Web Service Authentication from .NET
We are connecting to SAP ABAP web services (Netweaver 7.0) from a .NET application (3.5 framework). It works fine passing the Login and Password explicitly (basic authentication), but we need to connect with different credentials by user and don't have the password available to the program, only the Login. In our case, the user is outside the domain, so we can't rely on Integrated Windows Authentication. We have two different scenarios, one where the application is running inside a Portal iView, and one where the application is running outside the portal entirely.
I see two possible options:
1. SAP Logon Ticket
2. SAML Token
When we run inside the portal, is it possible to get the SAP Logon Ticket and use that to authenticate our connection to the SAP web service? Normally logon tickets are isolated to a single domain, and our .NET application resides in a different domain than our SAP system. I found some help documentation showing how to enable cross-domain logon tickets (essentially setting up the system to generate an additional cookie for the other domain), but that documentation says it will be replaced by sapssoext, and I can't find good documentation on the new approach. Also, I'm not sure of all the steps to get and pass the logon ticket once I am able to get over the cross-domain hurdle. What are the steps to configure a web service to accept a logon ticket instead of basic authentication with login and password?
If using SAP logon tickets is not viable, is SAML our only viable option? As I looked into this, I found that SAML is only supported in the Java stack, and not the ABAP stack until Netweaver 7.1 comes out (October?). Since our web services are fronting ABAP RFCs, I assume that means I can't pass a SAML token to an ABAP web service until Netweaver 7.1 comes out next month (or whenever it acutally comes out). Is that right?
Any help would be greatly appreciated.