on 10-21-2013 11:34 AM
Hi,
We would like to integrate SAP Screen Personas in SAP Portal.
Currently, SSP only supports certificate-based SSO and basic authentication.
Does the roadmap foresee the availability of SAP Logon Tickets SSO in the next versions?
Thanks!
David
Hi,
Thanks for your response.
This note describes general SSO config (with logon tickets) for any ABAP system, but is it also applicable specifically to logon via SAP Screen Personas?
http://scn.sap.com/community/gui/blog/2013/03/18/qa-transcript-from-sap-screen-personas-webinar-3 describes in section "Security" that this option is not (yet?) supported.
There are many ways to authenticate to an ABAP system using built-in methods (certificate or basic auth) or using licensed products from SAP partners. Once authenticated, the SSO2 logon ticket is issued, and this can be accepted by AS ABAP to know the SAP user and client. From my point of view I understand (correct me if I am wrong) that Personas is exposed to the user as an ICF service, so any product that handles authentication of users to ICF services should suffice.
Thanks
Tim
Actually, if you want SSO, then you need to buy a product, either the SAP SSO product or an SSO product from a third party. If you want to use what is provided for free, then you need to find a way to use the client certificate authentication which AS ABAP includes. If you have a PKI and each user already has a certificate, you can use that capability. However, I don't know many companies that do this, so I think you will find you cannot do what you want without buying a product. I would recommend you use a product which doesn't use certificates and uses Kerberos instead, so that you can benefit from Active Directory being a Kerberos authentication server. I assume that most users log on to Active Directory when they log on to their workstation, and then they want to log on to Personas (and other apps) without being asked for credentials.
Nicholas,
No, I am not a Basis Consultant. I work for a company that develops and sells authentication products for SAP business applications. This is how I know so much about authentication.
Please note that if you use the portal to authenticate the user, when the SSO2 ticket is sent to the ABAP system, it will not be protected, so it can be intercepted by somebody and used to log on as them. So, this method is not the most secure approach. Also, as the logon ticket is issued by the Java stack, it won't have a SAP client in it, so if you want to use this method to log on to multiple SAP clients on the ABAP stack it won't be easy.
Thanks
Tim