Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Read only

Configuration steps for JavaScript Web Client on Secure Login Server

Go to solution
asif_rahmetulla
Participant

on ‎2022 May 23 9:37 PM

2,434

Hello all,

We are trying to configure JavaScript Web Client such that it can redirect to a web service in backend SAP system after getting authenticated and issued X.509 certificate using Secure Login.

The steps described in section Providing X.509 Certificates to Secure Login Client Using JavaScript Web Client | SAP Help Portal, of SAP Single Sign-On implementation guide were followed, however, we are looking for blog that would describe the configuration steps clearly.

Appreciate your assistance

Regards,

Asif

Know the answer?

Help others by sharing your knowledge.

Answer

Need more details?

Request clarification before answering.

Show replies
Show replies
asif_rahmetulla
Participant
‎2022 Jun 01 7:46 PM

Hello all,

Adding to the comments to clarify what is needed

We are looking for sample configuration with necessary authentication profiles and user profile group needed for setting up JavaScript Web Client to access backend system using web browser.

As per the Single Sign-On 3.0 implementation guide, we have setup couple of authentication profiles and a dedicated user profile group as follows:

1- Web Adapter Profile with type "Web Adapter Profile" as described in https://help.sap.com/docs/SAP_SINGLE_SIGN-ON/df185fd53bb645b1bd99284ee4e4a750/c6bedaedd5664216b4cacd...

2- Local Security Hub Profile as described in https://help.sap.com/docs/SAP_SINGLE_SIGN-ON/df185fd53bb645b1bd99284ee4e4a750/4d5868ea250a497b9cf26f...

3- Secure Login Web Client Profile

a) In "Authentication Configuration" tab, selected "Java Script Web Client" as Authentication Form and using LDAP authentication for login policy configuration in order for the Web Client Profile to initiate authentication

b) For "Certificate management" tab, selected "User Sub CA" as the CA for issuing certificate

c) For "Enrollment configuration" tab, provided the URL to redirect as "https://FQDN_backendhost/sap/bc/gui/sap/<web_service_name>

and used "Web Adapter" & "Local Security Hub" in the Web Adapter Configuration

4- Created user profile group containing "Local Security Hub" and "Web Adapter" profiles. In the Web Adaptor profile we referenced the JavaScript Web Client profile for SAPGUI initiated browser SSO. However, not sure if this was required.

5- We downloaded the user profile group on the Secure Login Client and tested web client as follows:

a) In the Secure Login Client, double click on the Web Adapter profile

b) Get prompted for user / password by the SAP Single Sign-On. After entering the credentials we do see message "creating certificate" and then "key successfully imported" message and the page gets redirected to URL provided in the JavaScript Web Client profile.

However, we get prompted again for user / password by the backend system to access the web service.

Questions:

a) We are unable to add the "Secure Login Web Client" authentication profile to this user profile group. How can we have the Secure Login Web Client authentication profile added to the user profile group so that it is available on the Secure Login Client?

b) We would appreciate sample configuration that we can reference for enabling Secure Login Web Client (with web adapter mode) to allow browser based access to the backend system using SAP SSO.

Regards,

Asif

Accepted Solutions (1)

Accepted Solutions (1)

Tobias_Lejczyk
Product and Topic Expert
Product and Topic Expert
‎2022 Jun 24 1:44 PM
0 Likes

Hi Asif,

for me, this sounds like a missing configuration between the SAP Gui and the ABAP Backend.

It seems that the fetching of the certificate already works perfectly ("key successfully imported" and the redirect to the configured page). Does your Web Adapter Profile in your Secure Login Server contain a certificate afterwards? Is it green? Then this part already worked.

For the access to the system: did you configure client certificate based authentication at your backend system? You need to trust the CA (in your case probably the SLS CA), set the "verifiy client" option to 1 or 2 for the icm/server_port (either globally via icm/HTTPS/verify_client or via VCLIENT in the port itself), forward the certificate if you are running a reverse proxy, and finally map the user (usually done via transaction CERTRULE, don't forget to activate login/certificate_mapping_rulebased).

After that configuration you should be prompted in your browser for a certificate and the SLC certificate is shown there.

Just FYI: The Secure Login Web Client profile is not added to a user profile group. It is referenced in the Web Adapter profile, but it is just there to handle the interaction between the browser and the Secure Login Server. Hence it is not imported into the Secure Login Client and thus not added to the user profile group.

Best regards,
Tobias

Show replies
Show replies

Answers (1)

Answers (1)

asif_rahmetulla
Participant
‎2022 Jul 05 6:15 PM

Hello Tobias,

Thank you for detailed explanation! We followed your recommendation as suggested but still getting prompted for credentials be the backend system.

Questions:

1- Is there a way we can troubleshoot what could be causing this to not work?

Other observations:

1- We are using Microsoft Edge as browser and getting prompted for credentials twice. After the first login prompt the second authentication form reads "secure login web client". Why there are two login prompts and is there a way we can avoid the first one? This does not happen in Chrome.

2- After the successful login, the browser shows list of certificate to choose for accessing backend. Can this be suppressed and use the certificate generated by the web client profile automatically?

3- Activating the parameter login/certificate_mapping_rulebased for certificate based mapping, will it impact with any of the existing authentication for web application access via enterprise portal etc.,?

Regards,

Asif

Show replies
Show replies
Hikmatullah-Mohammadi
Explorer
‎2025 Nov 05 5:52 AM
0 Likes

Hi Asif,

I am facing the same challenge now.

  1. I log in using the web adapter profile in the browser.
  2. The SLC logs in successfully then.
  3. The browser redirects me to the backend (OData).
  4. It displays a list of certificates where I can choose one. After choosing a cert, I get access to the backend.

How can I bypass step 4? I mean, it should be done automatically by the adapter profile I logged in to.

It seems you have successfully implemented this. Could you kindly help me out? 

Thanks a lot!

Hikmat

Ask a Question