Overview of the security mechanisms in GWM
This section provides information about the user management and the authentication mechanisms for use with GWM.
Find an overview of the tools available for user management in GWM and SAP Gateway.
When you install GWM, it is available as an extension for all users of that computer. However, you must configure and maintain users' credentials for logging on to and connecting to the SAP Gateway system.
By doing so, you enable developers to create Outlook projects, C# projects, and so on, that connect to the SAP Gateway system required by end users.
You can configure and maintain users' information for GWM using one of the following:
By specifying users' credentials in the configuration file for a project.
For more information, see How To Consume the GWM Generated ADM File.
By configuring users' credentials using Group Policy to apply to all the connected computers.
Types of Authentication Mechanisms
The following types of authentication mechanisms can be implemented for using GWM:
Basic authentication is where the user name and the password are set directly in the code, or by using the ADM file.
SAML 2.0 is a standard for the communication of assertions about principals, typically users.
The assertion can include the means by which a subject was authenticated, attributes associated with the subject, and an authorization decision for a given resource.
See http://help.sap.com/saphelp_nw72/helpdata/en/17/6d45fc91e84ef1bf0152f2b947dc35/frameset.htm for more information.
An X.509 client certificate is a digital "identification card" for use on the Internet, also known as a public-key certificate.
A user who accesses the SAP Web Application Server and presents a valid certificate is authenticated on the server using the SSL protocol.
The information contained in the certificate is passed to the server, and the user is logged into the server based on this information. User authentication takes place in the underlying protocols, and no user ID and password entries are necessary.
See http://help.sap.com/saphelp_nw04s/helpdata/en/b1/07dd3aeedb7445e10000000a114084/frameset.htm for more information.
You can configure GWM to use the Kerberos authentication mechanism.
Before you configure Kerberos authentication for GWM, make sure that SAP NetWeaver AS ABAP (in which SAP Gateway runs) is already configured for Kerberos authentication.
For more information, see Using Kerberos Authentication on SAP NetWeaver AS ABAP.
For information about Kerberos, see Kerberos Authentication.
This type of authentication is used exclusively by Azure cloud services and GWM integrated with Azure.
Microsoft Office 365 and Microsoft SharePoint Online applications require OAuth 2.0 tokens for authentication to GWM runtime services. OAuth 2.0 is an open framework that enables secure authorization from desktop and web applications in a simple and standard way. GWM validates the tokens issued by Azure AD and also connects to Azure AD to request other attributes that are not part of the token (that is, for authorization decisions). The attributes are available in GWM as a list of claims.