Former Member

BSP without logon?

Hello,

I have a request from a customer that they want to access the BSP application without a login.

I have recommended them against this, due to security, traceability, etc. but they still want to do it (for various reasons too long to get into here).

To make a long story short: they will get an email from workflow with a link to the BSP saying that they have a task to perform. They want to store userid and possibly password (preferably in Outlook) and thus not have to log on to the application.

BTW, they don't have LDAP, they don't want to use digital signatures.

Now, the question is:

1) Is there a way of accessing a BSP application without logging in to the Web AS?

2) Is it even possible to access, for instance, Outlook to get hold of user credentials?

Is it possible to validate against Exchange or Windows?

Regards,

Leif


2 Answers

  • Posted on Nov 06, 2003 at 07:34 PM

    Leif,

    First the warning: DO NOT RUN SERVICES AS PUBLIC. DO NOT DO THIS.

    Now that it has been said and done (the same as printing on a packet of cigarettes: smoking can kill you), let us get to work.

    You need to look at transaction SICF. Find exactly this BSP application, and *only* this BSP application, in the tree in front of you. Double-click the node, change, configure user name, password and client. The problem with this is that the BSP application will run under one user for all people. But this is what they want.

    Please read ICF documentation.

    2+3: "No" he says with confidence, without really being sure.

    regards, brian


  • Posted on Dec 30, 2003 at 07:56 PM

    Well, there is actually a way to achieve this:

    What your customer is looking for is a way to (automatically) log on users - also known as "single sign-on". In your case: using the Microsoft Windows network logon credentials (NTLM) for SSO.

    Since the NTLM authentication is a proprietary mechanism (which is only available for Microsoft platforms - on both, client and server side - and which currently only works with the Microsoft Internet Explorer) it is not available in the standard.

    However you can achieve such a solution using "PAS" (Pluggable Authentication Service) - see SAP note 358469. Notice: you require an ITS (Internet Transaction Server) for PAS.

    The basic idea is:

    use the ICF error handler routines (such as used to invoke the BSP SYSTEM application) to trigger an http redirect to the PAS service (instructing the PAS service to perform a 2nd http redirect back to the original URL after finishing the SSO job); all that (the two http redirects and the NTLM authentication) will be performed without the notice of the user.

    In contrast to SAP note 517860 you should enter the following redirect URL:

    http://its-host.domain.com:port/scripts/wgate/sapntauth?redirectPath=<%=PATHTRANS%>&redirectQS=<%=FORMFIELD%>&redirectHost=was-host.domain.com:port&redirectHttps=0

    (where you need to replace the hostnames, domains and ports accordingly, of course).

    Furthermore you should choose the option "without form fields" (instead of "form fields (base64)").

    Final remark:

    yes, this has been successfully installed by a customer, already.

    Cheers, Wolfgang

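
An added example, not part of the original answers and not SAP code: a Python check that takes a sapntauth redirect URL of the form given in the second answer, rebuilds the URL the browser would be sent back to, and rejects it unless the return host is the expected Web AS. The port numbers, the BSP path, the `wi_id` field, the allowlist and the way the target is assembled from the four parameters are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Hypothetical allowlist: the only Web AS host:port users may be returned to.
ALLOWED_RETURN_HOSTS = {"was-host.domain.com:8080"}
PARAMS = ("redirectPath", "redirectQS", "redirectHost", "redirectHttps")


def return_target(pas_url):
    """Rebuild and validate the URL the browser goes back to after the PAS step.

    Assumption: the target is scheme://redirectHost + redirectPath [+ ?redirectQS],
    where redirectHttps selects the scheme (0 = http, 1 = https).
    """
    parts = urlsplit(pas_url)
    if not parts.path.endswith("/sapntauth"):
        raise ValueError("not a sapntauth redirect")
    query = parse_qs(parts.query, keep_blank_values=True)
    values = {}
    for name in PARAMS:
        found = query.get(name, [])
        if len(found) != 1:  # a missing or repeated parameter is ambiguous
            raise ValueError(f"{name}: expected exactly one value, got {len(found)}")
        values[name] = found[0]
    host = values["redirectHost"].lower()
    if host not in ALLOWED_RETURN_HOSTS:
        raise ValueError(f"return host not allowed: {host}")
    if values["redirectHttps"] not in ("0", "1"):
        raise ValueError("redirectHttps must be 0 or 1")
    path = values["redirectPath"]
    # An absolute path keeps the host component of the rebuilt URL fixed.
    if not path.startswith("/") or path.startswith("//"):
        raise ValueError("redirectPath must be an absolute path on the Web AS")
    scheme = "https" if values["redirectHttps"] == "1" else "http"
    target = f"{scheme}://{host}{path}"
    if values["redirectQS"]:
        target += "?" + values["redirectQS"]
    return target


# Constructed sample with the placeholders already expanded; not from a real system.
SAMPLE = ("http://its-host.domain.com:8000/scripts/wgate/sapntauth"
          "?redirectPath=%2Fsap%2Fbc%2Fbsp%2Fsap%2Fzworkitem%2Fdefault.htm"
          "&redirectQS=wi_id%3D000000123456"
          "&redirectHost=was-host.domain.com:8080&redirectHttps=0")

if __name__ == "__main__":
    print(return_target(SAMPLE))
```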