Application Development Discussions

Http Header Authentication

Former Member

Hello,

I have read a lot of documentation on this technique for SSO to enable authentication between SAP and non-SAP systems, but I think I still miss some points.

My architecture is just the opposite of what is explained in the SAP documentation: it is not an SAP portal that tries to communicate with non-SAP products in an extranet scenario (which would use the web server filter as normal), but a non-SAP portal that tries to communicate with SAP backends. Thus I have understood that the HTTP header is the only technique that permits SSO between SAP and non-SAP systems in an extranet scenario (Kerberos is not possible here). I have read that the HTTP header method uses an intermediary web server that performs the authentication and through which all flows have to pass.

My scenario is that our user from the non-SAP portal authenticates itself on an SAP Java stack (and gets an SAP logon ticket) and then communicates directly with the SAP backend systems without passing through that intermediary server (well, in fact it does pass through it, but no retranslation or processing is done there).

To secure it a bit more, we will use the IP restriction module of the SAP Java stack. I would like to know your opinion on this: why is it mandatory to always pass through that intermediary web server? This would be a bottleneck and would degrade performance.

I am really interested in your input,

Thanks to the community,

Tanguy
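The question above is really about where the trust in an HTTP header sits. An added example, not from this thread or from any SAP component: a small model of header-based SSO in Python. The header name, the proxy address and the requests are all constructed for the illustration. It shows the two checks a practitioner would expect: the intermediary strips any identity header the client sent before setting its own, and the backend ignores the header unless the TCP peer is a trusted intermediary (the IP-restriction approach mentioned in the post). A client that reaches the backend directly, or passes through a proxy that forwards headers unchanged, can otherwise choose its own identity.

```python
import ipaddress

# Assumed header name and trusted intermediary address (constructed for the example).
IDENTITY_HEADER = "X-Remote-User"
TRUSTED_PROXIES = (ipaddress.ip_network("10.0.0.5/32"),)


def _get_header(headers, name):
    """Case-insensitive header lookup, as HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _valid_user(value):
    """Reject empty, oversized or non-printable values before using them as a user name."""
    return bool(value) and value.isprintable() and len(value) <= 64


def proxy_forward(client_headers, authenticated_user):
    """What the intermediary must do before forwarding a request to the backend:
    drop every identity header the client supplied, then set the header from the
    identity the proxy itself authenticated."""
    forwarded = {k: v for k, v in client_headers.items()
                 if k.lower() != IDENTITY_HEADER.lower()}
    forwarded[IDENTITY_HEADER] = authenticated_user
    return forwarded


def authenticate_naive(request):
    """Flawed backend: trusts the identity header regardless of who sent it."""
    user = _get_header(request["headers"], IDENTITY_HEADER)
    return user if _valid_user(user) else None


def authenticate(request, trusted_proxies=TRUSTED_PROXIES):
    """Backend with source restriction: the header is only honoured when the TCP
    peer is one of the trusted intermediaries; anything else is anonymous."""
    peer = ipaddress.ip_address(request["remote_addr"])
    if not any(peer in net for net in trusted_proxies):
        return None
    return authenticate_naive(request)


# Constructed requests. The client tries to claim "admin" in both cases.
VIA_PROXY = {
    "remote_addr": "10.0.0.5",
    "headers": proxy_forward({"x-remote-user": "admin", "Accept": "text/html"},
                             "tanguy"),
}
DIRECT_SPOOF = {
    "remote_addr": "203.0.113.7",
    "headers": {"X-Remote-User": "admin", "Accept": "text/html"},
}


def demo():
    """Return the outcome of each backend variant for both requests."""
    return {
        "naive_direct": authenticate_naive(DIRECT_SPOOF),   # "admin": spoof succeeds
        "strict_direct": authenticate(DIRECT_SPOOF),        # None: header ignored
        "strict_via_proxy": authenticate(VIA_PROXY),        # "tanguy": proxy's identity wins
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The source-IP check only binds the header to a network address: it assumes nothing else on the trusted host (or on a path that can spoof or NAT to its address) can open a connection to the backend. A mutually authenticated transport between intermediary and backend, such as TLS with a client certificate or the SNC-protected session mentioned in a reply below, binds the header to a key instead, which is the stronger form of the same check.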


WolfgangJanzen
Product and Topic Expert

> Thus I really have understood that http header is the only technique that permits to do SSO between SAP and non-SAP in an extranet scenario (kerberos is not possible here).

Using X.509 client certificates for authentication (if the browser is accessing the backend system directly, not via any middleware component) is another (standards-based) option.

Depending on the capabilities of the involved components, using SAML would be another one.

tim_alsop
Active Contributor

> Thus I really have understood that http header is the only technique that permits to do SSO between SAP and non-SAP in an extranet scenario (kerberos is not possible here).
>
> Tanguy

This is not strictly correct, since Kerberos can be used in an extranet environment. You can, for example, set up Kerberos authentication with your non-SAP portal and use Kerberos credential delegation to allow the non-SAP portal to authenticate on the user's behalf (i.e. the user at the workstation where the browser is) to the back-end SAP system, using an SNC-protected session between the systems. Once authenticated, the SAP system can issue an SSO2 ticket for SSO purposes. Using this method has the advantage that you are not sending any insecure information over the network between the non-SAP portal and the SAP system, as you would if you used HTTP header authentication.