SAP Secure Login Client 3.0

In a previous blog, I announced that we plan to publish the REST API that allows you to implement your own Secure Login Clients. Here we go.

In general, Secure Login Server 3.0 responds with REST objects that need to be parsed and interpreted by your client.

Your client requests don't contain REST or JSON, but HTTP headers and forms.


WORKFLOW

First, let's get a better understanding of the required steps and the information that is exchanged between your Secure Login REST Client and Secure Login Server:


SERVER REST SPECIFICATION

The REST objects used by Secure Login Server 3.0 depend on the current status of the authentication:


CLIENT FORM VALUES SPECIFICATION

Your client has to return all requested input fields, with the specified names and the user's values, in URL-encoded form.

The syntax is:

In the initial request only, your client may also supply desired certificate name properties, which Secure Login Server can take into account when generating the returned certificate template REST object. This is helpful for automated requests for servers or unattended clients, e.g. in a Certificate Lifecycle Management scenario.

The following properties are supported:


CERTIFICATE TEMPLATE AND REQUEST

Secure Login Server has to receive a correct and complete PKCS#10 certificate signing request from your client. Especially if a Remote CA is used, Secure Login Server is unable to change and re-sign the request.

To allow your client to create such a complete PKCS#10 request, Secure Login Server tells you which certificate attributes you have to add. This is done once the authentication loop is completed: Secure Login Server then sends a certificate template REST object.

You have two choices for your implementation:

  1. You take over the DER encoded ASN.1 blobs. This is only possible if you use a security or crypto toolkit for your own client that supports ASN.1 construction.
  2. You take over the string representations and construct the respective X.509 certificate extensions. This also requires toolkit capabilities, but usually it's a higher level API.

If your Secure Login Server version is lower than 3.0 SP01 PL01, your ASN.1 DER encoding must match exactly with the blob you have received.

Beginning with PL01, the comparison algorithm is more tolerant and accepts a different order of extensions as well as different string encodings in name attributes.
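A pre-flight check a client could run before submitting its PKCS#10, as an added example that is not from the original blog or SAP's sample client and is not Secure Login Server's actual comparison algorithm: it classifies a client-built X.509 Extensions SEQUENCE against the template blob as byte-identical, same extensions in a different order, or different. It covers extension order only, not string encodings in name attributes; the function names and hex samples are constructed for illustration.

```javascript
// Added illustration: compare a client-built Extensions SEQUENCE with a template blob.
// Minimal DER reader: single-byte tags, short- and long-form lengths.
function readTlv(buf, off) {
  if (off + 2 > buf.length) throw new Error('truncated DER header');
  const tag = buf[off];
  let len = buf[off + 1];
  let hdr = 2;
  if (len & 0x80) {                        // long form: low 7 bits = number of length bytes
    const n = len & 0x7f;
    if (n === 0 || off + 2 + n > buf.length) throw new Error('bad DER length');
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + buf[off + 2 + i];
    hdr += n;
  }
  const end = off + hdr + len;
  if (end > buf.length) throw new Error('truncated DER value');
  return { tag, value: buf.subarray(off + hdr, end), raw: buf.subarray(off, end), end };
}

// Split the contents of a SEQUENCE into its child TLVs.
function children(value) {
  const out = [];
  for (let off = 0; off < value.length; ) {
    const tlv = readTlv(value, off);
    out.push(tlv);
    off = tlv.end;
  }
  return out;
}

// 'identical': byte-for-byte match; 'reordered': same extensions, different order;
// 'different': an extension is missing, extra, or encoded differently.
function compareExtensions(templateDer, clientDer) {
  if (Buffer.compare(templateDer, clientDer) === 0) return 'identical';
  const sorted = (der) => {
    const top = readTlv(der, 0);
    if (top.tag !== 0x30) throw new Error('expected SEQUENCE');
    return children(top.value).map((ext) => ext.raw.toString('hex')).sort();
  };
  const a = sorted(templateDer);
  const b = sorted(clientDer);
  return a.length === b.length && a.every((x, i) => x === b[i]) ? 'reordered' : 'different';
}

// Constructed sample extensions (not taken from a real server response).
const KU = Buffer.from('300e0603551d0f0101ff040403020780', 'hex');     // keyUsage: digitalSignature
const KU_ALT = Buffer.from('300e0603551d0f0101ff040403020520', 'hex'); // keyUsage: keyEncipherment
const EKU = Buffer.from('30130603551d25040c300a06082b06010505070302', 'hex'); // extKeyUsage: clientAuth
const seq = (...parts) => Buffer.concat([Buffer.from([0x30, parts.reduce((n, p) => n + p.length, 0)]), ...parts]);

console.log(compareExtensions(seq(KU, EKU), seq(EKU, KU))); // reordered
```

Per the statements above, only an `identical` result satisfies a server older than 3.0 SP01 PL01, while `reordered` corresponds to the case the more tolerant comparison accepts.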

NODEJS SAMPLE REST CLIENT

This tiny NodeJS program illustrates all kinds of Secure Login Server 3.0 authentication mechanisms, except SPNEGO. You should run Secure Login Server 3.0 SP01 or later.
If you would like to implement your own client, try to get the sample running with your server first. You can learn a lot, with full access to all HTTP requests and responses.