Channel: SCN: Message List

Re: NW SSO 2 - Secure login client - logon using client certificate


Dear Jan,

The technology used for secure communication between Secure Login Client and Secure Login Server is HTTPS (SSL). You will be able to find more details about Secure Communication here.

pseType is a parameter for the authentication type and is part of the client policy parameters of the Secure Login Client. This parameter takes two values: promptedlogin (using this profile, the user will be requested to enter the user credentials) and windowslogin (using this profile, the user credentials will be provided automatically; this is only available for Microsoft Windows authentication). The default value is windowslogin. You will be able to find more details about the Client Policy Parameters of the Secure Login Client in the Secure Login for SAP NetWeaver Single Sign-On Implementation Guide.

Regarding authentication mechanisms available for Secure Login Client:

The Secure Login Client is integrated with SAP software to provide single sign-on capability and enhanced security. Secure Login Client can be used with Kerberos technology, an existing public key infrastructure (PKI), or together with the Secure Login Server for certificate-based authentication without having to set up a PKI.

The Secure Login Client can use the following authentication methods:

· Smart cards and USB tokens with an existing PKI certificate (Secure Login Server and authentication server are not necessary.)

· Microsoft Crypto Store with an existing PKI certificate (Secure Login Server and Authentication Server are not necessary.)

· Microsoft Windows Credentials (The Microsoft Windows Domain credentials (Kerberos token) can be used for authentication. The Microsoft Windows credentials can also be used to receive a user X.509 certificate with the Secure Login Server.)

· User name and password (several authentication mechanisms) - The Secure Login Client prompts you for your user name and password and authenticates with these credentials using the Secure Login Server in order to receive a user X.509 certificate.

All of these authentication methods can be used in parallel. A policy server provides authentication profiles that specify how to log on to the desired SAP system.

You will be able to find more details about the authentication mechanisms available for Secure Login Client in the Secure Login for SAP NetWeaver Single Sign-On Implementation Guide.

With the AS Java, you can use certificate revocation lists (CRLs) to make sure that a given certificate has not been revoked by the issuing Certificate Authority (CA).

The certificate revocation list (CRL) check for SNC is part of the Secure Login technology and runs independently of the business system versions.

Certificate revocation is available for the following use cases:

· User authentication using the Secure Sockets Layer (SSL) protocol and X.509 client certificates.

In this case, the check is integrated into the login module ClientCertLoginModule. If the user's certificate has been revoked, the user is denied access to the server.

· Outgoing connections to other servers that use HTTPS, if the HTTPS Connection Factory is used to establish the connection, for example, connections that use the Destination service.

In this case, the check is performed by the HTTPS Connection Factory. If the target server's certificate has been revoked, the connection is not established.

For more details, please check Enabling Certificate Revocation.

Regarding “two factor authentication (PIN for X.509)”, my proposal is to discuss this in a conference call because we would like to understand better the scenario of your customer. I already sent you a message requesting more details.

Best Regards,

Donka Dimitrova

Product Expert,

SAP NetWeaver SSO
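The revocation check described in the reply above, as an added example that is not part of the original post and not SAP's code: a Go program that builds a throwaway CA and user certificate in memory, has the CA sign a CRL, and then performs the kind of check a CRL-aware login module does before admitting an X.509 client certificate (chain validation first, then a CRL that must be signed by the CA, name the same issuer and still be current, and only then the serial lookup). Every name and serial number in it is constructed for the example; it uses only the Go standard library (Go 1.20 or later).

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Verdict is the outcome of AuthenticateClientCert.
type Verdict int

const (
	Accepted        Verdict = iota // chains to the CA and is absent from a valid CRL
	RejectedChain                  // does not chain to the trusted CA, or wrong key usage
	RejectedBadCRL                 // CRL unparsable, not signed by the CA, wrong issuer, or stale
	RejectedRevoked                // serial number is listed in a valid CRL
)

// TestPKI is an in-memory CA plus one user certificate, constructed for this example only.
type TestPKI struct {
	CA, User *x509.Certificate
	CAKey    *ecdsa.PrivateKey
}

func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // parse back so RawSubject/RawIssuer are populated
}

// BuildTestPKI creates a self-signed CA allowed to sign CRLs and one client-auth certificate it issued.
func BuildTestPKI(caName, userName string, userSerial int64) (*TestPKI, error) {
	now := time.Now()
	caKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	userKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err := errors.Join(err1, err2); err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: caName},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign} // CRLSign: CheckSignatureFrom insists on it
	ca, err := sign(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	user, err := sign(&x509.Certificate{SerialNumber: big.NewInt(userSerial), Subject: pkix.Name{CommonName: userName},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(8 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, ca, &userKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &TestPKI{CA: ca, CAKey: caKey, User: user}, nil
}

// IssueCRL has the CA sign a CRL listing the given serial numbers, valid for one hour from now.
func IssueCRL(pki *TestPKI, revoked []*big.Int, now time.Time) ([]byte, error) {
	var entries []pkix.RevokedCertificate // older field type, kept so the block builds on Go 1.20+
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	tmpl := &x509.RevocationList{RevokedCertificates: entries, Number: big.NewInt(1),
		ThisUpdate: now, NextUpdate: now.Add(time.Hour)}
	return x509.CreateRevocationList(rand.Reader, tmpl, pki.CA, pki.CAKey)
}

// AuthenticateClientCert mirrors a CRL-aware login module: validate the chain, then require a CRL
// that is signed by the CA, names the same issuer and is current, and only then consult its serials.
func AuthenticateClientCert(user, ca *x509.Certificate, crlDER []byte, now time.Time) Verdict {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := user.Verify(opts); err != nil {
		return RejectedChain
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil || crl.CheckSignatureFrom(ca) != nil { // a CRL anyone could have forged proves nothing
		return RejectedBadCRL
	}
	if !bytes.Equal(crl.RawIssuer, user.RawIssuer) || now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return RejectedBadCRL // wrong issuer or stale CRL: fail closed rather than accept silently
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(user.SerialNumber) == 0 {
			return RejectedRevoked
		}
	}
	return Accepted
}

func main() {
	pki, _ := BuildTestPKI("Example Secure Login CA", "jdoe", 1001) // error ignored in this demo only
	crl, _ := IssueCRL(pki, []*big.Int{pki.User.SerialNumber}, time.Now())
	fmt.Println(AuthenticateClientCert(pki.User, pki.CA, crl, time.Now())) // prints 3 (RejectedRevoked)
}
```

The order of the checks is the point: a CRL is only evidence once its signature, issuer and validity window have been verified, so a missing, foreign or expired CRL yields a rejection rather than a silent pass, which is the behaviour the reply describes for ClientCertLoginModule (a revoked user is denied) extended to the failure modes a defender also has to decide on.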


Viewing all articles
Browse latest Browse all 8667

Trending Articles



<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>