SSO with Client Certificates
The following article describes the process of setting up Single-Sign-On (SSO) via Secure Network Communication (SNC) with SAP client certificates. For more information on using SSO with Board Connector (BC), see Documentation: SAP Single-Sign-On.
Requirements
Certificate-based SSO requires the following architecture:
- Implement SAP SSO with X.509 certificates without Secure Login Server, see SAP-Documentation: Authentication Methods without Secure Login Server.
- Implement Microsoft Certificate Store and Active Directory Certificate Templates for SAPGUI/RFC, see Microsoft TechNet: Certificate Template.
- Set up an enrollment agent for Board Connector in AD, see Microsoft TechNet: Establish Restricted Enrollment Agents.
- Install the SAP Secure Login Client on the server that runs Board Connector, see SAP-Documentation: Secure Login Client. The Secure Login Client ensures that the correct SNC library is available for SSO Certificate. This library is used to open the SAP connection.
- The Board Connector service must run under a Windows AD Service account, see Run the Board Connector Service under a Windows Service Account.
- Set up access restrictions for the Board Connector Designer and the BC server, see Restrict Access to Windows AD Users (Kerberos Authentication).
Process
The following graphic illustrates the process of authentication via SSO Certificate:
1. The user of the BI tool (caller) triggers an extraction by calling the BC webservice of your Xtract product. The caller uses their Active Directory identity to authenticate against the BC webservice via HTTPS and SPNEGO.
2. The BC server checks if a certificate for the caller is available in the Windows Certificate Store. If no certificate is available for the caller, a new certificate is issued by the Windows enrollment agent.
   - 2a) The BC server requests the client certificate from the Windows Certificate Store via the Windows API. If a certificate is available, the process continues with step 3. If no certificate is available, steps 2b) to 2e) are executed.
   - 2b) The BC server requests an enrollment agent certificate from the Windows Certificate Store via the Windows API. The enrollment agent certificate can be used to issue client certificates.
   - 2c) The BC server receives the enrollment agent certificate from the Windows Certificate Store.
   - 2d) If the requested certificate from 2a) is not found in the Windows Certificate Store, the BC server enrolls a new client certificate for the caller using the enrollment agent certificate.
   - 2e) The Windows Certificate Store receives the new client certificate from the Active Directory Services via MSRPC.
3. The BC server receives the client certificate of the caller from the Windows Certificate Store.
4. The BC server configures the SAP Secure Login Client via the Windows Registry.
5. The Secure Login Client receives the caller's client certificate, as specified by the BC server in step 4, from the Windows Certificate Store.
6. The Secure Login Client uses the client certificate of the caller to authenticate the caller's identity via SNC against SAP.
7. The BC server extracts data with the identity and privileges of the caller.
8. The BC server loads the extracted data from step 7 into the tool that triggered the extraction.
Setting up SSO and SNC with Client Certificates
Create a new SAP source system in Board Connector to set up SSO with client certificates:
- Navigate to [Server > Manage Sources] in the main menu of the Designer. The window "Manage Sources" opens.
- Click [Add] to create a new SAP source.
- Open the tab General and enter the connection details of your SAP system.
- Open the tab Authentication and activate the option SNC.
- Enter the path to the 64-bit version of the SAP Crypto Library in the field SNC library, e.g., C:\Program Files\SAP\FrontEnd\SecureLogin\lib\sapcrypto.dll. The SAP Crypto Library is installed as part of the SAP Secure Login Client.
- Enter the SNC partner name of the SAP system in the field SNC partner name. This is the same partner name as the SNC name used to set up the SAP GUI.
- Activate the option Enroll certificate on behalf of caller (Certificate SSO).
- Enter the technical name of the Active Directory Certificate Template used to authenticate SAP users.
- Enter the thumbprint of the certificate of the enrollment agent. If you don't know the name or thumbprint, consult the IT department that manages the Active Directory Certificate Services.
- Click [Test Designer Connection] to test your connection settings.
- Click [OK] to confirm your input.
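A pre-flight check for the requirements listed above and for the values entered in this dialog (SNC library path, certificate template name, enrollment agent thumbprint, service account), as an added PowerShell example that is not part of Board Connector or its documentation. The thumbprint, template name and service name are placeholders, and the enrollment agent certificate is assumed to be in the Personal store of the machine or of the account running the script.

```powershell
# Pre-flight check for the certificate-SSO prerequisites of a Board Connector SAP source.
# Added example; not part of Board Connector or its documentation. Placeholder values are constructed.
param(
    [string]$EnrollmentAgentThumbprint = 'PLACEHOLDER_THUMBPRINT',   # value from the AD CS team
    [string]$TemplateName = 'PLACEHOLDER_TEMPLATE_NAME',            # technical name of the AD CS template
    [string]$ServiceName  = 'PLACEHOLDER_BC_SERVICE_NAME',          # Windows service name of Board Connector
    [string]$SncLibrary   = 'C:\Program Files\SAP\FrontEnd\SecureLogin\lib\sapcrypto.dll'
)
$results = [ordered]@{}

# 1. SNC library: the 64-bit sapcrypto.dll installed with the SAP Secure Login Client
$results['SncLibraryPresent'] = Test-Path -LiteralPath $SncLibrary -PathType Leaf

# 2. Enrollment agent certificate: found by thumbprint, currently valid, private key usable,
#    and carrying the "Certificate Request Agent" EKU (OID 1.3.6.1.4.1.311.20.2.1)
$thumb = ($EnrollmentAgentThumbprint -replace '\s', '').ToUpperInvariant()
$cert = @('Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') |
        ForEach-Object { Get-ChildItem -Path $_ } |
        Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1
$results['AgentCertFound'] = [bool]$cert
if ($cert) {
    $now  = Get-Date
    $ekus = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object Value }
    $results['AgentCertStore']       = $cert.PSParentPath
    $results['AgentCertValidNow']    = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
    $results['AgentCertPrivateKey']  = $cert.HasPrivateKey
    $results['AgentCertHasAgentEku'] = $ekus -contains '1.3.6.1.4.1.311.20.2.1'
}

# 3. Certificate template: the technical name must exist in the AD configuration partition
try {
    $rootDse   = [ADSI]'LDAP://RootDSE'
    $container = [ADSI]('LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
                        $rootDse.configurationNamingContext)
    $results['TemplatePublishedInAD'] = [bool]($container.Children |
        Where-Object { $_.Properties['cn'].Value -eq $TemplateName })
} catch {
    $results['TemplatePublishedInAD'] = "lookup failed: $($_.Exception.Message)"
}

# 4. Service account: the BC service must run under an AD account, not a built-in identity
$svc     = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
$builtin = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
$results['ServiceFound']           = [bool]$svc
$results['ServiceAccount']         = if ($svc) { $svc.StartName } else { $null }
$results['ServiceRunsAsADAccount'] = [bool]$svc -and ($builtin -notcontains $svc.StartName)

[pscustomobject]$results | Format-List
```

Run the script under the Board Connector service account so that CurrentUser\My is the store the service actually sees at runtime.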
Tip
Create new extractions in the test environment with an SAP connection that uses Plain Authentication. Change the SAP source when moving the extraction to the productive environment.
Related Links
- SAP Help: Secure Network Communications
- SAP Help: Secure Login Client
- SAP Help: Logging on with Secure Login Client Using SNC
Written by: Fritjof Mayer, Valerie Schipka