on 09-04-2009 8:51 AM
Hi,
Here is the scenario I am facing:
I have a .Net application to which I logged on based on LDAP.
I would like to call - at the user's request - a SAP screen by leveraging the ABAP Integrated ITS on ECC.
Since I have a Kerberos Ticket, I would like to use SPNego and a NW Java stack in order to "convert" this Kerberos ticket into a SAP Logon Ticket and access the ABAP stack.
My idea was to use the Logon Error Pages from ICF service webgui (Integrated ITS on ABAP stack) in order to redirect to the Java stack, get the SAP Logon Ticket, and then go back to authenticate on the ABAP.
Does this seem a relevant scenario to you, experts?
I have been pointed to this resource : where the SAP .Net Connector is used to grab the SAP Logon Ticket.
string ticket = SAP.Connector.SAPConnection.GetSAPSSOTicket(connStr, 2);
Could you please help me put all this together?
In my opinion, either you do it from the .Net side or from the ABAP side:
- on the .Net side: should I test the existence of the SAP Logon Ticket and then - if necessary - use the above code to retrieve a SAP Logon Ticket while passing the Kerberos Ticket?
- on the ABAP side: the redirection would be sufficient? How will I be able to go back from the Java stack once the SAP Logon Ticket is obtained?
Thanks in advance for your help.
Best regards,
Guillaume
Edited by: Guillaume Garcia on Sep 4, 2009 9:54 AM
Guillaume,
Have you attempted the recommendation below? Andre, is the SIM208 session available in electronic format? We are struggling with implementing SSO through NWBC with a dual stack where both stacks are on the same server. We are close and have maybe all the pieces but cannot put the puzzle together. Any help would be greatly appreciated. My contact information is below.
Thanks,
Mark
910-228-1697
Hi Guillaume,
I wouldn't go for a solution that is based on the .NET connector since it is a deprecated solution (see SAP Note "SAP NCO Release and Support Strategy", SAP Note Number: 856863). In addition, it requires installing runtime components on the user's frontend.
Using the Logon Error Pages from ICF service webgui (Integrated ITS on ABAP stack) in order to redirect to the Java stack, get the SAP Logon Ticket, and then go back to authenticate on the ABAP is a solution if we are talking about a dual stack installation where both stacks are running on one server due to security aspects.
Did you also have a look at my virtual SAP TechEd session regarding autoenrollment of X.509 certificates?
SIM208 SSO for SAP NetWeaver Leveraging X.509 Certificate Auto Enrollment in Microsoft Active Directory
This way you could achieve SSO at the Integrated ITS on the ABAP stack out of the box since X.509 certificates are a supported authentication method.
Best regards,
André