Introduction
User Management
Single Sign-on
Conclusion
Portal Logon
Solution: SAP Logon Tickets, e.g. with SAP Enterprise Portal, SAP WebAS, ...
SAP
- Enterprise Portal / Web AS can use LDAP Directories as User Repository (User Persistence Store)
- Enterprise Portal provides SSO to SAP and MS backend systems using SAP Logon Tickets
- SAP provides a Directory Interface for User Management via LDAP
- mySAP HR can create / update users in LDAP Directories
- SAP user data can be synchronized with user data in LDAP Directories
(Diagram: Active Directory holds the user data. mySAP systems (mySAP HR, WebDynpro, CUA), a Java application on Web AS Java with the UME, 3rd-party applications and Microsoft-based applications with an ISAPI Filter all obtain SSO from the Active Directory authentication.)
(Diagram: user management flow. mySAP HR creates / modifies the directory users in Active Directory; Active Directory assigns groups and password and holds the user data; the CUA creates / synchronizes SAP ABAP users using the BC-LDAP-USR interface; WebDynpro and Java applications on Web AS Java read the user data through the UME.)
SAP AG 2004, MS ADS & SSO, Andre Fischer / Michael Sambeth / 11
mySAP HR LDAP interface
Goal
- Create / modify users in the directory server automatically from employee data stored in mySAP HR
Reason
- mySAP HR is the master system for (basic) employee data: first name, last name, employee number, manager, ...
- Optimize administration of users: reduction in operational costs, correctness of data, speed of the process
Restriction
- Export of data only (from mySAP HR to the directory)
Example directory entry attributes:
mail: andre.fischer@sap.com
memberOf: CN=Users,DC=MSCTSC,DC=SAP,DC=CORP;
CN=Domain Admins,CN=Users,DC=MSCTSC,DC=SAP,DC=CORP;
… CN=SAP Users,CN=Users,DC=MSCTSC,DC=SAP,DC=CORP;
(Diagram: SAP HR (>= 4.7) on WebAS (>= 6.10) connected to the LDAP directory)
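The export described above, written out as an added example (this is not code from the deck or from the BC-LDAP-USR interface): HR master data with the four attributes the slide lists is rendered as LDIF add requests. Two details matter when HR data flows into a directory unattended. Distinguished-name components must be escaped per RFC 4514, otherwise a surname containing a comma changes where the entry lands in the tree; and LDIF values that are not safe ASCII must be base64-encoded per RFC 2849. The `Employee` type, the CN convention and the base DN are constructed assumptions.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// Employee holds the basic HR master data the deck names as the directory
// export: first name, last name, employee number and manager. Constructed
// sample type; the field names are assumptions, not the BC-LDAP-USR schema.
type Employee struct {
	FirstName string
	LastName  string
	Number    string // employee number, used as the unique key
	Manager   string // employee number of the manager ("" if none)
}

// escapeDN escapes the characters RFC 4514 reserves in a DN attribute value,
// so a surname such as "Smith, Jr." cannot terminate the RDN early or push
// the entry to a different place in the tree.
func escapeDN(v string) string {
	rs := []rune(v)
	var b strings.Builder
	for i, r := range rs {
		switch {
		case strings.ContainsRune(`,+"\<>;=`, r):
			b.WriteRune('\\')
			b.WriteRune(r)
		case r == ' ' && (i == 0 || i == len(rs)-1):
			b.WriteString(`\20`)
		case r == '#' && i == 0:
			b.WriteString(`\#`)
		default:
			b.WriteRune(r)
		}
	}
	return b.String()
}

// ldifLine formats one attribute; a value that is not a SAFE-STRING under
// RFC 2849 (leading space/colon/'<', non-ASCII, control characters) is
// base64-encoded behind the "::" separator instead of being written raw.
func ldifLine(attr, val string) string {
	safe := val == "" || (val[0] != ' ' && val[0] != ':' && val[0] != '<')
	for i := 0; safe && i < len(val); i++ {
		if val[i] > 127 || val[i] < 32 {
			safe = false
		}
	}
	if safe {
		return attr + ": " + val
	}
	return attr + ":: " + base64.StdEncoding.EncodeToString([]byte(val))
}

// EmployeeDN builds the entry DN beneath the export base. The CN convention
// (first name + last name) is a constructed choice for this example.
func EmployeeDN(e Employee, base string) string {
	return "CN=" + escapeDN(e.FirstName+" "+e.LastName) + "," + base
}

// ExportLDIF renders one LDIF add request per employee, ordered by employee
// number. The manager attribute is only written when the manager is part of
// the same export, so the directory never receives a dangling reference.
func ExportLDIF(emps []Employee, base string) string {
	byNumber := make(map[string]Employee, len(emps))
	for _, e := range emps {
		byNumber[e.Number] = e
	}
	sorted := append([]Employee(nil), emps...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Number < sorted[j].Number })

	var out strings.Builder
	for _, e := range sorted {
		lines := []string{
			ldifLine("dn", EmployeeDN(e, base)),
			"changetype: add",
			"objectClass: user",
			ldifLine("cn", e.FirstName+" "+e.LastName),
			ldifLine("givenName", e.FirstName),
			ldifLine("sn", e.LastName),
			ldifLine("employeeNumber", e.Number),
		}
		if m, ok := byNumber[e.Manager]; ok && m.Number != e.Number {
			lines = append(lines, ldifLine("manager", EmployeeDN(m, base)))
		}
		out.WriteString(strings.Join(lines, "\n") + "\n\n")
	}
	return out.String()
}

func main() {
	// Constructed sample data; the base DN is a placeholder, not a real domain.
	base := "OU=Employees,DC=example,DC=corp"
	emps := []Employee{
		{"Anna", "Müller", "00001002", "00001001"},
		{"Max", "Smith, Jr.", "00001001", ""},
	}
	fmt.Print(ExportLDIF(emps, base))
}
```

Because the interface only exports, a rejected or malformed entry shows up on the directory side; validating DN and value encoding before the write is the cheap place to catch it.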
Active Directory - User administration
- Activate account
- Assign groups
- Perform additional administrative tasks ...
Architecture: User Management Engine
(Diagram: Portal Server. A user receives the roles that are assigned to the user directly or to the groups the user has been assigned to.)
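An added example of the role resolution the slide describes (not UME code, and not the deck's own): a user's effective roles are the union of roles assigned to the user and roles assigned to any group the user belongs to. Because Active Directory groups can themselves be members of groups, the membership chain has to be followed transitively, and a visited set keeps the walk finite when nesting is circular. The in-memory `Directory`, the role store and all DNs are constructed; the base DN is a placeholder.

```go
package main

import (
	"fmt"
	"sort"
)

// Directory is a constructed, in-memory stand-in for the part of Active
// Directory the UME reads: each principal's memberOf groups. Groups can be
// members of groups, so membership is transitive.
type Directory struct {
	MemberOf map[string][]string // principal DN -> DNs of groups it is a member of
}

// RoleStore holds portal role assignments keyed by principal DN (users and groups).
type RoleStore map[string][]string

// EffectiveRoles returns the roles the user holds directly plus the roles of
// every group reachable through the memberOf chain. The seen set makes the
// breadth-first walk safe against circular nesting. The result is sorted so
// two resolutions of the same user compare equal.
func EffectiveRoles(dir Directory, roles RoleStore, userDN string) []string {
	seen := map[string]bool{}
	set := map[string]bool{}
	queue := []string{userDN}
	for len(queue) > 0 {
		p := queue[0]
		queue = queue[1:]
		if seen[p] {
			continue
		}
		seen[p] = true
		for _, r := range roles[p] {
			set[r] = true
		}
		queue = append(queue, dir.MemberOf[p]...)
	}
	out := make([]string, 0, len(set))
	for r := range set {
		out = append(out, r)
	}
	sort.Strings(out)
	return out
}

// SampleDirectory builds the constructed example used by main and the test:
// the user is in "SAP Users", which is nested in "Portal Users", which is
// (deliberately) nested back in "SAP Users". The user is not in "Domain Admins".
func SampleDirectory() (Directory, RoleStore, string) {
	base := "CN=Users,DC=example,DC=corp" // placeholder base DN
	user := "CN=afischer," + base
	sapUsers := "CN=SAP Users," + base
	portalUsers := "CN=Portal Users," + base
	domainAdmins := "CN=Domain Admins," + base
	dir := Directory{MemberOf: map[string][]string{
		user:        {sapUsers},
		sapUsers:    {portalUsers},
		portalUsers: {sapUsers}, // circular nesting, constructed on purpose
	}}
	roles := RoleStore{
		user:         {"eu_role"},
		sapUsers:     {"sap_employee"},
		portalUsers:  {"portal_user"},
		domainAdmins: {"super_admin"},
	}
	return dir, roles, user
}

func main() {
	dir, roles, user := SampleDirectory()
	fmt.Println(EffectiveRoles(dir, roles, user))
}
```

Resolving roles this way makes the directory's group nesting part of the portal's authorization model: a change to group membership in Active Directory changes portal roles without any portal-side administration, which is the operational win and also the reason group membership changes deserve review.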
Overview: SAP LDAP user synchronisation
(Diagram: two variants. Left, for release 4.7 and higher: the SAP system connects directly to the LDAP server. Right, mandatory for 4.5 & 4.6 and optional for 4.7 and higher: the CUA on a WebAS connects to the LDAP server and distributes the users via ALE. In both variants the connection with the LDAP server is made through the RFC function modules 'LDAP_XXX'.)
Single Sign-on
- User authenticates once against a security system
- User is afterwards automatically authenticated to other systems
Authentication
- Initial check of user credentials (for example username/password)
Typical situation
- In a complex system landscape an employee has many user IDs with different passwords
- Different procedures for each system to roll out, reset and change new/existing passwords
- Users find continuous password changing for many systems annoying
Problems
- High administration cost and effort
- Security risk: users write passwords down and store them where they can easily be found
Limitations
- Multiple domains are now supported*. In this case an attribute that is unique in all domains has to be used as portal logon id (for example userPrincipalName)
- Can only be used in Intranet scenarios
Prerequisites
- User Persistence Store: Active Directory
- Authentication of users is delegated to the operating system
- User must enter his or her Windows authentication credentials
(Diagram: 1. Auth. against Active Directory, 2. Login at the portal.)
Typical scenarios
- Extranet scenarios
- Intranet scenarios where a second login using the same username / password should be used
- Microsoft Applications using SSO22KerbMap Module *
(Diagram: 1. Login at the SAP Enterprise Portal, 2. LDAP bind against Active Directory to check the credentials, 3. SAP Logon Ticket issued.)
Features:
- Account aggregation can be used if the external system does not support SAP logon tickets
- System is maintained in portal system landscape
- Portal components connect to the external system with the user's credentials (user ID and password), e.g. with SAP AppIntegrator
- Credentials submitted via HTTP GET Query String or HTTP POST body
- User mapping and credentials information are securely stored in the Portal Database
Conclusion:
- Seamless SSO technique such as SAP Logon Tickets is preferred
SSO – SAP Logon Tickets
(Diagram: Backend System holding the Portal Server's public-key certificate.)
Step 1: Verification of the digital signature provided with the SAP logon ticket.
Step 2: If the SAP User IDs of a portal user are not equal in all SAP backend systems, SSO via account aggregation has to be used.
(Diagram: after the initial logon the SAP Logon Ticket is presented to Web Dynpro, SAP Dynpro and BSP pages on the WebAS, to SAPGUI for HTML via the ITS, and to SAPGUI for Windows.)
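The trust model behind Step 1, as an added example rather than the deck's or SAP's code: the Portal Server signs a ticket with its private key, and each backend holds only the portal's public-key certificate, looks the issuer up among the certificates it has been configured to trust, verifies the signature, and only then checks the expiry and accepts the user ID. The ticket layout here (`user=...;issuer=...;exp=...`, base64 payload and signature joined by a dot) is a simplified stand-in for illustration and deliberately does not reproduce the real SAP Logon Ticket encoding; the function names and the issuer name `EP1` are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"strconv"
	"strings"
	"time"
)

// Ticket is a simplified stand-in for an SAP Logon Ticket: portal user ID,
// issuing system and expiry. Only the trust model is reproduced here.
type Ticket struct {
	User    string
	Issuer  string
	Expires time.Time
}

// encode serialises the ticket; the separators are rejected inside fields so
// a crafted user ID cannot inject a second "issuer=" or "exp=" entry.
func (t Ticket) encode() ([]byte, error) {
	if strings.ContainsAny(t.User+t.Issuer, ";=") {
		return nil, errors.New("field contains separator")
	}
	return []byte(fmt.Sprintf("user=%s;issuer=%s;exp=%d", t.User, t.Issuer, t.Expires.Unix())), nil
}

// NewPortal generates the Portal Server's RSA key pair and a self-signed
// certificate; the certificate is what gets imported into each backend.
func NewPortal(name string) (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, nil, err }
	tmpl := x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, &key.PublicKey, key)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// Issue is the portal side: sign the payload with the portal's private key and
// return "<payload>.<signature>", both base64, as a cookie value would be.
func Issue(t Ticket, key *rsa.PrivateKey) (string, error) {
	payload, err := t.encode()
	if err != nil { return "", err }
	h := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil { return "", err }
	return base64.StdEncoding.EncodeToString(payload) + "." + base64.StdEncoding.EncodeToString(sig), nil
}

// Verify is the backend side (Step 1 of the deck): parse the ticket, find the
// issuer among the configured portal certificates, verify the signature, then
// check the expiry. The user ID is returned only after all checks pass.
func Verify(cookie string, trusted map[string]*x509.Certificate, now time.Time) (string, error) {
	parts := strings.Split(cookie, ".")
	if len(parts) != 2 { return "", errors.New("malformed ticket") }
	payload, err := base64.StdEncoding.DecodeString(parts[0])
	if err != nil { return "", err }
	sig, err := base64.StdEncoding.DecodeString(parts[1])
	if err != nil { return "", err }
	fields := map[string]string{}
	for _, kv := range strings.Split(string(payload), ";") {
		p := strings.SplitN(kv, "=", 2)
		if len(p) != 2 { return "", errors.New("malformed payload") }
		fields[p[0]] = p[1]
	}
	cert, ok := trusted[fields["issuer"]]
	if !ok { return "", errors.New("issuer not trusted") }
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok { return "", errors.New("unsupported key type") }
	h := sha256.Sum256(payload)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return "", errors.New("signature invalid")
	}
	exp, err := strconv.ParseInt(fields["exp"], 10, 64)
	if err != nil || !now.Before(time.Unix(exp, 0)) {
		return "", errors.New("ticket expired")
	}
	return fields["user"], nil
}

func main() {
	key, cert, err := NewPortal("EP1") // constructed issuer name
	if err != nil { panic(err) }
	trusted := map[string]*x509.Certificate{"EP1": cert}
	now := time.Now()
	cookie, _ := Issue(Ticket{User: "afischer", Issuer: "EP1", Expires: now.Add(8 * time.Hour)}, key)
	fmt.Println(Verify(cookie, trusted, now))
}
```

The order of checks is the point: the issuer lookup happens before any cryptography, so a ticket naming an unknown issuer is rejected without consulting a key, and the signature is verified before the expiry or user fields are believed, so nothing in the payload is trusted until it is known to come from a configured portal.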
Shared Library
- Dynamic Link Library for verifying SSO Tickets in third-party software
- Native support of SSO using SAP Logon Tickets for applications written in C, Visual Basic
- SAP provides C samples
Java Classes
- Java Classes provided by SAP
- Operating system independent
- Javadoc on SDN contains Java samples
Goal:
- Use of Kerberos for authentication on MS backend servers
Problem:
- Kerberos does not work well across the Internet (firewall config)
- Windows integrated authentication can only be used in intranet scenarios (firewall config, trusted domains)
- To perform Kerberos on a client's behalf the server needs to have the client's primary credentials (RFC 1510): the client's password OR the client's ticket granting ticket (TGT) and the corresponding session key
- But the Windows Server must NOT know the client's password, which would be a severe breach of trust
(Diagram: constrained delegation with ADS 2003. Applicable where Kerberos would not work natively, e.g. over the Internet; manageability / constraints; authentication on behalf of an end user. Flow: 1. the Windows client (IE) sends the SAP Logon Ticket over HTTP(S) to IIS 6; 2. the SSO22KerbMap Module checks the SAP Logon Ticket; 3. a Kerberos ticket is obtained on the user's behalf; 4. impersonation towards the backend application. Sample configuration in ADS for Outlook Web Access: the client in the extranet reaches the Exchange Frontend Server through the firewall; the Frontend Server uses passthrough authentication and impersonation towards the Exchange Backend Server(s) in the intranet, with a Global catalog server.)
* German localization
Summary
- Authentication to backend: Microsoft S4U2 Kerberos Extensions