
SSO via SAP Logon Tickets

s0007226202
Participant
0 Kudos

Hi,

We would like to integrate SAP Screen Personas in SAP Portal.

Currently, SSP only supports certificate-based SSO and basic authentication.

Does the roadmap foresee the availability of SAP Logon Tickets SSO in the next versions?

Thanks!

David

Accepted Solutions (0)

Answers (1)

Sriram2009
Active Contributor
0 Kudos

Hi

Kindly refer to SAP Note 701205 - Single Sign-On using SAP Logon Tickets

Regards

Sriram

s0007226202
Participant
0 Kudos

Hi,

Thanks for your response.

This note describes general SSO config (with logon tickets) for any ABAP system, but is it also applicable specifically to logon via SAP Screen Personas?

http://scn.sap.com/community/gui/blog/2013/03/18/qa-transcript-from-sap-screen-personas-webinar-3 describes in section "Security" that this option is not (yet?) supported.

PeterSpielvogel
Product and Topic Expert
0 Kudos

SSO via Logon Tickets works in Personas now. We have customers that are currently using this mechanism.

Former Member
0 Kudos

Hi Peter,

Glad to know it works!

Do you have any clues to help us achieve this setting?

Thanks in advance.

KR,

Clement

0 Kudos

Do you know how they set up SSO logon tickets for Personas?

tim_alsop
Active Contributor
0 Kudos

There are many ways to authenticate to an ABAP system using built-in methods (certificate or basic auth) or using licensed products from SAP partners. Once authenticated, the SSO2 logon ticket is issued, and this can be accepted by AS ABAP to know the SAP user and client. From my point of view I understand (correct me if I am wrong) that Personas is exposed to the user as an ICF service, so any product that handles authentication of users to ICF services should suffice.

Thanks

Tim

0 Kudos

Thanks Tim. Do you know if there are any resources detailing how to set up Personas SSO using standard SAP? I.e. not third-party products.

tim_alsop
Active Contributor
0 Kudos

Actually, if you want SSO, then you need to buy a product, either the SAP SSO product or an SSO product from a third party. If you want to use what is provided for free, then you need to find a way to use the client certificate authentication which AS ABAP includes. If you have a PKI and each user already has a certificate, you can use that capability. However, I don't know many companies that do this, so I think you will find you cannot do what you want without buying a product. I would recommend you use a product which doesn't use certificates and uses Kerberos instead, so that you can benefit from Active Directory being a Kerberos authentication server. I assume that most users log on to Active Directory when they log on to their workstation, and then they want to log on to Personas (and other apps) without being asked for credentials.

0 Kudos

Do you know if it is possible to implement Personas SSO via an SAP portal? We SSO to our ECC systems through the portal, so it may be possible to do this for Personas.

tim_alsop
Active Contributor
0 Kudos

Yes, you can log on to the portal, and the portal will issue an SSO2 ticket which you can use to log on to Personas on the ABAP stack.

0 Kudos

Thanks again Tim. You've been very helpful. Are you a Basis Consultant?

tim_alsop
Active Contributor
0 Kudos

Nicholas,

No, I am not a Basis Consultant. I work for a company that develops and sells authentication products for SAP business applications. This is how I know so much about authentication.

Please note that if you use the portal to authenticate the user, when the SSO2 ticket is sent to the ABAP system, it will not be protected, so it can be intercepted by somebody and used to log on as them. So, this method is not the most secure approach. Also, as the logon ticket is issued by the Java stack, it won't have an SAP client in it, so if you want to use this method to log on to multiple SAP clients on the ABAP stack, it won't be easy.

Thanks

Tim
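
A defender-side check for the exposure raised in the post above, added here as an example that is not part of the original thread: it audits the `Set-Cookie` headers a portal returns at logon and reports when the logon ticket cookie is issued over plain HTTP, lacks the `Secure` or `HttpOnly` attribute, or is scoped to a whole domain. It assumes the ticket travels in the standard `MYSAPSSO2` cookie; the host names, URLs and header lines are constructed sample data.

```python
from urllib.parse import urlsplit

TICKET_COOKIE = "MYSAPSSO2"  # assumed: standard cookie name carrying the SSO2 logon ticket

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs) with lowercase attribute keys."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def audit_ticket_cookie(issuer_url, set_cookie_headers):
    """Return findings for the logon ticket cookie; an empty list means nothing to report."""
    url = urlsplit(issuer_url)
    host = url.hostname or ""
    findings = []
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        if name != TICKET_COOKIE:
            continue
        if url.scheme.lower() != "https":
            findings.append("issued-over-http")       # ticket readable on the wire
        if "secure" not in attrs:
            findings.append("missing-secure")         # browser may replay it over http
        if "httponly" not in attrs:
            findings.append("missing-httponly")       # readable by page scripts
        domain = attrs.get("domain", "").lstrip(".")
        if domain and domain != host:
            findings.append("domain-scope:" + domain) # sent to every host under this domain
    return findings

# Constructed sample responses (not captured from a real system).
WEAK = ("http://portal.example.com/logon",
        ["JSESSIONID=abc123; Path=/; HttpOnly",
         "MYSAPSSO2=CONSTRUCTED-TICKET==; Path=/; Domain=.example.com"])
HARDENED = ("https://portal.example.com/logon",
            ["MYSAPSSO2=CONSTRUCTED-TICKET==; Path=/; Domain=portal.example.com; Secure; HttpOnly"])

if __name__ == "__main__":
    for url, headers in (WEAK, HARDENED):
        print(url, audit_ticket_cookie(url, headers) or "no findings")
```

A `domain-scope` finding is informational: the ticket has to reach the ABAP host as well as the portal, so review which hosts fall under that domain instead of treating it as an error.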

belezyc
Explorer
0 Kudos

Thanks for sharing your knowledge Tim. Very helpful!

KR,

Clement