SAP NetWeaver Enterprise Search uses the single sign-on (SSO) mechanisms provided by SAP NetWeaver. Therefore, the security recommendations and guidelines for user management and authentication that are described in the SAP NetWeaver Security Guide also apply to SAP NetWeaver Enterprise Search. The supported authentication mechanisms are listed below:
Secure Network Communications (SNC)
SNC is available for user authentication and provides for an SSO environment when using the SAP GUI for Windows or remote function calls.
More information: Secure Network Communications (SNC) (documentation in the SAP NetWeaver Security Guide)
SAP Logon Tickets
SAP NetWeaver Enterprise Search supports the use of logon tickets for SSO when using a Web browser as the front-end client. Users can be issued a logon ticket after they have authenticated themselves with the initial SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an authentication token. The user does not need to enter a user ID or password for authentication; instead, he or she can directly access SAP NetWeaver Enterprise Search after the system has checked the logon ticket.
More information: Logon Tickets (documentation in the SAP NetWeaver Security Guide)
Client Certificates
As an alternative to user authentication with a user ID and password, users with a Web browser as the front-end client can provide X.509 client certificates for authentication. In this case, user authentication is performed on the Web server using the Secure Sockets Layer Protocol (SSL Protocol), so no passwords need to be transferred. User authorizations are valid in accordance with the authorization concept in the SAP system.
In most cases, basic authentication requires that a user and password of the current user are mapped to the target system. This in turn requires a running Portal if the mapping cannot be delegated to a reference system.
A configured user always uses the same static user for authentication against the back-end system, regardless of the user who is currently logged on. Although no user mapping is necessary in this case, all user context is lost when calling the back-end system. It is not even possible to include the name of the user who is currently logged on as an additional parameter in the back-end call, because this requires user mapping. The only case in which user mapping is possible for the combination of a configured user and a user name in a parameter is when the user name on the J2EE engine equals the user name in the back-end system.
Authentication mechanism for searching
The SAP BO search service (BOSS), which is used for searching ERP systems as of ERP 6.0, for example, supports only single sign-on with assertion tickets. For this purpose, you must establish a trusted relationship between SAP NetWeaver Enterprise Search and the BOSS back-end systems. The destination for the BOSS system is created automatically by the system.
More information: Creating a Trusted Relationship with Enterprise Search
Authentication mechanism for navigation to the search result
Navigation to the search result is available only for the SAP GUI user interface. The search using the SAP BO search service uses solely SSO; therefore, SSO can also be used for the back-end navigation.
Authentication mechanism for searching
The SAP BO legacy search, which is used for searching older R/3 systems, such as 4.6C or 4.70, supports only SSO with assertion tickets. See above: SAP BO Search Service
Authentication mechanism for navigation to the search result
See above: SAP BO Search Service
Authentication mechanism for searching
The SAP BI search, which is used for searching BI systems as of release 7.0, supports only single sign-on with assertion tickets. The destination for the BI system is created automatically by the system. In addition, a trusted relationship must be established between SAP NetWeaver Enterprise Search and the BI back-end system.
More information: Creating a Trusted Relationship with Enterprise Search
Authentication mechanism for navigation to the search result
Navigation to the search results is done using the SAP NetWeaver Portal for the back-end system. The search uses SSO; therefore, SSO can also be used for the back-end navigation.
Authentication mechanism for searching
A file search that searches in repositories without authorization checking supports both configured users and single sign-on.
The file search with authorization check supports only single sign-on and requires a connection to the respective MS Active Directory Server (LDAP).
Authentication mechanism for navigation to the search result
The security settings of the global security guidelines in the MS Active Directory apply.
Authentication mechanism for searching
The KM search supports single sign-on and authentication using user and password. SSO again requires a trusted relationship between SAP NetWeaver Enterprise Search and the portal system on which KM is running.
Note
SSO is supported for KM systems as of release NW 7.0 (2004s) SPS12.
More information:
Authentication mechanism for navigation to the search result
Navigation to the search results uses single sign-on.
Authentication mechanism for searching
Executing a search against the configured Web service supports anonymous, configured user, or SSO access. For SSO, the same prerequisites must be fulfilled as for all other connector types that can use SSO.
The Search UI supports all authentication mechanisms that the Web Dynpro ABAP framework supports.
The Web Service API supports all authentication mechanisms that the ABAP ICF framework supports.