination Parameters
Connection Types
Maintaining Trust Relationships between SAP Systems
Destination Service
Maintaining HTTP Destinations
Maintaining RFC Destinations
Single Sign-On for Java Remote Method Invocation
Authentication for RMI-P4 Clients
Using P4 Protocol Over a Secure Connection
Security for RMI-IIOP Applications
Configuring the AS Java for IIOP Security
Single Sign-On for Resource Adapters and JCA
Developing Authentication Enhancements
Authentication Enhancements for SAP NetWeaver Application Server for ABAP
System Logon
User-Specific Changes
Creating Error Pages
Authentication Enhancements with SNC
Developing Authentication Enhancements on the AS Java
Single Sign-On to Non-SAP Systems and Applications