
SSO with Windows ADS authentication against BSP

Former Member
0 Kudos

Hi,

we have an application running on BSP which we would like to enable for SSO.

Scenario:

User logs on to Windows PC / Domain.

He calls a URL, which is technically a BSP running on a SAP NW 2004S.

We would like the authentication piece happening through SSO.

Questions:

a) Is there a solution provided by SAP which supports that?

b) do we have to use a 3rd party tool ?

My understanding is that X.509 based certificates could address this issue:

What are the involved steps to have a certificate issuer within our domain (we do not want (need) to use an external trusted instance or so)? Is there any guide out there?

At this point we do not have any other SSO requirements nor any additional security aspects.

Platform:

- Windows PCs as frontend

- SAP running on iSeries (AS/400)

Thanks

Christian

1 ACCEPTED SOLUTION

tim_alsop
Active Contributor
0 Kudos

Christian,

The solution is:

1. You install a login module on Java stack which uses the built-in Kerberos support in browser to authenticate the user at workstation. This login module is often referred to as the SPNEGOLoginModule.

2. You configure the BSP in ABAP stack to redirect to Java engine when authentication is required, otherwise use the SSO2 ticket to determine user id of user who has already authenticated.

3. The user logs onto workstation and gets Kerberos credentials from domain during this logon.

4. The browser is used by user to access the BSP application, and the BSP application redirects to the J2EE Engine so that the user can be authenticated using the Kerberos protocol.

5. When J2EE engine has authenticated the user via the SPNEGO login module, an SSO2 ticket is created and the user is redirected back to the ABAP stack where the BSP application runs.

6. The user gets logged onto the BSP application.

Is that ok?

As you can see, there is no need to use certificates. Of course you can use certs if you want to encrypt the browser communications via SSL.

Thanks,

Tim
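
To check which mechanism a browser actually offers during the Kerberos step (step 4 above), the following added example, which is not part of the original post and is not SAP code, classifies the value of an `Authorization: Negotiate` header by reading the first mechType in the SPNEGO NegTokenInit. The function names and the sample token builder are assumptions made for illustration; the sample carries only a mechanism list, not a real ticket.

```python
import base64

# DER-encoded mechanism OIDs that can appear in a Negotiate token.
SPNEGO = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2
KRB5 = bytes.fromhex("06092a864886f712010202")      # 1.2.840.113554.1.2.2
MS_KRB5 = bytes.fromhex("06092a864882f712010202")   # 1.2.840.48018.1.2.2
NTLM = bytes.fromhex("060a2b06010401823702020a")    # 1.3.6.1.4.1.311.2.2.10
MECHS = {KRB5: "kerberos", MS_KRB5: "kerberos", NTLM: "ntlm"}

def der_header(buf, pos):
    """Return (tag, length, value_offset) of the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, first, pos + 2
    n = first & 0x7F
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n

def classify_negotiate(header_value):
    """Name the mechanism offered in an 'Authorization: Negotiate ...' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "not-negotiate"
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
        if tok.startswith(b"NTLMSSP\x00"):
            return "raw-ntlm"                 # NTLM without any SPNEGO wrapper
        tag, length, pos = der_header(tok, 0)
        if tag != 0x60 or pos + length > len(tok):
            return "malformed"                # not a GSS-API token, or truncated
        if not tok.startswith(SPNEGO, pos):
            return "not-spnego"               # GSS-API token with another OID
        pos += len(SPNEGO)
        # NegTokenInit: [0] -> SEQUENCE -> mechTypes [0] -> SEQUENCE OF OID
        for expected in (0xA0, 0x30, 0xA0, 0x30):
            tag, _, pos = der_header(tok, pos)
            if tag != expected:
                return "malformed"
        _, n, val = der_header(tok, pos)      # first OID = preferred mechanism
        return "spnego-" + MECHS.get(tok[pos:val + n], "unknown")
    except (ValueError, IndexError):
        return "malformed"

def der(tag, body):
    return bytes([tag, len(body)]) + body     # short-form DER, sample data only

def sample_header(mech_oids):
    """Constructed NegTokenInit carrying only a mechType list (no real ticket)."""
    init = der(0x30, der(0xA0, der(0x30, b"".join(mech_oids))))
    return "Negotiate " + base64.b64encode(der(0x60, SPNEGO + der(0xA0, init))).decode()
```

A result of `spnego-kerberos` means the browser obtained a service ticket; `raw-ntlm` or `spnego-ntlm` means it fell back to NTLM instead of using Kerberos.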

6 REPLIES 6

Former Member
0 Kudos

Hi Tim,

I have a similar problem: the user logs on to Windows/domain, then calls a URL that is a simple web template running in a BW 3.5. Is there any solution for SSO for BW 3.5 in web mode?

Thanks a lot!!!!

tim_alsop
Active Contributor
0 Kudos

Gerardo,

For better support on SDN, you should open a new thread and mark it as a question. This means it is not confused with other threads, and also SDN points can be awarded to contributors who give good answers. Of course you can refer to another thread if you need to give an example of something else similar to your question.

Thanks,

Tim

Former Member
0 Kudos

You are all right Tim,

There is my thread, I will appreciate your suggestions.

Thanks.

Gerardo.

Former Member
0 Kudos

Tim,

thanks for your answer a month ago...

We have now implemented successfully the J2EE engine with SPNego, SSO works in this environment.

Now we are wondering about step 2 of your solution list (above):

How do we need to configure the BSP in SICF so that the user authentication is redirected to our Java engine? The standard we are seeing there in tab "Logon Data" and field "procedure" does not help us any further...

Any hints, ideas ?

Thanks

Christian

0 Kudos

Hi,

I am afraid I am only familiar with how this is done when using the products from my company, since we sell a product which includes various login modules, and it also includes java servlets. Then, in SICF you would configure the redirect URL to point to our servlet and when authenticated the servlet hands control back to the ICF service on ABAP stack.

I am sure that the same is possible using the method you are using, but I am afraid I am not aware of it. Perhaps since this SDN thread is marked as answered already, you can open a new thread and ask if anybody knows how to configure the service in SICF. Of course, if you are interested in using our product instead I can give you more support, but not via SDN.

I hope this helps?

Thanks,

Tim