- SAP Community
- Groups
- Interest Groups
- Application Development
- Discussions
- SSO logon ticket creation by Non SAP-System
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
SSO logon ticket creation by Non SAP-System
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-31-2007 9:58 AM
Hello,
Is there anyway to generate a SAP logon ticket on non SAP system? by using a special module running on Apache Server for example.
If there is any documentation that speaks of this Scenario it would be appreciated if you can point me to the same.
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-31-2007 11:23 AM
Hi Peter,
Our wish is to set up a server that will stay in the DMZ and provide for incomming user after an authentication a SAP Logon Ticket . By doing this we will prevent direct access to our SAP EP that stay in backend.
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-31-2007 10:59 AM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-31-2007 11:23 AM
Hi Peter,
Our wish is to set up a server that will stay in the DMZ and provide for incomming user after an authentication a SAP Logon Ticket . By doing this we will prevent direct access to our SAP EP that stay in backend.
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-31-2007 1:51 PM
I don't think it is a smart idea to "outsource" the authentication validation and to let this sensitive task be performed by a component which resides in the DMZ.
Keep in mind: the DMZ is closer to the "outer space" than the backend server network. Therefore no security relevant components (such as an "authentication server") should be operated in the DMZ.
Typically, only "pre-filtering" components are operated in the DMZ (like a reverse proxy). The backend systems do not rely on that "pre-filtering" but implement their own access control.
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-31-2007 1:44 PM
No, that's not intended. There's only a library to verify SAP Logon Tickets, externally - but none to create them.
The recommended way to enhance NetWeaver servers with new authentication mechanisms is to deploy new JAAS logon modules on a NWAS Java. The NWAS Java can then (after successful validation of the credential by the custom JAAS login module) create a SAP Logon Ticket - which can be validated by other components.
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-31-2007 2:12 PM
I agree. Even if you want to avoid direct access to the backend SAP Portal, the authentication still has to take place in a trusted environment.
There are ways to implement a user authentication for SSO outside an SAP system, but this would be via other mechanisms (e.g. certificates) - not via SAP logon tickets.
- SAP Managed Tags:
- Security
