This document provides answers to frequently asked questions about authentication and Single Sign-On.

What is the difference between authentication and Single Sign-On?
In computer security, authentication is the process by which a computer, computer program, or another user attempts to confirm that the computer, computer program, or user from whom the second party has received some communication is, or is not, the claimed first party. Single Sign-On is the subsequent automated authentication for additional systems after the user has logged on once. In this case, the authenticating system passes the user information to the subsequently called system. This is done in the background; that is, the user does not need to authenticate again after the first logon.

What options are there for authentication for the SAP Web Application Server?
Web-based authentication methods:
SAP GUI for Windows
SNC is an integration layer with which a partner product for user authentication can be included in the SAP system landscape. SNC can only be used with SAP protocols (DIAG, RFC, SAP ITS AGate/WGate), and not with the Internet protocol HTTP. This means that it cannot be used with SAP GUI for HTML; only SAP GUI for Java and SAP GUI for Windows can be secured using SNC. Pluggable Authentication Service (PAS) can be used for Web-based access; see below. In addition to integrating a third-party product, you can also use existing authentication infrastructures, for example for Microsoft Windows NT or Microsoft Windows 2000, through SNC. For an overview of the partner products certified by SAP for this interface (which is based on the Generic Security Services [GSS] standard), see Security Partners. The user logs on to the partner product; the SNC user name is then mapped to the SAP user name. The SAP system accepts the logon information, and additional authentication is not required. Security mechanisms of different strengths can be used, such as Public-Key cryptography or Kerberos, depending on the product you are using. SAP provides mapping libraries free of charge for Microsoft Windows NT and Microsoft Windows 2000. These do not contain any cryptographic functions themselves, but rather access the relevant Microsoft Security Provider APIs. They can be used instead of a partner product. For more information, see http://service.sap.com/security > Security in Detail > Secure System Management.
SAP WebGUI
What options are there for single sign-on for SAP GUI?
The procedure used for Single Sign-On depends on the SAP GUI in use.
SAP GUI for HTML (available with SAP Web AS and SAP ITS)
SAP GUI for Java
SAP GUI for Windows
Must a user have the same password in all systems that are part of an SSO landscape?
No. The passwords can be different in the different systems; this does not affect the setup of Single Sign-On in any way.

After a year, Single Sign-On suddenly no longer works. What could the reason for this be?
This error can occur due to an expired server certificate on the system that issues the SAP Logon Tickets. Server certificates signed by a Certification Authority (CA) such as the SAP Trust Center Service (SAP_CA) are usually valid for a year. Although the SAP Logon Tickets for SSO are still issued after this period, the receiving system triggers an error message when it checks the certificates. "Self-signed" certificates, which are issued by the server itself rather than by a CA, usually have a significantly longer validity period. To avoid certificates expiring unnoticed in future, a new report has been created that warns in good time before the validity of installed certificates expires. For more information, see SAP Note 572035 (Warning about expired security certificates) and SAP Note 499386 ("Invalid logon ticket" for CA certificates); SMP login required.

How do SAP logon tickets work? Can they also be used to include non-SAP products in an SSO environment?
SAP Logon Tickets provide SSO for SAP solutions with Web-based access, that is, for applications based on SAP Web Application Server or SAP ITS. An SAP Logon Ticket is used only for SSO and cannot be used for initial authentication. To obtain a Logon Ticket, the user must first log on using a different procedure, such as a user name and password or a digital certificate. The Logon Ticket is contained in a cookie that the issuing system sends to the user's Web browser. The browser forwards it to the subsequently called systems that are integrated into the SSO landscape. The user logs on only once.
The ticket itself contains the user name, a timestamp, information about the issuing system, and a validity period, which can be configured using a system profile parameter and can range from a few minutes to several hours. To protect the authenticity and integrity of the ticket, it is digitally signed by the issuing system. The prerequisite for the use of SAP Logon Tickets is identical user names in the systems that issue and accept the ticket. The SAP Enterprise Portal is an exception: there, an external user name can be specified in the ticket itself. The advantage of SAP Logon Tickets over an SSO solution based on digital certificates is that no (person-related) Public-Key Infrastructure, which is required to administer digital certificates and can be cost-intensive, is needed. Logon Tickets that have already been checked can be buffered for the duration of their validity, which improves performance. To prevent the ticket from being stolen through interception, it should be protected using SSL. Many external systems can also be configured to accept and verify SAP Logon Tickets, using a library provided by SAP that is integrated into the external software. The following SAP systems can issue SAP Logon Tickets: systems as of SAP Basis 4.6C (see SAP Note 358469), SAP Web Application Server 6.10 and above, and SAP Enterprise Portal 5.0 and above. SAP systems as of SAP Basis 4.0 can accept SAP Logon Tickets (see SAP Note 177895).

Are authentication and SSO connected with Central User Administration (CUA)?
No. Central User Administration simply centralizes the administration of user and role data across a large number of SAP systems. The data contained there only applies after the user has already logged on; authentication and, if appropriate, Single Sign-On have therefore already taken place.
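The ticket contents and the receiving-system checks described in the SAP Logon Ticket answer, together with the expired-certificate failure from the question before it, as an added illustrative example. This is not SAP's code and not the real SAP Logon Ticket format: the JSON/base64 layout, the HMAC-SHA256 signature standing in for the issuer's certificate signature, and all names (SigningCredential, issue_ticket, verify_ticket, the fixture values) are assumptions made for the demonstration.

```python
"""Illustrative model of a signed SSO logon ticket and the checks a receiving
system applies before trusting it. Constructed example: the field names, the
JSON/base64 layout and the HMAC-SHA256 signature are assumptions, NOT SAP's
real logon ticket format (which is signed with the issuing system's
certificate and carries SAP-specific fields)."""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
REQUIRED_FIELDS = ("user", "issued_at", "issuer", "valid_for_s")


@dataclass(frozen=True)
class SigningCredential:
    """Stand-in for the issuing system's server certificate: a signing key
    plus the certificate's validity window (assumed shape, not X.509)."""
    issuer_system: str
    key: bytes
    not_before: datetime
    not_after: datetime


def issue_ticket(cred, user, now, validity):
    """Build and sign a ticket carrying user name, timestamp, issuing system
    and validity period. Issuing deliberately does not check the credential's
    validity window: as the FAQ describes, an issuer keeps handing out tickets
    after its certificate has expired."""
    payload = {"user": user, "issued_at": int(now.timestamp()),
               "issuer": cred.issuer_system,
               "valid_for_s": int(validity.total_seconds())}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(cred.key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + \
        base64.urlsafe_b64encode(sig).decode()


def verify_ticket(ticket, trusted, known_users, now):
    """Receiving-system checks, in order: structure, known issuer, signature,
    issuer certificate validity, ticket validity window, local user name.
    Returns (accepted, reason)."""
    try:
        body_b64, sig_b64 = ticket.split(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
        payload = json.loads(body)
    except ValueError:  # covers unpacking, base64 and JSON errors
        return False, "malformed ticket"
    if not isinstance(payload, dict) or any(k not in payload for k in REQUIRED_FIELDS):
        return False, "malformed ticket"
    cred = trusted.get(payload["issuer"])
    if cred is None:
        return False, "unknown issuing system"
    expected = hmac.new(cred.key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    # The FAQ's "after a year SSO stops working" case: the signature is fine,
    # but the signing certificate is outside its validity window.
    if not (cred.not_before <= now <= cred.not_after):
        return False, "issuer certificate not valid at this time"
    issued = datetime.fromtimestamp(payload["issued_at"], tz=UTC)
    if now < issued:
        return False, "ticket timestamp is in the future"
    if now > issued + timedelta(seconds=payload["valid_for_s"]):
        return False, "ticket expired"
    if payload["user"] not in known_users:  # identical user names required
        return False, "user name unknown in receiving system"
    return True, "ok"


# Constructed fixtures: a one-year certificate and the receiver's user base.
ISSUER_CRED = SigningCredential("ISSUER_SYS", b"constructed-demo-key",
                                datetime(2007, 4, 10, tzinfo=UTC),
                                datetime(2008, 4, 10, tzinfo=UTC))
TRUSTED_ISSUERS = {ISSUER_CRED.issuer_system: ISSUER_CRED}
RECEIVER_USERS = {"JSMITH", "ADMIN"}


def scenarios():
    """Runs the cases the FAQ discusses against the fixtures above."""
    issued = datetime(2008, 4, 9, 8, tzinfo=UTC)
    good = issue_ticket(ISSUER_CRED, "JSMITH", issued, timedelta(hours=8))
    body_b64, sig_b64 = good.split(".", 1)
    forged_body = base64.urlsafe_b64decode(body_b64).replace(b"JSMITH", b"ADMIN")
    forged = base64.urlsafe_b64encode(forged_body).decode() + "." + sig_b64
    late = issue_ticket(ISSUER_CRED, "JSMITH",
                        datetime(2008, 5, 1, 8, tzinfo=UTC), timedelta(hours=8))
    check = lambda t, now: verify_ticket(t, TRUSTED_ISSUERS, RECEIVER_USERS, now)
    return {
        "valid": check(good, issued + timedelta(hours=4)),
        "ticket_expired": check(good, issued + timedelta(hours=9)),
        "tampered": check(forged, issued + timedelta(hours=1)),
        "cert_expired": check(late, datetime(2008, 5, 1, 9, tzinfo=UTC)),
        "garbage": check("not-a-ticket", issued),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:15s} -> {result}")
```

The ordering of checks mirrors what the FAQ describes from the receiver's side: the issuer happily signs tickets after its certificate has lapsed, and only the receiving system's certificate check turns them away, which is why the symptom surfaces as a rejected logon ticket roughly a year after the certificate was installed. The "valid" case also shows why the FAQ insists on identical user names: the receiver looks the ticket's user name up in its own user base and has no other way to map it.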
Setting up a CUA does not affect authentication and SSO procedures in any way; however, it does provide the basis for the use of SAP Logon Tickets because it assigns uniform cross-system user names. Implementing CUA also does not provide any form of password synchronization between the central and child systems. Initial passwords are an exception to this rule, and it is also possible to reset passwords, both in the local child systems and in the central system (with distribution to selected systems).

Are authentication and SSO connected with LDAP user data synchronization (LDAP Connector, LDAPMAP)?
No. Since SAP Basis 4.6, SAP systems have had an LDAP Connector, which allows connection to an LDAP directory. However, only individual accesses to the LDAP directory are possible in that version. Data synchronization between SAP R/3 and the LDAP directory was standardized with SAP Web AS 6.10, and mass synchronization is possible. The data synchronization applies only to user and role data, however. Authentication and SSO functions are provided neither by the LDAP Connector nor by transaction LDAPMAP. For information about transferring an external authentication to the LDAP directory, see the question "Is it possible to connect products from external vendors to implement authentication and SSO outside the SAP system?".

How do authentication and SSO work in the SAP NW Portal?
The SAP NetWeaver Portal offers the same possibilities for user authentication as SAP NetWeaver AS Java. In addition, Account Aggregation is supported. With this procedure, a portal user (or a user group) is associated with the user name and password for an application. This allows SSO even for applications that cannot accept SAP Logon Tickets. The administrator or the user can perform the required mapping using a graphical interface. The portal stores the data in the portal database. For security reasons, all password information is encrypted using a triple DES algorithm.
For more information about authentication and SSO in the SAP Enterprise Portal, see Solution in Detail: Security in the mySAP Enterprise Portal.

Does SAP offer a Trust Center?
Yes. For more information, see the SAP Service Marketplace using the alias TCS. SAP offers client certificates, server certificates (for example, for Secure Socket Layer), and router certificates for service connections through SAPRouter.

Where is the SAP Passport physically stored?
Passports are stored wherever the browser stores its certificates. In the case of Microsoft Internet Explorer, this is the registry. You can usually also replace the browser storage with a third-party product, for example a smart card or a central Personal Security Environment (PSE) server.

SAP Passports: where can I learn more about them?
On SAP Service Marketplace at http://service.sap.com/~form/sapnet?_SHORTKEY=01100035870000282722& you will find a detailed description of the process in the presentation "SAP Passports - How to get started". To test SAP Passport functionality in your SAP Workplace, please generate a Certificate Request (CR) and send a message on component BC-SEC to SAP via SAP Net R/3 Frontend (OSS) or SAP Service Marketplace. We will send you the necessary certificate for your Registration Authority (RA).

Does SAP also support newer standards, such as SAML or the Liberty Alliance Project?
Security Assertion Markup Language (SAML): With SAP Web Application Server 6.30, the SAP J2EE Engine can accept SAML tickets for logon in the browser artifact scenario. For more information about SAML, see http://www.oasis-open.org. For information about SAML in the SAP context, and about other security standards, see http://service.sap.com/security > Security in Detail > Security Standards.
Liberty Alliance Project: SAP is a sponsor of the Liberty Alliance Project, an initiative to establish a standard for federated digital identities on the Web.
Its aim is to develop, by means of specifications, open standards that can be used internationally across industries. For more information about the Liberty Alliance, see http://www.projectliberty.org/.

Where can I find more information and documentation about this topic?
For documentation, manuals, and other information material, see the SAP Service Marketplace at:
For SAP Notes about this topic, see http://service.sap.com/security > SAP Security Notes. SAP Notes about SNC and the following SAP Notes are of particular interest:
Thursday, April 10, 2008
FAQ - Single Sign On