
*Access to Portal Via Company Website*

Former Member
0 Kudos

Our company has a website running on Oracle which I am addressing here as the legacy portal. The employee data is maintained in SAP and we have recently implemented ECM which is currently being performed through the SAP portal.

We want to introduce the SAP portal link in the legacy portal and avoid the scenario where the user is being challenged to login to the portal.

Our legacy portal is PGP ready and the team pretty much wants to use PGP, using which the following will happen.

1. User will login to the legacy portal and click on the link which will direct them to SAP portal

2. We send the user ID and the PGP encrypted password to the SAP portal from the legacy portal

3. Question: How and where do we have to implement the decryption functionality?

4. Question: How is the UID and decrypted PWD going to be used to automatically login to the SAP portal?

Is there a better and, more importantly, simpler workaround to achieve this objective without PGP?

Appreciate your responses.

Thanks,

Prashanth

Edited by: Prashanth Nanjappa on Apr 22, 2010 10:22 PM

Edited by: Prashanth Nanjappa on Apr 22, 2010 10:24 PM

2 REPLIES 2

Former Member
0 Kudos

Your approach has several security design weaknesses in it, particularly relying on the fact that the passwords are the same in different systems, and making them (remotely) decryptable.

How does the user authenticate against the legacy portal and is there a Single-Sign-On technology which both portals support? That is actually what you are looking for, ideally re-authenticating the client user based on a common identity provider service.

System trust-chains are not optimal either, but password-chains are by far the worst option...

Cheers,

Julius
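
The alternative raised in the reply above, vouching for an already-authenticated user instead of forwarding a decryptable password, shown as an added example (not from the thread and not SAP's own mechanism). It is the system-trust pattern: the legacy portal signs a short-lived, single-use assertion of the user ID and the receiving side verifies it. The key, the `sap-portal` audience name and both function names are assumptions for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed demo key; in practice a secret held only by the two portals.
TRUST_KEY = b"constructed-demo-key-not-for-production"
AUDIENCE = "sap-portal"   # hypothetical name for the receiving portal
MAX_AGE = 60              # seconds an assertion stays valid
_seen_nonces = set()      # receiver-side replay cache (in memory for the demo)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def issue_assertion(user_id: str, now=None) -> str:
    """Legacy portal side: vouch for a user who has already logged in."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user_id, "aud": AUDIENCE, "exp": now + MAX_AGE,
              "nonce": secrets.token_hex(16)}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = _b64(hmac.new(TRUST_KEY, body.encode(), hashlib.sha256).digest())
    return body + "." + tag   # carries no password, only a signed user ID


def verify_assertion(token: str, now=None):
    """Receiving side: return the user ID, or None if any check fails."""
    now = int(time.time()) if now is None else now
    try:
        body, tag = token.split(".")
        expected = _b64(hmac.new(TRUST_KEY, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return None       # forged or altered assertion
        claims = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:
        return None           # malformed token
    if claims.get("aud") != AUDIENCE or now >= claims.get("exp", 0):
        return None           # meant for another system, or expired
    if claims.get("nonce") in _seen_nonces:
        return None           # link replayed
    _seen_nonces.add(claims["nonce"])
    return claims.get("sub")
```

A captured link is useless after one use or 60 seconds, and a compromise of the shared key never exposes a user's password, which is the property the password-forwarding design lacks.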

0 Kudos

Julius,

The user has to login to the legacy portal using UID and PWD. There is no SSO technology that the legacy portal supports and we are not ready to implement one yet. But we still need to make the SAP portal available through the legacy portal.

I understand that the security model we are trying to implement is not recommended but we do not have much of an option at this point in time.