Integration in Single Sign-On Environments

SAP MI supports the Single Sign-On mechanism using SAP logon tickets that is provided by the SAP NetWeaver Application Server. Consequently, the security recommendations and guidelines for user administration and authentication that are described in the SAP NetWeaver Application Server Security Guide are also valid for SAP MI. Currently, however, SAP MI only supports the Single Sign-On technology based on SAP logon tickets.

Prerequisites

The following requirements must be satisfied to enable authentication with Single Sign-On in SAP MI:

·        The SAP MI Server Component (SAP NetWeaver AS) is configured to support SAP logon tickets (see Authentication and Single Sign-On).

·        The SAP MI Client Component is configured for Single Sign-On.

Single Sign-On Scenarios

When using Single Sign-On, the following scenarios are configurable:

·        One User - SAP MI-Oriented

The device is used by a single user only. The user starts the SAP MI Client Component on the mobile device. The component requests a ticket from the ticket-issuing system; this ticket is then used for the initial logon and for synchronization.

In this scenario, the user must authenticate at the ticket-issuing system, for example by entering the user ID and password for that system. SAP MI verifies the logon data using the SAP logon ticket. The password handling settings in SAP MI are therefore ignored, and the user has no access to password management.

In the initial logon, which must be performed online, the user data from the logon ticket is used to create a user in the SAP MI Client Component.

·        One User – SAP MI Access from a Ticket-Issuing System, for Example, SAP Enterprise Portal

The device is used by a single user only. The user starts SAP MI on their mobile device as a service running in the background without a user interface.

To work with SAP MI, the user opens the SAP MI Client Component user interface from a link (for example, in the SAP Enterprise Portal).

If the system has been configured appropriately, the user already holds a logon ticket from logging on to the ticket-issuing system by the time the SAP MI user interface is started. The ticket therefore does not need to be requested.

·        Multiple Users

The device is used by multiple users. The user starts SAP MI on their mobile device as a service running in the background without a user interface.

To work with SAP MI, the user opens the SAP MI user interface from a link (for example, in SAP Enterprise Portal).

If no ticket is available, users can start SAP MI from the browser at the configured start address and log on with their user name and password. In this case, the password handling settings already configured in SAP MI apply, and the user can use password management in SAP MI.

Before a user can log on with an SAP logon ticket, a user name and password must first be created for that user in the SAP MI Client Component.

See also:

Setting Up Single Sign-On on the Mobile Device

SAP Logon Tickets

Encryption of the Database Password