Application Development Discussions
SSO: ITS

Former Member
0 Kudos

Hello,

We are trying to set up SSO for an SAP system. Our architecture looks like this:

3rd party logon mechanism(via web) --> ITS --> Web Dispatcher --> WAS (BSP's)

We did extensive research and found that ITS might enable us to do that. But we are not clear if SNC is a must (which we don't want to do). The documentation is not clear. The current URL without SSO points to the Web Dispatcher, which gets us the BSP pages from the WAS.

Following is what we want to achieve:

1. Users will log on to the 3rd party logon mechanism via web (the software is installed with Apache 2.0).

2. Once users are authenticated, we need to pass the ID via HTTP header or any other method available to log on to SAP BSP pages.

Currently users can logon to 3rd party software which redirects to the BSP application and requests user id and password.

We are wondering if anyone has done this sort of setup.

Thanks,

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Couple of questions:

1. What version are you on?

2. What's the third party authentication tool you use?

In NetWeaver, settings can be accommodated to allow third party authentication tools like SiteMinder to pass the login information as header information.

There are quite a few settings at NetWeaver level to enable the HeaderVariableLoginModule. This has to be done using the Visual Admin tool.

Steps

1. Include the header variable class

2. Add this header module to the authentication ticket.

Include the header variable class
In the Visual Administrator, choose Security Provider.

Choose the User Management tab and choose Manage Security Stores.

The currently active user store and the login modules for that user store are displayed.

Choose Add Login Module.

A dialog box prompting you to choose an editor for the login module option appears.

Choose OK.

A dialog box prompting you to add a login module appears.

Fill in the fields as follows:

Class Name: com.sap.security.core.server.jaas.HeaderVariableLoginModule

Display Name: HeaderVariableLoginModule

Choose OK.

The HeaderVariableLoginModule now appears in the list of login modules for the active user store.

This is case sensitive.

Add this header module to the authentication ticket.
In the Visual Administrator, choose Security Provider.

Choose Policy Configurations -> Authentication.

For each template or application that is to support header variable authentication:

Add the login module HeaderVariableLoginModule to the login module stack.

Set the option Header to the name of the header variable that contains the user ID. The default value is REMOTE_USER (this changes based on the third party tool you use).

Sample example:

EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
HeaderVariableLoginModule OPTIONAL {ume.configuration.active=true, Header=}
CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
BasicPasswordLoginModule REQUISITE {}
CreateTicketLoginModule OPTIONAL {ume.configuration.active=true}

Check this link for details:

http://help.sap.com/saphelp_nw04s/helpdata/en/68/5ddc40132a8531e10000000a1550b0/content.htm

Regards,

Muthu Kumaran KG
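To make the control flags in that sample stack concrete, here is an added example (not code from the answer above or from SAP) that simulates how a JAAS-style login module stack decides a request: a valid SSO2 ticket short-circuits at the first SUFFICIENT module, a trusted header variable is turned into a ticket by the next SUFFICIENT module, and only a request with neither falls through to the REQUISITE password module. The module behaviour, the request dictionaries and the sample users are constructed for illustration; note that the header module accepts whatever user ID arrives in the header, which is why only the front-end tool may be able to set it.

```python
# Added example (not from the thread or from SAP): a minimal simulation of JAAS
# login-module stack semantics for the sample stack above. Constructed data/behaviour.

HEADER_NAME = "REMOTE_USER"                    # default value of the Header option
VALID_TICKETS = {"ticket-for-alice": "alice"}  # constructed: ticket -> user
PASSWORDS = {"bob": "s3cret"}                  # constructed: user -> password

def evaluate_ticket(req, state):
    user = VALID_TICKETS.get(req.get("ticket"))
    if user:
        state["user"] = user
    return user is not None

def header_variable(req, state):
    # Trusts the header value as-is: only the front-end tool may be able to set it.
    user = req.get("headers", {}).get(HEADER_NAME)
    if user:
        state["user"] = user
    return user is not None

def create_ticket(req, state):
    return "user" in state  # issues a ticket only for an already established user

def basic_password(req, state):
    ok = req.get("user") in PASSWORDS and PASSWORDS[req["user"]] == req.get("password")
    if ok:
        state["user"] = req["user"]
    return ok

STACK = [  # order and control flags exactly as in the sample stack
    ("EvaluateTicketLoginModule", "SUFFICIENT", evaluate_ticket),
    ("HeaderVariableLoginModule", "OPTIONAL", header_variable),
    ("CreateTicketLoginModule", "SUFFICIENT", create_ticket),
    ("BasicPasswordLoginModule", "REQUISITE", basic_password),
    ("CreateTicketLoginModule", "OPTIONAL", create_ticket),
]

def run_stack(req):
    """Return (authenticated user or None, module that decided the outcome)."""
    state, required_ok, last_ok = {}, True, None
    for name, flag, module in STACK:
        ok = module(req, state)
        last_ok = name if ok else last_ok
        if flag == "REQUISITE" and not ok:
            return None, name            # fail fast
        if flag == "REQUIRED" and not ok:
            required_ok = False          # continue, but the stack will fail
        if flag == "SUFFICIENT" and ok and required_ok:
            return state["user"], name   # short-circuit: no password prompt
    return (state.get("user"), last_ok) if required_ok and last_ok else (None, "none")
```

Running `run_stack` with a ticket, with only the header, with only a password, and with nothing shows which module answers in each case; the header-only case never reaches the password module, which is the single sign-on effect the answer describes.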

6 REPLIES

tim_alsop
Active Contributor
0 Kudos

> We did extensive research and found that ITS might
> enable us to do that. But we are not clear if SNC is
> a must (Which we don't want to do). The documentation
> is not clear. The current URL without SSO points to
> Web Dispatcher which gets us the BSP pages from the
> WAS.

The only case where SNC is required when using external ITS is when a PAS module is used that is requesting an SSO2 ticket from the back-end SAP system. The request needs to be secure, so it has to be secured using an SNC connection; otherwise it might be possible for anybody on the network to send a request to the SAP system asking for an SSO2 logon ticket for any user - clearly that would not be very secure.

I hope the use of HTTP header variable login module in SAP system meets your needs.

One thing to note - you will have to redirect to the BSP app once you have created the SSO2 ticket using the HTTP header login module, because the login module runs in the Java stack and the BSP app runs in the ABAP stack. Maybe you haven't even installed the Java engine yet - if not, you will need to consider this when planning this implementation.

Good luck,

Tim

Former Member
0 Kudos

Hello Guys,

Sorry for not including the versions. We are using 4.7-200, WD 7, ITS 6.20, 3rd party tool (TruePass). The system is current with the latest patches.

Users are logging into TruePass; once they authenticate, it redirects them to BSP via Web Dispatcher, where users need to log in using their 4.7 account. So the double sign-on is working.

We are not planning to install the Java stack, portal nor any other tool. Therefore we are constrained to figure out a solution that has to make do with what we have. The sole purpose of ITS is for SSO; we are not using it for anything else, and it will be removed if it does not help with SSO.

Thanks

WolfgangJanzen
Product and Topic Expert
Product and Topic Expert
0 Kudos

Well, an SAP NetWeaver Application Server ABAP (NWAS ABAP) does unfortunately not allow you to deploy new authentication mechanisms (-> no pluggability concept).

So, indeed, you require either an (external) ITS (latest available version: 6.20) where you can use PAS (Pluggable Authentication Service) but then require SNC (for the RFC connection between the ITS Agate and the NWAS ABAP) - or you use an NWAS Java where you can deploy your own (custom / partner) JAAS login module.

In both cases, the NWAS ABAP needs to be instructed to perform an http redirect to a web-based service (either PAS or a Servlet on the NWAS Java) which performs the authentication and then triggers a 2nd http redirect (back to the originally called NWAS ABAP web-based service / application).

According to your description, however, you seem to be looking for something different: If I understood you correctly, you intend your users to authenticate twice - once at TruePass and in addition at the NetWeaver server (using UID/PWD, I assume). Is that right? Or do you intend to utilize the TruePass authentication and "skip" the 2nd one? Please clarify.

Former Member
0 Kudos

Hello Wolfgang,

We want the user to log on only once. Once the user is logged on to TruePass, she should start using the BSP application.

We are limited to using only ABAP WAS, WD and, if necessary, ITS for SSO. We are not in a position to use Portal, the Java stack or any other tool.

We also looked into using X.509, but it poses a security issue for us and inconvenience for the user due to the requirement of mutual authentication.

So we are not sure what options or solutions are available to us with ITS or any other mechanism for our architecture.

Thanks,

WolfgangJanzen
Product and Topic Expert
Product and Topic Expert
0 Kudos

Well, as described in my previous posting, in that case you can use an external ITS (6.20) where you deploy the PAS (Pluggable Authentication Service) in conjunction with an NWAS ABAP (where the BSP application is running). You then have to customize the ICF service settings (of the BSP application) to trigger an http redirect to the PAS service (running on the external ITS) in case of missing / invalid logon data (-> logon error handling).

Frankly speaking, I do not understand why you consider X.509 client certificates to cause a security issue. I would understand if you'd have stated that this approach is not suitable for you since you have to set up your own PKI (Public Key Infrastructure). The user can simply use X.509 client certificates which have been provided by such a PKI - so, the "inconvenience" argument is also not valid.

But anyway, all that is not really related since you've made up your mind to use TruePass for authentication.