SSO with "SAP logon tickets" without using SAP NW AS JAVA

Former Member
0 Kudos

Hi

I am looking for a solution to use SSO with "SAP logon tickets" for SRM WebServices (ICM / ABAP)

we use

- SAP NW 7.0 ABAP (ECC and SRM)

- Apache

- IIS

- Active Directory

BUT

we do NOT use

- SAP EP

- SAP ITS

- SAP NW AS JAVA

is there a solution to generate "SAP logon tickets" from the ABAP Stack or IIS or ... or the best way for us - our own application ... ??

we plan to authenticate the user via Windows login to Windows Active Directory.

thanks for all ideas

best regards

roland dess

17 Replies

tim_alsop
Active Contributor
0 Kudos

Roland,

It is normal for SAP customers to install a Java engine to solve this problem so that they can implement a standard solution that is properly supported by SAP. Why don't you want to do this ?

It might be possible to use the SAP crypto library to generate an SSO2 ticket, and put some code which does this on a system outside of SAP landscape (e.g. on IIS or Apache server after authenticating user via integrated windows authentication) but I don't think any customer has done this - maybe the crypto toolkit only has the functionality to accept sso2 ticket and not issue them ? I am not sure on this.

Thanks,

Tim

Former Member
0 Kudos

Hi Tim

Thank you for your answer.

There are 2 "main"-reasons that we do not want to use SAP NW AS JAVA

1) every new SAP System means more administration and more resources (HW / DB / Software)

2) in our company we use the technique of tickets in other applications too - we generate the ticket in our own "tool" with authentication on Win AD.

Your answer on the technique of the SAP crypto lib ("... only has the functionality to accept sso2 ticket and not issue them...")

I think you're right!!

if we are able to generate the sap "logon ticket" in our own "tool" it would be the best solution for us.

we need the information about generating "sap logon tickets"!

who knows how to do this?

Thanks

Roland

tim_alsop
Active Contributor
0 Kudos

Roland,

I think you could use similar concept to that used by the External ITS product from SAP. With this product, the ITS AGATE software would use a secure RFC connection to ask the ABAP system to create an SSO2 ticket, which is then used by ITS for subsequent access, thus giving SSO. From this, it must be possible to request an SSO2 ticket over this secure channel, so maybe you can use same approach in your own code ?

Also, for Java - you don't need to install it on all systems, only on one (minimum). Then, the certificate used on this server for signing the SSO2 ticket can be trusted by all target ABAP systems that you want to logon to after authenticating.

Thanks,

Tim

Former Member
0 Kudos

Hi Tim

your answer is very good!!!

but let me say it in my own words ...

we have two opportunities

1) install ITS A-Gate

+ no database is used

+ WIN AD can be used to authenticate the user

- only available in SAP 6.40

- every backend (SRM) needs its own A-GATE

2) install SAP NW AS JAVA (no EP)

+ newest SAP technology (SAP 7.x and SPNego)

+ WIN AD can be used to authenticate the user

+ only one SAP AS JAVA needed

- a database/... has to be installed

2 Questions:

1) I do not know if in both opportunities the end-user is redirected to the webservice without another click. means ... only one click and the application starts???

2) All users - who will work with SAP Logon Ticket - are to be defined in the UME of the JAVA-system ???

greetings

Roland

tim_alsop
Active Contributor
0 Kudos

Roland,

I wasn't suggesting you use/install ITS AGATE - I just wanted to make it clear that the AGATE code can use SAP RFC to ask ABAP system for an SSO2 ticket. If this software is able to do this, then your software could do same. You would need to find out what function to call on SAP ABAP to issue the ticket, but from the fact that code already exists in AGATE software you must be able to do this in your own software. Is it clearer now ?

Answering your two questions:

1) yes, in both cases the user would open URL in browser and be redirected automatically to j2ee engine, get authenticated, and then redirected back to the ABAP engine - this all happens without any user involvement. In fact it happens so quickly the user will not even notice the redirection.

2) The Java system can be configured to use ABAP as user store, so no need to define users in both java engine and in abap system.

Thanks,

Tim

Former Member
0 Kudos

Hi Tim

it is clear now!!!

very good idea - I'll try to get the information on the RFC ...

but it will take a few days for me to do this.

some info to your answer 2 - use abap user-store ..

a person from SAP told me that a "double-stack" installation is not "highly recommended" by SAP. it will be supported but SAP's favorite is a standalone installation.

THANKS

Roland

tim_alsop
Active Contributor
0 Kudos

Roland,

Even with standalone install of j2ee engine the UME can be configured to use an ABAP user store on another system on network, but it is of course more efficient if it can access ABAP user store on same system, so dual-stack is preferred from this point of view.

I don't know why SAP would tell you that dual-stack is not recommended - never heard this before. It is very common from what I have seen, and many SAP customers I have worked with in past, use SAP J2ee engine in dual-stack mode.

Maybe SAP were suggesting that dual-stack will require more system resources since you will be running ABAP and JAVA on same host, so memory will be shared between them ? I cannot think of any other reason.

You also need to be aware that when you use the Java engine for this type of setup, it will only be utilised during the initial logon of the user, so resource usage will be low compared to running a java engine which might be hosting a portal or some other java application.

Keep us posted on what you find out regarding the RFC's

Thanks,

Tim

tim_alsop
Active Contributor
0 Kudos

Roland,

I wanted to highlight a requirement for you - when you send an rfc to ABAP to ask for an SSO2 ticket, since you are effectively saying "Please send me an SSO2 ticket for <this> user" this could be abused by an attacker, where they could send a request such as "Please send me an SSO2 ticket for <this user who is not me, but I want to logon as them> user" ... So, SAP have made SNC a requirement when sending this type of request, so it will only issue the SSO2 ticket when it trusts where the request comes from due to SNC authentication and security.

I hope this helps,

Tim

tim_alsop
Active Contributor
0 Kudos

Roland,

I did some research, and you will need to run the rfc called RfcGetTicket() and use GETSSO2=1 in the connect string.

Thanks,

Tim

WolfgangJanzen
Product and Topic Expert
0 Kudos

Hi Roland,

I'm sorry to have bad news for you:

- the NetWeaver Application Server ABAP (NWAS ABAP) does not support SPNEGO

- NWAS ABAP does also not allow to deploy own (custom) login modules

- there is no library which allows you to create SAP Logon Tickets (the library SAPSSOEXT only allows to validate SAP Logon Tickets)

As Tim has already mentioned the best (and recommended) way is to use a NWAS Java (either as part of a Double Stack installation or a standalone NWAS Java which is configured to use the NWAS ABAP as "ABAP reference system" (UME setting) - in order to be able to determine the proper "ABAP UserID" corresponding to the "Java username").

Notice: NWAS ABAP 7.x systems do no longer support an external ITS (6.20).

I'm actually not in favor of re-implementing the PAS solution (formerly provided by the external ITS) based on the SNC-protected RFC connection. It will take quite some effort to implement a solid solution - which afterwards you'll have to support yourself ...

Cheers, Wolfgang

0 Kudos

Hi Wolfgang

you wrote "there is no library which allows you to create SAP Logon Tickets"

... is there a possibility to create SAP Logon Tickets with our own application...??

... we need the information about the structure and the content of SAP Logon Tickets

this technique is our standard to work with SSO in our intranet ... (the user will be checked against Active Directory and a cookie is stored in the local browser ...)

the programmer generates tickets for different applications ... (IBM CICS, own written applications, etc...)

Thank you!

Roland

0 Kudos

Roland,

If it was possible for you or anybody to write some code to create an SSO2 ticket which was accepted by SAP, then this would create a security issue for SAP applications because the person who runs this code could (theoretically) logon to SAP as anybody they like... So, for trust and security issues SAP have designed their products so that only SAP software can issue SSO2 tickets.

The only options you have are to use the RFC method I mentioned, or (the preferred method) to use Java engine.

Thanks,

Tim

0 Kudos

> Hi Wolfgang

>

> you wrote "there is no library which allows you to create SAP Logon Tickets"

>

> ... is there a possibility to create SAP Logon Tickets with our own application...??

> ... we need the information about the structure and the content of SAP Logon Tickets

> Roland

When writing that "there is no library which allows you to create SAP Logon Tickets" I intended to express that there is no API (application programmers interface) - so the answer to your questions is "No".

> Roland,

>

> If it was possible for you or anybody to write some code to create an SSO2 ticket which was accepted by SAP, then this would create a security issue for SAP applications because the person who runs this code could (theoretically) logon to SAP as anybody they like... So, for trust and security issues SAP have designed their products so that only SAP software can issue SSO2 tickets.

>

> The only options you have are to use the RFC method I mentioned, or (the preferred method) to use Java engine.

>

> Thanks,

> Tim

There's nothing to add to Tim's statement. He already gave the reason why the creation of a token (SAP Logon Ticket) is restricted: only in exchange to valid credentials you can request to obtain a SAP Logon Ticket (therefore the name ...) - which is a kind of "receipt" (notice: faking receipts is considered a criminal act - at least when using those receipts in your tax declaration ...).

Former Member
0 Kudos

Roland,

have you considered the use of client certificates (X.509 certificates)?

This would not require the installation of a new SAP NW WebAS Java system.

And the use of X.509 certificates can be combined with authentication via Active Directory.

Best regards,

Peter

0 Kudos

Hallo

sorry for not posting - but I installed some systems to solve the problem.

now our system-landscape looks like this:

1) SAP Portal: the UME is the Windows Active Directory ... SSO to Portal works fine

2) we created an iView that redirects to SAP SRM - webgui ... SSO to SRM works fine

BUT we do not need webgui - we want to use the Service BBPSTART !!

Unfortunately I get the error "WPINTEGRATION.JS could not find SAPWF_sendSessInfo()"

I found note 1158297 which describes this problem.

There is a description :

You must have defined the BBPSTART service as a standalone link in EP (not as an iView).

???

My idea is that we redirect directly from the SAP Portal to BBPSTART - the application server from SRM - and it runs NOT in the portal.

Is this possible - and how can I define a service as a standalone link in EP (No iView) ??

Thanks

Roland

WolfgangJanzen
Product and Topic Expert
0 Kudos

> My idea is that we redirect directly from the SAP Portal to BBPSTART - the application server from SRM - and it runs NOT in the portal.

>

> Is this possible - and how can I define a service as a standalone link in EP (No iView) ??

>

> Thanks

> Roland

That's a Portal-specific question - you should post it in the Portal Forum (/community).

Former Member
0 Kudos

I posted the message in the portal forum

Thanks

Roland