Single sign-on (SSO) technology seems to have evoked SAP’s interest as an access control mechanism. In his recent article on the SAP Network Blog, Mr Andre Fischer, a Senior Product Specialist for SAP NetWeaver Enterprise Search, investigates SSO technology vis-à-vis SAP applications. He states that SAP users who wish to harness SSO technology to their SAP system landscape should first be aware of the different underlying technology stacks, such as ABAP or Java, the NetWeaver release, and user agents (SAP NetWeaver Business Client, Browser, SAP GUI, or Web Service Client) that are being used to access an SAP system.
In the write up, Mr Fischer studies two SSO scenarios – the ideal and the real scenarios. Based on his analysis, he concludes that X.509 certificates and SAP logon tickets are the best solutions for SSO technology.
Regarding SAP logon tickets, he emphasizes that “this works well for browser-based access where an SAP NetWeaver portal is used that is configured to support integrated Windows Authentication. Such a portal can also act as the ticket issuing instance for SAP logon tickets for .NET Web Service Clients though this scenario does not work out of the box using standard WCF bindings since the .NET client has to perform an additional service call to the SAP logon ticket issuing system.”
SAP logon tickets are browser cookies that are set by an application such as the SAP Enterprise Portal, and are subsequently sent by the browser to other applications in the same domain. These applications can parse the cookie, extract the SAP user name from the cookie and log on the user. As SAP logon tickets are the key to access SAP systems, they need to be protected against several attacks that can exploit cookies, e.g. cookie hijacking and cookie theft. Also, cookies are restricted to just one domain; the browser sends them only to the domain with the application (e.g. Enterprise Portal) that sets the cookie. SAP logon tickets have other restrictions as well – they can be used for SSO to SAP applications. However, the support for other enterprise applications is very limited. All SAP applications accepting the SAP logon ticket have to use the same SAP user names for the users, because there is only one SAP user name contained in the cookie (one for the issuing system and one for all accepting systems).
However, these cookie-specific weaknesses can be avoided by using X.509 certificates for SSO. SECUDE has the solution to provide X.509 certificates to all SAP users and to enable secure SSO to both Web and SAP GUI-based applications.
With Secure Login, you will be able to handle certificate-based authentication in your SAP and non-SAP applications with policy-driven flexibility and without PKI. It is a client–server solution and supports many scenarios as per your current and future needs.
The Secure Login Server (SLS) acts as an online Certificate Authority. After successful user authentication against the SLS, it issues an X.509 client certificate on the fly as per the policy in effect and returns them to the Secure Login Client (SLC), but never stores them. The SLC executes your business application with the temporary client certificates, which are available to the SAP GUI and the Web browser.
X.509 certificates are more secure than SAP logon tickets as they cannot be stolen. They are more powerful, as they work cross-domain for Web and SAP GUI applications.
In fact, X.509 certificates are more secure than SAP logon tickets as they cannot be stolen. They are more powerful, as they work cross-domain for Web and SAP GUI applications. Also, the solution enables the secure client–server communication (SNC for the SAP GUI). By default, the communication between the SAP GUI is not encrypted. Hence, passwords, the SAP logon ticket, and critical business data go through the line unprotected.
Another advantage is that the Secure Login solution is based on the X.509 industry standard. This provides the user an edge in out-of-box implementation and guarantees interoperability with other enterprise applications. Finally, Secure Login leverages several authentication methods, such as RSA SecurID authentication, Active Directory/Kerberos, or credentials stored in an SAP system or any SQL DB.
Secure Login solution is based on the X.509 industry standard. This provides the user an edge in out-of-box implementation and guarantees interoperability with other enterprise applications.
The most interesting feature of Secure Login is that it does not require you to setup a Public Key Infrastructure (PKI), thus saving you the costs and troubles associated with it. But in case you already have one, it can be easily integrated with the Secure Login solution.
So you need not refrain anymore from using the built-in security capabilities delivered with your SAP systems because of the high entry barrier of setting up a PKI. Secure Login provides not only the means of single authentication (SSO) making the way free to your SAP systems, but also makes the communication secure between the user and the server through an encrypted transport channel using certificates. It leverages Secure Network Communications integrated into the SAP NetWeaver® Application Server ABAP® for SAP GUI access to all SAP® Business Suite applications, and uses SSL with client certificate authentication for all Web-based applications that support this authentication method (all SAP applications do so).
Secure Login works for all SAP applications on all platforms, and supports both Web clients (e.g. browser and NWBC) and SAP GUI. As many applications support client certificate-based authentication, the solution provides SSO even beyond SAP. Secure Login integrates with most enterprise applications (such as Oracle, for instance) as smooth as with SAP, leading you forward to Enterprise SSO.
Applications that do not support authentication using client certificates can be accessed through SECUDE’s Secure SignOn, a password-based SSO solution that can handle Windows, terminal, Java, Web, and other applications (as well as Windows Office documents that are password-protected).
For more information on Secure Login, please visit http://www.secude.com/SecureLogin.
You can read the complete article at http://weblogs.sdn.sap.com/pub/wlg/18549