SSO for SAP and Non-SAP applications without Enter...

Former Member · ‎11-29-2007

Dear all,

Is it possible to implement SSO for both SAP and non-SAP applications without involvement of EP at all?

I have gone through this link.

<a href="http://help.sap.com/saphelp_nw04s/helpdata/en/e5/4344b6d24a05408ca4faa94554e851/frameset.htm">http://help.sap.com/saphelp_nw04s/helpdata/en/e5/4344b6d24a05408ca4faa94554e851/frameset.htm</a>

But I still i am not able to get the precise answer on how to enable SSO for both SAP and non-SAP applications without EP.

We have decided not to implement EP in first phase of SAP implementation. But we need to enable SSO for other SAP and Non-SAP applications.

A detailed description on how to deal this kind of scenarios will be helpful.

Thanks.

WolfgangJanzen · ‎11-29-2007

This topic has been discussed, previously.

Maybe it's worth that you use the search function to take a look on previous threads, first.

Well, in general you could use X.509 client certificates for SSO - that might be the preferred way to integrate 3rd party server components.

You could also configure one SAP system to issue SAP Logon Tickets and configure all other systems to trust that ticket issuer. The integration of 3rd party components is then a bit more cumbersome (there is no tool support to establish the required trust relationship); you need to use the sapssoext library (as well as the sapseculib / sapcryptolib).

Former Member · ‎11-29-2007

Thanks for the suggestion and the answer.

What exactly you mean by 3rd party server components?

Can I use logon tickets instead of X.509 client certificates for SSO (without EP case)?

Thanks

WolfgangJanzen · ‎11-29-2007

> What exactly you mean by 3rd party server components?

Non-SAP web application servers

> Can I use logon tickets instead of X.509 client certificates for SSO (without EP case)?

Theoretically yes. But in practice you might face problems regarding user / identity mapping: the ticket contains an SAP userID which you might have to map to a local userID (provided your non-SAP web application server has his own user management solution). NetWeaver Application Servers can be configured to use the same user management (-> DualStack: UME is configured to use the ABAP user management) to avoid such problems.

Former Member · ‎12-11-2007

A client of our's uses SAP Enterprise Portal, and is using the SAP SSO, which is implemented with tickets, and requires the use of SAPSECULIB. My company provides an application for this client, and our application in hosted in our data center for the client, as a Software as a Service application, obviously across the internet. Our client, which owns a SAP license, has asked that we support the SAP SSO as a non-SAP SSO application. The client user's SSO ticket will be created from SAP EP, and then passed across the internet to our application, and we are to use that SSO ticket as an authentication ticket to our application. I beleive I know how to do this work technically, having reviewed the SAP document named: "Dynamic Library for Verifying SSO Tickets in Third-Party Software" Specification Version 2.00 December 2005.

My question is, does my company have the right to use the SAPSECULIB? Where is the official download and license download, that indicates we can download this library, and use it to support a SAP customer? We do not own a SAP license. Thank you for your help. I have searched many places in SAP support.

WolfgangJanzen · ‎12-11-2007

Well, where did you get the SAP document from?

If you have access to http://service.sap.com then you can also download SAPSECULIB and SAPSSOEXT. But that usually requires that you are a SAP customer ...

PS: hopefully you are using https to transmit the data across the internet.

SSO for SAP and Non-SAP applications without Enterprise Portal