Authentication and Single Sign
Authentication and Single Sign Authentication and Single Sign
Integrated Windows Authentication Initial authentication is done to the local system (Windows) Two methods of Integrated Windows authentication possible • NTLM • Kerberos Requirement: • Applications need to run on an IIS or • authentication needs to be done on an intermediate IIS (using IIS Proxy module from SAP) available for SAP WebAS Java 6.40 Coming soon: SAP Consulting solution for Kerberos Authentication directly on WebAS 6.40 Java please contact your local SAP consulting organization © SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 24
Header Based Authentication Best Practices • Block risk of user impersonation! Be aware of Header Spoofing • Safeguard J2EE engine HTTP(S) ports from direct access by users Prevent opportunity to bypass the proxy for J2EE engine access • Configure SSL with mutual authentication between the web server and the J2EE engine See documentation on ‘Using SSL with an Intermediary Server’ Intermediate SSL © SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 25
- Page 1 and 2: Authentication and Single Sign-On P
- Page 3 and 4: Authentication Identifies a Subject
- Page 5 and 6: Why Use Single Sign-On? Typical sit
- Page 7 and 8: What the Administrator Wants … Ce
- Page 9 and 10: Web-Based Authentication Methods
- Page 11 and 12: Authentication and SSL with X.509 C
- Page 13 and 14: Obtaining a X.509 Certificate Digit
- Page 15 and 16: SAP Logon Tickets - SSO Process Por
- Page 17 and 18: What is a SAP Logon Ticket • SAP
- Page 19 and 20: SSO to Non-SAP Components Using SAP
- Page 21 and 22: Multi Domain SSO Recommendation:
- Page 23: Adding the User Name Header • The
- Page 27 and 28: SAML - SSO Process Authentication A
- Page 29 and 30: Pluggable Authentication Service (P
- Page 31 and 32: Pluggable Authentication Service: A
- Page 33 and 34: JAAS Authentication J2EE Browser Wi
- Page 35 and 36: Single Sign-On for SAP GUI for Wind
- Page 37 and 38: SSO From Web to Traditional - ITS
- Page 39 and 40: Prerequisites 1) Users have the sam
- Page 41 and 42: System Preparation 1. Export Portal
- Page 43 and 44: Agenda Authentication and Identitie
- Page 45 and 46: Single Sign-On Possibilities Authen
- Page 47 and 48: Further Information Public Web: ww
Header Based <strong>Authentication</strong> Best Practices<br />
• Block risk of user impersonation!<br />
Be aware of Header Spoofing<br />
• Safeguard J2EE engine HTTP(S) ports from direct access by<br />
users<br />
Prevent opportunity to bypass the proxy for J2EE engine access<br />
• Configure SSL with mutual authentication between the web server<br />
<strong>and</strong> the J2EE engine<br />
See documentation on ‘Using SSL with an Intermediary Server’<br />
Intermediate<br />
SSL<br />
© SAP AG 2005, <strong>Authentication</strong> <strong>and</strong> <strong>Single</strong> <strong>Sign</strong> On / Patrick Hildenbr<strong>and</strong> / 25