SSO from HCP App to SAP Jam

Hi, we are currently working on an SAP internal project which is actually an App deployed to HCP. We are delegating the user authentication to SAP ID Services and, to be exact, we are using FORM Authentication. In the App, we have links to SAP (internal) Jam (https://jam4.sapjam.com/).

In most cases our scenario works. However, if we use Firefox to access our App, since it does not take the SAP SSO certificate automatically (for Chrome you get a pop-up to select your SAP SSO certificate), we are prompted to enter the SCN user and password (auth. 1). This is so far OK. However, after authentication and after I have logged in to the App, when I click the SAP Jam link inside the App, I am again prompted to enter my SCN user and password (auth. 2). This is not so nice.

I know the first authentication (auth. 1) checks only if the user has a valid SCN user and password, and the second time (auth. 2), since I am accessing an SAP internal Jam group, I am, or at least should be, checked against my SAP company internal credentials.

My questions:

1. During the second authentication (auth. 2), why does it work when I enter my SCN credentials and not my SAP company internal credentials? I have different passwords for my SCN credentials and my SAP credentials. Maybe it is because they have the same ID (my D-number?)?

2. How can I get rid of the second authentication (auth. 2)? We already have application logic in our App to check that the users of our App are SAP internals (D-number or I-number), so it would be really nice if somehow SAP ID Services could provide some API to do a silent login, like the scenario in my question 1.

Really appreciate your help. Thank you.

Regards, Yashu

1 Answer

  • Feb 14, 2015 at 12:37 AM

    This is happening because it appears to me that these two applications are not integrated, but you just have links to Jam from App1. So they both require their own authentication. If you use IE on SAP imaged desktops you likely won't see either authentication, because of the way IE handles desktop certificates.

    If you want to do a deeper SSO integration between the two then you would need to use something like this: SAP Jam Developer Guide

    • Hi Chris, the single use tokens never give you access to things you are not allowed to see. It just provides a mechanism to move from the API to a web session as a convenience. As a security control we don't allow direct sharing between API session and a web session.

      So if the user hijacks their single use token to view a different URL, it's OK as long as it's the same user, because they won't see anything they are not permissioned to see. Once the token has been used to create a session, it becomes invalidated. We have actually had this feature for a long time; I think the security is well validated, but we are always open to feedback.
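
The single-use token behaviour described in the comment above, sketched as an added example that is not part of the thread and not SAP Jam's code: a token bound to the API session's user is exchanged once for a web session, and every page view is then authorized against that user. The class and function names, the sample ACL and user IDs, and the token expiry are all assumptions made for illustration.

```python
import hashlib
import secrets
import time

# Constructed sample ACL: URL -> users allowed to view it.
ACL = {"/groups/internal": {"D000001"},
       "/groups/public": {"D000001", "D000002"}}

class TokenBridge:
    """Hypothetical server-side bridge from an API session to a web session."""

    def __init__(self, ttl_seconds=60, clock=time.monotonic):
        self._ttl = ttl_seconds      # assumption: tokens also expire
        self._clock = clock
        self._pending = {}           # sha256(token) -> (user_id, expires_at)
        self._sessions = {}          # web session id -> user_id

    @staticmethod
    def _digest(token):
        # Store only a hash so a leaked table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, api_user_id):
        """Called from an authenticated API session; token is bound to that user."""
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (api_user_id, self._clock() + self._ttl)
        return token

    def redeem(self, token):
        """Exchange a token for a web session id, or None if unknown, used or expired."""
        entry = self._pending.pop(self._digest(token), None)  # pop: first use invalidates
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._clock() > expires_at:
            return None
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = user_id
        return session_id

    def session_user(self, session_id):
        return self._sessions.get(session_id)

def can_view(bridge, session_id, url):
    """Authorization is decided per request from the session's user, not from the token."""
    user = bridge.session_user(session_id)
    return user is not None and user in ACL.get(url, set())
```

Because the token carries no URL or permission of its own, pointing it at a different page changes nothing about what the resulting session may view.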