07-08-2008 8:46 AM
Hello,
I have read a lot of documentation on this technique for SSO to enable auth. between SAP and non-SAP systems but I think I still miss some points.
My architecture is just the opposite of what is explained in the doc by SAP: indeed, it is not an SAP portal that tries to communicate with non-SAP products in an extranet scenario, which would use the web server filter as normal, but a non-SAP portal that tries to communicate with SAP backends. Thus I really have understood that HTTP header is the only technique that permits SSO between SAP and non-SAP in an extranet scenario (Kerberos is not possible here). I have read that for HTTP header, the method uses an intermediary web server that performs the authentication and through which all flows have to pass.
My scenario is that our user from the non-SAP portal authenticates itself on an SAP Java Stack (and gets an SAP logon ticket) and then communicates directly with SAP backend systems without passing through that intermediary server (well, in fact it does pass through, but there is no retranslation or processing done).
To secure it a bit more, we will use the IP restriction module from the SAP Java Stack. I would like to know your opinion on this: why is it mandatory to always pass through that intermediary web server? This would be a bottleneck and would degrade performance.
I am really interested in your input,
Thanks to the community,
Tanguy
07-08-2008 6:35 PM
> Thus I really have understood that HTTP header is the only technique that permits SSO between SAP and non-SAP in an extranet scenario (Kerberos is not possible here).
Using X.509 client certificates for authentication (if the browser is accessing the backend system directly, not via any middleware component) is another (standards-based) option.
Depending on the capabilities of the involved components, using SAML would be another one.
07-08-2008 6:46 PM
> Thus I really have understood that HTTP header is the only technique that permits SSO between SAP and non-SAP in an extranet scenario (Kerberos is not possible here).
> Tanguy
This is not strictly correct, since Kerberos can be used in an extranet environment. You can, for example, set up Kerberos authentication with your non-SAP portal, and use Kerberos credential delegation to allow the non-SAP portal to authenticate on the user's behalf (e.g. the user at the workstation where the browser is) to the back-end SAP system, using an SNC-protected session between the systems. Once authenticated, the SAP system can issue an SSO2 ticket for SSO purposes. Using this method has the advantage that you are not sending any insecure information over the network between the non-SAP portal and the SAP system, as you would if you used HTTP Header Authentication.
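To make concrete why the original question's intermediary cannot simply be bypassed, here is an added example (not code from this thread, from SAP, or from any poster). It models an SAP-style backend that reads the user identity from an HTTP header: the naive version believes the header from any caller, while the hardened version, in the spirit of the IP restriction the original poster mentions, only trusts it when the request arrived from the intermediary. The header name `x-remote-user`, the proxy address range and the `Request` type are all assumptions for the illustration.

```python
# Added example, not from the thread. Shows the difference between a backend that
# trusts an identity header from any caller and one that trusts it only when the
# request provably came through the authenticating intermediary web server.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed values: address range of the intermediary web server and the
# header name it sets after authenticating the user (both assumptions).
TRUSTED_PROXY_NETS = [ip_network("10.0.0.0/24")]
USER_HEADER = "x-remote-user"


@dataclass
class Request:
    src_ip: str
    headers: dict = field(default_factory=dict)


def naive_identity(req: Request):
    """Backend that believes the header no matter who sent it.

    If a client can reach the backend without passing through the
    intermediary, whatever name it puts in the header becomes its identity.
    """
    return req.headers.get(USER_HEADER)


def hardened_identity(req: Request):
    """Backend that accepts the header only from the intermediary's addresses.

    Requests from any other source get no identity at all, which is what the
    IP restriction in front of the backend is meant to enforce.
    """
    src = ip_address(req.src_ip)
    if not any(src in net for net in TRUSTED_PROXY_NETS):
        return None  # untrusted source: header is ignored, user stays unauthenticated
    return req.headers.get(USER_HEADER)


def proxy_forward(authenticated_user: str, client_headers: dict) -> dict:
    """What the intermediary must do on every forwarded request: drop any
    client-supplied identity header and set it from its own session, so only
    its own authentication verdict ever reaches the backend."""
    out = {k: v for k, v in client_headers.items() if k.lower() != USER_HEADER}
    out[USER_HEADER] = authenticated_user
    return out
```

The source-address check is only as strong as the network path: it assumes nothing other than the intermediary can originate traffic from the trusted range, which is why the documentation insists that all flows pass through that server.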