cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Different Authentication methods for different interfaces/channels (SOAP) PI 7.11

Former Member

on ‎08-07-2014 7:35 PM

0 Kudos

SAP PI 7.11
Is there a way to have different type of authentication methods for different interfaces (SOAP adapter sender) ?

For instance,

Interface A - Basic Authentication

Interface B - Kerberos/SPNego

Interface C - Digest

All with SOAP Sender Communication Channels.

I have tried to add Basic and SPNego on the authentication stack of the XISOAPAdapter and play around with the different Flags, when I send a request I get a response to use Basic and Negotiate (www-authenticate), but the client always chooses to send a NTLM token instead the user/pass in the header for a Basic auth. I cannot request the clients to force the auth method to basic beacuse they already have thier interfaces in production env.

So I need to know if there is a way to have different auth methods for the same component or maybe I need to find a way to duplicate (custom adapter) SOAP Adapter ??

Thanks in advance.

Federico.

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (3)

Answers (3)

Former Member
‎08-12-2014 2:52 PM
0 Kudos

Hi Federico,

Let me try and save you some pains. I have spend some time on this, and even though SAP hates telling us what it cannot do, I finally got an OSS message confirming that the SAP PO SOAP adapter does NOT support Keberos/SPNegos/NTLM in any way or form.

True, you could consider using the SAP Axis adapter, but beware cause it only support NTLM v1. And any Microsoft server after 2008 (i think) will only allow NTLM v2 - which is not supported by the SAP Axis adapter.

I also got SAP to confirm that when it comes to SOAP, you can only choose between Basic Authentication or Client certificate authentication. The latter being best practice and very secure. But also a bit of a pain, cause it require a more complex governance within the organization, which might not be in place.

Best of luck. And please let me know, if you somehow reach a different conclusion than me.

Regards,

Emil

Show replies
Show replies
Former Member
‎08-12-2014 3:25 PM
0 Kudos

Hello Emil,

  Thank you for your response.

We have SAP PI 7.11 and we did get it to work with SPNego (Kerberos token) for an SSO interface from a .Net web client using an ActiveDirectory User. It was NOT an easy task, but it worked.

The problem we are facing is that when we setup the Authentication Stack for the XISOAPAdapter component in the NWA as instructed by SAP to support BASIC Auth AND SPNego, the old .Net clients that do not FORCE the Basic Auth try to connect with an NTLM Token (and this doesn't work)

After their first request they receive a response from PI with:


www-authenticate: Basic realm="XISOAPApps"

www-authenticate: Negotiate

Then they choose to send NTLM Token instead of the Basic. This very simple to fix, by forcing the .Net client to send Basic or Kerberos. But we can not change the client side as they are in production env. for some time now, and we have over 200 interfaces with several applications, the impact is quite big...if you know what I mean...

So I thought that maybe it was possible to do some Z XISOAPAdapter component parallel to the original and have two different Auth Stacks.

We have opened an OSS with SAP and we are exchanging msgs for some time now. I'll let you all know how this ended...

Regards.

PS: Would be great to read thoughts on this topic ! thx !

Former Member
‎08-13-2014 8:49 AM
0 Kudos

Hi Federico,

Ok , I can see that you have dug deep into this.

I did try at some point to work on the Authnetication and SSO configuration in NWA. My own conclusion was that I just couldnt get it to work with the PO AAE SOAP adapter - i suspect that whole SSO config is closer integrated with the netweaver frontend, where I could get it to work just fine.

If you do get it to work or if SAP provide a solution, I would very much like to hear about it. Cause I am now telling my customers that it is not possible, and I would appreciate a heads up in case I am wrong.

Later,
Emil 

Former Member
‎08-09-2014 2:38 PM
0 Kudos

Hi.

Unless I am mistaken, in SOAP sender communication channel you can`t set authorization method. Basic auth is provided by default. If you`ll find a way to change default method you`ll change it for SOAP adapter completely, but I doubt this feature will ever be provided by SAP.

You can try Axis with handlers.

Regards,

Sergey.

Show replies
Show replies
Former Member
‎08-11-2014 3:59 PM
0 Kudos

I know it can't be done from the communication channel, but maybe from the Authentication Stack ...

Or is there some way to duplicate the Auth Stack for XISOAPAdapter for diferent interfaces?

iaki_vila
Active Contributor
‎08-08-2014 8:00 AM
0 Kudos

Hi Federico,

As far as i know you can use the basic authentication and the digest authentication.

This is possible with the sender AXIS SOAP adapter, you can get it choosing the in the SOAP adapter the transport protocol Servlet Axis.

Please check this link Configuring the Sender Axis SOAP Adapter - Configuring the SOAP Adapter in the Integration Directory...

Regards.

Show replies
Show replies
Former Member
‎08-08-2014 3:15 PM
0 Kudos

No. Maybe I wasn´t clear enough...

We already have 100+ interfaces implemented and running OK in production env. with Basic Auth. Now we need to implement SPNego, so we can't change the auth stack without affecting the already implemented interfaces.

All WebServices (SOAP Sender Adapter).

I know this isn't some simple task, but I was hoping some guru could enlighten me.


There should be some way to have multiple auth methods for the same adapter type.


Thanks in advance.

Ask a Question