Application Development and Automation Discussions

SSO using HTTP header

Former Member

Hello all,

I'd like to configure a SSO between IBM Tivoli Access Manager and SAP ECC 6.0 (only ABAP stack).

I have read some IBM papers about this solution, but I don't have experience with it and haven't found any HowTo guide about the issue.

The idea is that IBM TAM validates the user in its logon screen, then passes the username to SAP ECC in the HTTP header, then SAP validates the user and returns a ticket to IBM TAM (a cookie, in fact), that will be used to keep the user validated during the session.

I'd appreciate any help from your own experience.

Thanks and Regards!

Francisco

1 ACCEPTED SOLUTION

Former Member

I can only assume you are talking about SAP logon tickets.

then passes the username to SAP ECC in the HTTP header, then SAP validates the user and returns a ticket to IBM TAM

No, the logon ticket is returned to the browser of the client application. The user will need to authenticate against SAP to have a SSO2 ticket issued to them, so passing it as a header variable is not enough to be able to authenticate in the first place.

With old SU05 internet users this was a feature, but it has been replaced by real SU01 users. They should authenticate themselves, and a "hardwired" system or service user can ISSUE an SSO2 logon ticket.

How do users authenticate against IBM TAM? Rather re-use that?

Cheers,

Julius

5 REPLIES

Former Member

Hi,

I've not used this method but my opinion is that it is not secure enough. I would call it "Simple Sign On" !

You have, at least, to filter IPs to be sure that the authentication HTTP headers are only accepted from the IP address of Tivoli.

The ICM or the Web Dispatcher is able to filter IPs for specific URLs.

Regards,

Olivier
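An added illustration of the IP filtering Olivier describes, written for this edit and not taken from the thread, IBM or SAP: the naive handler trusts the username header from any caller, while the hardened one honours it only when the TCP peer is in the TAM address range. The `iv-user` header name, the address ranges and the sample requests are constructed assumptions.

```python
# Added example (not from the thread): a minimal model of header-based
# "Simple Sign On", showing why the SAP-side entry point must only honour
# the identity header when the request really comes from the TAM proxy.
import ipaddress
from typing import Optional

# Constructed: the address range TAM forwards from, and the header TAM sets
# (header name assumed for this example).
TRUSTED_PROXIES = [ipaddress.ip_network("10.10.5.0/24")]
IDENTITY_HEADER = "iv-user"


def naive_resolve_user(headers: dict) -> Optional[str]:
    """Insecure: trusts the header no matter who sent the request.
    Anyone who can reach the SAP URL directly can claim any username."""
    return headers.get(IDENTITY_HEADER)


def filtered_resolve_user(headers: dict, remote_addr: str) -> Optional[str]:
    """Hardened: honour the identity header only when the socket peer is a
    trusted TAM address. The peer address is used, never X-Forwarded-For,
    because forwarded headers are themselves client-controlled."""
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return None  # deny: header may be present, but origin is not the proxy
    user = headers.get(IDENTITY_HEADER, "").strip()
    return user or None


# Constructed requests: one genuinely relayed by TAM, one sent by a client
# that connects to the SAP host directly and sets the header itself.
VIA_TAM = ({"iv-user": "alice"}, "10.10.5.7")
FORGED = ({"iv-user": "sapadmin", "X-Forwarded-For": "10.10.5.7"}, "192.0.2.44")


def demo() -> dict:
    """Return what each handler resolves for the two constructed requests."""
    return {
        "naive_forged": naive_resolve_user(FORGED[0]),
        "filtered_forged": filtered_resolve_user(*FORGED),
        "filtered_via_tam": filtered_resolve_user(*VIA_TAM),
    }


if __name__ == "__main__":
    print(demo())
```

The same rule applies whether the filter lives in the ICM/Web Dispatcher or in the application: the decision must rest on the network origin, not on anything inside the HTTP request.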



> No, the logon ticket is returned to the browser of the client application. The user will need to authenticate against SAP to have a SSO2 ticket issued to them, so passing it as a header variable is not enough to be able to authenticate in the first place.

I am not sure here because I am just guessing, but it might be using form-based authentication. Tivoli authenticates against the ABAP AS using the form-based method on behalf of the user and gets an SSO ticket. Then it passes the SSO ticket to the user and redirects the user to the ABAP AS. I think this method is used for doing SSO for legacy applications. But I might be completely wrong.

Francisco, what NetWeaver release are you on? 7.02 offers SAML 2.0, which should be supported by Tivoli. This should give you a more future-proof solution.

Cheers



Thank you all for your responses.

I need to validate the username/password at Tivoli because in fact the scenario is as follows:

1- End-users connect to a WebSphere Portal, where they are authenticated using TAM. TAM already has its own authentication information. Then the user can carry out different actions, for example doing something in the portal, or choosing to connect to SAP by clicking on a link.

2- When the user clicks the link (which points to a URL served by SAP), we need a mechanism to avoid the user being asked for credentials again. So we need something that allows TAM to talk to the SAP server and validate the user.

I read this info from IBM, but I'm not sure about how to implement it (please see case 1)

http://www.ibm.com/developerworks/tivoli/library/t-authsaptam/index.html

Martin, we are right now upgrading to EHP5, so we'll have basis 702.

Best Regards

Francisco



Hi,

it looks to me that you could reuse some parts of scenario 1. Basically, intercept connections to the SAP box, authenticate the user against Tivoli, Tivoli gets a cookie for that user and pushes it back to the user. After this the user can use the cookie to log on to the SAP box. My only issue is that it seems like you need to sync passwords between Tivoli and the SAP box. But I might be missing something. So it would be better to use a proper SSO solution. Definitely, I would look at SAML in your case because your system will be 7.02 soon.

Cheers