Single Sign-On with Client Certificates 

Use

The AS ABAP enables you to configure the use of client certificates for SSO when users access the system from a SAP GUI.

For SAP GUI authentication with client certificates, the security context for authentication is made available from the GSS API of the AS ABAP system. Therefore, to enable the use of client certificates for SSO, the AS ABAP system must be configured to use SNC.

Integration

The use of client certificates for logon with the SAP GUI makes use of public cryptography and the AS ABAP personal storage environment (PSE) for establishing the user identity. The client certificate information, however, is used only for authenticating SAP GUI users. Transport layer security, the integrity and confidentiality of the authentication credentials is enabled by the SNC used on the AS ABAP.

Prerequisites

●     To enable SAP GUI SSO with client certificates, users must possess valid client certificates. SAP GUI users can receive client certificates from an established Public-Key Infrastructure.

●     The SAP GUI client computers and the AS ABAP systems must use an external security product that enables the creation of a Personal Storage Environment (PSE). The use of an external security product is enabled by Secure Network Communications (SNC).

You can use external security products for client certificate authentication that are certified by the SAP Partner Program. For more information about the SAP certified security products, see service.sap.com/security.

Activities

To enable users and AS ABAP systems to use SSO with client certificates, you have to:

...

       1.      Prepare the central instance.

       2.      Configure the SAP Logon for SSO.

       3.      Import the user’s public-key certificates to the AS ABAP.

 

See also:

Configuring SNC for Using the SAPCRYPTOLIB on the AS ABAP