
user external authentication

Former Member
0 Kudos

hello,

I have read documentation about the technique for SSO to enable authentication between SAP and non-SAP systems but I didn't find a solution for our problem.

We seek a way to authenticate external SAP users. We have two SAP systems (ERP and BI) and other non-SAP systems and we want users to authenticate once.

For this reason we are interested in any other authentication mechanisms (e.g. HTTP authentication header, or otherwise) which make programmatic authentication possible (from an external application, most likely written in .NET). We need to access the web interface for BI and ERP without the need for additional licenses (such as SAP Enterprise Portal).

Please help me with a solution.

Thank you

1 ACCEPTED SOLUTION

martin_voros
Active Contributor
0 Kudos

Hi,

for web based only access you could try to use SAML. Your possibilities depend on what version you are on. Another approach is to use SAP logon tickets. These are just digitally signed cookies. Every application server checks the validity of the cookie and if everything is OK it authenticates the user. There is a standard library from SAP that allows you to validate the cookie. So you could use the same authentication method on your custom portal.

Cheers

10 REPLIES 10

Former Member
0 Kudos

You can implement SSO through logon tickets or SNC between ECC and BW and other non-SAP applications.

0 Kudos

Thank you all for the answers. Version is not a problem (last version). I studied the solution with SAP logon tickets, but don't we need to implement SAP EP? The client does not wish to pay for other licenses, so we cannot buy SAP EP. If we can implement the solution with SAP Logon Tickets without using SAP EP, please give me more details.

Thank you very much for help.

0 Kudos

No, every application server can generate SSO cookie. Check parameters login/accept_sso2_ticket and login/create_sso2_ticket. For example user could authenticate against ECC, that would give him a valid ticket which will be accepted by BI system.

Cheers

0 Kudos

So, let me introduce our scenario: We have a web application that will authenticate the user; the next window will have four icons, one for each system (ERP, BI and two other non-SAP systems). The user will be able to connect to any of those four systems without entering a username and password any longer.

I insist on this because all the documentation I read specifies the need for SAP EP for the SAP Logon Tickets SSO process.

Can we use SAP Logon Tickets in our scenario?

What other solution is also suitable for our scenario?

What solution do you recommend to us?

thank you for help

0 Kudos

Hi,

it's more complicated. First, I will tell you how it works with SAP Portal. A user authenticates against the portal and gets a logon ticket. The back end systems are configured so that they accept only tickets signed by the portal. So when the user is pointed to a backend system it checks the ticket and if everything is fine the user gets authenticated.

So you could try to replicate this set up with your portal. The problem is that I don't know if there is a library for generating logon tickets. So you would have to figure out format of SAP logon tickets.

SAP provides a library that can be used to verify SAP logon tickets. So you could use the following approach. You would create a dummy service on ECC box that would require authentication. After authentication it would generate a logon ticket and redirect user to the portal. You would implement a custom logon procedure on your portal. You would just read a logon ticket (browser cookie) generated by ECC and verify it using SAP library. If everything is OK the user would get logged to portal. You would also configure BI system to accept tickets from ECC. It has some disadvantages. For example user needs to have direct access to ECC box but this could be solved using web dispatcher. Basically, you would set up ECC as an identity provider in SAML terminology.

As you can see I ignored non-SAP systems because it really depends on what you can do with them. As I said there is a library from SAP for verifying SAP logon tickets. So you can create a custom logon procedure for all these systems.

So to summarize it. Answer for the first question is maybe. Using SAML instead of proprietary SAP logon tickets might be more suitable. Other options could be to use proxies to do some translations between various formats. It's really hard to recommend anything without additional information.

Cheers
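
The custom logon procedure described in the post above, as an added example (not SAP's code and not from the thread): the portal reads the ticket cookie, checks the signature, accepts only a trusted issuer and rejects expired tickets. The ticket layout, the HMAC signature, the key and the issuer list are constructed stand-ins; a real SAP logon ticket is a public-key-signed format that has to be checked with SAP's verification library.

```python
import base64, hashlib, hmac, json, time
from http.cookies import CookieError, SimpleCookie

COOKIE_NAME = "MYSAPSSO2"            # cookie name SAP uses for logon tickets
TRUSTED_ISSUERS = {("ECC", "100")}   # assumed SID/client of the issuing system
DEMO_KEY = b"constructed-demo-key"   # stand-in for the issuer's signing key


def _sign(body: bytes) -> str:
    # Stand-in only: real tickets carry a public-key signature, not an HMAC.
    return hmac.new(DEMO_KEY, body, hashlib.sha256).hexdigest()


def issue_demo_ticket(user, sid, client, not_after):
    """Build a constructed ticket: base64url(JSON claims) + '.' + signature."""
    claims = {"user": user, "sid": sid, "client": client, "exp": not_after}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return body.decode() + "." + _sign(body)


def authenticate(cookie_header, now=None):
    """Return the user name carried by a valid ticket, or None (fail closed)."""
    now = time.time() if now is None else now
    try:
        morsel = SimpleCookie(cookie_header).get(COOKIE_NAME)
        if morsel is None:
            return None
        body, _, sig = morsel.value.partition(".")
        # 1. Signature first: never read claims from an unverified ticket.
        if not hmac.compare_digest(_sign(body.encode()), sig):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
        # 2. Accept only tickets issued by a system that is explicitly trusted.
        if (claims["sid"], claims["client"]) not in TRUSTED_ISSUERS:
            return None
        # 3. Reject tickets past their validity period.
        if now >= claims["exp"]:
            return None
        return claims["user"]
    except (ValueError, KeyError, TypeError, CookieError):
        return None
```
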

0 Kudos

Hi,

Thanks for the solutions and explanation. Your help is very useful to me.

I found something about PAS: "Pluggable Authentication Services (PAS) allows SAP user to be authenticated outside of SAP. When the user is authenticated by an external service, the PAS will issue an SAP Logon Ticket or x.509 Certificate which will be used for future authentication into SAP systems. The PAS is generally regarded as an opportunity for companies to either use a new external authentication system or an existing external authentication system. In some cases, the PAS is used with an external single sign-on system that uses SAP Logon Tickets or x.509 certificates." Can PAS help us? If yes, how?

Can you please give me more details about using SAML in our scenario?

Thank you again for help

0 Kudos

PAS allows you to implement your own authentication mechanism. Basically, the same thing that you would have to do in your non-SAP systems if you decided to go with SAP logon tickets. It's available only for the Java stack. So if you go with SAP logon tickets then it's not going to be helpful.

SAML is an open standard and you could use it as a replacement for proprietary SAP logon tickets. It's supported by many vendors. You have to check what version is supported on your system. More info about SAML can be easily found on the net. I would start with Wikipedia.

Cheers

Martin

0 Kudos

Thank you very much for all answers.

I studied the problem and what I need now is a programmatic way (.NET connector or other library) by which we can get a ticket, which will be added to the current session as a cookie. Once the cookie is added in the HTTP header, links in the page to SAP applications will be accessed directly with the user already authenticated.

I looked for sample code or something, but I found just this topic, where things are not very clear and the article remembered there cannot be opened anymore.

Please help me with this.

Thank you,

Raluca

Edited by: Raluca Gidei on Jul 7, 2011 10:16 AM

0 Kudos

Thank you for all answers. We solved the problem configuring SSO with SAP Logon Tickets (using EP) for SAP systems, and we are still working for issue tickets for non-SAP applic.