User Authentication and Single Sign-On

User Authentication

For user authentication in SAP systems within the SAP NetWeaver platform, the following mechanisms are available:

•  User ID and Password

User ID and password is the standard mechanism supported by all SAP NetWeaver systems. However, the verification routines used depend on the underlying technology as follows:

   ◦  For cases where HTTP is used as the transport protocol, the standard HTTP Basic Authentication and form-based authentication mechanisms are supported.

When using Basic Authentication, the user’s information is passed to the server over the HTTP connection in a header variable as a base-64 encoded string. With form-based authentication, the information is passed as a URL parameter. In neither case is the password encrypted by the authentication mechanism itself.

When using user ID and password authentication in productive environments, the preferred authentication method is form-based authentication.

   ◦  For cases where the SAP protocols (dialog and RFC) are used, SAP routines are used.

In all cases, the user ID and password are only encoded when transported across the network. Therefore, we recommend using encryption at the network layer, either by using the Secure Sockets Layer (SSL) protocol for HTTP connections, or Secure Network Communications (SNC) for the SAP protocols dialog and RFC. For more information, see Network and Communication Security.
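The following added example (not part of the original guide and not SAP code) makes the "encoded, not encrypted" point concrete. It decodes a constructed Basic Authentication header and a constructed form-based logon query exactly as anyone reading the unencrypted HTTP traffic could, and it flags a request as exposed whenever either credential form travels over plain http rather than https. The form field names sap-user and sap-password are assumptions for the example, not values taken from the guide.

```python
import base64
import binascii
from urllib.parse import parse_qs

# Constructed sample credentials; not captured from any real system.
SAMPLE_USER = "jdoe"
SAMPLE_PASSWORD = "Sum:mer2024!"   # contains ':' to exercise the RFC 7617 split rule

# What a browser sends for HTTP Basic Authentication: base64("user:password").
SAMPLE_BASIC_HEADER = "Basic " + base64.b64encode(
    f"{SAMPLE_USER}:{SAMPLE_PASSWORD}".encode("utf-8")).decode("ascii")

# What a form-based logon submits as URL parameters (field names are assumed).
SAMPLE_FORM_QUERY = "sap-user=jdoe&sap-password=Sum%3Amer2024%21"


def decode_basic_credentials(authorization_header):
    """Recover (user, password) from an HTTP Basic Authorization header.

    Base64 is an encoding, not encryption: anyone who can read the header on
    the network recovers the password. That is why the guide requires SSL for
    HTTP connections that carry user ID and password.
    """
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not an HTTP Basic Authorization header")
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except binascii.Error as exc:
        raise ValueError("malformed base64 in Authorization header") from exc
    # RFC 7617: "user-id:password"; the user ID may not contain ':' but the
    # password may, so split only on the first colon.
    user, sep, password = raw.decode("utf-8", errors="replace").partition(":")
    if not sep:
        raise ValueError("credentials lack the ':' separator")
    return user, password


def extract_form_credentials(query, user_field="sap-user", password_field="sap-password"):
    """Recover (user, password) from form-based logon parameters.

    URL-encoding is likewise reversible, so form-based logon over plain HTTP
    exposes the password just as Basic Authentication does.
    """
    params = parse_qs(query, keep_blank_values=True)
    try:
        return params[user_field][0], params[password_field][0]
    except KeyError as exc:
        raise ValueError(f"logon parameter {exc} missing") from exc


def audit_logon_request(url_scheme, headers, query):
    """Return findings for a request that carries a password without SSL.

    headers: dict of request headers (matched case-insensitively).
    query:   the URL query string or form body.
    """
    findings = []
    if url_scheme.lower() == "https":
        return findings            # transport encryption is in place
    lowered = {k.lower(): v for k, v in headers.items()}
    auth = lowered.get("authorization", "")
    if auth.lower().startswith("basic "):
        findings.append("basic-auth-over-plain-http")
    params = parse_qs(query, keep_blank_values=True)
    if "sap-user" in params or "sap-password" in params:
        findings.append("form-logon-over-plain-http")
    return findings


if __name__ == "__main__":
    print(decode_basic_credentials(SAMPLE_BASIC_HEADER))
    print(extract_form_credentials(SAMPLE_FORM_QUERY))
    print(audit_logon_request("http", {"Authorization": SAMPLE_BASIC_HEADER}, ""))
```

Because both decoders succeed without any key or secret, the only protection for the password in transit is the network layer (SSL for HTTP, SNC for dialog and RFC), as the guide states.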

•  Client Certificates

Many of the SAP NetWeaver systems also support the use of the SSL protocol and client certificates for user authentication. In this case, the authentication takes place using the underlying protocols and no user intervention is necessary, which also provides for a Single Sign-On environment.

Users need to receive their client certificates from a Certification Authority (CA) as part of a public-key infrastructure (PKI). If you do not have an established PKI then you can alternatively use a Trust Center Service to obtain certificates. The CA you choose to use must be designated as a trusted CA on the Web server.

Integration Into Single Sign-On Environments

Single Sign-On provides for an environment where users are allowed access to multiple systems based on an initial authentication. The available mechanisms for SAP systems within the SAP NetWeaver platform include:

•  Logon Tickets

To provide for Single Sign-On to multiple systems, a user can be issued a logon ticket after being authenticated on the SAP system. This ticket can then be presented to other systems (SAP or non-SAP) as an authentication token. Instead of having to provide a user ID and password for authentication, the user is allowed access to the system after the system has verified the logon ticket.

When using logon tickets for authentication with Web applications, the user's ticket is stored as a non-persistent cookie in the user's Web browser. This cookie contains the information necessary to log the user on to additional systems without an explicit password authentication. Therefore, you should protect the logon ticket from being compromised or manipulated during transfer by using SSL between Internet-enabled components. See Network and Communication Security.
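As an added check (example code, not part of the guide and not SAP's own tooling), the following parses a Set-Cookie header the Web server issues for the logon ticket and reports whether it matches the properties described above: the cookie must be non-persistent (no Expires or Max-Age) and, because the ticket is to be protected by SSL in transit, it should carry the Secure attribute so the browser never sends it over plain HTTP. The HttpOnly check goes beyond the text: it keeps page scripts from reading the ticket. The cookie name MYSAPSSO2 and the ticket values are assumptions and placeholders for this example.

```python
# Assumed name of the logon ticket cookie; adjust to the deployed system.
TICKET_COOKIE_NAME = "MYSAPSSO2"

# Constructed Set-Cookie headers; the ticket values are placeholders, not real tickets.
SAMPLE_SET_COOKIE_OK = (
    "MYSAPSSO2=TICKET_PLACEHOLDER; Path=/; Domain=.example.invalid; Secure; HttpOnly"
)
SAMPLE_SET_COOKIE_BAD = (
    "MYSAPSSO2=TICKET_PLACEHOLDER; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT"
)


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, {attribute: value|True}).

    Attribute names are lower-cased; flag attributes without '=' map to True.
    A hand-written split is used because ticket values may contain characters
    that the standard cookie parser rejects.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, has_value, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value, attrs


def check_logon_ticket_cookie(header_value, cookie_name=TICKET_COOKIE_NAME):
    """Return a list of problems for the ticket cookie, or None if the header
    sets some other cookie.

    Problems reported:
      persistent        Expires/Max-Age present: the ticket would survive the
                        browser session, contrary to "non-persistent cookie".
      not-secure-only   no Secure attribute: the browser would also send the
                        ticket over unencrypted HTTP.
      script-readable   no HttpOnly attribute (beyond the guide's text).
    """
    name, _value, attrs = parse_set_cookie(header_value)
    if name != cookie_name:
        return None
    problems = []
    if "expires" in attrs or "max-age" in attrs:
        problems.append("persistent")
    if "secure" not in attrs:
        problems.append("not-secure-only")
    if "httponly" not in attrs:
        problems.append("script-readable")
    return problems


if __name__ == "__main__":
    for header in (SAMPLE_SET_COOKIE_OK, SAMPLE_SET_COOKIE_BAD):
        print(header)
        print("  problems:", check_logon_ticket_cookie(header))
```

Run it against the Set-Cookie headers captured from your own logon flow; an empty list for the ticket cookie means the session-only and Secure properties hold.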

•  Client Certificates

When using client certificates for user authentication, the user is re-authenticated with each request using the SSL protocol. However, no user intervention is necessary, which provides for a Single Sign-On environment for the end user.

•  Additional Mechanisms

Additional mechanisms are also available with SAP NetWeaver, depending on the underlying technology used, for example, using RFC trusted systems between two ABAP servers. For such scenarios, see the security guide for the specific product.

Using External Authentication Mechanisms

External authentication mechanisms are also supported by the SAP NetWeaver products.

When using external authentication mechanisms, the level of security you have for the authentication depends on the security of the mechanism you use. Therefore, you should inform yourself of any known vulnerabilities of that mechanism and, if necessary, apply corresponding transport layer security.

The following mechanisms are supported:

•  Secure Network Communications

With SNC, user authentication and Single Sign-On are supported for connections between the SAP GUI for Windows or SAP GUI for Java and the SAP Web AS (ABAP Engine). In this scenario, the user authentication is performed by an external security product. Supported external security products are certified by the SAP Software Partner Program. For more information, see the SNC User’s Guide available on the SAP Service Marketplace at service.sap.com/security.

•  Using Header Variables or Integrated Windows Authentication

The SAP Web Application Server Java supports the use of header variables for Single Sign-On. This means that you can delegate user authentication to any external product that authenticates the user and returns an authenticated user ID as part of the HTTP header. Users only have to authenticate once against the external product and can then access applications on the Web AS Java, such as the portal, with Single Sign-On.

Because the Web AS Java accepts the user ID it finds in the header, the header must only ever originate from the authenticating product, never from the client. There are therefore security measures to take when using header variables for Single Sign-On. See: Using Header Variables or Integrated Windows Authentication for User Authentication.
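The following added example (not from the guide and not SAP's login module) models the trust boundary that header-variable Single Sign-On depends on, from both sides. build_forwarded_headers shows what the authenticating proxy must do before forwarding a request: drop every client-supplied copy of the user-ID header and set exactly one from its own authentication result. resolve_sso_user shows what the receiving side should verify: the request arrived from a trusted proxy address, the header is present exactly once, and the value is a well-formed user ID. The header name REMOTE_USER, the proxy network 10.0.0.0/24 and the user-ID pattern are assumptions for this example.

```python
import ipaddress
import re

# Assumptions for this example, not SAP configuration values.
SSO_HEADER_NAME = "REMOTE_USER"                               # header the external product sets
TRUSTED_PROXY_NETWORKS = [ipaddress.ip_network("10.0.0.0/24")]  # constructed addresses
USER_ID_PATTERN = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def _header_values(headers, name):
    """Collect every value of a header, matching the name case-insensitively.

    headers is a list of (name, value) pairs, as a proxy or server sees them,
    so duplicate headers are visible instead of being silently merged.
    """
    return [v for (k, v) in headers if k.lower() == name.lower()]


def build_forwarded_headers(client_headers, authenticated_user):
    """What the authenticating proxy must do before forwarding to the Web AS Java.

    Any copy of the SSO header sent by the client is discarded; the only copy
    that reaches the server is the one set here from the proxy's own
    authentication result.
    """
    forwarded = [(k, v) for (k, v) in client_headers
                 if k.lower() != SSO_HEADER_NAME.lower()]
    forwarded.append((SSO_HEADER_NAME, authenticated_user))
    return forwarded


def resolve_sso_user(peer_ip, headers):
    """Server-side acceptance of the header variable.

    Returns ("ok", user_id) or ("rejected", reason).
    """
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return ("rejected", "invalid-peer-address")
    # Only the authenticating proxy may reach this entry point: a client that
    # could connect directly would be able to supply the header itself.
    if not any(peer in net for net in TRUSTED_PROXY_NETWORKS):
        return ("rejected", "peer-not-trusted-proxy")
    values = _header_values(headers, SSO_HEADER_NAME)
    if not values:
        return ("rejected", "missing-header")
    if len(values) > 1:
        # Two copies mean the proxy did not strip the client's header.
        return ("rejected", "duplicate-header")
    user = values[0].strip()
    if not USER_ID_PATTERN.match(user):
        return ("rejected", "malformed-user-id")
    return ("ok", user)


if __name__ == "__main__":
    # Constructed request: the client already carries a copy of the SSO header.
    client_request = [("Host", "webas.example.invalid"), ("remote_user", "someone-else")]
    print("direct to server:", resolve_sso_user("192.0.2.10", client_request))
    print("via proxy, unstripped:", resolve_sso_user("10.0.0.5", client_request))
    forwarded = build_forwarded_headers(client_request, "jdoe")
    print("via proxy, stripped:", resolve_sso_user("10.0.0.5", forwarded))
```

The second printed line is the case the guide's warning is about: if the proxy forwards the client's header untouched, the server has no way to tell the difference, so stripping at the proxy and restricting network access to the proxy are both required.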

•  Java Authorization and Authentication Service (JAAS)

The J2EE Engine supports the use of external authentication mechanisms using the JAAS specification. In this case, you can include external modules in the SAP J2EE Engine's login module stack. For more information, see Authentication on J2EE Engine.

•  Security Assertion Markup Language (SAML)

The J2EE Engine also supports the use of SAML assertions for user authentication. For more information, see Authentication on J2EE Engine.