Authentication and Single Sign-On with SAP Business Client

This chapter explains authentication and single sign-on (SSO) mechanisms with the SAP Business Client.

First, some explanation of how SAP Business Client works, and a short introduction to SAP’s own product for SSO, SAP Single Sign-On, is necessary.

SAP Business Client brings together web-based and Dynpro-based applications, potentially running on multiple systems, in one single shell. Therefore, SAP Business Client must combine different authentication techniques to shield the user from multiple logins and offer a seamless end-user experience.

SAP Business Client is shipped in two variants:
  • SAP Business Client for Desktop

    A Microsoft Windows/.NET-based application that needs a local installation. It uses SAP GUI for Windows to run Dynpro-based transactions, and integrates Web applications using the MS Internet Explorer control in its shell.

  • SAP NetWeaver Business Client 3.6 for HTML

    A browser-based version that uses HTTP or HTTPS to connect to an SAP NetWeaver Application Server for ABAP back end. SAP GUI transactions are rendered using the SAP GUI for HTML.

For SSO functionality, SAP ships its own product, SAP Single Sign-On, that allows you to implement standard, token-based SSO to the web browser and the SAP GUI for Windows. It also offers a password manager for Enterprise Single Sign-On.

Let us now focus on the question of authentication and SSO with SAP Business Client for Desktop – for SAP NetWeaver Business Client 3.6 for HTML, the standard web SSO mechanisms, as listed below, apply.

Authentication Options

The SAP Business Client approach to authenticating a user against a system is to use the ICF logon, a browser-based authentication. When the user, in the course of their work, calls a web-based application, authentication is handled by the standard Microsoft Internet Explorer control that the SAP Business Client embeds for rendering Web content. For a Dynpro screen, however, authentication is handled by the embedded SAP GUI for Windows.

What are the options for authentication mechanisms with SAP Business Client? The following initial authentication mechanisms are used in SAP products and apply to SAP Business Client authentication, depending on the scenario you are running:
  • User ID and Passwords

    This is the easiest mechanism, of course, but you need to roll out and offer password reset and recovery functionality for your end users, and it is strongly recommended that you encrypt the communication path (HTTPS); otherwise your end users send their passwords in clear text, which makes sniffing them extremely easy.

  • X.509 Client Certificates

    An X.509 client certificate requires a Public Key Infrastructure (PKI), which issues the certificates and handles the whole certificate lifecycle for your users. Alternatively, you can implement SAP Single Sign-On, which generates certificates on the fly without the need to implement and deploy a costly PKI.

  • SAML Assertions

    SAML assertions are a modern standard for web-based and cross-domain SSO. You need a so-called Identity Provider to issue SAML assertions for your users; an Identity Provider is also part of SAP Single Sign-On.

  • SAP Logon Tickets

    Logon tickets are an SAP proprietary mechanism. In the form of a digitally signed cookie, they offer authentication and SSO. You can generate logon tickets with SAP Business Client, with the SAP Enterprise Portal, or with SAP Single Sign-On.

    Note: Logon tickets are no longer recommended by SAP unless you need to implement SSO for lower SAP NetWeaver Application Server releases (< 7.00).

  • SPNEGO and Kerberos

    SPNEGO with Kerberos is the web variant of Kerberos; you need SAP Single Sign-On to implement it.

Recommendations for Single Sign-On
The options for SSO depend on the scenario that you have implemented with SAP Business Client. The available options are:
  • SAP Business Client for Desktop embedding Web applications only

    Recommended SSO method: X.509 certificates, SAML assertions, SPNEGO with Kerberos, or Logon Tickets

  • SAP Business Client for Desktop embedding Dynpro applications (SAP GUI for Windows) only

    Recommended SSO method: SNC + X.509 certificates, SNC + Kerberos, or Logon Tickets

  • SAP Business Client for Desktop embedding both Dynpro and Web applications

    Recommended SSO method: SNC + X.509 certificates, SNC + Kerberos, or Logon Tickets

To summarize:
  • If you are running only web applications with the SAP Business Client, then you can use the standard web SSO mechanisms listed above.
  • If you have to access SAP Dynpro applications through the SAP Business Client for Desktop scenario, and you want this to be secured through encryption, then you must configure SNC (Secure Network Communication), which encrypts the communication path, and use either X.509 certificates or Kerberos for SSO. For both options, SAP offers a product, SAP Single Sign-On, that can generate X.509 certificates and/or support Kerberos.
  • If you have a hybrid implementation, that is, some of your users are using SAP Business Client for Desktop and other users are using SAP NetWeaver Business Client 3.6 for HTML to access the same systems, then SAP strongly recommends that you leverage SAP Single Sign-On, as you can implement X.509 and Kerberos for both SAP Business Client variants.

For more information on SAP Single Sign-On, search for SAP Single Sign-On in the SAP Help Portal (http://help.sap.com) or on SCN (https://scn.sap.com).