Purpose
The Single Sign-On (SSO) mechanism with user name and password provides an alternative
for applications that cannot accept and verify SAP logon tickets. With this mechanism the
Portal Server uses user mapping information maintained by users or administrators to give
the portal user access to external systems: the portal components connect to the external
system with the mapped user's credentials.
Because the user ID and password themselves are sent across the network on every such
connection, use an encrypted transport such as Secure Sockets Layer (SSL), or its successor
TLS, between the Portal Server and the external system; otherwise the credentials can be
read by anyone on the network path.
Single Sign-On to non-SAP systems via a Java iView developed specifically for the customer
The system must be defined in the system landscape. Go to System Administration → System Configuration → System Landscape → Create a System Object.
The administrator or user must map the portal user to a user in the target system. Go to User Administration → User Mapping (administrator) or Personalize → User Mapping (user), select the system name, and enter the user ID and password for that system.
Single Sign-On with SAP Logon Tickets
Purpose
SAP logon tickets represent the user credentials. The Portal Server issues a logon ticket to a
user after successful initial authentication. The logon ticket itself is stored as a cookie on the
client and is sent with each request of that client. It can then be used by external applications
such as SAP systems to authenticate the portal user to those external applications without
any further user logons being required.
SAP logon tickets contain information about the authenticated user. They do not contain any
passwords. Specifically, logon tickets contain the following items:
- Portal user ID and one mapped user ID for external applications
- Authentication scheme
- Validity period
- Information identifying the issuing system
- Digital signature
Technically, SSO with SAP logon tickets works as follows:
1. The first time the Portal Server is started, it generates a cryptographic key pair. The
private part of this key is used for ticket generation (for the digital signature).
2. Once the user has been successfully authenticated in the portal, the Portal Server
issues a logon ticket to the user. This logon ticket is stored as a non-persistent cookie
in the browser on the client.
3. Each time the user tries to access an external system from the portal, the Portal Server
sends the logon ticket with the request to the external system.
4. The external system checks that the logon ticket is valid by verifying the digital
signature of the Portal Server. It uses the public key contained in the Portal Server's
digital certificate to do this, so that certificate must have been imported into the
external system and marked as trusted beforehand; a ticket signed by any other key is
rejected, as is a ticket whose validity period has passed.
5. If the logon ticket is valid, the external system extracts the user ID for that system from
the logon ticket.
6. The user is logged on to the external system without having to enter his or her user ID
and password.
The Portal Server issues an SAP logon ticket for its own Internet domain or a sub-domain
of it only, because the browser presents the cookie only to hosts within the domain it was
set for; external systems that should accept the ticket must therefore be reachable under
that domain. Note that the ticket is a bearer credential: whoever holds the cookie can use
it until it expires, so it should only travel over SSL/TLS and its lifetime should be kept
as short as the use case allows.
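The following Go program is an added example that walks through steps 1 to 6 above with a deliberately simplified ticket; it is not SAP's code and does not reproduce the real MYSAPSSO2 cookie encoding. It assumes a JSON body signed with Ed25519 (the real tickets use X.509-based signatures), hypothetical host names portal.example.com and rogue.example.net, and constructed user IDs. The Portal Server side generates the key pair and signs a ticket carrying exactly the items listed above; the external-system side looks up the issuer's public key among the keys it trusts, verifies the signature, checks the validity period and only then releases the mapped user ID. The main function also shows the three ways a ticket is rejected: a body altered after signing, a ticket past its expiry, and a ticket signed by an issuer the external system does not trust.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// TicketBody carries the items the text lists for a logon ticket. The JSON +
// Ed25519 encoding is an assumption for this example, not the real cookie format.
type TicketBody struct {
	PortalUser string `json:"portal_user"`
	MappedUser string `json:"mapped_user"` // user ID in the external system
	AuthScheme string `json:"auth_scheme"`
	NotBefore  int64  `json:"nbf"` // validity period, Unix seconds
	NotAfter   int64  `json:"exp"`
	Issuer     string `json:"iss"` // identifies the issuing Portal Server
}

// Issuer models the Portal Server: it owns the key pair from step 1 and signs with the private half.
type Issuer struct {
	Name string
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func NewIssuer(name string) (*Issuer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{Name: name, priv: priv, pub: pub}, nil
}

// IssueTicket is step 2: sign the body and return the cookie value as base64url(body).base64url(sig).
func (is *Issuer) IssueTicket(portalUser, mappedUser, scheme string, now time.Time, lifetime time.Duration) (string, error) {
	body := TicketBody{PortalUser: portalUser, MappedUser: mappedUser, AuthScheme: scheme,
		NotBefore: now.Unix(), NotAfter: now.Add(lifetime).Unix(), Issuer: is.Name}
	raw, err := json.Marshal(body)
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	return enc.EncodeToString(raw) + "." + enc.EncodeToString(ed25519.Sign(is.priv, raw)), nil
}

// Verifier models the external system. It trusts only public keys handed to it out of band
// (the imported Portal Server certificate in the text), never a key found inside a ticket.
type Verifier struct {
	trusted map[string]ed25519.PublicKey // issuer name -> public key
}

func NewVerifier(issuers ...*Issuer) *Verifier {
	v := &Verifier{trusted: map[string]ed25519.PublicKey{}}
	for _, is := range issuers {
		v.trusted[is.Name] = is.pub
	}
	return v
}

var (
	ErrMalformed = errors.New("malformed ticket")
	ErrUntrusted = errors.New("issuer not trusted")
	ErrBadSig    = errors.New("signature does not verify")
	ErrExpired   = errors.New("ticket outside its validity period")
)

// VerifyTicket is steps 4 and 5: verify the signature with the trusted key, check the
// validity period, and only then extract the mapped user ID.
func (v *Verifier) VerifyTicket(cookie string, now time.Time) (string, error) {
	parts := strings.Split(cookie, ".")
	if len(parts) != 2 {
		return "", ErrMalformed
	}
	raw, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	sig, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	var body TicketBody
	if err1 != nil || err2 != nil || json.Unmarshal(raw, &body) != nil {
		return "", ErrMalformed
	}
	// The issuer field is still unverified input here; it only selects which key to try.
	pub, ok := v.trusted[body.Issuer]
	if !ok {
		return "", ErrUntrusted
	}
	if !ed25519.Verify(pub, raw, sig) {
		return "", ErrBadSig
	}
	if t := now.Unix(); t < body.NotBefore || t >= body.NotAfter {
		return "", ErrExpired
	}
	if body.MappedUser == "" {
		return "", ErrMalformed
	}
	return body.MappedUser, nil // step 5: the user ID for this system
}

// TamperMappedUser rewrites the mapped user ID but keeps the original signature, which is
// all an attacker holding a ticket but not the Portal Server's private key can do.
func TamperMappedUser(cookie, newUser string) string {
	parts := strings.SplitN(cookie, ".", 2)
	raw, _ := base64.RawURLEncoding.DecodeString(parts[0])
	var body TicketBody
	_ = json.Unmarshal(raw, &body)
	body.MappedUser = newUser
	raw, _ = json.Marshal(body)
	return base64.RawURLEncoding.EncodeToString(raw) + "." + parts[1]
}

func main() {
	portal, err := NewIssuer("portal.example.com") // hypothetical host name
	if err != nil {
		panic(err)
	}
	now := time.Now()
	cookie, _ := portal.IssueTicket("jsmith", "JSMITH", "default", now, 8*time.Hour)
	backend := NewVerifier(portal)
	user, err := backend.VerifyTicket(cookie, now)
	fmt.Println("valid ticket ->", user, err)
	_, err = backend.VerifyTicket(TamperMappedUser(cookie, "ADMIN"), now)
	fmt.Println("tampered     ->", err)
	_, err = backend.VerifyTicket(cookie, now.Add(9*time.Hour))
	fmt.Println("expired      ->", err)
	rogue, _ := NewIssuer("rogue.example.net")
	rogueCookie, _ := rogue.IssueTicket("jsmith", "JSMITH", "default", now, time.Hour)
	_, err = backend.VerifyTicket(rogueCookie, now)
	fmt.Println("rogue issuer ->", err)
}
```

The order of checks in VerifyTicket is the point worth copying: the body is parsed only to pick a key, nothing from it is acted on before the signature verifies, and the validity window is enforced on the receiving side with its own clock rather than trusted from the sender. The rogue-issuer case is why the Portal Server's certificate has to be imported and trusted explicitly in each external system; a ticket that is correctly signed by some other key is still worthless.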
Configuring Portal Server for SSO with SAP Logon Tickets
In the default mode, the Portal Server creates and digitally signs SAP logon tickets for users,
so no settings are required for the basic case. There are, however, some settings that you
need to make in particular cases. These are described below.
Procedure
Configure the lifetime of the SAP logon ticket
You set the lifetime of the SAP logon ticket in the user management configuration tool. Go to System Administration → System Configuration → User Management Configuration → Security Settings and change the Life Time of SAP Logon Ticket. Because the ticket is valid for anyone who presents it until it expires, choose the shortest lifetime the users' working pattern allows.
SAP Systems only: Set logon method to SAP logon tickets in portal system landscape
For each SAP System that you wish to access with SAP logon tickets, do the following:
...
1. Create or open the system in the property editor: System Administration → System Configuration → System Landscape → Create a System.
2. Set the value of the property Logon Method to SAPLOGONTICKET.
3. Save your changes.