07-31-2007 9:58 AM
Hello,
Is there any way to generate a SAP logon ticket on a non-SAP system? By using a special module running on Apache Server, for example.
If there is any documentation that speaks of this scenario, it would be appreciated if you could point me to the same.
07-31-2007 11:23 AM
Hi Peter,
Our wish is to set up a server that will stay in the DMZ and provide incoming users, after authentication, with a SAP Logon Ticket. By doing this we will prevent direct access to our SAP EP, which stays in the backend.
07-31-2007 10:59 AM
07-31-2007 1:51 PM
I don't think it is a smart idea to "outsource" the authentication validation and to let this sensitive task be performed by a component which resides in the DMZ.
Keep in mind: the DMZ is closer to the "outer space" than the backend server network. Therefore no security relevant components (such as an "authentication server") should be operated in the DMZ.
Typically, only "pre-filtering" components are operated in the DMZ (like a reverse proxy). The backend systems do not rely on that "pre-filtering" but implement their own access control.
07-31-2007 1:44 PM
No, that's not intended. There's only a library to verify SAP Logon Tickets, externally - but none to create them.
The recommended way to enhance NetWeaver servers with new authentication mechanisms is to deploy new JAAS logon modules on a NWAS Java. The NWAS Java can then (after successful validation of the credential by the custom JAAS login module) create a SAP Logon Ticket - which can be validated by other components.
07-31-2007 2:12 PM
I agree. Even if you want to avoid direct access to the backend SAP Portal, the authentication still has to take place in a trusted environment.
There are ways to implement a user authentication for SSO outside an SAP system, but this would be via other mechanisms (e.g. certificates) - not via SAP logon tickets.