Authentication and Single Sign
SSO From Web to Traditional – Enterprise Portal

• Using logon tickets, Enterprise Portal and SAP Shortcuts
• Logon ticket is passed to SAP Shortcut using a portal iView

[Diagram: Browser Window (Alice, EP, https://host1.mycompany.com/irj/...) → Start SAP Shortcut → SAPGUI for Windows (Alice, R/3)]

© SAP AG 2005, Authentication and Single Sign On / Patrick Hildenbrand / 38
Prerequisites

1) Users have the same user ID in all of the systems they access using the logon ticket. Passwords do not have to be the same in all systems.
2) The user has an account in the active user store on the SAP J2EE Engine.
3) The end users' Web browsers accept cookies. In Internet Explorer 5.0, accept session cookies for the local intranet zone.
4) Any Web servers or SAP Web AS servers (to include the SAP J2EE Engine) that are to accept the logon ticket as the authentication mechanism are located in the same DNS domain as the issuing server. The logon ticket cannot be used for authentication to servers outside of this domain.
5) The clocks for the accepting systems are synchronized with the ticket-issuing system. If you do not synchronize the clocks, then the accepting system may receive a logon ticket that is not yet valid, which causes an error.
6) The issuing server must possess a public and private key pair and public-key certificate so that it can digitally sign the logon ticket.
7) Systems that accept logon tickets must have access to the issuing server's public-key certificate so that they can verify the digital signature provided with the ticket.
8) The UMEs of the Portal and Web Dynpro systems are set up to authenticate users against the ABAP system.
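Prerequisites 1, 4, 5 and 7 can be checked as a pre-flight audit before accepting systems are switched to logon tickets. The following is an added example, not part of the original slides or any SAP tool; the `System` record, `check_acceptor`, the `max_skew_s` tolerance, the certificate fingerprint placeholder and the host inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class System:
    fqdn: str
    clock_offset_s: float  # local clock minus issuer clock, seconds (assumed to be measured)
    user_ids: set = field(default_factory=set)
    trusted_cert_fps: set = field(default_factory=set)  # imported issuer certificates

def dns_domain(fqdn):
    """host1.mycompany.com -> mycompany.com (everything after the host label)."""
    return fqdn.lower().rstrip(".").partition(".")[2]

def check_acceptor(issuer_fqdn, issuer_cert_fp, portal_users, acc, max_skew_s=0.0):
    """Return (prerequisite number, message) findings for one accepting system."""
    findings = []
    missing = sorted(portal_users - acc.user_ids)
    if missing:  # 1) same user ID in every system
        findings.append((1, f"user IDs unknown on {acc.fqdn}: {', '.join(missing)}"))
    if dns_domain(acc.fqdn) != dns_domain(issuer_fqdn):  # 4) same DNS domain
        findings.append((4, f"{acc.fqdn} is outside {dns_domain(issuer_fqdn)}"))
    if acc.clock_offset_s < -max_skew_s:  # 5) acceptor behind issuer
        findings.append((5, f"{acc.fqdn} is {-acc.clock_offset_s:.0f}s behind the issuer; "
                            "a fresh ticket arrives not yet valid"))
    if issuer_cert_fp not in acc.trusted_cert_fps:  # 7) issuer certificate available
        findings.append((7, f"{acc.fqdn} lacks the issuer's public-key certificate"))
    return findings

# Constructed inventory; only host1.mycompany.com appears in the slides.
ISSUER_FQDN = "host1.mycompany.com"
ISSUER_CERT_FP = "PLACEHOLDER-ISSUER-CERT-FINGERPRINT"
PORTAL_USERS = {"ALICE", "BOB"}
ACCEPTORS = [
    System("r3.mycompany.com", 0.4, {"ALICE", "BOB"}, {ISSUER_CERT_FP}),
    System("crm.partner.example", -90.0, {"ALICE"}, set()),
]

def audit():
    return {a.fqdn: check_acceptor(ISSUER_FQDN, ISSUER_CERT_FP, PORTAL_USERS, a)
            for a in ACCEPTORS}

if __name__ == "__main__":
    for host, findings in audit().items():
        print(host, "OK" if not findings else "")
        for number, message in findings:
            print(f"  prerequisite {number}: {message}")
```

Only user IDs are compared, not passwords, matching prerequisite 1; the second constructed host fails all four checks at once.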