Purpose
Organizations managing SAP environments had to handle multiple usernames and passwords for logging into various SAP systems and applications. Companies have adopted a standardized approach using Microsoft Active Directory with Kerberos to address this challenge. Implementing Single Sign-On (SSO) on SAP GUI for desktops within the domain is relatively straightforward.
But how can SSO access be extended to Android devices that are not part of the Active Directory domain?
Liquid UI offers a solution by supporting Single Sign-On for user authentication on Android devices. This eliminates the need for IT administrators to manage numerous usernames and passwords, reducing the administrative burden. With the Single Sign-On feature, Liquid UI users can log in to SAP using their domain username and password. Users only need to remember a single set of login credentials to access SAP, which improves the overall user experience.
Architecture
Mechanism
- Enter domain credentials on the Liquid UI for Android native SAP logon screen.
- The credentials are transmitted to the Liquid UI Server and then to Microsoft Active Directory.
- Upon receiving the request, Active Directory sends a Kerberos token to the Liquid UI Server.
- Liquid UI Server forwards the Kerberos token to the SAP Application Server (ABAP). The server validates the token and authenticates the user credentials by logging into SAP ECC.
Liquid UI supports Single Sign-On to allow users to log in to SAP ERP systems using any of the following four methods:
- Domain credentials
  Configurations:
  - Valid Windows domain login credentials
  - Kerberos configuration on SAP ECC (Transaction: RZ10)
  - Liquid UI Server v3.5.549.0 and above
  - The Liquid UI Server should be on the same domain
  - The Kerberos DLL is distributed as part of the Liquid UI Server installation. For older versions, make sure that the Kerberos library files (32-bit: gsskrb5.dll, 64-bit: gx64krb5.dll) are under the Liquid UI Server (or GuXTWSServer) folder
  - Configure Liquid UI Server with the sapproxy.ini file
  - Configure Secure Network Communication in SAP GUI (if it does not already exist)
  - Log in to Liquid UI for Android using Windows domain credentials
- Portal
  Configurations:
- Key-certificate pair
  Configurations:
  - Valid Windows domain login credentials
  - Liquid UI Server v3.5.561.0 and above
  - The Liquid UI Server should be on the same domain
  - Obtain the certificate
  - Import the certificate into Liquid UI Server and the SAP system
  - Import the key-certificate pair into the SAP Server
  - Import Synssl.dll, version 2.0.0.0 and later
  - Configure Liquid UI Server with the sapproxy.ini file
  - Log in to Liquid UI for Android using Windows domain credentials
- Key-certificate pair with CyberSafe
  Configurations:
  - Valid Windows domain login credentials
  - Liquid UI Server v3.5.584.0 and above
  - The Liquid UI Server should be on the same domain
  - Generate the certificate using openssl.exe
  - Import the certificate into Liquid UI Server and the SAP system
  - Import the key-certificate pair into the SAP Server
  - Install and configure CyberSafe on Liquid UI Server
  - Configure Liquid UI Server with the sapproxy.ini file
  - Check that SSO is running successfully
  - Log in to Liquid UI for Android using Windows domain credentials
Users can create a domain name in Secure Network Communications (SNC) and use this domain name for multiple logins. Liquid UI Server authenticates Liquid UI for Android users through Windows Active Directory. Users now have to remember only one set of passwords, and there is only one username database to manage.
Liquid UI Server facilitates advanced features such as two-factor authentication and interchangeable support for Kerberos, key-certificate pairs, and more to fulfill even the most complex customer requirements of SAP ERP.