Liquid UI - WS Reference Library

2.3.7 Single Sign On


Purpose

In a default SAP setup, organizations had to manage separate usernames and passwords for logging on to SAP systems. Companies have standardized this using Windows Active Directory with Kerberos. It is quite easy to set up Single Sign-On for SAP GUI on a desktop that is on the domain, but what about iOS devices, which are not on the Active Directory domain?

Liquid UI supports Single Sign-On (SSO) for user authentication on iOS. It eliminates the need for IT to manage thousands of usernames and passwords. With the Single Sign-On feature, Liquid UI users can enter their domain username and password to log in to SAP. Users then have to remember only one set of login credentials to gain access to SAP.

Liquid UI supports Single Sign-On so that users can log on to SAP ERP systems using the following three methods:

  1. Domain credentials

  2. @portal\Username
  3. Key-certificate pair

    Prerequisites

    • Valid Windows Domain Login Credentials
    • Liquid UI Server v3.5.561.0 and later
      • The Liquid UI Server should be on the DOMAIN
    • Import Synssl.dll, version 2.0.0.0 and later, into the GuixtWSServer folder

    • Import the key-certificate pair into GuixtWSServer and install the keypair

    • Configure Liquid UI Server with the sapproxy.ini file

    • Configure the connection in Liquid UI for iOS

Users can create a domain name on “Secure Network Communications” (SNC) and use this domain name for multiple logins. Liquid UI Server authenticates Liquid UI for iOS users through Windows Active Directory. Users then have to remember only one password, and you have only one username database to manage.

Each method requires a different configuration on the Liquid UI Server. Refer to the Single Sign-On Configuration article for details.

Liquid UI Server supports advanced features such as two-factor authentication, along with interchangeable support for Kerberos, key-certificate pairs, etc., to fulfill even the most complex customer requirements for SAP ERP.


Liquid UI for iOS

Liquid UI provides Single Sign-On with unified logon to the SAP ERP system, based on Windows Active Directory using Kerberos authentication.


Architecture

Mechanism

  • Enter domain credentials on the Liquid UI for iOS native SAP logon screen.
  • The credentials are transmitted to the Liquid UI Server and then to Microsoft Active Directory.
  • Upon receiving the request, Active Directory sends a Kerberos token to the Liquid UI Server.
  • Liquid UI Server forwards the Kerberos token to the SAP Application Server (ABAP). The server validates the token and authenticates the user credentials by logging into SAP ECC.