
ABAP Web Service provider - customize WS Security token consumption

Former Member
0 Kudos

Hi,

is it possible to customize the processing of inbound WS Security tokens in AS ABAP?

Using a Web Service engine in Java based systems there are often plug points where custom code can be called in order to

- extract a security token from a message

- process the security token (e.g. validate / verify the token)

- log on the user (using JAAS)

This would allow things such as custom WS Security tokens or identity assertion.

I am particularly looking for a way for identity assertion: Assume a Web Service provider would be able to validate trust between itself and a caller (e.g. by a username and password in a signed Username token). The provider can allow the trusted callee to assert an identity under which the provider code is to be executed. This is happening in SAML or when using X.509 certificates over an SNC connection, however, I have no idea how I would achieve the same using custom security tokens or a second Username token in the same message ....

Any thoughts?

Jens

3 REPLIES 3

0 Kudos

Hi Jens,

Custom token validation is supported neither in AS Java nor in AS ABAP.

Thoughts: I agree it could be helpful for specific tokens like customizing the validation/creation of a SAML assertion for example. As a SAML assertion is extensible by definition, this way you would stay on the WS-*-"standards-track" rather than having something proprietary.

Regards,

Mathias

0 Kudos

Hello Mathias,

thanks a lot for your answer.

Is the conclusion then that the only way of asserting an identity to AS ABAP using SOAP/HTTP is SAML?

By "asserting an identity" I mean that a source system - which is not in possession of an end user's credentials - can tell a target system to execute code on behalf of this end user. The target system trusts the source system and does not validate the end user's credentials.

Using SNC, something like this is possible using X.509 certificates. An ABAP system does not validate if the client is in possession of a matching private key. It trusts the client because of the SNC connection and allows identity assertion.

I agree that SAML assertions are a good way for asserting identities. I am just trying to explore the possible choices.

Where would I find the most readable documentation about AS ABAP's support for SAML (for SOAP)?

Regards,

Jens

0 Kudos

Yes, SAML is the way to have standards-based Single Sign-On to SAP Web Services.

A good starting point on how to configure SAML in various scenarios is our SDN WIKI:

Single Sign on for Web Services

http://wiki.sdn.sap.com/wiki/display/Security/SingleSignonforWeb+Services