Application Development Discussions
SSO to third party in EP 7.0 (SP-21)

Former Member

Folks,

Could you please advise if we can do SSO to third party vendor using SAML/SAP logon Ticket in EP 7.0 (SP-21).

Let me explain a bit: We have EP 7.0 (SP-21); after initial logon to the portal we can access backend SAP ECC6/BI applications (WebDynpro/ITS..). We would like to bring a few third party vendor applications into the Portal (content area) with single sign-on using SAML/SAP logon Ticket.

I had a chance to look into this presentation:

2009 SIM201 Next Generation SSO for SAP Applications with SAML 2.0

http://www.sdn.sap.com/irj/scn/shop?rid=/media/uuid/106df189-4d83-2c10-82a4-c0643a8bf57b

It talks about EP 7.2. Can you advise if we can do SSO to a third party vendor using SAML/SAP logon Ticket in EP 7.0 (SP-21)?

Thanks in advance.

Moin.


mvoros
Active Contributor

Hi,

What exactly do you mean by SAML/SAP logon Ticket? There are multiple options for SSO. If the 3rd party application can consume an SAP logon ticket (a cookie digitally signed by the SAP portal) then it shouldn't be a problem at all. I am not sure if SAML 2.0 is supported in 7.0. There is also the option of SSO with user ID and password. Basically, the portal maps the user and enters the user ID and password on behalf of the user.

Cheers

Former Member

Thanks Martin...

Actually I am exploring the possibilities of using SAML or using the MYSAPSSO2 cookie.

The user ID/password mapping does not seem to be an option as we have to bring in about 15 different internal and external applications with different user IDs.

I am more inclined to use SAML (any version: 1.0, 1.1 or 2.0) to do SSO with our vendor application, if we can. We have a corporate SAML infrastructure in place. I created a URL iView pointing to our corporate "Identity Provider"; it redirects to the "Service Provider", but instead of logging me in it presents the logon screen. However, if I change the property to "Display in external window" it launches the popup window and it works fine. It does not work within the portal content area.

Any ideas how we can accomplish this, or advise if this is not the right approach at all. If you can help with a link to any resource that would be much appreciated.

Thanks in advance.

mvoros
Active Contributor

MYSAPSSO2 is not a standard. SAP provides a library which you can use to parse the MYSAPSSO2 cookie. In your case I doubt that all 15 different applications support MYSAPSSO2, or that you can modify their authentication mechanism to support the MYSAPSSO2 cookie.

Definitely, SAML is the way to go. It's a standard and it's recommended by SAP. But I am not sure how well it is supported in EP 7.0. You can try to search for release specific documentation and see what your options are.

I've seen a presentation about using a proxy as a workaround for legacy applications. For example you could put a proxy in front of the 3rd party application and it would verify the MYSAPSSO2 cookie and create a SAML assertion.

Cheers
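The proxy idea in the reply above, as an added example that is not part of the original thread or of any SAP product: a translating proxy verifies the portal's signed ticket cookie before trusting anything in it, then issues a SAML 2.0 assertion for the vendor application. The ticket format here is an assumption: a real MYSAPSSO2 ticket is signed by the portal's key pair and must be verified against the portal certificate with SAP's ticket library, so a JSON payload with an HMAC over a constructed shared secret stands in for it. The assertion the code builds is unsigned; a real proxy must XML-DSig-sign it (for example with pysaml2 or xmlsec) before a service provider would accept it.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml2", SAML2_NS)

# Assumption: stand-in for the portal's ticket signing key. The real ticket is
# verified with the portal certificate; the HMAC only models "signed by the
# portal, checked by the proxy".
PORTAL_SECRET = b"constructed-shared-secret"


def _iso(ts):
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts))


def make_ticket(user, now=None, valid_secs=3600):
    """Issue a constructed ticket cookie: base64(json_payload '.' hex_hmac)."""
    now = int(time.time() if now is None else now)
    payload = json.dumps({"user": user, "iat": now, "exp": now + valid_secs}).encode()
    sig = hmac.new(PORTAL_SECRET, payload, hashlib.sha256).hexdigest().encode()
    return base64.urlsafe_b64encode(payload + b"." + sig).decode()


def verify_ticket(cookie, now=None):
    """Return the user ID if the ticket is authentic and inside its validity
    window, otherwise None. The signature is checked before the payload is read."""
    try:
        payload, sig = base64.urlsafe_b64decode(cookie.encode()).rsplit(b".", 1)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(PORTAL_SECRET, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, sig):
        return None
    try:
        data = json.loads(payload)
        iat, exp, user = int(data["iat"]), int(data["exp"]), str(data["user"])
    except (ValueError, KeyError, TypeError):
        return None
    now = time.time() if now is None else now
    if not (iat <= now < exp):
        return None
    return user


def tamper(cookie, old_user, new_user):
    """Rewrite the user in a ticket without re-signing: shows why verify_ticket
    must check the signature before trusting the payload."""
    payload, sig = base64.urlsafe_b64decode(cookie.encode()).rsplit(b".", 1)
    payload = payload.replace(old_user.encode(), new_user.encode())
    return base64.urlsafe_b64encode(payload + b"." + sig).decode()


def build_assertion(user, issuer, audience, now=None, lifetime=300):
    """Build an (unsigned) SAML 2.0 Assertion for `user`, valid for `lifetime`
    seconds and restricted to `audience`; signing is left to the deployment."""
    now = time.time() if now is None else now
    tag = lambda name: f"{{{SAML2_NS}}}{name}"
    assertion_id = "_" + hashlib.sha256(f"{user}{now}".encode()).hexdigest()[:32]
    a = ET.Element(tag("Assertion"), {"Version": "2.0", "ID": assertion_id,
                                      "IssueInstant": _iso(now)})
    ET.SubElement(a, tag("Issuer")).text = issuer
    subj = ET.SubElement(a, tag("Subject"))
    ET.SubElement(subj, tag("NameID"),
                  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").text = user
    cond = ET.SubElement(a, tag("Conditions"),
                         NotBefore=_iso(now), NotOnOrAfter=_iso(now + lifetime))
    aud = ET.SubElement(cond, tag("AudienceRestriction"))
    ET.SubElement(aud, tag("Audience")).text = audience
    return ET.tostring(a, encoding="unicode")


def translate(cookie, issuer, audience, now=None):
    """Proxy decision: ("assertion", xml) for a valid ticket, otherwise
    ("login", None), meaning redirect the browser to the portal to obtain one."""
    user = verify_ticket(cookie, now)
    if user is None:
        return ("login", None)
    return ("assertion", build_assertion(user, issuer, audience, now))


def subject_of(assertion_xml):
    """Parse the NameID back out of an assertion (used to check the output)."""
    root = ET.fromstring(assertion_xml)
    return root.find(f"{{{SAML2_NS}}}Subject/{{{SAML2_NS}}}NameID").text
```

The assertion carries a short validity window and an AudienceRestriction naming the vendor's service provider, so a captured assertion cannot be replayed against a different vendor or much later; the ticket check uses a constant-time comparison and rejects the cookie before any of its content is parsed as trusted.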

Former Member

Thanks Martin...

At the moment I am looking into the release specific options. Let's see what we have in store for EP 7.0.

Meanwhile, if possible, can you send me the link for the presentation you just mentioned? That will be great!!!

Thanks.

Moin.

mvoros
Active Contributor

I can't find it. But as far as I remember it was a university in Europe (maybe Belgium or the Netherlands) and I think their use case was a bit different. They had a legacy SAP system without support for SAML but were moving towards SAML. So they put a proxy in front of SAP which converted SAML into the SAP logon cookie.

Cheers

Former Member

I think this discussion is fairly futile until you know (and tell us...) which authentication mechanisms your 15 applications support.

What happens when one of them only uses NTLM or a local password routine?

At least with SAML you can make the bet that any application developer or vendor with serious intentions would make it compliant.

Why are you wanting to extract data from a SAML assertion to send a SAP Logon Ticket? I thought the non-SAP apps are your problem?

Cheers,

Julius

former_member182254
Active Participant

Hi Moin,

EP 7.0 does not support SAML 2, neither as Service Provider (consume assertions) nor as Identity Provider (issue assertions). If you want to have SSO from EP to 3rd party systems using SAML 2 I would recommend using a CE 7.2 add-on system. This add-on system could trust the EP and convert the SAP Logon Ticket (MYSAPSSO2 cookie) issued by it to a SAML 2 assertion and send it to a 3rd party system. If such a solution with an add-on system would work for you I could provide you further technical details.

Regards,

Dimitar


Hi Dimitar,

I have a third-party application which provides a SAML2 ticket, and I want to realize SSO to NetWeaver 7.3.

If the user is not registered with the SAML ticket on NetWeaver 7.3, there will need to be a registration dialogue. How can I do that?

Best regards Oliver


Hi Oliver,

First, you are hijacking a thread, which is not nice. You should be able to define a redirect for when authorization fails. So you redirect to an app that will allow an anonymous user to request an account. Not sure where the configuration is in Java AS. It's in SICF in ABAP AS.

Cheers


Hi Oliver,

You have the following options:

1. The user exists in NW 7.3 but has a different user ID than the one in the SAML2 assertion provided by the 3rd party system

For this check the following documentation link: [documentation about out-of-band account linking|http://help.sap.com/saphelp_nw73/helpdata/en/a9/e287475d544cdaa63e884180d6c23f/frameset.htm]

- if the email is available on both systems (the one that issues the assertion and NW 7.3) then try to use the Email NameID format

- you may also maintain the user mapping in NW 7.3 in an additional user attribute

2. Same as #1 but you want that the user links both accounts when first logged in with SAML2

For this check the following documentation link: [documentation about interactive account linking|http://help.sap.com/saphelp_nw73/helpdata/en/97/4e80f86ccb43419a545c672a6bb2e3/frameset.htm]

3. The user has no account on NW 7.3 and one has to be created on the fly based on the information (assertion attributes) in the assertion (automatic account creation)

For this check the following documentation link: [documentation about automatic account creation|http://help.sap.com/saphelp_nw73/helpdata/en/97/4e80f86ccb43419a545c672a6bb2e3/frameset.htm]

4. Use temporary in-memory users

For this check the following documentation link: [documentation about identity federation with transient users|http://help.sap.com/saphelp_nw73/helpdata/en/fd/ecb2b33922414e8ad01763c84b3349/frameset.htm]

Could you provide more details about your scenario and which option seems to be relevant to it? Once we can identify which one is relevant we can discuss further details.

Regards,

Dimitar
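The four options listed in the reply above, as an added example that is not part of the original thread and not the NetWeaver UME implementation: a service-provider-side resolver that takes an already signature-verified SAML 2 assertion and decides between an existing account (matched on an email NameID or on a previously linked federation ID held in a user attribute), interactive account linking, automatic account creation from assertion attributes, or a transient in-memory user. The user store, the "fed_id" attribute, the attribute names `uid` and `email`, and the policy values are assumptions for the example.

```python
from dataclasses import dataclass, field

EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
TRANSIENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"


@dataclass
class Assertion:
    """The parts of an already-verified assertion the resolver needs."""
    issuer: str
    name_id: str
    name_id_format: str
    attributes: dict = field(default_factory=dict)


class UserStore:
    """Constructed stand-in for the local user management (the UME in NW 7.3):
    users keyed by ID, each with an email and an optional linked federation ID
    (issuer, NameID) kept in an additional attribute."""

    def __init__(self):
        self.users = {}

    def add(self, uid, email, fed_id=None):
        self.users[uid] = {"email": email, "fed_id": fed_id}

    def by_email(self, email):
        return next((uid for uid, u in self.users.items()
                     if u["email"].lower() == email.lower()), None)

    def by_federation_id(self, issuer, name_id):
        return next((uid for uid, u in self.users.items()
                     if u["fed_id"] == (issuer, name_id)), None)


def complete_link(store, uid, assertion):
    """Interactive linking, step 2: called after the user has authenticated
    locally on the linking page; stores the federation ID on the local account."""
    store.users[uid]["fed_id"] = (assertion.issuer, assertion.name_id)


def resolve(assertion, store, policy, trusted_issuers):
    """Map an assertion to a local session.

    policy is the SP-side configuration for users that cannot be matched:
    "interactive" (option 2), "auto_create" (option 3) or "transient" (option 4).
    Returns (status, user_id) with status in
    {"logged_in", "link_required", "transient", "rejected"}.
    """
    # Never provision or link from an issuer the SP does not trust.
    if assertion.issuer not in trusted_issuers:
        return ("rejected", None)

    # Option 1: out-of-band linking, i.e. the account already exists and is
    # found by email NameID or by a previously maintained federation ID.
    uid = None
    if assertion.name_id_format == EMAIL_FORMAT:
        uid = store.by_email(assertion.name_id)
    if uid is None:
        uid = store.by_federation_id(assertion.issuer, assertion.name_id)
    if uid is not None:
        return ("logged_in", uid)

    # Option 4: temporary in-memory user; nothing is persisted, and a transient
    # NameID is different on every login so there is nothing to link anyway.
    if policy == "transient" or assertion.name_id_format == TRANSIENT_FORMAT:
        return ("transient", f"transient:{assertion.issuer}:{assertion.name_id}")

    # Option 2: send the user to a linking page; complete_link() runs after
    # they prove ownership of the local account.
    if policy == "interactive":
        return ("link_required", None)

    # Option 3: create the account from assertion attributes. Refuse rather
    # than create a half-populated user when the attributes are missing.
    if policy == "auto_create":
        uid, email = assertion.attributes.get("uid"), assertion.attributes.get("email")
        if not uid or not email or uid in store.users:
            return ("rejected", None)
        store.add(uid, email, fed_id=(assertion.issuer, assertion.name_id))
        return ("logged_in", uid)

    return ("rejected", None)
```

The `link_required` outcome is the place where the registration dialogue asked about above would hang: the SP redirects there instead of showing the plain logon screen, and the assertion's NameID is only written to the local account once the user has authenticated locally.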