Former Member

SSO Between SAP ABAP and third party Tomcat Application


Hi Experts,

I need to do single sign-on (SSO) between SAP ABAP, which is CRM 7.0, and a third-party Tomcat application. Could you please guide me on how I should configure this?

Can you please clarify my queries below?

The scenario is that the SAP CRM system will call a URL of the Tomcat application, and that URL asks for the logon data of the Tomcat application.

For trial purposes I have maintained the same user ID and password between ABAP and Tomcat. Now my requirement is: "It should not ask me for any login screen, and when I call the URL from the CRM system it should directly redirect to Tomcat."

I decided to follow the STRUSTSSO2 logon ticket method. Does Tomcat support this?

How does Tomcat recognise the SAP user?

Appreciate your reply.

Thanks,

Aditya


2 Answers

  • Best Answer
    Dec 10, 2013 at 11:02 PM

    Hi,

    First, you need to clarify the roles of your systems. Let's use SAML language. There are 2 system roles: identity provider and service provider. A service provider provides services to a user (e.g. the web UI of the CRM system where a user can create an order). An identity provider authenticates a user, e.g. by using username/password, and then issues a signed ticket that is accepted by all service providers. Note that one system can have both roles. Also note that usernames do not have to be the same for a user in all systems. A service provider can do a mapping of usernames. Service providers don't need to know the passwords of users, and it's actually good if they don't know them.

    In your scenario you seem to have two options: you can set up the CRM system as identity provider, or your Tomcat application server. Whenever users want to use a service provided by one of the systems they need to be redirected to the identity provider for authentication first.

    So let's say that the CRM system is the identity provider. When users access a CRM URL they get the standard logon screen of the CRM system. After successful authentication they get an SSO cookie and they can use services provided by CRM. The Tomcat application server needs to implement a custom logon module. I don't think that the SAP method is supported out of the box. So when users try to access services provided by Tomcat, it will check if there is a valid SSO cookie. If not, it needs to redirect the user to the CRM system. If there is a valid cookie then it will let the users in. The note mentioned by Antal provides a link to a library that can validate SSO cookies issued by SAP systems.

    The other option is that Tomcat has the role of identity provider. In this case you need to be able to generate a cookie that can be verified by the SAP system. Unfortunately, there is no officially supported library that allows you to generate SSO cookies. There is a supported way to do this.

    There is also a third option, that both systems are identity providers. I would not go this way because you would have to sync passwords between systems, and that's a really ugly solution without much benefit.

    Also note that if the identity provider is down then users can't use the services. This is not true for the third option because any system can authenticate the user. So that's one of the factors for deciding which system will be used as identity provider.

    You could also use SAML instead of the SAP proprietary SSO solution, but that would require some additional work (the CRM system does not have the capability to be a SAML identity provider; it can only be a service provider).

    Cheers


  • Dec 10, 2013 at 04:16 PM

    Hi Aditya,

    Please review SAP Note 304450 - Single Sign-On with SAP logon tickets in non-SAP systems.

    Best Regards,

    Antal


    • Hi,

      That library gives you the ability to parse and validate a logon cookie issued by SAP ticket. You pass it the cookie content and it gives you back whether it's a valid cookie (signed by a trusted cert) and all the fields such as the username. So to use it in Tomcat you will have to define a custom authentication module that uses this library. It reads the cookie, parses it and validates it with this library, and if everything is OK then it authenticates the user. If you need to know how to write a custom logon module for Tomcat then you need to find a better forum.

      Cheers
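The custom Tomcat logon step sketched in the best answer and in the comment above (check for the SAP SSO cookie, validate it with the library from the note, otherwise redirect to the CRM logon screen) as a servlet Filter. This is an added example, not code from the thread or from SAP; it assumes the logon ticket arrives in the standard MYSAPSSO2 cookie, and `validateTicket` is a hypothetical hook where a deployer plugs in the SAP Note 304450 library.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Gate for a Tomcat web application when the SAP CRM system is the identity provider.
 * Subclass it and implement validateTicket() with the SAP logon ticket library.
 */
public abstract class SapLogonTicketFilter implements Filter {

    static final String TICKET_COOKIE = "MYSAPSSO2";   // assumption: standard SAP logon ticket cookie
    static final String SESSION_USER  = "sapUser";
    private String crmLogonUrl;                        // CRM URL that shows the SAP logon screen

    /** Hypothetical hook: returns the SAP user name from a valid, trusted-signed ticket, else null. */
    protected abstract String validateTicket(String ticketCookieValue);

    /** Optional hook for the username mapping the answer mentions; identity by default. */
    protected String mapToLocalUser(String sapUser) { return sapUser; }

    @Override public void init(FilterConfig config) {
        crmLogonUrl = config.getInitParameter("crmLogonUrl");   // configured in web.xml
    }
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        HttpSession session = request.getSession(false);
        if (session != null && session.getAttribute(SESSION_USER) != null) {
            chain.doFilter(req, res);                  // already authenticated in this session
            return;
        }
        String ticket = findCookie(request, TICKET_COOKIE);
        String sapUser = (ticket == null) ? null : validateTicket(ticket);
        if (sapUser == null) {
            response.sendRedirect(crmLogonUrl);        // no ticket or untrusted signature: go to the IdP
            return;
        }
        request.getSession(true).setAttribute(SESSION_USER, mapToLocalUser(sapUser));
        chain.doFilter(req, res);
    }

    static String findCookie(HttpServletRequest request, String name) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) if (name.equals(c.getName())) return c.getValue();
        return null;
    }
}
```

The filter never sees a password, which matches the answer's point that a service provider should not need one; only the signature check inside `validateTicket` decides whether the user is let in.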