Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Read only

Configuration steps for JavaScript Web Client on Secure Login Server

Go to solution
asif_rahmetulla
Participant

on ‎2022 May 23 9:37 PM

2,435

Hello all,

We are trying to configure JavaScript Web Client such that it can redirect to a web service in backend SAP system after getting authenticated and issued X.509 certificate using Secure Login.

The steps described in section Providing X.509 Certificates to Secure Login Client Using JavaScript Web Client | SAP Help Portal, of SAP Single Sign-On implementation guide were followed, however, we are looking for blog that would describe the configuration steps clearly.

Appreciate your assistance

Regards,

Asif

Know the answer?

Help others by sharing your knowledge.

Answer

Need more details?

Request clarification before answering.

Show replies
Show replies
asif_rahmetulla
Participant
‎2022 Jun 01 7:46 PM

Hello all,

Adding to the comments to clarify what is needed

We are looking for sample configuration with necessary authentication profiles and user profile group needed for setting up JavaScript Web Client to access backend system using web browser.

As per the Single Sign-On 3.0 implementation guide, we have setup couple of authentication profiles and a dedicated user profile group as follows:

1- Web Adapter Profile with type "Web Adapter Profile" as described in https://help.sap.com/docs/SAP_SINGLE_SIGN-ON/df185fd53bb645b1bd99284ee4e4a750/c6bedaedd5664216b4cacd...

2- Local Security Hub Profile as described in https://help.sap.com/docs/SAP_SINGLE_SIGN-ON/df185fd53bb645b1bd99284ee4e4a750/4d5868ea250a497b9cf26f...

3- Secure Login Web Client Profile

a) In "Authentication Configuration" tab, selected "Java Script Web Client" as Authentication Form and using LDAP authentication for login policy configuration in order for the Web Client Profile to initiate authentication

b) For "Certificate management" tab, selected "User Sub CA" as the CA for issuing certificate

c) For "Enrollment configuration" tab, provided the URL to redirect as "https://FQDN_backendhost/sap/bc/gui/sap/<web_service_name>

and used "Web Adapter" & "Local Security Hub" in the Web Adapter Configuration

4- Created user profile group containing "Local Security Hub" and "Web Adapter" profiles. In the Web Adaptor profile we referenced the JavaScript Web Client profile for SAPGUI initiated browser SSO. However, not sure if this was required.

5- We downloaded the user profile group on the Secure Login Client and tested web client as follows:

a) In the Secure Login Client, double click on the Web Adapter profile

b) Get prompted for user / password by the SAP Single Sign-On. After entering the credentials we do see message "creating certificate" and then "key successfully imported" message and the page gets redirected to URL provided in the JavaScript Web Client profile.

However, we get prompted again for user / password by the backend system to access the web service.

Questions:

a) We are unable to add the "Secure Login Web Client" authentication profile to this user profile group. How can we have the Secure Login Web Client authentication profile added to the user profile group so that it is available on the Secure Login Client?

b) We would appreciate sample configuration that we can reference for enabling Secure Login Web Client (with web adapter mode) to allow browser based access to the backend system using SAP SSO.

Regards,

Asif

View Entire Topic
Tobias_Lejczyk
Product and Topic Expert
Product and Topic Expert
‎2022 Jun 24 1:44 PM
0 Likes

Hi Asif,

for me, this sounds like a missing configuration between the SAP Gui and the ABAP Backend.

It seems that the fetching of the certificate already works perfectly ("key successfully imported" and the redirect to the configured page). Does your Web Adapter Profile in your Secure Login Server contain a certificate afterwards? Is it green? Then this part already worked.

For the access to the system: did you configure client certificate based authentication at your backend system? You need to trust the CA (in your case probably the SLS CA), set the "verifiy client" option to 1 or 2 for the icm/server_port (either globally via icm/HTTPS/verify_client or via VCLIENT in the port itself), forward the certificate if you are running a reverse proxy, and finally map the user (usually done via transaction CERTRULE, don't forget to activate login/certificate_mapping_rulebased).

After that configuration you should be prompted in your browser for a certificate and the SLC certificate is shown there.

Just FYI: The Secure Login Web Client profile is not added to a user profile group. It is referenced in the Web Adapter profile, but it is just there to handle the interaction between the browser and the Secure Login Server. Hence it is not imported into the Secure Login Client and thus not added to the user profile group.

Best regards,
Tobias

Show replies
Show replies
Ask a Question