SAP NetWeaver Application Server authenticates users with a user ID and password. It then issues an SAP Logon Ticket that is stored in the user's browser and allows single sign-on to other applications. The ticket contains information like user ID, validity dates, and issuing system. SAP provides tools to enable single sign-on using logon tickets with other identity management platforms, web applications, and non-SAP Java environments.
How Does It Work
User requests access to a resource on SAP NetWeaver Application Server.
Resource requires authentication.
SAP NetWeaver Application Server authenticates the user, for example with user ID and password.
SAP NetWeaver Application Server issues an SAP Logon Ticket to the user.
The SAP Logon Ticket is stored in the user's browser as a non-persistent HTTP cookie.
When the user authenticates with another application, the user's client presents the SAP Logon Ticket.
Composition
User ID
Validity date(s)
Issuing system
Digital signature
Authentication method
Notable Properties
Below is a short list of important properties of SAP NetWeaver Application Server Java for SAP Logon Tickets.[2]
login.ticket_client - a three-character numeric string used to indicate the client that is written into the SAP logon ticket
login.ticket_lifetime - indicates the validity period of the ticket in hours and minutes (i.e., HH:MM)
login.ticket_portalid - yes/no/auto for writing the portal ID into the ticket
ume.login.mdc.hosts - enables SAP NetWeaver Application Server Java to request logon tickets from hosts outside the portal domain
ume.logon.httponlycookie - true/false for protection against malicious client-side script code such as JavaScript
ume.logon.security.enforce_secure_cookie - enforces SSL communication
ume.logon.security.relax_domain.level - relaxes the subdomains for which the SAP logon ticket is valid
Single Sign-On
SAP Logon Tickets can be used for single sign-on through the SAP Enterprise Portal. SAP provides a Web Server Filter that can be used for authentication via an HTTP header variable, and a Dynamic Link Library for verifying SSO tickets in third-party software, which can be used to provide native support for SAP Logon Tickets in applications written in C or Java.
Web Server Filter
The filter is available from SAP Enterprise Portal 5.0 onwards. Leveraging the filter for single sign-on requires that the web-based application support HTTP header variable authentication. The filter authenticates the logon ticket by using the enterprise portal's digital certificate. After authentication, the user's name is extracted from the logon ticket and written into the HTTP header. Additional configuration of the HTTP header variable can be done in the filter's configuration file (i.e., remote_user_alias).
Integration with Identity & Access Management Platforms
Tivoli Access Manager has developed an authentication service compatible with SAP Logon Tickets.[3]
Sun ONE Identity has developed a solution where companies can use the SAP Internet Transaction Server (ITS 2.0) and SAP Pluggable Authentication Service (PAS) for integration with SAP for single sign-on. This method uses logon tickets for single sign-on and the SAPCRYPTOLIB (SAP encryption library) for SAP server-to-server encryption. Sun's solution utilizes the dynamic libraries (DLL) external authentication method.[4]
IBM Lotus Domino can be used as a technical ticket verifier component.[5]
Availability
Windows, Microsoft Internet Information Server
Apache HTTP Server, iPlanet Web Server
Dynamic Link Library
SAP provides Java and C sample files that give some hints on how the library can be integrated into the source code of a high-level programming language such as Visual Basic, C or Java.
Single Sign-On to Microsoft Web Applications
Microsoft web-based applications usually only support the authentication methods basic authentication or Windows integrated authentication (Kerberos) provided by the Internet Information Server. However, Kerberos does not work well over the internet due to the typical configuration of client-side firewalls, so SSO to Microsoft backend systems in extranet scenarios is limited to the user ID/password mechanism. Based on the new feature called protocol transition using constrained delegation, SAP developed the SSO22KerbMap Module. This new ISAPI filter requests a constrained Kerberos ticket for users identified by a valid SAP Logon Ticket, which can then be used for SSO to Microsoft web-based applications in the back end.[6]
Single Sign-On to Non-SAP Java Environments
It is possible to use SAP Logon Tickets in a non-SAP Java environment with minor custom coding.[7][8]