This chapter explains authentication and single sign-on (SSO) mechanisms with the SAP NetWeaver Business Client.
First, some explanation of the technical basis of the SAP NetWeaver Business Client (NWBC) and a short introduction to SAP's own SSO product, SAP Single Sign-On, are necessary.
NWBC brings together web-based and Dynpro-based applications, potentially running on multiple systems, in one single shell. Therefore, NWBC must adopt a combination of different authentication techniques to abstract the user from multiple logins and offer a seamless end-user experience.
NWBC for Desktop: A Microsoft Windows/.NET-based application that needs a local installation. It uses SAP GUI for Windows to run Dynpro-based transactions, and integrates Web applications using the MS Internet Explorer control in its shell.
NWBC for HTML: A browser-based version using HTTP/s for connecting to a SAP NetWeaver Application Server for ABAP backend. SAP GUI transactions are rendered using the SAP GUI for HTML.
Let us now focus on the question of authentication and SSO with NWBC for Desktop – for NWBC for HTML, the standard web SSO mechanisms, as listed below, apply.
The NWBC approach to authenticating a user against a system is to use the ICF logon, a browser-based authentication. When the user, in the course of their work, calls a web-based application, authentication is handled by the standard Microsoft Internet Explorer control that NWBC embeds for rendering Web content. For a Dynpro screen, however, authentication is handled by the embedded SAP GUI for Windows.
User ID and Passwords
This is the easiest mechanism, of course, but you need to roll out and offer password reset and recovery functionality for your end-users, and it is strongly recommended that you encrypt the communication path (https); otherwise your end-users send their passwords in clear text, which makes sniffing them extremely easy.
X.509 Client Certificates
An X.509 Client Certificate requires a Public Key Infrastructure (PKI), which issues the certificates and handles their whole lifecycle for your users. You have the option to implement SAP Single Sign-On instead, which generates certificates on the fly without the need to implement and deploy a costly PKI.
SAML Assertions
SAML assertions are a modern standard for web-based and cross-domain SSO. You need a so-called Identity Provider to issue SAML assertions for your users; this is also part of SAP Single Sign-On.
SAP Logon Tickets
Logon tickets are an SAP proprietary mechanism. In the form of a digitally signed cookie, they provide authentication and SSO. You can generate Logon Tickets with NWBC, with the SAP Enterprise Portal, or with SAP Single Sign-On.
Note: Logon Tickets are no longer recommended by SAP unless you need to implement SSO for lower SAP NetWeaver Application Server releases (<7.00).
SPNEGO and Kerberos
SPNEGO with Kerberos is the web variant of Kerberos authentication; implementing it requires SAP Single Sign-On.
| Scenario | SSO Method Recommendation |
|---|---|
| NWBC for Desktop embedding Web applications only | X.509 certificates, SAML assertions, SPNEGO with Kerberos, or Logon Tickets |
| NWBC for Desktop embedding Dynpro applications (SAP GUI for Windows) only | SNC + X.509 certificates, SNC + Kerberos, or Logon Tickets |
| NWBC for Desktop embedding both Dynpro and Web applications | SNC + X.509 certificates, SNC + Kerberos, or Logon Tickets |
For more information on SAP Single Sign-On, search for SAP Single Sign-On in the SAP Help Portal (http://help.sap.com) or on SCN (https://scn.sap.com).