For several internet-facing applications based on SAP and non-SAP, I am looking at the possibility of using an authentication as a service provider to provide a common user repository and logon behaviour.
The internet-facing SAP systems will all be Java AS based.
In an authentication as a service scenario the third party would perform the authentication of the user (at least the more secure second factor authentication). The result of this authentication will of course have to be passed back to the SAP JAVA AS system, which will have defined a trust towards the third party authentication as a service provider.
I am currently looking at which standards of authentication result tokens are supported by SAP JAVA AS.
(A lot is possible through the implementation of custom JAAS login modules, but support is important in this scenario.)
I assume that SAML Assertions (http://help.sap.com/saphelp_nw04/helpdata/en/94/695b3ebd564644e10000000a114084/frameset.htm) are the way to go, but can other tokens also be used?
For example, OpenID/OAuth can probably be implemented, but I am not sure if this is supported.
Also, if anyone else has experience with authentication as a service and SAP systems, I would love to hear more about your solution architecture.