
Non-SAP Single Sign-On

Former Member
0 Kudos

Hello,

I tried doing a search on this but I couldn't get a clear answer. I was wondering if anyone is familiar with non-SAP Single Sign-On to SAP.

Basically we are creating our own portal using .NET and JSP, and we were trying to create a cookie that gets generated when you log in to our site, and one of the links will be to SAP ISA (Internet Sales Application).

Right now we are using Portal to Single Sign-On to SAP ISA (Java based CRM).

But we would like to use our Website (.NET, JSP, Stellent Content Management) to provide Single Sign-On to SAP.

I would really appreciate if anyone can point me in the right direction.

Thanks!

Imran

10 REPLIES 10

tim_alsop
Active Contributor
0 Kudos

Hi,

You can call an RFC in SAP to issue an SSO2 ticket which will give you single sign-on, but to do this you need to first authenticate to SAP so that the SAP application trusts you. Without this initial authentication it would theoretically be possible for any application to request a ticket for any user - clearly this would not be very secure.

I have worked with SAP customers who have used SNC between .NET server and SAP system, and this establishes a trust relationship, then over this SNC connection the RFC can be called to request a logon ticket. This same approach is used by SAP external ITS and can also be used for SSO with .NET applications.

You can also use SNC with RFC connections between .NET server and SAP app server to authenticate the user logged in at the workstation where browser is located - this is done using Kerberos with credentials delegation.

I hope this helps.

Thanks,

Tim
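
As an added example, not part of the original posts and not SAP's ticket format or RFC interface: a simplified Python model of the trust requirement described in the reply above, in which the issuer hands out a ticket for a named user only to a calling application it has authenticated. The HMAC keys stand in for the SNC trust relationship and the issuer's signing key; every name and value is constructed for illustration.

```python
import base64, hashlib, hmac, json, time

# Constructed keys for this example (assumptions, not SAP values).
TRUSTED_CALLERS = {"dotnet-portal": b"portal-channel-key"}  # stand-in for an SNC trust relationship
ISSUER_KEY = b"issuer-signing-key"                          # stand-in for the issuing system's key


def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def caller_proof(caller_id, key, user):
    """What a caller holding the channel key sends along with its ticket request."""
    return _mac(key, f"{caller_id}|{user}".encode())


def issue_ticket(caller_id, proof, user, ttl=300, now=None):
    """Issue a ticket for `user` only if the calling application is trusted."""
    key = TRUSTED_CALLERS.get(caller_id)
    expected = _mac(key, f"{caller_id}|{user}".encode()) if key else ""
    if not key or not hmac.compare_digest(expected, proof):
        # Without this check any application could obtain a ticket for any user.
        raise PermissionError("caller not authenticated; no ticket issued")
    now = time.time() if now is None else now
    body = json.dumps({"user": user, "exp": int(now + ttl)}, sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _mac(ISSUER_KEY, body)


def verify_ticket(ticket, now=None):
    """Return the user name if the ticket is authentic and unexpired, else None."""
    try:
        b64, sig = ticket.split(".", 1)
        body = base64.urlsafe_b64decode(b64.encode())
    except ValueError:
        return None
    if not hmac.compare_digest(_mac(ISSUER_KEY, body), sig):
        return None
    claims = json.loads(body)
    now = time.time() if now is None else now
    return claims["user"] if now < claims["exp"] else None
```
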

Former Member
0 Kudos

Hi Tim,

Thank you for the very helpful answer. Do you provide consulting in this area?

So are you saying that it is possible for external customers to log in to our website (Stellent, .NET, JSP), and then authenticate to SAP using SNC and RFCs? Have you seen this work? Is it transparent?

Thanks!

Imran

tim_alsop
Active Contributor
0 Kudos

Hi,

I do consult SAP customers but you need to contact me via email for that.

Yes, the external customer/user would logon to your website and then be recognised in SAP application and this would probably best be done using SSO2 tickets, and you can use RFC/SNC as a way to get the SSO2 ticket issued for the user who has authenticated to the .net application. The SAP .net connector is also required in this case.

The solution you use depends mostly on what your .net application needs when it connects to the backend SAP system. You can also use http header variables for this kind of solution, if applicable.

Thanks,

Tim

Former Member
0 Kudos

Hello Tim,

I sent you an email to your Cyber Safe ID.

Thanks!

Imran

Former Member
0 Kudos

Hello Imran,

Another approach is the use of client certificates. This has the advantage that the technology is supported across all SAP applications, platforms, UI technologies, etc., and also for a number of non-SAP technologies - so you don't have the risk to get stuck, e.g. in case you move to the SAP E-SOA world, where Kerberos is not supported for web service authentication today.

Client certificates are easy to use and can be integrated with your portal. There are 2 ways to get the client certificates to the user - either you have a PKI in place, then you can use that, or you need a certificate server that generates the certificates on the fly (fully transparently) - e.g. as part of your portal authentication.

Peter

0 Kudos

Hello Peter,

Thanks for the reply. Have you used PKIs? Are you referring to X.509 certificates? Can you point me in any direction to how I can get this implemented?

Thanks!

Imran

WolfgangJanzen
Product and Topic Expert
0 Kudos

Another option would be SAML - if your portal is supporting SAML Browser Artifacts (as SAML source site). However, I have to admit that it would not help you much since your SAP application is most likely deployed on an ABAP system < NetWeaver 7.1 (and only as of NW 7.1 ABAP systems do support SAML Browser Artifacts, in conjunction with a NWAS Java system).

0 Kudos

Hello Wolfgang,

Thank you for responding. We are using ISA (Internet Sales Application). It is Java based NW 7.0 sr 3. The ISA component comes with both CRM JAVA, and ERP JAVA.

Since we are on NW04's SR3 will SAML work? Also how about HTTP Header Variable, JAAS, and X.509 Certificates?

Thanks,

Imran

0 Kudos

> We are using ISA (Internet Sales Application). It is Java based NW 7.0 sr 3. The ISA component comes with both CRM JAVA, and ERP JAVA.
>
> Since we are on NW04's SR3 will SAML work?

I need to clarify.

> Also how about HTTP Header Variable, JAAS, and X.509 Certificates?

That definitely works (the first two ones only with NWAS Java, X.509 client certificates also with NWAS ABAP). You could even deploy your own (custom) JAAS login module (NWAS Java).

But I also have a question:

Do you intend to use WebServices (your Portal then acts as WS Consumer, the NWAS Java acts as WS Provider)? Or is the browser directly accessing the NWAS Java server (which provides interactive web applications, rendering the content)?

Regards, Wolfgang

Former Member
0 Kudos

Hello Imran,

Yes, I am talking about X.509 certificates. We have used this with many SAP customers successfully and without a lot of effort. As I mentioned, you don't need a PKI to use this authentication method, which is of all valid methods mentioned here the one most widely supported across SAP applications, versions, platforms and technologies. You can find information on the configuration on the SAP server side at various locations (search e.g. for "client certificates" in the SAP Help Documentation). I'll be happy to give you more details about the use without a PKI, but you would have to contact me via e-mail directly (see business card).

Thanks,

Peter