Liquid UI - WS Reference Library

2.3.7 Single Sign On


Purpose

In a default SAP setup, organizations used to manage different usernames and passwords to logon to SAP systems. Companies have standardized this using the Windows Active Directory with Kerberos. It is quite easy to setup Single Sign-On on SAP GUI on a desktop which is on the domain, but what about Android device, which are not on the Active Directory domain?

Liquid UI supports Single Sign-On (SSO) for user authentication on Android. It eliminates the need for IT for managing thousands of username and passwords. With Single Sign-On feature, Liquid UI users can enter domain username and password to login to SAP. The users will now have to remember only one set of login credentials to gain access to SAP.

Liquid UI supports Single Sign-On to allow users to logon to SAP ERP systems using following three methods:

  1. Domain credentials

    Prerequisites

  2. @portal\Username
  3. Key-certificate pair

    Prerequisites

The users can create Domain name on the “Secure Network Communications” (SNC) and use this domain name for multiple logins. Liquid UI server authenticates users through Windows Active Directory for our Liquid UI for Android. The users will now have to remember only one set of password, and you have only one username database to manage.

Each method has different configurations with Liquid UI Server. Refer Single Sign-On Configuration article to know in detail.

Liquid UI Server supports advanced features such as two-factor authentication along with interchangeable support for Kerberos, key-certificate pair, and etc. to fulfill even the most complex customer requirements of SAP ERP.


Liquid UI for Android

Liquid UI provides Single Sign-On with unified logon to SAP ERP system based on Windows Active directory using Kerberos Authentication.


Architecture

Mechanism

  • Enter Domain credentials on Liquid UI for Android native SAP logon screen.
  • The credentials are transmitted to the Liquid UI Server and then to Microsoft Active Directory.
  • The Active Directory upon receiving the request, sends Kerberos token to the Liquid UI Server.
  • Liquid UI Server forwards the Kerberos token to SAP Application Server (ABAP). The server validates the token and authenticates the user credentials by logging into SAP ECC.