Authentication and Single Sign-On with NWBC

This chapter explains authentication and single sign-on (SSO) mechanisms with the SAP NetWeaver Business Client.

First, some background is necessary: the technicalities of the SAP NetWeaver Business Client and a short introduction to SAP's own product for SSO, SAP Single Sign-On.

NWBC brings together web-based and Dynpro-based applications, potentially running on multiple systems, in one single shell. Therefore, NWBC must adopt a combination of different authentication techniques to abstract the user from multiple logins and offer a seamless end-user experience.

NWBC is shipped in two variants:
  • NWBC for Desktop

    A Microsoft Windows/.NET-based application that needs a local installation. It uses SAP GUI for Windows to run Dynpro-based transactions, and integrates Web applications using the MS Internet Explorer control in its shell.

  • NWBC for HTML

    A browser-based version that uses HTTP/HTTPS to connect to an SAP NetWeaver Application Server for ABAP back end. SAP GUI transactions are rendered using the SAP GUI for HTML.

For SSO functionality, SAP ships its own product, SAP Single Sign-On, that allows you to implement standard, token-based SSO to the web browser and the SAP GUI for Windows. It also offers a password manager for Enterprise Single Sign-On.

Let us now focus on the question of authentication and SSO with NWBC for Desktop – for NWBC for HTML, the standard web SSO mechanisms, as listed below, apply.

Authentication Options

The NWBC approach to authenticate a user against a system is to use the ICF logon, a browser-based authentication. When the user, during the course of his work, calls a web-based application, authentication is handled by the standard Microsoft Internet Explorer control that the NWBC embeds for rendering Web content. For a Dynpro screen, however, authentication is handled by the embedded SAP GUI for Windows.

What are the options of authentication mechanisms with NWBC? The following initial authentication mechanisms are used in SAP products and apply to NWBC authentication depending on the scenario you are running:

| Authentication Mechanism | Description |
|---|---|
| User ID and Passwords | This is the easiest mechanism, but you need to roll out and offer password reset and recovery functionality for your end users. It is strongly recommended that you encrypt the communication path (HTTPS); otherwise your end users send their passwords in clear text, which makes sniffing them extremely easy. |
| X.509 Client Certificates | An X.509 Client Certificate requires a Public Key Infrastructure (PKI), which issues and handles the whole certificate management for your users. You have the option to implement SAP Single Sign-On instead, which generates certificates on the fly without the need to implement and deploy a costly PKI. |
| SAML Assertions | SAML assertions are a modern standard for web-based and cross-domain SSO. You need a so-called Identity Provider to issue SAML assertions for your users; this is also part of SAP Single Sign-On. |
| SAP Logon Tickets | Logon tickets are an SAP proprietary mechanism. In the form of a digitally signed cookie, they offer authentication and SSO. You can generate Logon Tickets with NWBC, with the SAP Enterprise Portal, or with SAP Single Sign-On. Note: Logon Tickets are no longer recommended by SAP unless you need to implement SSO for lower SAP NetWeaver Application Server releases (<7.00). |
| SPNEGO and Kerberos | SPNEGO with Kerberos is the web variant of Kerberos; you need SAP Single Sign-On to implement it. |

Recommendations for Single Sign-On
The options for SSO depend on the scenario that you have implemented with NWBC. The table below describes the available options:

| Scenario | SSO Method Recommendation |
|---|---|
| NWBC for Desktop embedding Web applications only | X.509 certificates, SAML assertions, SPNEGO with Kerberos, or Logon Tickets |
| NWBC for Desktop embedding Dynpro applications (SAP GUI for Windows) only | SNC + X.509 certificates, SNC + Kerberos or Logon Tickets |
| NWBC for Desktop embedding both Dynpro and Web applications | SNC + X.509 certificates, SNC + Kerberos or Logon Tickets |

To summarize:
  • If you are running only web applications with the NWBC, then you can use the standard web SSO mechanisms as listed in the above table.
  • If you have to access SAP Dynpro applications through the NWBC for Desktop scenario, and you want this to be secured through encryption, then you must configure SNC (Secure Network Communication), encrypting the communication path, and use either X.509 certificates or Kerberos for SSO. For both options, SAP offers a product, SAP Single Sign-On, that can generate X.509 certificates and/or support Kerberos.
  • If you have a hybrid implementation, that is, some of your users are using NWBC for Desktop and other users are using NWBC for HTML to access the same systems, then SAP strongly recommends that you leverage SAP Single Sign-On, as you can implement X.509 and Kerberos for both NWBC variants.

For more information on SAP Single Sign-On, search for SAP Single Sign-On in the SAP Help Portal (http://help.sap.com) or on SCN (https://scn.sap.com).
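
An added example, not part of the original SAP documentation: a small Python check that reads an ABAP instance profile and flags the three weaknesses this chapter warns about (passwords over plain HTTP, Dynpro traffic without SNC, logon tickets still accepted). The profile content is a constructed sample, and treating a missing parameter as unset is an assumption, since effective defaults depend on the release.

```python
import re

# Constructed sample profile for illustration; not taken from a real system.
SAMPLE_PROFILE = """\
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/server_port_1 = PROT=HTTPS,PORT=44300
snc/enable = 1
snc/accept_insecure_gui = 1
login/accept_sso2_ticket = 1
"""

def parse_profile(text):
    """Parse 'name = value' lines, skipping blank lines and '#' comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def audit(params):
    """Return findings for the weaknesses the chapter calls out.

    Assumption of this sketch: a parameter missing from the file is unset.
    """
    findings = []
    # User ID/password logon over a plain HTTP port travels in clear text.
    for name in sorted(params):
        if name.startswith("icm/server_port_"):
            proto = re.search(r"PROT=(\w+)", params[name])
            if proto and proto.group(1).upper() == "HTTP":
                findings.append(f"{name}: plain HTTP port, passwords sent here can be sniffed")
    # Dynpro traffic (SAP GUI for Windows) is only encrypted when SNC is on
    # and logons without SNC are refused.
    if params.get("snc/enable") != "1":
        findings.append("snc/enable: SNC is off, SAP GUI traffic is not encrypted")
    elif params.get("snc/accept_insecure_gui", "0") != "0":
        findings.append("snc/accept_insecure_gui: SAP GUI logons without SNC are still accepted")
    # Logon tickets are recommended only for releases below 7.00.
    if params.get("login/accept_sso2_ticket") == "1":
        findings.append("login/accept_sso2_ticket: logon tickets are still accepted")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_profile(SAMPLE_PROFILE)):
        print(finding)
```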