
Background documentation: User Authentication and Single Sign-On


For user authentication in SAP NetWeaver systems, the following mechanisms are available:

  • User ID and password

    User ID and password is the standard mechanism supported by all SAP NetWeaver systems. However, the verification routines used depend on the underlying technology as follows:

    • For cases where HTTP is used as the transport protocol, the standard HTTP Basic Authentication and form-based authentication mechanisms are supported.

      Note

      When using Basic Authentication, the user's information is passed to the server over the HTTP connection in a header variable as a Base64-encoded string. With form-based authentication, the information is passed as a URL parameter.

      End of the note.

      Note

      When using user ID and password authentication in productive environments, the preferred authentication method is form-based authentication.

      End of the note.
    • For cases where the SAP protocols (dialog and RFC) are used, SAP's own verification routines are used.

      Recommendation

      In all cases, the user ID and password are only encoded when transported across the network. Therefore, we recommend using encryption at the network layer, either by using the Secure Sockets Layer (SSL) protocol for HTTP connections, or Secure Network Communications (SNC) for the SAP protocols dialog and RFC. For more information, see Network and Communication Security.

      End of the recommendation.
  • Client certificates

    Many of the SAP NetWeaver systems also support the use of the SSL protocol and client certificates for user authentication. In this case, the authentication takes place using the underlying protocols and no user intervention is necessary, which also provides for a Single Sign-On environment.

    Users need to receive their client certificates from a Certification Authority (CA) as part of a public-key infrastructure (PKI). If you do not have an established PKI, you can alternatively use a Trust Center Service to obtain certificates. The CA you choose to use must be designated as a trusted CA on the Web server.
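The note and recommendation above make one point a practitioner should be able to verify: Basic Authentication and form-based logon only encode the password, so a request carrying either is readable in transit unless SSL protects the connection. The following added example (not code from the SAP documentation) recovers the credentials from a constructed Basic Authentication request and lists the password-bearing elements of a request that are exposed when it is not sent over SSL/TLS; the form-parameter names in PASSWORD_PARAMS are an assumption and should match the logon page in use.

```python
import base64
import binascii
from urllib.parse import urlsplit, parse_qs

# Constructed sample request (not from the SAP documentation): Basic Authentication.
BASIC_REQUEST = (
    "GET /sap/bc/ping HTTP/1.1\r\n"
    "Host: as-abap.example.invalid\r\n"
    "Authorization: Basic " + base64.b64encode(b"DEMOUSER:Secret123").decode() + "\r\n"
    "\r\n"
)
# Assumed parameter names carrying the password on a form-based logon page.
PASSWORD_PARAMS = {"j_password", "password"}

def parse_request(raw: str):
    """Return (request target, lower-cased header dict) from a raw HTTP request."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    target = parts[1] if len(parts) > 1 else "/"
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return target, headers

def decode_basic_credentials(headers: dict):
    """Recover (user, password) from a Basic Authorization header, or None.
    Base64 is an encoding, not encryption: whoever sees the header sees the password."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed token: not valid Basic credentials
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def transport_findings(raw_request: str, over_tls: bool) -> list:
    """Defender check: list password-bearing elements of a request that are exposed
    because the request is not protected by SSL/TLS at the network layer."""
    target, headers = parse_request(raw_request)
    findings = []
    if decode_basic_credentials(headers) is not None:
        findings.append("basic-auth-password")
    if PASSWORD_PARAMS & set(parse_qs(urlsplit(target).query)):
        findings.append("password-in-url-parameter")
    return [] if over_tls else findings
```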

Integration

Single Sign-On provides for an environment where users are allowed access to multiple systems based on an initial authentication. The available mechanisms for SAP NetWeaver systems include:

  • Logon tickets

    To provide for Single Sign-On to multiple systems, a user can be issued a logon ticket after being authenticated on the SAP system. This ticket can then be presented to other systems (SAP or non-SAP) as an authentication token. Instead of having to provide a user ID and password for authentication, the user is allowed access to the system after the system has verified the logon ticket.

    Recommendation

    When using logon tickets for authentication with Web applications, the user's ticket is stored as a non-persistent cookie in the user's Web browser. This cookie contains the information necessary to log the user on to additional systems without explicit password authentication. Therefore, you should protect the logon ticket from being compromised or manipulated during transfer by using SSL between Internet-enabled components. See Network and Communication Security.

    End of the recommendation.
  • Client certificates

    When using client certificates for user authentication, the user is re-authenticated with each request using the SSL protocol. However, no user intervention is necessary, which provides for a Single Sign-On environment for the end user.

  • Additional mechanisms

    Additional mechanisms are also available with SAP NetWeaver, depending on the underlying technology used, for example, using RFC trusted systems between two ABAP servers. For such scenarios, see the security guide for the specific product.

Using External Authentication Mechanisms

In addition, the use of external authentication mechanisms is also supported by the SAP NetWeaver products.

Note

When using external authentication mechanisms, the level of security you have for the authentication depends on the security of the mechanism you use. Therefore, you should be aware of any vulnerabilities in that mechanism and, if necessary, apply corresponding transport layer security.

End of the note.

The following mechanisms are supported:

  • Secure Network Communications

    With SNC, user authentication and Single Sign-On are supported for connections between the SAP GUI for Windows or SAP GUI for Java and the AS ABAP. In this scenario, the user authentication is performed by an external security product. Supported external security products are certified by the SAP Software Partner Program. SAP also offers SAP NetWeaver Single Sign-On

  • Using header variables or integrated Windows authentication

    The AS Java supports the use of header variables for Single Sign-On. This means that you can delegate user authentication to any external product which authenticates the user and returns an authenticated user ID as part of the HTTP header. Users only have to authenticate once against the external product and can then access applications on the AS Java, such as the portal, with Single Sign-On.

    There are security measures to take when using header variables for Single Sign-On. See: Using Header Variables or Integrated Windows Authentication for User Authentication.

  • Java Authorization and Authentication Service (JAAS)

    The AS Java supports the use of external authentication mechanisms using the JAAS specification. In this case, you can include external modules in the AS Java's login module stack.

  • Security Assertion Markup Language

    The Security Assertion Markup Language (SAML) version 2.0 is a standard for the communication of assertions about principals, typically users. The assertion can include the means by which a subject was authenticated, attributes associated with the subject, and an authorization decision for a given resource.

    For more information, see SAML 2.0.