
How to Provide Logon Ticket to non SAP (J2E) system (SAPSSOEXT)

0 Kudos

Hello Forum,

we need to provide SAP logon ticket to a non SAP, J2E based system in order to implement Single Sign On.

The external J2E system will use SAPSSOEXT to encrypt the ticket.

The external application will be called through a Web Dynpro application integrated in SAP Portal.

Since we also have to display some web content we would have to go with Exit Plugs, Call External Window or similar.

My question is: how, in the given situation, can the SAP logon ticket be provided to the partner system?

Ideally, the ICM should handle the task transparent to me?

But if not, what options do we have? I am thinking about, but not limited to:

- send http request by RFC destination, which has send logon ticket enabled (SM59). How is the ticket included in the request that way?

- extract the ticket with some public ABAP API and send it manually

- ...

Thanks in advance for any advice.

Carsten

6 REPLIES 6

Former Member
0 Kudos

Perhaps I am misunderstanding your requirement, but I don't think this is the intended scenario for logon tickets...

I think you might have licensing issues as well.

Have you looked into other authentication mechanisms?

Cheers,

Julius

Former Member
0 Kudos

The Logon Ticket is sent in a cookie called MYSAPSSO2. You just have to read the cookie and use the external library SAPSSOEXT to verify the logon ticket. This is perfectly legal and the way SAP intended it to be.

You also have to make sure that the user is first authenticated by SAP Portal (so he gets the logon ticket) and that the ticket is sent to the external application (via the correct DNS name).

SAP Logon Tickets are not very secure. Please make sure that they are only transported using encrypted links and that all users have up to date anti malware software on their systems.

0 Kudos

Thanks for your replies.

Yes this describes the solution we are looking for.

The partner already did some testing about SAPSSOEXT and is sure to go this way.

My question is, as the user logs on to the Portal and starts the Web Dynpro ABAP application, how do I make sure that the logon ticket is sent (via cookie) to the external system?

I mean this is not simply done by calling the URL via a Web Dynpro exit plug, correct?

Do we have to send a http request first? How to include the ticket, via a RFC destination?

Is there any solution to avoid the separated approach? Because I am not sure yet if the partner supports the two steps (send ticket, call URL).

Regards

Carsten

Edited by: Carsten Schoen-Schmidt on Jan 26, 2009 10:27 AM

Edited by: Carsten Schoen-Schmidt on Jan 26, 2009 10:29 AM

0 Kudos

The cookie is sent automatically by the browser. For example: Your SAP portal machine is called portal.example.com. After authentication, a cookie containing the logon ticket is issued for the domain .example.com . For all machines in this domain (e.g. server01.example.com) the browser sends the cookie automatically with each http request.
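The cookie scoping described in this reply can be checked with a short script. This is an added example, not part of the original post and not SAP code: it applies the RFC 6265 domain-matching rule to the MYSAPSSO2 cookie and shows how the receiving application would pull the ticket out of the Cookie header before handing it to SAPSSOEXT. The host names, the ticket value and the Secure attribute on the cookie are assumptions made for the example.

```javascript
// Added example: host names and ticket value are constructed, not from a real system.
const TICKET_COOKIE = "MYSAPSSO2";

// RFC 6265 section 5.1.3 domain matching; a leading dot in Domain is ignored.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  if (h === d) return true;
  // IP literals never suffix-match a cookie domain.
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(":");
  return !isIp && h.endsWith("." + d);
}

// Would a browser attach this cookie to a request for `url`?
function cookieSentTo(url, cookie) {
  const u = new URL(url);
  // A Secure cookie is withheld from plain-http requests.
  if (cookie.secure && u.protocol !== "https:") return false;
  return domainMatches(u.hostname, cookie.domain);
}

// Receiving side: extract the ticket from the raw Cookie request header.
// Splitting on the first "=" only keeps any "=" padding inside the value.
function extractLogonTicket(cookieHeader) {
  for (const pair of (cookieHeader || "").split(";")) {
    const eq = pair.indexOf("=");
    if (eq < 0) continue;
    if (pair.slice(0, eq).trim() === TICKET_COOKIE) {
      return pair.slice(eq + 1).trim() || null;
    }
  }
  return null;
}

// Cookie as issued by portal.example.com (Secure attribute is an assumption).
const ticketCookie = { name: TICKET_COOKIE, domain: ".example.com", secure: true };
const targets = [
  "https://server01.example.com/app", // same domain, encrypted
  "http://server01.example.com/app",  // same domain, unencrypted
  "https://partner.example.org/app",  // different domain
];
for (const t of targets) console.log(t, cookieSentTo(t, ticketCookie));
```

An external system hosted outside the cookie's domain never receives the ticket from the browser, so the DNS name under which it is reached decides whether this approach works at all.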

WolfgangJanzen
Product and Topic Expert
0 Kudos

>

> - send http request by RFC destination, which has send logon ticket enabled (SM59). How is the ticket included in the request that way?

> Carsten

That indicates that we are actually talking of "SAP (Authentication) Assertion Tickets" (and it discloses that you are using an ABAP system with SAP_BASIS release 6.40 or higher). Don't get confused by the wrong description in SM59: this is no SAP Logon Ticket but an Assertion Ticket.

If you are using NWAS 7.0 then you could also consider using Web Service calls and SAML Tokens for authentication. That would be much more appropriate when communicating with non-SAP components.

0 Kudos

Hello,

thanks for all your answers and sorry, I was some time on a different topic.

I also remembered (and looked it up) that there are different approaches to specify the logon method via a Portal iView.

Right now we consider two different solutions

1) Make the call in ABAP, via HTTP Request, e.g. with SM59.

2) Let the Portal iView make the request, using the authentication method provided by the linked System object.

We prefer 2 kind of for implementation reasons.

The Portal System object "http system", which we would use with the URL iView for example, offers different options like user/password (GET/POST), basic and so on.

Does any of these solutions transfer the "assertion ticket" automatically?

There is also the option custom authentication service. This has to be implemented via a Java Service on the Portal. Is such a service needed to implement the SAML/Web Service approach also?

Regards

Carsten