
NW SSO 2 - Secure login client - logon using client certificate

Hello,

Our customer has an existing PKI (client certificates) which they want to use to log on to Secure Login Server using the “heavy” Secure Login Client (not the web client) for employees.

Their reasons are:

  1. They want to have two factor authentication (PIN for X.509)
  2. Somebody had this idea…
  3. They want to check CRL for existing PKI certificates
  4. They have a bunch of “old” ABAP systems they don’t want to upgrade to version supporting CRL check directly on SNC handshake

Based on the documentation, I told them that UME authentication is possible. Finally I found in the installation guide that only basic authentication is supported with UME and the Secure Login Client that is installed locally on the PC.

I think that following questions are for developer of Secure Login Client.

  1. Is it possible to use another client certificate (I don’t know which object/framework is used for SSL communication) to establish communication between Secure Login Client and Secure Login Server over HTTPS?
  2. Would it be possible to use a new value for the parameter pseType to make Secure Login Client not prompt for username/password and just establish SSL with the client certificate?

PS: I’m currently trying to configure a workaround using the Kerberos (SPNego) configuration, but with authentication configured for the X.509 certificate.

Best Regards,

Honza Vrzak


1 Answer

  • Posted on Dec 12, 2013 at 08:43 AM

    Dear Jan,

    The technology used for secure communication between Secure Login Client and Secure Login Server is HTTPS (SSL). More details about secure communication can be found here.

    pseType is a parameter for the authentication type and is part of the client policy parameters of the Secure Login Client. This parameter takes two values: promptedlogin (using this profile, the user is requested to enter the user credentials) and windowslogin (using this profile, the user credentials are provided automatically; this is only available for Microsoft Windows authentication). The default value is windowslogin. More details about the client policy parameters of the Secure Login Client can be found in the Secure Login for SAP NetWeaver Single Sign-On Implementation Guide.

    Regarding authentication mechanisms available for Secure Login Client:

    The Secure Login Client is integrated with SAP software to provide single sign-on capability and enhanced security. Secure Login Client can be used with Kerberos technology, an existing public key infrastructure (PKI), or together with the Secure Login Server for certificate-based authentication without having to set up a PKI.

    The Secure Login Client can use the following authentication methods:

    · Smart cards and USB tokens with an existing PKI certificate (Secure Login Server and authentication server are not necessary.)

    · Microsoft Crypto Store with an existing PKI certificate (Secure Login Server and Authentication Server are not necessary.)

    · Microsoft Windows Credentials (The Microsoft Windows Domain credentials (Kerberos token) can be used for authentication. The Microsoft Windows credentials can also be used to receive a user X.509 certificate with the Secure Login Server.)

    · User name and password (several authentication mechanisms) - The Secure Login Client prompts you for your user name and password and authenticates with these credentials using the Secure Login Server in order to receive a user X.509 certificate.

    All of these authentication methods can be used in parallel. A policy server provides authentication profiles that specify how to log on to the desired SAP system.

    More details about the authentication mechanisms available for Secure Login Client can be found in the Secure Login for SAP NetWeaver Single Sign-On Implementation Guide.

    With the AS Java, you can use certificate revocation lists (CRLs) to make sure that a given certificate has not been revoked by the issuing Certificate Authority (CA).

    The certificate revocation list (CRL) check for SNC is part of the Secure Login technology and runs independently of the business system versions.

    Certificate revocation is available for the following use cases:

    · User authentication using the Secure Sockets Layer (SSL) protocol and X.509 client certificates.

    In this case, the check is integrated into the login module ClientCertLoginModule. If the user's certificate has been revoked, the user is denied access to the server.

    · Outgoing connections to other servers that use HTTPS, if the HTTPS Connection Factory is used to establish the connection, for example, connections that use the Destination service.

    In this case, the check is performed by the HTTPS Connection Factory. If the target server's certificate has been revoked, the connection is not established.

    For more details, please check Enabling Certificate Revocation.

    1. Regarding “two factor authentication (PIN for X.509)”: my proposal is to discuss this in a conference call, because we would like to understand your customer's scenario better. I have already sent you a message requesting more details.

    Best Regards,

    Donka Dimitrova

    Product Expert,

    SAP NetWeaver SSO
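The answer above makes the point that a client-certificate logon is only as good as the revocation check behind it: a certificate that was valid when issued must still be rejected once the CA has put it on its CRL, and an SNC/SSL endpoint that never consults the CRL will keep accepting it. The script below is an added example, not code from the original post nor from SAP: it builds a throw-away CA with the openssl command line, issues two client certificates, revokes one, publishes a CRL, and then verifies both certificates once with and once without a CRL check. All names (Demo Issuing CA, alice, bob) and paths are constructed for the demonstration; the verification step stands in for what a ClientCertLoginModule-style check has to do, it is not SAP's implementation.

```shell
#!/bin/sh
# Added example (constructed CA, names and paths; not SAP code):
# show that a revoked client certificate is only rejected when the
# verifier actually consults the issuing CA's CRL.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cfg="$WORK/ca.cnf"

# Minimal "openssl ca" database: empty index, serial counter, CRL counter.
mkdir -p "$WORK/newcerts"
: > "$WORK/index.txt"
echo 1000 > "$WORK/serial"
echo 01   > "$WORK/crlnumber"

# $WORK is expanded by the shell; $dir is left for openssl to expand.
cat > "$cfg" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $WORK
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 1
default_crl_days = 1
policy           = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF

# Self-signed demo CA. basicConstraints/keyUsage are set explicitly so the
# root is accepted as a CA by both OpenSSL 1.1.1 and 3.x.
openssl req -config "$cfg" -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Demo Issuing CA" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# issue <name>: create a key + CSR for the user and have the CA sign it,
# recording the certificate in index.txt so it can be revoked later.
issue() {
    openssl req -config "$cfg" -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl ca -config "$cfg" -batch -notext \
        -in "$WORK/$1.csr" -out "$WORK/$1.crt" 2>/dev/null
}
issue alice
issue bob

# Revoke bob's certificate and publish the CRL the CA now vouches for.
openssl ca -config "$cfg" -revoke "$WORK/bob.crt" 2>/dev/null
openssl ca -config "$cfg" -gencrl -out "$WORK/ca.crl" 2>/dev/null

# crl_check <cert>: what a logon with revocation checking must do.
# Returns 0 only if the chain is valid AND the leaf is not on the CRL.
crl_check() {
    openssl verify -CAfile "$WORK/ca.crt" -CRLfile "$WORK/ca.crl" \
        -crl_check "$1" >/dev/null 2>&1
}

# no_crl_check <cert>: the behaviour of an endpoint that validates the
# chain but never looks at the CRL (the "old" systems in the question).
no_crl_check() {
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# Run stand-alone: prints one line per user for each verifier.
for who in alice bob; do
    if no_crl_check "$WORK/$who.crt"; then s1=accepted; else s1=rejected; fi
    if crl_check    "$WORK/$who.crt"; then s2=accepted; else s2=rejected; fi
    echo "$who: without CRL check=$s1, with CRL check=$s2"
done
```

Expected behaviour: alice is accepted by both verifiers; bob is accepted by the chain-only verifier and rejected as soon as the CRL is consulted. That gap is exactly why revocation has to be enforced at the component that terminates the client-certificate handshake (the Secure Login Server / AS Java login module here) when the downstream SNC peers cannot do it themselves; a CRL that nobody evaluates protects nothing.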

