08-13-2012 12:50 PM
Hi Colleagues,
I am gathering information about the NetWeaver Security Architecture with the use case below.
Security Document:
Administrator's Guide for SAP Travel Receipt Capture 2.2.0 | 22.06.2012
"2.4.1 Authorizations
SAP Travel Receipt Capture uses the authorization concept provided by the SAP NetWeaver AS ABAP. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS Security Guide ABAP also apply to SAP Travel Receipt Capture."
Summary: The statement is that the NetWeaver principle applies here.
Scenario for Security Token Service
Landscape:
Instance NetWeaver 7.1 EHP6 with SAP Travel Receipt Capture, MOB-APP-TRC
(Security put on NetWeaver)
Active Directory
Interface:
Trusted System connection from NetWeaver to HR
Question:
- What is recommended to do on the device, SUP and NetWeaver regarding SSO in this scenario?
- Example: At this point, do we use a token or a certificate?
NetWeaver authenticating the corporate user with a separate password
- How should the end device access SUP?
- Example: private certificate? Registered manually?
- How can we avoid a man-in-the-middle attack?
Thank you in advance,
08-13-2012 2:29 PM
Hi Stuart,
Actually, it's all in the guide you linked to...
You could configure the landscape to use SSO through logon tickets, but as the guide says it may be preferable to start with user ID / password instead to have something like a "mobile identity" with the same user ID, but a different password on Gateway.
Registering users in SUP is mostly a matter of preference. You can also configure SUP to allow self-registration; it depends on how you want to manage users and devices.
The MitM topic is also covered on page 52 of the guide.
Hope that helps,
Frank.