Purpose
Single Sign-On (SSO) enables users to authenticate and access multiple applications with one set of sign-in credentials. In a default SAP setup, organizations used to manage different usernames and passwords to login to SAP systems. Companies have standardized this using the Windows Active Directory with Kerberos.
Liquid UI supports Single Sign-On (SSO) for user authentication on Liquid UI Server. Using SSO, you can access a wide variety of web, windows, Android, and iOS applications for SAP. This feature reduces password-related help desk calls and improves security and compliance. It eliminates the need for IT for managing thousands of usernames and passwords. With the Single Sign-On feature, Liquid UI users can enter domain usernames and passwords to login to SAP. The users will now have to remember only one set of login credentials to gain access to SAP.
Architecture
Mechanism
- Enter Domain credentials on the Liquid UI Server native SAP logon screen.
- The credentials are transmitted to the Liquid UI Server and then to Microsoft Active Directory.
- The Active Directory upon receiving the request sends Kerberos token to the Liquid UI Server.
- Liquid UI Server forwards the Kerberos token to SAP Application Server (ABAP). The server validates the token and authenticates the user credentials by logging into SAP ECC.
Liquid UI supports Single Sign-On that allows users to logon to SAP ERP systems using any one of the following four methods:
-
Domain credentials
Configurations:
- Valid Windows Domain Login Credentials
- Kerberos Configuration on SAP ECC (Transaction: RZ10)
- Liquid UI Server v3.5.549.0 and later
- The Liquid UI Server should be on the same domain
- Kerberos DLL is distributed as part of the Liquid UI Server installation. Older Version: Make sure that you have a Kerberos library (32bit:gsskrb5.dll, 64bit:gx64krb5.dll) files under LiquidUIServer (or GuXTWSServer) folder.
- Configure Liquid UI Server with sapproxy.ini file
- Configure Secure Network Communication in SAP GUI (if doesn't exist)
- Login to Liquid UI Server using Windows Domain Credentials
-
Portal
Configurations:
-
Key-certificate pair
Configurations:
- Valid Windows Domain Login Credentials
- Liquid UI Server v3.5.561.0 and later
- The Liquid UI Server should be on the same domain
- Obtaining Certificate
- Import the certificate into Liquid UI Server and SAP System
- Import the key-certificate pair into SAP Server
- Import Synssl.dll, version 2.0.0.0 and later
- Configure Liquid UI Server with sapproxy.ini file
- Login to Liquid UI Server using Windows Domain Credentials
-
Key-certificate pair with Cyber safe
Configurations:
- Valid Windows Domain Login Credentials
- Liquid UI Server v3.5.584.0 and above
- The Liquid UI Server should be on the same domain
- Generating certificate using openssl.exe
- Import the certificate into Liquid UI Server and SAP System
- Import the key-certificate pair into SAP Server
- Install Cyber Safe on Liquid UI Server, and configure.
- Configure Liquid UI Server with sapproxy.ini file
- Check SSO running successfully
- Login to Liquid UI Server using Windows Domain Credentials
The users can create a Domain name on the “Secure Network Communications” (SNC) and use this domain name for multiple logins. Liquid UI Server authenticates users through Windows Active Directory for our Liquid UI for Android. The users will now have to remember only one set of passwords, and you will have only one username database to manage.
Each method has different configurations with the Server. Refer to the Single Sign-On Configuration article to know in detail.
Liquid UI Server also supports advanced features such as two-factor authentication along with interchangeable support for Kerberos, key-certificate pair, etc. to fulfill even the most complex customer requirements of SAP ERP.
