01-11-2012 8:02 AM
Hi,
we are running an application in WebDynpro ABAP on NW 7.31.
The application shall be usable by everyone in the company with minimal effort. Everyone has a client certificate installed in their browsers and we want to do pretty much SSO using the X509 certificates.
But as far as I understand, this works only once a user account has been created with the correct information (OU, CN etc. specified). Is there any way we can get around this and avoid the manual user creation process? Ideally, we want every user to visit our site and to be logged in on the first visit already.
Licensing is not an issue and security is also secondary... it is just essential to be as low effort as possible for the end-user to get into our application and to still be somehow "distinguishable" (not completely anonymous). It would be also sufficient if the application runs under a generic user account, but somehow we would need to understand the user ID from the certificate. In other programming languages / web servers this should not be very complex, but I just don't find a way in AS ABAP.
Regards,
Bruno
01-11-2012 12:24 PM
Hi,
Here is just an idea from what I did for a somewhat similar requirement.
Hundreds of users had to call a BSP application in an R/3 4.7 system. It was not possible to create a SAP R/3 account for these people, but we wanted to control who was allowed to access the BSP and we wanted to know who used the BSP.
Here is my workaround.
The SAP BSP application runs with a generic user configured in SICF.
There is a SAP Web Dispatcher in front of SAP R/3 for HTTP load balancing.
We installed IIS web servers doing NTLM authentication and we programmed a small ASP application.
The URL for the application is answered by the IIS ASP application.
The IIS servers use NTLM to authenticate the Windows user and check if this user is part of the Windows group authorised to run the application.
The IIS application calls a special login BSP on R/3 which sends a specific unencrypted cookie.
The IIS application sends a redirect to the user browser and the cookie.
The URL from the redirect calls the BSP application with the windows user as a parameter and sends the cookie to the BSP application.
The BSP application checks the cookie and if it is OK, displays the application for the user.
The SAP web dispatcher filters the access to the login BSP with the IP addresses of the IIS servers.
The SAP web dispatcher creates a special HTTP log file which contains the Windows user of the BSP application.
This workaround is kind of tricky but has been running successfully productively for 5 years with 500 users.
Hope this helps.
Olivier
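The IIS to BSP handoff described above, as an added Python sketch (not code from the thread or from SAP): both sides of the exchange, with an HMAC-bound token swapped in for the unencrypted cookie so the Windows user parameter cannot be changed between the redirect and the application BSP; the URL, the shared secret and the cookie name are constructed for this example.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Secret shared by the front-end (the IIS/ASP application in the post) and the
# login BSP; a constructed value for this example only.
SHARED_SECRET = b"constructed-demo-secret"
TOKEN_TTL_SECONDS = 300


def issue_login_token(windows_user: str, now: int, secret: bytes = SHARED_SECRET) -> str:
    """Login-BSP side: the value the post calls the 'special cookie'.
    Swapped in for the unencrypted cookie: an HMAC over user and expiry, so the
    application BSP can check that the user parameter was not altered in transit."""
    expires = now + TOKEN_TTL_SECONDS
    msg = f"{windows_user}|{expires}".encode()
    return f"{windows_user}|{expires}|{hmac.new(secret, msg, hashlib.sha256).hexdigest()}"


def build_redirect(windows_user: str, token: str,
                   app_url: str = "https://webdisp.example/sap/bc/bsp/sap/zapp") -> tuple:
    """IIS side: 302 to the application BSP with the Windows user as a URL parameter
    and the token as a cookie, mirroring the two-part handoff in the post."""
    location = app_url + "?" + urlencode({"winuser": windows_user})
    return 302, {"Location": location,
                 "Set-Cookie": f"bsplogin={token}; Secure; HttpOnly"}


def verify_request(winuser_param: str, cookie_value: str, now: int,
                   secret: bytes = SHARED_SECRET) -> bool:
    """Application-BSP side: accept only if the cookie is intact, unexpired and
    names the same user as the URL parameter."""
    parts = cookie_value.split("|")
    if len(parts) != 3:
        return False
    user, expires, mac = parts
    expected = hmac.new(secret, f"{user}|{expires}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return False
    return user == winuser_param and now < int(expires)
```

The IP filter on the Web Dispatcher from the post still applies in front of the login BSP; the token only adds integrity to the user claim that travels with the redirect.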
01-11-2012 12:28 PM
In your case, it might be possible to run the application with a generic ABAP user but to extract the user from the X.509 certificate and to generate an HTTP log file containing the user.
Olivier
01-11-2012 3:33 PM
Hi Olivier,
That would be a perfect solution for me. I wonder, though, how I can get to the X509 certificate from ABAP coding.
Regards,
Bruno
01-11-2012 5:14 PM
Hi Bruno,
I've never worked on the subject, but I would try it this way:
Use a SAP Web Dispatcher in front of the ABAP system and use it to terminate the SSL connection.
Use the web dispatcher parameter icm/HTTPS/client_certificate_header_name to send the client certificate in a header field.
Then set an HTTP log file on the ABAP ICM using the LOGFORMAT option with the parameter %i (name of a request header field, e.g. %{user-agent}i).
Check http://help.sap.com/saphelp_nw73ehp1/helpdata/en/48/442541e0804bb8e10000000a42189b/frameset.htm for details.
Good luck because I don't know if my idea is good...
Regards,
Olivier
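To show what the logged header field gives you once Olivier's setup is in place, here is an added Python example (not code from the thread or from SAP) that pulls the subject CN out of the certificate field of an ICM access log line. It assumes the Web Dispatcher forwards the certificate base64-encoded (DER) in the named header and that the LOGFORMAT puts that header field last on the line; the sample certificate is a minimal constructed stand-in that the block builds itself, not a real certificate.

```python
import base64
from typing import Iterator, Optional, Tuple

OID_COMMON_NAME = bytes.fromhex("550403")   # id-at-commonName (2.5.4.3)


def der_elements(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk the top-level DER TLVs in data, yielding (tag, value)."""
    i = 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:                        # long-form length
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length


def subject_cn(cert_der: bytes) -> Optional[str]:
    """Return the subject CN of a DER-encoded certificate, or None if there is none."""
    _, cert = next(der_elements(cert_der))       # Certificate SEQUENCE
    _, tbs = next(der_elements(cert))            # tbsCertificate SEQUENCE
    fields = list(der_elements(tbs))
    if fields[0][0] == 0xA0:                     # optional explicit [0] version
        fields = fields[1:]
    _, subject = fields[4]                       # serial, sigAlg, issuer, validity, subject
    for _, rdn in der_elements(subject):         # each RDN is a SET OF AttributeTypeAndValue
        for _, atv in der_elements(rdn):
            (_, oid), (_, value) = list(der_elements(atv))[:2]
            if oid == OID_COMMON_NAME:
                return value.decode("utf-8")
    return None


def user_from_log_line(line: str) -> Optional[str]:
    """Assumption: the forwarded certificate is the last, base64 field of the log line."""
    return subject_cn(base64.b64decode(line.rsplit(" ", 1)[1]))


# --- constructed sample input: a minimal stand-in, not a real certificate ---
def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag, len(body)]) + body        # short-form lengths only (< 128 bytes)

def name(cn: str) -> bytes:
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, OID_COMMON_NAME) + tlv(0x0C, cn.encode()))))

def sample_cert(cn: str) -> bytes:
    sig_alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")))   # sha256WithRSA
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + sig_alg + name("Corp CA")
              + tlv(0x30, tlv(0x17, b"120101000000Z") + tlv(0x17, b"130101000000Z")) + name(cn))
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00\xde\xad\xbe\xef"))   # dummy signature

SAMPLE_LOG_LINE = ('10.0.0.7 - - [11/Jan/2012:08:02:00 +0100] "GET /sap/bc/webdynpro/sap/zapp HTTP/1.1" 200 '
                   + base64.b64encode(sample_cert("bruno")).decode())
```

The CN is only as trustworthy as the TLS termination that produced it: the ABAP system must accept the header from the Web Dispatcher alone, otherwise any client could supply its own value.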
01-11-2012 6:44 PM
In this case all you want is authenticated access with generic authorizations. Why not use a self-registration scenario? (see the documentation on FM BAPI_USER_CREATE1).
If the user does not exist, then the user ID is created and assigned a generic reference user with limited access to use the application, or sufficient to request more correct access.
"Licensing is not an issue and security is also secondary..."
Or make a public anonymous service out of it?
Cheers,
Julius
01-11-2012 8:19 PM
Hi Julius,
thanks for the input. I thought a little more about the issue today and think that I was a little on the wrong track.
Probably it is better to have the user account either auto-created via LDAP sync or by some kind of simple self-registration, like you mentioned. Basically I just need to get a user account into the system that will be mapped to the user's client certificate. My goal is to make use of the client certificate so as to reduce the complexity for end users to register. Some experiments are still necessary, but I already have good hints.
Regards,
Bruno
01-11-2012 8:26 PM
Out of curiosity, how many users do you have?
Also, have you considered SAML instead?
Cheers,
Julius
01-11-2012 8:32 PM
Potentially thousands... and somewhat fewer if it is complex to register.
About SAML: No, I didn't, and actually I do not have any clue what exactly this is or does. But I will read about it now. Thanks!