<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: SSO using HTTP header in Application Development and Automation Discussions</title>
    <link>https://community.sap.com/t5/application-development-and-automation-discussions/sso-using-http-header/m-p/8154512#M1621597</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thank you all for your responses.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I need to validate the username/password at Tivoli because in fact the scenario is as follows:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;1- End-users connect to a Websphere Portal, where they are authenticated using TAM. TAM already has its own authentication information. Then the user can carry out different actions, for example, doing something in the portal, or choosing to connect to SAP by clicking on a link.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;2- When the user clicks the link (which points to a URL served by SAP), then we need a mechanism to avoid the user being asked for credentials again. So we need to do something that allows TAM to talk with the SAP Server and validate the user.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I read this info from IBM, but I'm not sure about how to implement it (please see case 1)&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A href="http://www.ibm.com/developerworks/tivoli/library/t-authsaptam/index.html" target="test_blank"&gt;http://www.ibm.com/developerworks/tivoli/library/t-authsaptam/index.html&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Martin, we are right now upgrading to EHP5, so we'll have basis 702.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Best Regards&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Francisco&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Tue, 30 Aug 2011 07:31:04 GMT</pubDate>
    <dc:creator>Former Member</dc:creator>
    <dc:date>2011-08-30T07:31:04Z</dc:date>
    <item>
      <title>SSO using HTTP header</title>
      <link>https://community.sap.com/t5/application-development-and-automation-discussions/sso-using-http-header/m-p/8154508#M1621593</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello all,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I'd like to configure a SSO between IBM Tivoli Access Manager and SAP ECC 6.0 (only ABAP stack).&lt;/P&gt;&lt;P&gt;I have read some IBM papers about this solution, but I don't have experience with it and haven't found any HowTo guide about the issue.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The idea is that IBM TAM validates the user in its logon screen, then passes the username to SAP ECC in the HTTP header, then SAP validates the user and returns a ticket to IBM TAM (a cookie, in fact), that will be used to keep the user validated during the session. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I'd appreciate any help from your own experience.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks and Regards!&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Francisco&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 29 Aug 2011 14:17:01 GMT</pubDate>
      <guid>https://community.sap.com/t5/application-development-and-automation-discussions/sso-using-http-header/m-p/8154508#M1621593</guid>
      <dc:creator>Former Member</dc:creator>
      <dc:date>2011-08-29T14:17:01Z</dc:date>
    </item>
    <item>
      <title>Re: SSO using HTTP header</title>
      <link>https://community.sap.com/t5/application-development-and-automation-discussions/sso-using-http-header/m-p/8154509#M1621594</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I've not used this method but my opinion is that it is not secure enough. I would call it "Simple Sign On"!&lt;/P&gt;&lt;P&gt;You have, at least, to filter IPs to be sure that the authentication HTTP headers are only accepted from the IP address from Tivoli.&lt;/P&gt;&lt;P&gt;The ICM or the Web Dispatcher is able to filter IPs for specific URLs.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Olivier&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 29 Aug 2011 16:51:30 GMT</pubDate>
      <guid>https://community.sap.com/t5/application-development-and-automation-discussions/sso-using-http-header/m-p/8154509#M1621594</guid>
      <dc:creator>Former Member</dc:creator>
      <dc:date>2011-08-29T16:51:30Z</dc:date>
    </item>
    <item>
      <title>Re: SSO using HTTP header</title>
      <link>https://community.sap.com/t5/application-development-and-automation-discussions/sso-using-http-header/m-p/8154510#M1621595</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I can only assume you are talking about SAP logon tickets.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;PRE&gt;&lt;CODE&gt;&lt;P&gt;then passes the username to SAP ECC in the HTTP header, then SAP validates the user and returns a ticket to IBM TAM&lt;/P&gt;&lt;/CODE&gt;&lt;/PRE&gt;&lt;P&gt;No, the logon ticket is returned to the browser of the client application. The user will need to authenticate against SAP to have a SSO2 ticket issued to them, so passing it as a header variable is not enough to be able to authenticate in the first place.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;With old SU05 internet users this was a feature, but has been replaced by real SU01 users. They should authenticate themselves and a "hardwired" system or service user cann ISSUE an SSO2 logon ticket.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;How do users authenticate against IBM TAM? Rather re-use that?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Cheers,&lt;/P&gt;&lt;P&gt;Julius&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 29 Aug 2011 19:33:17 GMT</pubDate>
      <guid>https://community.sap.com/t5/application-development-and-automation-discussions/sso-using-http-header/m-p/8154510#M1621595</guid>
      <dc:creator>Former Member</dc:creator>
      <dc:date>2011-08-29T19:33:17Z</dc:date>
    </item>
    <item>
      <title>Re: SSO using HTTP header</title>
      <link>https://community.sap.com/t5/application-development-and-automation-discussions/sso-using-http-header/m-p/8154511#M1621596</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;&amp;gt; No, the logon ticket is returned to the browser of the client application. The user will need to authenticate against SAP to have a SSO2 ticket issued to them, so passing it as a header variable is not enough to be able to authenticate in the first place.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I am not sure here cause I am just guessing but it might be using form based authentication. Tivoli authenticates against ABAP AS using form based method on behalf of user and it gets SSO ticket. Then it passes SSO ticket to user and redirects user to ABAP AS. I think this method is used for doing SSO for legacy applications. But I might be completely wrong.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Francisco, what Netweaver release are you on? 7.02 offers SAML 2.0 which should be supported by Tivoli. This should give you a more future-proof solution.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Cheers&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 29 Aug 2011 21:56:29 GMT</pubDate>
      <guid>https://community.sap.com/t5/application-development-and-automation-discussions/sso-using-http-header/m-p/8154511#M1621596</guid>
      <dc:creator>mvoros</dc:creator>
      <dc:date>2011-08-29T21:56:29Z</dc:date>
    </item>
    <item>
      <title>Re: SSO using HTTP header</title>
      <link>https://community.sap.com/t5/application-development-and-automation-discussions/sso-using-http-header/m-p/8154512#M1621597</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thank you all for your responses.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I need to validate the username/password at Tivoli because in fact the scenario is as follows:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;1- End-users connect to a Websphere Portal, where they are authenticated using TAM. TAM already has its own authentication information. Then the user can carry out different actions, for example, doing something in the portal, or choosing to connect to SAP by clicking on a link.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;2- When the user clicks the link (which points to a URL served by SAP), then we need a mechanism to avoid the user being asked for credentials again. So we need to do something that allows TAM to talk with the SAP Server and validate the user.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I read this info from IBM, but I'm not sure about how to implement it (please see case 1)&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A href="http://www.ibm.com/developerworks/tivoli/library/t-authsaptam/index.html" target="test_blank"&gt;http://www.ibm.com/developerworks/tivoli/library/t-authsaptam/index.html&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Martin, we are right now upgrading to EHP5, so we'll have basis 702.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Best Regards&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Francisco&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 30 Aug 2011 07:31:04 GMT</pubDate>
      <guid>https://community.sap.com/t5/application-development-and-automation-discussions/sso-using-http-header/m-p/8154512#M1621597</guid>
      <dc:creator>Former Member</dc:creator>
      <dc:date>2011-08-30T07:31:04Z</dc:date>
    </item>
    <item>
      <title>Re: SSO using HTTP header</title>
      <link>https://community.sap.com/t5/application-development-and-automation-discussions/sso-using-http-header/m-p/8154513#M1621598</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;it looks to me that you could reuse some parts of scenario 1. Basically, intercept connections to SAP box, authenticate user against Tivoli, Tivoli gets a cookie for that user and pushes it back to user. After this user can use cookie to log on to SAP box. My only issue is that it seems like you need to sync passwords between Tivoli and SAP box. But I might be missing something. So it would be better to use a proper SSO solution. Definitely, I would look at SAML in your case because your system will be 7.02 soon.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Cheers&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 30 Aug 2011 08:45:21 GMT</pubDate>
      <guid>https://community.sap.com/t5/application-development-and-automation-discussions/sso-using-http-header/m-p/8154513#M1621598</guid>
      <dc:creator>mvoros</dc:creator>
      <dc:date>2011-08-30T08:45:21Z</dc:date>
    </item>
  </channel>
</rss>

