Can a .Net application get the LogonTicket of an authenticated portal SSO scenario?

Former Member
0 Kudos

A customer uses a portal with SSO from Windows clients. At the Windows client the users log in to an AD domain, and in the browser they authenticate themselves at the portal and work the whole day with this authentication. Now, he will use my application. This is a .Net application and it uses the .NetConnector (nco 3.0) for SAP communication. At the moment, it has its own login for the nco. The customer asks me why it doesn't use the existing Logon Ticket. The answer is, I don't know how.

Is it possible to get the LogonTicket in my standalone app, can I use it in the nco (MYSAPSSO2 parameter), and if yes, how can I get it?

Many thanks in advance

1 ACCEPTED SOLUTION

mvoros
Active Contributor
0 Kudos

Hi,

This should be possible. I have done something similar multiple times before. The latest one was an HTML app that had a custom logon screen. The users entered their username/password. The application server passed it to SAP portal via HTTP parameters. If everything was OK, the portal issued an SSO cookie that was used for some subsequent calls. It was a workaround to avoid a proper implementation of SSO. The only missing part is to figure out how your standalone app can reuse AD credentials of a user that is running the app. I can't help you with that, but I am pretty sure there must be an API for that.

Cheers

4 REPLIES 4

Christian_Cohrs
Product and Topic Expert
0 Kudos

Hi,

From a security and usability perspective, the best solution would be to re-use the Windows authentication (the Kerberos ticket) also for your SNC connection to the backend. However, this requires an SNC-capable SSO product such as SAP Single Sign-On.

Logon tickets are no longer recommended for new implementations, as mentioned in OSS note 2117110.

Best regards,

Christian

0 Kudos

Thank you for your reply.

Our customer won't use SNC for whatever reason. The OSS note says what I shouldn't do but what I can do instead is very wishy-washy. Do you have a suggestion of a forum where I can get detailed information?

0 Kudos

SNC is the best solution for this, using an SNC library that has Kerberos support so you can use the credentials of the user at the .net application server (delegated). This is actually very easy, very secure and common. I have helped at least 20 or 30 companies implement exactly this, and never had any issues with it. Also, there is a bonus since the session between the .net server and back-end SAP system can be encrypted, after the authentication is complete.
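
Added example, not code from any poster in this thread: a small C# check over RFC destination parameters that contrasts an application-owned login with the SNC setup recommended above. The keys are the standard RFC connection parameter names (the thread itself names MYSAPSSO2); the host, user and SNC partner values are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;

static class DestinationAudit
{
    // Reviews one set of RFC destination parameters and returns findings.
    public static List<string> Check(IDictionary<string, string> p)
    {
        var findings = new List<string>();
        if (p.ContainsKey("PASSWD"))
            findings.Add("PASSWD: the application keeps its own SAP login");
        if (p.ContainsKey("MYSAPSSO2"))
            findings.Add("MYSAPSSO2: logon ticket, not recommended for new implementations");

        p.TryGetValue("SNC_MODE", out var mode);
        if (mode != "1")
        {
            findings.Add("SNC_MODE is not 1: no SNC-based SSO and no SNC encryption");
            return findings;
        }
        if (!p.ContainsKey("SNC_PARTNERNAME"))
            findings.Add("SNC_PARTNERNAME missing: the backend's SNC name must be set");

        // SNC_QOP: 1 = authentication only, 2 = integrity, 3 = privacy (encrypted),
        // 8 = use the default, 9 = maximum available.
        p.TryGetValue("SNC_QOP", out var qop);
        if (qop == "1" || qop == "2")
            findings.Add("SNC_QOP=" + qop + ": session is authenticated but not encrypted");
        else if (qop != "3" && qop != "9")
            findings.Add("SNC_QOP unset or 8: protection level left to defaults, set 3 or 9");
        return findings;
    }

    static void Main()
    {
        // Constructed sample destinations; host and SNC names are placeholders.
        var ownLogin = new Dictionary<string, string> {
            ["ASHOST"] = "sap.example.internal", ["SYSNR"] = "00", ["CLIENT"] = "100",
            ["USER"] = "APPUSER", ["PASSWD"] = "<secret>" };
        var snc = new Dictionary<string, string> {
            ["ASHOST"] = "sap.example.internal", ["SYSNR"] = "00", ["CLIENT"] = "100",
            ["SNC_MODE"] = "1", ["SNC_QOP"] = "3",
            ["SNC_PARTNERNAME"] = "p:CN=EXAMPLE-BACKEND" };

        foreach (var dest in new[] { ownLogin, snc })
        {
            var f = Check(dest);
            Console.WriteLine(f.Count == 0 ? "OK" : string.Join(Environment.NewLine, f));
        }
    }
}
```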