
"SSO" for non-sap web application using SAPGUI to browse?

Answers: 9
I have a web application (non-SAP), and the users are also SAP users in an ABAP system.
To strengthen the authentication in the web app, I wanted to implement SSO
authentication, as we pity the users for having to remember so many strong pw's, and I
don't like LDAP-based pw sync or other technology I don't understand, because then we are
just yet another application with the same pw...
We are having technical problems implementing SSO on the web app side, and are anyway a
bit sceptical about the user admin / role admin assignment if we get it to work.
So I have created a transaction in SAP which browses the web app, and the intention is to
send the SAP sy-uname as the web app user. We can control this using s_tcode,
our own auth object on the WAS side and a check on the session type before the connection is
established. In this sense we are dependent on the SAP concept implemented, but even so:
The role assignment is controlled in the web app itself -> so assume that I am not overly
worried about unauthorized access to the web application, as they would not have any
system role for it, because their sy-uname does not exist. (In fact we can monitor this.)
The browser on the front end is the SAPGUI with HTML controls on the SAP side.
I would be interested in knowing whether anyone else has experience with this approach, and
whether there are any areas to be careful of.
I would also like to know whether this is a strategic error.
Kind regards,
Julius
Best answer: Hi Julius,
well, if that web application ran on the same ABAP backend system, then the solution described in <a href="http://service.sap.com/~iron/fm/011000358700000431401997E/0612670">SAP Note 612670</a> would be applicable:
a so-called "re-entrance ticket" (based on the "SAP logon ticket" SSO proceedings) is issued, transported via the SAPGUI connection, and passed back to the system via the invoked HTML control.
But for non-SAP web applications that does not help.
In that case only X.509 client certificates can be used for SSO. Actually, the web application could then also be invoked directly (independent of the SAPGUI session). The user is authenticated based on the X.509 client certificate, and not based on the ABAP user ID (of the SAPGUI session).
Well, if you don't mind the effort, you could also use the "SAP Logon Ticket evaluation library" (sapssoext, see <a href="http://service.sap.com/~iron/fm/011000358700000431401997E/0304450">SAP Note 304450</a>) to evaluate the SAP logon ticket externally. You'll then need to have a "stub application" on the ABAP side that triggers the HTTP redirect to your external web application. Not a nice solution, but a possible one.
In the future, SAML browser artifacts would be an option (preferable for integrating non-SAP applications). But currently that's not available (for NWAS ABAP).
Cheers, Wolfgang
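The difference between the two designs in this thread, as an added illustration that is not part of Julius's post, Wolfgang's answer or any SAP code: the question's approach passes sy-uname to the web app as a plain value, which any client that can reach the URL can forge, while the answer's "stub application plus external ticket evaluation" pattern has the issuing side sign an assertion that the web app verifies itself. The ticket format below is a generic HMAC-signed, base64-encoded JSON payload constructed for this demo; it is not the SAP logon ticket (MYSAPSSO2) format, does not use the sapssoext library, and uses a shared secret where a real logon ticket is verified against the issuing system's public key. The issuer and audience strings are assumptions.

```python
"""Generic signed-ticket pattern standing in for 'stub app -> redirect -> external
ticket check'. Constructed demo; NOT the SAP logon ticket format or sapssoext API."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Shared secret between the issuing "stub application" and the external web app.
# Assumption for this demo only: a real logon ticket carries an asymmetric
# signature that the web app checks with the issuer's public key, not a shared key.
TICKET_KEY = b"demo-only-shared-secret-replace-me"
TICKET_LIFETIME_SECONDS = 300


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_ticket(user: str, issuer: str, audience: str,
                 now: Optional[float] = None, key: bytes = TICKET_KEY) -> str:
    """Stub-application side: bind the asserted user to the issuing system, the
    target web app and a short validity window, then sign the whole payload."""
    now = time.time() if now is None else now
    payload = {
        "sub": user,      # the ABAP user id (sy-uname) being asserted
        "iss": issuer,    # issuing system, e.g. "<SID>/<client>" (assumed naming)
        "aud": audience,  # the web application this ticket is meant for
        "iat": int(now),
        "exp": int(now) + TICKET_LIFETIME_SECONDS,
    }
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    sig = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_ticket(ticket: str, expected_issuer: str, expected_audience: str,
                  now: Optional[float] = None, key: bytes = TICKET_KEY) -> Optional[str]:
    """Web-app side (the job sapssoext does for real logon tickets): return the
    asserted user only if signature, issuer, audience and validity window all hold."""
    now = time.time() if now is None else now
    try:
        body, sig_text = ticket.split(".", 1)
        expected_sig = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        # Constant-time comparison; check the signature before parsing anything.
        if not hmac.compare_digest(_unb64(sig_text), expected_sig):
            return None
        payload = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if payload.get("iss") != expected_issuer or payload.get("aud") != expected_audience:
        return None
    if not (payload.get("iat", 0) <= now < payload.get("exp", 0)):
        return None
    return payload.get("sub")


def tamper_user(ticket: str, new_user: str) -> str:
    """Attacker move: rewrite the asserted user but keep the original signature."""
    body, sig_text = ticket.split(".", 1)
    payload = json.loads(_unb64(body))
    payload["sub"] = new_user
    forged_body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    return f"{forged_body}.{sig_text}"


def naive_login(query_params: dict) -> str:
    """What the question proposes: trust a user name handed over by the SAPGUI-hosted
    browser. Anyone who can reach the URL can present any user name they like."""
    return query_params["user"]


if __name__ == "__main__":
    t0 = 1_700_000_000
    ticket = issue_ticket("JULIUS", "PRD/100", "webapp", now=t0)
    print("valid:   ", verify_ticket(ticket, "PRD/100", "webapp", now=t0 + 60))
    print("forged:  ", verify_ticket(tamper_user(ticket, "ADMIN"), "PRD/100", "webapp", now=t0 + 60))
    print("expired: ", verify_ticket(ticket, "PRD/100", "webapp", now=t0 + 600))
    print("naive:   ", naive_login({"user": "ADMIN"}))
```

The web app still maps the asserted user to its own roles, as Julius describes; what the ticket adds is that the assertion cannot be minted or altered by whoever controls the browser, which a bare sy-uname parameter cannot guarantee.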