
Integration into Single Sign-On Environments

SAP NetWeaver Mobile uses logon tickets to support the Single Sign-On mechanism that is provided by SAP NetWeaver Application Server. Consequently, the security recommendations and guidelines for user administration and authentication that are described in the security guide of SAP NetWeaver Application Server are also valid for SAP NetWeaver Mobile. Currently, however, SAP NetWeaver Mobile only supports the Single Sign-On technology based on SAP logon tickets.

Prerequisites

The following requirements must be satisfied to enable authentication with Single Sign-On in SAP NetWeaver Mobile:

·        Data Orchestration Engine (DOE) is configured to support SAP logon tickets.

More information: Authentication and Single Sign-On, SAP NetWeaver Application Server ABAP Security Guide

·        Mobile client is configured with Single Sign-On.

Single Sign-On Scenarios

When using Single Sign-On, the following scenarios are configurable:

·        One User. User accesses the mobile client for laptops

The device is used by a single user. The user starts the mobile client for laptops on the client device. The client requests a ticket from a ticket issuing system; the ticket is used for initial logon and for synchronization. The user must authenticate his or her ID at the ticket issuing system.

For example, in a typical scenario:

a.      The user starts the mobile client and enters the user ID and password.

b.      The mobile client verifies the data using the SAP logon ticket.

c.      On verification, the mobile client for laptops ignores further password handling settings, that is, the client does not prompt the user for ID or password.

Note

In the initial logon, which must be performed online, the user data from the logon ticket is used to create a user in the mobile client.

·        One User. User accesses a Ticket-Issuing System (SAP NetWeaver Portal)

The device is used by a single user only. The user starts the mobile client for laptops on the mobile device as a service. The service runs in the background, without a user interface.

To work with the client, the user accesses the client user interface from a link in the ticket issuing system (for example, the SAP NetWeaver Portal).  If a logon ticket is available, the user interface of the client starts.

Note

Before a user can use an SAP logon ticket, a user name and password must be created for this user in the mobile client.

·        Multiple Users

The device is used by multiple users. Each user starts the mobile client for laptops as a service. The service runs in the background, without a user interface.

To work with the client, the user accesses the client user interface from a link in the ticket issuing system (for example, the SAP NetWeaver Portal).  If a logon ticket is available, the user interface of the client is started.

If a logon ticket is not available, users can start the mobile client from the browser below the configured start address, and log on. The ticket issuing system uses settings present in the client for handling passwords; the user can also use the client’s password management features.

Note

Before a user can use an SAP logon ticket, a user name and password must be created for this user in the mobile client.

More Information

·        In the mobile client for laptops, you have to configure a few parameters to enable SSO.

More information: Parameters for Single Sign-On

·        After enabling SSO on the mobile client, you must log on to the client through the portal server.

More information: Using Single Sign On
