
Fingerprint authentication

0 Kudos

Hi,

I have a WinForms application which receives the employee number whenever an employee passes their finger on a fingerprint sensor. Then, a Fiori application launches in the browser and shows data about that employee.

In order to make the Fiori app work properly, I need to authenticate the user who is trying to access the app (the employee who passed the finger on the sensor).

I have been researching if there is any way of authenticating this with SSO, but it doesn't seem possible since it requires the user to log in with user and password to generate the logon ticket.

Is there another way to authenticate a user in SAP without the user and password, when I have the PERNR of the user?

Thank you.

tim_alsop
Active Contributor
0 Kudos

Is the WinForms application running on a Windows workstation or on a Windows Server that the user logs into from their workstation?

0 Kudos

The WinForms application will be running on a Windows computer, as a kiosk. Whenever an employee slides the finger on the fingerprint sensor, it will open a Fiori application in the browser.

Accepted Solutions (0)

Answers (2)

Colt
Active Contributor
0 Kudos

Dear Mora,

If you look at my previous answer again, it becomes clear that the "login" with fingerprint would have to trigger a login in Windows for this to work. Alternatively, an integration of the manufacturer in functions of SAP SSO 3.0 would be possible, but there are no known interfaces for this. More details are indispensable; otherwise no reliable assistance can be provided here. Thank you for understanding.

Cheers Colt

0 Kudos

Colt,

There will be a kiosk which will have a WinForms application running in the background, which will be listening to the fingerprint sensor. Whenever an employee passes the finger on the sensor, the WinForms application will receive the personnel number of that employee, and then a browser will open with the SAP Launchpad URL.

After this, I need to authenticate the employee without using any username or password. The only data that I have from the employee is the personnel number.

Colt
Active Contributor
0 Kudos

Hi Mora,

Guess you are talking about a kiosk system or similar scenario? By using PC/SC or Wave ID-compliant RFID devices, this is already possible. It works by matching the card ID with an attribute stored in the AD and, based on that, a client component installed on the PC receives a personalized SSO certificate. Backends are configured for CBA. As soon as you remove the RFID device, the certificate is removed from the cert store and logoff can be triggered.

Sounds like in your case, it "could" be done with Kerberos. However, this presupposes that the fingerprint authentication process triggers a Windows logon. If this is not the case, it is impossible to gather a kind of personalized SSO token based on the fingerprint ID information. If that somehow works, then only through a credential provider which offers integrations for authentication using passwords, PINs, smartcards or Windows Hello (fingerprint, face, and iris recognition). Or additional software products/wrappers, which may have standardized interfaces to support such scenarios, receiving a personalized token like X.509, Kerberos ticket or SAML assertion. I am not aware that SAP SSO 3.0 has integrations with biometrics. So I would try to go for OS logon with fingerprint and then SSO based on Kerberos/SPNEGO.

Cheers Colt

0 Kudos

Thanks for your reply!

The point of the fingerprint sensor is to not have to insert any credentials, only log on using the fingerprint so it's faster (since it's a kiosk). My issue with using SSO is that I couldn't find any way to generate a valid ticket to be used in the browser cookies.

Do you think it's possible to map some kind of hash for each user based on the fingerprint data, and authenticate that user whenever that data is received from the fingerprint sensor?