"SSO" for non-sap web application using SAPGUI to browse?

I have a web application (non SAP) and the user base are also SAP users in an ABAP system.
To strengthen the authentication in the web app, I wanted to implement SSO
authentication as we pity the users for having to remember so many strong pw's and I
don't like LDAP based pw sync or other technology I don't understand, because then we are
just yet another application with the same pw...
We are having technical problems implementing SSO on the web app side, and are anyway a
bit sceptical about the user admin / role admin assignment if we get it to work.
So I have created a transaction in SAP which browses the web app and the intention is to
send the SAP sy-uname as the web app user. We can control this using s_tcode, and
an own auth object on the WAS side and a check on the session type before the connection is
established. In this sense we are dependent on the SAP concept implemented, but even so:
The role assignment is controlled in the web app itself -> so assume that I am not overly
worried about unauthorized access to the web application, as they would not have any
system role for it as their sy-uname does not exist. (In fact we can monitor this)
The browser on the front end is the SAPGUI with html controls on the SAP side.
I would be interested in knowing whether anyone else has experience with this approach, and
whether there are any areas to be careful of?
I would also like to know whether this is a strategic error?
Kind regards,
Julius

Hi Julius,
well, if that web application would run on the same ABAP backend system then the solution described in SAP Note 612670 (http://service.sap.com/~iron/fm/011000358700000431401997E/0612670) would be applicable:
a so-called "Re-entrance ticket" (based on the "SAP logon ticket" SSO proceedings) is issued, transported via the SAPGUI connection and back to the system via the invoked HTML control.
But for non-SAP web applications that does not help.
In that case only X.509 client certificates can be used for SSO. Actually, the web application could then also be invoked directly (independent from the SAPGUI session). The user is authenticated based on the X.509 client certificate - and not based on the ABAP userID (of the SAPGUI session).
Well, if you don't mind the effort you could also use the "SAP Logon Ticket evaluation library" (sapssoext, see SAP Note 304450, http://service.sap.com/~iron/fm/011000358700000431401997E/0304450) to evaluate the SAP logon ticket externally. You'll then need to have a "stub application" at the ABAP side that triggers the http redirect to your external web application. Not a nice solution but a possible one.
In the future SAML browser artifacts would be an option (preferable to integrate non-SAP applications). But currently that's not available (for NWAS ABAP).
Cheers, Wolfgang

Similar Messages

  • SSO FOR NON SAP APPLICATIONS

    SSO for non sap applications in EP on which siteminder sso is integrated
    Posted: Aug 28, 2006 7:09 AM
    Hi ,
    we have implemented Siteminder on SAP PORTAL 6 SP16 for authentication. I would like to integrate non sap application in Portal. I could not find any documentation for setting up non sap applications in portal on which siteminder external authentication is implemented.
    Can anybody help with getting a step by step document?
    diff rewards to be given

    Hi,
    if you have access to service.sap.com via S-User, you can download "SAP Enterprise Portal Security Guide" in the portal section. It has dedicated descriptions about SSO-Settings, also about netegrity.
    You can also search help.sap.com about "SSO" which gives you overview descriptions.
    On SAP Service Net, there is also a PDF "Integrating Security functions" in the Netweaver 2004s Portal section, where the description of the Java API for the PDK is included. This is very helpful for coding.

  • SSO for  non sap applications in EP on which siteminder sso is integrated

    Hi ,
    we have implemented Siteminder SSO on SAP PORTAL 6 SP16 for authentication. I would like to integrate non sap application in Portal. I could not find any documentation for setting up non sap applications in portal on which siteminder sso external authentication is implemented.
    Can anybody help with getting a step by step document?
    Thanks
    Tag

    Hi ,
    we have implemented Siteminder SSO on SAP PORTAL 6 SP16 for authentication. I would like to integrate non sap application in Portal. I could not find any documentation for setting up non sap applications in portal on which siteminder sso external authentication is implemented.
    Can anybody help with getting a step by step document?
    diff rewards to be given...
    Thanks
    Tag

  • Tutorial for Building Mobile Web Applications Using ADF/BC4J-problem

    This is the tutorial for:
    Develop a offline, Web-based Disconnected Mobile application
    Trying to create an offline mobile application using jdeveloper & oracle lite. I want to be able to update the home database after using the application in a disconnected fashion. I do not have a web site, nor is that a feasible option.
    Jdeveloper 10.1.3.4 which should be OK as it is higher than the release specified in the tutorial.
    webtogo
    oracle lite 10
    oracle 10.
    I have tried to follow the tutorial completely and I can not get this to connect from webtogo. It runs fine in the jdeveloper using the container. I created the war file, did the wtg packaging process, opened the mobile manager and published the application & granted access to user 'john'. The samples provided work fine. The new application appears on the webscreen after installing web 0c4j. When I click on it, the address toolbar shows:
    http://localhost/webtogo/bc4jtutorial/faces/CustomerOrders.jsp
    When it installed mobile client, it installed the CustomerOrders.jsp into:
    E:\mobileclient\mobile_client_oc4j\j2ee\mobileclient\applications\mobileclient\bc4jtutorial
    an example of the samples that work shows
    http://localhost/webtogo/sample6/list
    in the browser address line.
    Which looks like it's really
    E:\mobileclient\mobile_client_oc4j\j2ee\mobileclient\applications\mobileclient\samples\sample6
    on the file system
    Any one have any ideas? I'll take another solution if someone has found one. However, i am not a great java programmer so thought jdeveloper was great to create forms and access the database.
    Theo Korol
    [email protected]

    Hi,
    selecting a session bean, this option shows for me in 11.1.2. Make sure that - by accident - you don't select the local or remote interface class
    Frank

  • SSO to non SAP Application using SAP Logon Ticket

    Hi Experts,
    I Have EP 7 SP 15 using SPNego Wizard to SSO with Active Directory and SSO between EP and ECC using SAP Certificates.
    Now I have a demand to SSO some JAVA based applications (non SAP) to my portal using the SAP Logon Ticket.
    I have followed some blogs that directed me to use SAPSSOEXT (some libs) to read the MYSAPSSO2 cookie. The problem is that I didn't find this cookie; I even executed the command javascript:document to look for this cookie, but the browser just shows me the JSESSIONID info.
    Does anybody know where I can find this cookie or if there's a better way to set up this SSO? It's necessary to say that I cannot SSO these applications to the Kerberos protocol because of some security reasons at my company.
    Thanks
    Armando

    Hi,
    I don't have much related info, but I can give you a hint:
    refer to OSS Notes 442401 and 723896.
    When using SAP logon tickets for non-SAP applications, two different implementation options are available. The difference lies in where the ticket verification takes place.
    In the first case, the SAP logon ticket is submitted to the web server filter located on the web server. The web server filter verifies the portal server's public key certificate using its local Personal Security Environment (PSE) and then populates the HTTP header field with the user ID for SSO to the non-sap web application.
    In the second case,  the SAP logon ticket is sent to the non-SAP application, which then verifies it using the ticket verification DLL and submits the user ID to the application for SSO.
    You can refer following link :-
    http://help.sap.com/saphelp_nw70/helpdata/EN/89/6eb8deaf2f11d5993700508b6b8b11/frameset.htm
    user authentication and SSO
    http://help.sap.com/saphelp_nw70/helpdata/EN/8f/ae29411ab3db2be10000000a1550b0/frameset.htm
    Authentication Using a Directory with SSO Integration Using Logon Tickets
    http://help.sap.com/saphelp_nw70/helpdata/EN/f8/3b514ca29011d5bdeb006094191908/frameset.htm
    SSO
    SAP Logon Ticket-based Single Sign-On
    http://help.sap.com/saphelp_nwce10/helpdata/en/45/b6af743753003ae10000000a11466f/frameset.htm

  • SSO to Non-SAP using login-tickets

    Hi all,
    I'd like to set up an SSO connection to a non-SAP HTTP system by using the SSO web filter (iis_sso.dll) on IIS 5.0.
    I've created an iView (using the application integrator) with the URL template : http://<ip-address-host>:82/reqvars.asp?<Authentication> in which <Authentication> is MYSAPSSO2=<Request.SSO2Ticket>. The reqvar.asp page comes with the web filter as an example and displays all HTTP header fields. That way you can check whether the user-ID has been extracted successfully from the SAP logon ticket. However, I fail to get any value into the REMOTE_USER variable. The ISAPI filter (iss_sso) has been installed (global) successfully.
    I'm using the following settings in the verify.properties files:
    remote_user_alias = REMOTE_USER
    pse_file = C:\SSOFilter\verify.pse
    application = portal
    log_file = C:\SSOFilter\filter.log
    log_level = 3
    Remark: in the original example the remote_user_alias is set to REMOTE-USER: However, I feel this is wrong since the actual variable is REMOTE_USER. Also I have seen this one in another forum post as being a working properties file. Or should I use original value?
    No entries are being written to the log so I believe nothing is happening at all.
    The SSOFilter folder contains the following files:
    iis_sso.dll
    sapsecu.dll
    sapsecu.lib
    verify.properties
    verify.pse
    mfc71.dll, mfc71u.dll, msvcp71.dll, msvcr71.dll and sapsecin.exe
    This folder also has been added to the environmental PATH variable.
    Any suggestions would be highly appreciated (and rewarded),
    Frodo

    Hi,
    I don't have much related info, but I can give you a hint:
    refer to OSS Notes 442401 and 723896.
    When using SAP logon tickets for non-SAP applications, two different implementation options are available. The difference lies in where the ticket verification takes place.
    In the first case, the SAP logon ticket is submitted to the web server filter located on the web server. The web server filter verifies the portal server's public key certificate using its local Personal Security Environment (PSE) and then populates the HTTP header field with the user ID for SSO to the non-sap web application.
    In the second case,  the SAP logon ticket is sent to the non-SAP application, which then verifies it using the ticket verification DLL and submits the user ID to the application for SSO.
    You can refer following link :-
    http://help.sap.com/saphelp_nw70/helpdata/EN/89/6eb8deaf2f11d5993700508b6b8b11/frameset.htm
    user authentication and SSO
    http://help.sap.com/saphelp_nw70/helpdata/EN/8f/ae29411ab3db2be10000000a1550b0/frameset.htm
    Authentication Using a Directory with SSO Integration Using Logon Tickets
    http://help.sap.com/saphelp_nw70/helpdata/EN/f8/3b514ca29011d5bdeb006094191908/frameset.htm
    SSO
    SAP Logon Ticket-based Single Sign-On
    http://help.sap.com/saphelp_nwce10/helpdata/en/45/b6af743753003ae10000000a11466f/frameset.htm
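
Added example, not part of the thread and not SAP's filter code: a WSGI middleware sketch for the first option described above, where the web server filter puts the verified user ID into an HTTP header and the non-SAP application reads it. It assumes the filter runs on a front-end host (`FILTER_HOSTS`) and uses `remote_user_alias = REMOTE_USER`; `resolve_user`, `FilterUserMiddleware`, `APP_ROLES` and the sample users are hypothetical names. The header is accepted only from the filter host, and role assignment stays in the web app.

```python
import re

# Assumptions (not from the thread): the ticket-verifying filter runs on a
# front-end web server at FILTER_HOSTS and forwards requests to this app,
# and it sets the header configured as remote_user_alias = REMOTE_USER.
FILTER_HOSTS = {"10.0.0.5"}        # constructed address
# CGI-style environ keys upper-case the header name and turn "-" into "_",
# so REMOTE-USER and REMOTE_USER both arrive under this one key.
USER_KEY = "HTTP_REMOTE_USER"
# Assumed ID format: SAP user names are at most 12 characters long; the
# character set here is a deliberately narrow choice for the sketch.
SAP_USER_RE = re.compile(r"[A-Z0-9_]{1,12}")
# Role assignment stays in the web app (constructed sample users).
APP_ROLES = {"JULIUS": {"admin"}, "FRODO": {"viewer"}}


def resolve_user(environ):
    """Return (status, user, roles); trust the header only from the filter."""
    claimed = environ.pop(USER_KEY, None)   # never leave it for later code
    if environ.get("REMOTE_ADDR") not in FILTER_HOSTS:
        return "403 Forbidden", None, set()  # request bypassed the filter
    if not claimed:
        return "401 Unauthorized", None, set()  # filter set no user ID
    user = claimed.strip().upper()
    if not SAP_USER_RE.fullmatch(user):
        return "400 Bad Request", None, set()
    roles = APP_ROLES.get(user)
    if roles is None:
        return "403 Forbidden", user, set()  # valid ticket, no app role
    return "200 OK", user, roles


class FilterUserMiddleware:
    """WSGI middleware that hands the app a vetted user and its roles."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        status, user, roles = resolve_user(environ)
        if status != "200 OK":
            start_response(status, [("Content-Type", "text/plain")])
            return [status.encode()]
        environ["app.user"], environ["app.roles"] = user, roles
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {environ['app.user']}".encode()]


def call(remote_addr, header_value=None):
    """Drive the middleware with a constructed request; return (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "REMOTE_ADDR": remote_addr}
    if header_value is not None:
        environ[USER_KEY] = header_value
    seen = {}

    def start_response(status, headers):
        seen["status"] = status

    body = b"".join(FilterUserMiddleware(demo_app)(environ, start_response))
    return seen["status"], body.decode()
```

The front-end server should also drop any client-supplied copy of the header before the filter runs, so the value the application sees can only have been written by the filter.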

  • SSO from Non-SAP portal to EP

    Hi.
    We need SSO from Non-SAP portal to EP.
    The Non-SAP Portal has publish Form-based authentification.
    I mean userid&password set to URL.
    Then the EP can generate SAP Logon ticket to backend system?
    regards,

    How to Enable Single Sign-on with Non-SAP Web Application
    I have very good material collected for the same implement this.
    http://help.sap.com/saphelp_nw04/helpdata/en/12/9f244183bb8639e10000000a1550b0/content.htm
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a7b5ba90-0201-0010-4dbc-8f999dcd2798
    Cheers!!
    SJ.

  • SSO from non-SAP to SAP apps

    Hi All,
    Currently We have SAP applications, non-SAP applications(java, .NET, PHP etc) in our landscape.
    If the client tries to access any non-SAP application it should ask for authentication and thereby for any subsequent access to any URL's(SAP or NON-SAP apps) it should not ask for any authentication.
    FYI:
    The client logins into SAP Portal(SAP to NON-SAP) first and thereby able to achieve SSO for non-SAP applications as well.
    Currently we are stuck on the scenario of Non-SAP to SAP apps?
    Please suggest.......
    Thanks,
    Mano.

    Hi samuli,
    Using SPNEGO, we can incorporate windows authentication for SAP Portal ( after desktop authentication user can logon without userid/password). But for non-sap apps this would be challenge.
    I have another option, using webdispatcher if we enable server redirect for all applications(SAP & NON-SAP) and get authenticated centrally by which SSO can be achieved across all the apps.
    Would above solution work ?
    Thanks,
    Mano.

  • SSO to non SAP Application (ASP)

    We have followed the sample steps for SSO to non SAP Applications in ASP, but we're receiving the following results:
    Start SSO2TICKET main
    Version: SAPSSOEXT 2
    Ticket verifying failed. Return codes error=1 and ssf error=0
    Does anyone know what the problem is and how to solve it?
    Thanks!

    hi ive,
    You can refer to these links; these are some of the blogs that you can go through. It's useful.
    User Mapping-based Single Sign On,
    SAP Logon Ticket-based Single Sign-On
    regards
    bhargava

  • Web Server Filter Based SSO to Non-SAP Apps

    Hi,
    I am following SAP Note 442401 for configuring the Non-SAP App for Web Server Filter based SSO using SAP Logon Ticket. Also, I have downloaded the 5_0_2_8.zip file.
    The Readme doc of this zip file says:
    "Changes in Web server filter plugins
    The Web server filter plug ins and the Ticket Toolkit now were separated.
    See subdirectories for further information:
    "C"          the Ticket Toolkit
    "filter"     the Web server filter plug ins
    This is the last released version (5.0.2.8) on SAPSERV.
    Pleaser refer for newer versions to SAP Service Marketplace (http://service.sap.com/patches)
    Technology Components-> SAP SSOEXT -> SAP SSOEXT"
    Zip file has two folders named "C" and "filter".
    "C" folder has cpp code to verify the ticket.
    "Filter" folder has DLLs for the different web servers.
    So far so good . Now, what I want to know is that is placing the  DLL from the Filter folder onto the respective web server and doing some configs, as per the PDF provided with ZIP file, enough?
    Or do I need to do anything else, like writing any class to read and validate the Ticket?
    Thanks,
    Vivek

    See Web Server Filter Based SSO to Non-SAP Apps

  • SSO with SAP logon tickets to non-SAP web app

    I am trying to implement SSO to an oracle portal based web application using SAP logon tickets, but can't seem to find a way for it to work.  I thought maybe it would be a web server filter, but am unsure if this would work for oracle portal.  Anyone tried similar?
    Cindy

    Hi Cindy,
    If it is EP6 SP2 probably you can checkout the following document.
    http://service.sap.com/ep60
    Go to Documentation Help>How-To-Guides>Current How To Guides section.
    checkout the following how to guide.
    Perform Cross Domain SSO with SAP Logon tickets zip file.
    If you want the zip file please send an e-mail to
    [email protected]
    Regards
    -Venkat Malempati

  • SSO from SAPJ2EE to Non-SAP Java Applications

    Hello,
    does anybody know, if there is a newer version of MySapSsoSupport-0.5.tar.gz
    This enables Single Sign-On from SAP J2EE Engine/EP to Non-SAP Java Applications.
    Thanks in advance.
    Guenter

    Hi Guenther
    I am not aware of this MySapSsoSupport package. As far as I am aware the only supported scenarios for SSO to non-SAP Systems are listed here:
    http://help.sap.com/saphelp_nwpi71/helpdata/de/12/9f244183bb8639e10000000a1550b0/content.htm

  • Integrate 'External non-SAP Purchasing Application' with SAP SD for third party purchasing/ drop shipping?

    What is the best way to integrate 'External non-SAP Purchasing Application' with SAP SD for third party purchasing/ drop shipping?
    Details about expected process Flow.
    Receive PO from customer into SAP > SAP SD creates Sales Order > ?? SAP Integrate with External non-SAP Purchasing Application to trigger purchasing > External non-SAP Purchasing Application creates PO, Ships Material to Customer Ship to address (drop ship), Sends Shipping confirmation (FCR) & Invoices to SAP> ??Receive FCR and Invoice in SAP > ?? Initiate SAP Accounts Payable (Vendor Payments) and Accounts Receivable (Customer Invoice) > ?? Update SAP SD Sales Order with shipping status>
    Questions we need to answer;
      - How to achieve '??' steps from above process.
      - What type of Master Data we will need to configure (Say Materials Item Category, Type etc.)
      - Any standards options to configure SAP SD (Type of Sales Order)
      - We certainly don’t want to trigger SAP MM Purchasing (i.e. PR, PO etc.). How can we bypass it.
      - How to make statistical receipts against sales order line items so that SO status will be updated.
      - How to receive Invoice and FCR from External non-SAP app to trigger AP and AR transactions.
      - Are there any SAP standard configurations/ BAPIs/ BADIs available to achieve this integration.
    Any inputs on above questions are appreciable.
    Anand.

    This question is resolved. We ended up activating purchasing module and used purchasing documents PR/ PO to integrate with third party purchasing system.
    Anand.

  • License Keys for J2EE-Engine_ORA SAP Web Application Server.

    Hi Experts
    I have installed SAP Net Weaver 04 support release 1 > oracle JAVA System. I don't have an ABAP system on the same hardware, so I can't use the SLICENSE GUI transaction code. How do I generate the hardware key? I am performing the installation on Windows 2003 server.
    Now I want to add License Keys for J2EE-Engine_ORA SAP Web Application Server. So please give me the procedure for how to add a license key.
    Regards,
    Rahul

    Hi
    Go to Visual Administrator in the following path:
    <Your Server> --> Services --> Licensing Adapter to get the Hardware key, SID etc. Then apply for the license at
    https://service.sap.com/licensekeys
    Once you get the license from SAP, do the following
    ->Download the license  file to a local disk
    --> Start the Visual Administrator  Server --> Services --> Licensing Adapter
    --> Use the Install License From File button to upload the file
    --> Select the file with the downloaded license key
    --> Choose Open to continue
    After installation restart J2EE engine
    Thanks
    Prince Jose

  • Installation guide for SAP Web Application Server

    Hi guys
    I'm new to EP, can you tell me how to install SAP Web Application Server
    thanks
    regards
    kamal

    hi anup
    thanks
    In this, some commands are used, whether it is Unix or some other OS... Can you tell me some other answers also?
    Edited by: kamal_ep on Apr 7, 2009 8:12 AM
