Hi,

The reason why you need a JAVA stack, is not so you can use the SAP portal, it is because SAP decided to use a standards based "pluggable authentication" technology (called JAAS). If they had provided pluggable authentication into ABAP stack of NetWeaver it would be considered propriatory, so the flexibility of using a standards based solution was preferred. There are also many solutions that are available that are using JAAS so adding additional authentication to Java stack is easier and better because of this, compared to what it would have been like if they had put something into ABAP. Also, the overhead of running a Java stack as an add-in to an existing ABAP system is low.

In my expereince, most companies deploy a JAVA engine as an add-in and use this for authentication to ABAP web enabled applications.

Thanks,

Tim

Roger,

Thankyou for explaining your requirements in more detail. You are right that you will need a Java stack installed on your network, in which you can configure a login module that supports the SPNEGO protocol. Then, when a user logs onto their workstation the Kerberos credentials will be used to authenticate them to the SAP application. This is possible because the Kerberos protocol support is already included in Internet Explorer or Firefox web browsers.

The Java engine is required because this is where the login module is installed and configured. Once the user has been authenticated you would redirect the HTTP request back to the ABAP stack, where your application resides. The Java stack would issue an SSO2 logon ticket which would mean the authentication only occurs the first time they access the application, then other page requests will use the logon ticket (as a cookie) to identify the user. The logon ticket is digitally signed using a certificate, so that it can be verified and trusted.

Thanks,

Tim

> I did not mean to imply either directly or indirectly that a super user would be generating a URL that would work for other users using the super user's account.

I'm glad to hear that ...

> The idea was that each user after authenticating to the SAP server initially would be validated and allowed SSO access (no SAP username and password required) to a WEB URL call to a SAP ABAP-only server based on his generated logon ticket after his initial validation to the SAP server.

Yes, you can obtain a SAP Logon Ticket in exchange to valid logon data from an NWAS ABAP. But notice: before you can get a SAP Logon Ticket you need to logon, first. And you can only use an authentication mechanism supported by the NWAS ABAP server ...

> In SAPGUI for WIndows SSO using Kerberos, a user logs into his LAN OS account, and after enabling SNC in the SAP server and entering the principal name matching the end-user's LAN account name under the SNC tab of the User Master record and enabling SNC in the SAPGUI, the end-user does not have to log into SAP with any SAP password.

Well, for SAPGUI (and RFC) clients you can use SNC. And if your ABAP server is using an Windows operating system you can also use the SNC library provided by SAP (note 352295) - which obviously you do.

> The hope of the BI team was to be able for a user to generate a URL corresponding to a query from the BEX analyzer, then post that URL for other users to be able to access once they had logged into the LAN. The hope was that with SAP LOGON tickets, a SAP LOGON ticket would be generated for each user when they logged into the LAN [...]

STOP - at this point your assumption fails ...

No, you will not get a SAP Logon Ticket when you logon into your LAN. Only SAP application server issue SAP Logon Tickets (they are proprietary tokens).

It does not help if you are able to use SNC for your SAPGUI (or RFC client). When you are using a different user agent (here: a browser) you start from zero - you cannot pass the SAP Logon Ticket or SNC credentials to the browser. (Notice: the browser transmits SAP Logon Tickets via cookies; cookies, however, can only be set by a web server as part of a http response; but you need the cookie to be transmitted with the very first http request - that's a classic hen-and-egg problem ...).

> The SSO process for Web-based URL access is a new beast for which I have no experience.

Yes, indeed: it is a beast.

And frankly speaking: what you are looking for (SPNEGO authentication) is not provided by the ABAP stack. I'm sorry.

> From the other posts, I am getting the impression that I will not be able to do this on an ABAP-only server, but need at least one server with a JAVA stack which will issue the SAP LOGON tickets for all other servers. I was looking for a quick solution without going that route because I cannot implement anything without first going through a security approval process which typically takes 90 days or more to get through several auditing agencies.

Well, I understand your concerns. But unfortenately I have no other news for you.

> I briefly considered SAP LOGON Certificates, but because my ABAP-only servers are on a closed loop network with absolutely no access to the outside world, not even through firewalls, I therefore have no access for those servers to the SAP CA free service at Service Marketplace. Yes- I considered implementing the MS version of their own CA certificate generator inside that closed loop, but I believe I need at least one server with the JAVA stack so I can store things in the JAVA service for the Secure Key Store.

Well, I assume that you are referring to X.509 client certificates (for mutual SSL authentication). Yes, you require an SSL server certificate (which should be issued by a trusted CA, however that means: you have to purchase that SSL server certificate) - but anyway: it's highly recommended to support https and not to force your users to transmit their data unencrypted via http.

In addition, you need to obtain individual X.509 client certificates for each user (and assign the mapping certificate -> user). Here, the so-called SAP Trust Center Service (-> SAP Passports) can help you: you operate the Registration Authority (RA) and SAP runs an Certification Authority (CA) - at no extra costs.

> So I am unsure at the moment what is the best way to solve the problem of SSO for the WEB URL access to queries generated in BEX explorer.

Well, I also only see the two options:

(1) using NWAS Java with SPNEGO login module, issuing SAP Logon Tickets which can be validated by the NWAS ABAP, or

(2) using X.509 client certificates for SSO (which you might then also use for other purposes, e.g. S/MIME, digital signatures, ... - and with other servers, including non-SAP ones).