Amar,

ok, so you are coding your own java client app and this app needs to authenticate to EP such that an sso2 ticket is issued ? If this is correct, when the sso2 ticket is issued by SAP, will your client app take care of this ticket for subsequent connections to the SAP system, so that user will not be authenticated every time a URL is accessed ? If I understand correctly, you want to replace the browser (used in my earlier description) with your own client app, such that the user of the client app gets an SSO experience ? Can you confirm if this is correct ?

Thanks,

Tim

Amar,

Since you have already implmented an spnego login module on server, your java client can take advantage of this, but will need to implement the http negotiate protocol in order to securely use the credentials of logged on user. Effectively you would have to code the same as what is implemented in the browser, but it would be coded in java and run on each client machine along with your client app.

I notice you mentioned .net, so can I assume that your java code runs on .net server and the user accesses this app via a browser ? If so, then this could change the way you solve this problem. Please explain more about the .net involvement and whether a user runs your java app using browser or not. Previously I was thinking the java code was running on users workstation outside of the browser.

Thanks,

Tim

Amar,

The SAP CreateTicketLoginModule will not issue an SSO2 ticket unless a login module earlire in the JAAS stack has authenticated the user. This is why I was asking about authentication. Your java code woud have to authenticate to the SAP system using same approach that is used by the browser, and the Java engine will send your client code an SSO2 ticket just like it does if a browser is used.

In future releases of NetWeaver, the SSO2 propriatory ticket will be no longer used and instead SAML will be used. So, perhaps you need to think about using SAML if you are just working on a POC ?

Thanks,

Tim

Amar,

To authenticate to your java stack so that it will issue a ticket, since you have configured spnego login module, you would need to use gss-api, spnego and kerberos protocols in your jave code and follow the RFCs to make sure that you handle the authentication the same way that the browser does it - I can offer you a commercially supported product that woud do this for you and can be called by your java client code.

When your java code is running on .net server, you can use the spnego (e.g. integrated windows auth) capability included in the users browser, and make the .net server just pass these creds from users browser to the sap login module. Hopefully you can see that using java code on workstation outside of browser is much harder than if a real browser is involved.

Another thought ... perhaps you can add another login module to your jaas auth stack, e.g. http header ? Then you can authenticate the user from your java code by passing http header with user id and this user will be used to create the sso2 ticket and and return it to your code. This would be much easier for a POC, but perhaps not secure enough for after POC is complete.

Hope this helps ?

Thanks,

Tim

Amar,

You are digging a hole which is very deep. Making gss-api work with SAP SPNEGO login module will be very hard if you are not using the correct protocols. The GSS token sent to server over HTTP needs to be wrapped in an SPNEGO token using ASN-1, so you need to have SPNEGO support in the GSS library you are using, you also need an ASN-1 encoding/decoder, and you also need the Kerberos infrasturcture used by the GSS library to access credentials from the MS LSA cache. If you are not clear on these things, I suggest you don't try because it will take you a very long time to get it working. THis is why I suggested earlier using commercially supported solution, or changing to use HTTP header instead of spnego for this POC.

Thanks,

Tim

Amar,

I explained how to find commerically supproted products that use spnego in one of my earlier posts. I will give you a hint - I work for such a company

Yes, you need to pass spnego credentials in http header encoded in asn-1 format and containing the gss security token which is created after initialising a security context using the logged on users Kerberos TGT. If you are happy to code this then feel free, but it will take a long time if you are not familiar with this kind of approach and the technology and interfaces involved. I know it looks simple, but it isn't.

For http header, you can store the SAP user id in a custom http header variable name, and then configure the SAP HTTP header login module in your JAAS stack to read this header variable and then create the sso2 ticket from the name found in this variable. Clearly there are security implications of using this approach because you don't want any user to be able to send a http header to SAP and be authenticated ... However, for a POC it might be ok. You can find more info on http header login to SAP portal in SAP help library, where it explains how to add the login module to JAAS stack.

THanks,

Tim

Hi Amar,

please check SAP Note 1243347 - portal User Agents .

Does this solve your problem ?

Best regards,

André