
Single-Sign-On (SSO) configuration on JAVA Stack through HTTP Header method

Former Member

Hello SDN community,

In the context of a proof of concept, we are testing the integration of Microsoft SharePoint Portal with SAP backend (add-in) systems.

As the architecture imposes an external scenario (access from the internet), we couldn't use the Kerberos (SPNego) solution and thus we chose the HTTP header solution, which in short uses an intermediary web server (in this case the IIS of the MOSS solution) that will act as the authority.

I lack information on how the workflow works for this HTTP header authentication method. Through the Visual Administrator of the add-in Java stack, it is possible to configure each application with a customized authentication (a choice of security modules). But this is all that I know.

My task is to configure SSO. From a SharePoint portal, the user should be able to access Web Dynpros and BSPs. I imagine that on the very first call to a Web Dynpro or BSP (or maybe when we log on to the SharePoint portal), the request to the WDP or BSP will first be forwarded by the intermediary server to the Java stack (or is it the SAP dispatcher that has to be configured?).

Is there an application to be built on the Java stack to deal with the authentication and modify the HTTP header?

What will the Java stack return? An SAP logon ticket? A token?

How will the redirect work (for example, to a BSP which is in the ABAP stack)?

SAP recommends securing the link between the intermediary web server and the Java stack with SSL; is IP restriction also a solution?

A lot of questions about how this HTTP header SSO should work.

I would be very grateful for any help or info.

Kind regards,

Tanguy Mezzano

Former Member

Hello Marcel!

Long time no see.

I'm sure your experience could help me once again. If you don't mind, I will reward points on all answers.

The HTTP header configuration did not work out in the end. The problem we faced was that the MYSAPSSO2 ticket was sent only for the first request, but all the other requests to the BSP application, which are issued automatically, were sent without the ticket, so the BSP pages were not displayed correctly.

Anyway, we changed technology and installed a Sun Java Access Manager system to use SAML authentication. The Java stack has been configured and we can access servlets or Java WDPs with SAML authentication. Here is the login module configuration:

Login Module                 Flag
VerifyTicketLoginModule      SUFFICIENT
SAMLLoginModule              OPTIONAL
CreateTicketLoginModule      SUFFICIENT
BasicPasswordLoginModule     OPTIONAL
CreateTicketLoginModule      SUFFICIENT

Now I'm trying to access backend applications with SAML authentication; once again a redirection scenario is in place (the first JSP example you gave me). But even though the trust relationship between the backend and the Java stack is done, each time I get a pop-up from the backend for Basic password authentication.

I also have in mind that there is the cookie domain problem, so I updated the parameter ume.logon.security.relax_domain.level to level 2 (and I set the parameter ume.logon.security.local_redirect_only to false). I restarted the Java stack after that, but it seems that the parameters have not been updated:

 
[1222422413875][Sep 26, 2008 11:46:53 AM ] - CLIENT: 256, REPLY: 
{HTTP/1.1 302 Found 
Set-Cookie: MYSAPSSO2=AjExMDAgABBwb3J0YWw6REVNT19NT1NTiAAHZGVmYXVsdAEACURFTU9fTU9TUwIAAzAwMAMAA0pEMgQADDIwMDgwOTI2MDk0NgUABAAAAAgKAAlERU1PX01PU1P%2FAQQwggEABgkqhkiG9w0BBwKggfIwge8CAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHATGBzzCBzAIBATAiMB0xDDAKBgNVBAMTA0pEMjENMAsGA1UECxMESjJFRQIBADAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMDgwOTI2MDk0NjUzWjAjBgkqhkiG9w0BCQQxFgQUA8RhPIQSd0Hvy4MNDLDvxEvAG1IwCQYHKoZIzjgEAwQuMCwCFE2SiIKjzMYkMSSiS0yfaJwW%2FMLWAhQ1%2Fm9HI9K05yt93LoWVdAVIo2EXQ%3D%3D;path=/;domain=.bbbb.company.com;HttpOnly 
Set-Cookie: saplb_*=(J2EE7854200)7854250; Version=1; Path=/ 
Server: SAP J2EE Engine/7.00 
Content-Type: text/plain 
Location: https://host.aaaa.company.com...
Content-Length: 0 
Date: Fri, 26 Sep 2008 09:46:53 GMT 

} 
[1222422413875][Sep 26, 2008 11:46:53 AM ] - CLIENT: 256, REPLY: 
{} 

Can you think of something?

Thanks again for your time,

Tanguy Mezzano

Former Member

Hi,

Are you sure that your trust relationship is correctly configured and that your client is actually sending the MYSAPSSO2 cookie to your backend? (Use a sniffer, Firebug or a similar tool to see the HTTP traffic.)

Why are you using SAML now? If your problem was that the MYSAPSSO2 cookie was not sent correctly, then SAML will not solve your issues.

As far as I can see you're using the same approach as before, but your engine is now using the SAML login module to authenticate your user instead of the header authentication module, correct?

Please explain in more detail what your scenario looks like:

- Request Flow

- Components involved

Do you have an image of your architecture?

Cheers

Former Member

Hello Marcel,

Thanks for replying.

Yes, we encounter the same problem, you are correct, but SAML has been chosen for business reasons.

Indeed, I used a sniffer and I see that the cookie is not sent to the backend.

Here I call the SSOredirect servlet configured with the SAML login module:


GET /SSOredirect/SSOredirect.jsp?redirectURL=http://backend.aaaa.company.com:1080/sap/bc/bsp/sap/bspApplication.do?sap-client=211&SAMLart=AAEVFPtvTWbcf6tErfETsmgRWt%2BmkXkzVZFswirDjNPRHzeCVC9lajAx HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, application/x-silverlight, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-silverlight-2-b2, */*
Accept-Language: en-ca,fr-be;q=0.7,zh-cn;q=0.3
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
Host: j2ee.bbbb.company.com:50000
Connection: Keep-Alive
Cookie: amlbcookie=01; iPlanetDirectoryPro=AQIC5wM2LY4SfczODIW7v22rw8m+gFzntfHz4WJOhyMTDnk=@AAJTSQACMDE=#

Here I get correctly authenticated, I get an SAP logon ticket and a 302 redirection, but I see that the domain relaxation has not been done!


HTTP/1.1 302 Found
Set-Cookie: MYSAPSSO2=AjExMDAgABBwb3J0YWw6REVNT19NT1NTiAAHZGVmYXVsdAEACURFTU9fTU9TUwIAAzAwMAMAA0pEMgQADDIwMDgwOTI2MTMwMgUABAAAAAgKAAlERU1PX01PU1P%2FAQQwggEABgkqhkiG9w0BBwKggfIwge8CAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHATGBzzCBzAIBATAiMB0xDDAKBgNVBAMTA0pEMjENMAsGA1UECxMESjJFRQIBADAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMDgwOTI2MTMwMjQyWjAjBgkqhkiG9w0BCQQxFgQUDyA7NdmWOMWT2ash7mMoD8QIZ0YwCQYHKoZIzjgEAwQuMCwCFH7UhLTffgOjpNqp7Lx%2FUtw76ZBXAhQbOpoPAoWNpyZGoA8pIk5e8XbjTQ%3D%3D;path=/;domain=.bbbb.company.com;HttpOnly
Set-Cookie: saplb_*=(J2EE7854200)7854250; Version=1; Path=/
Server: SAP J2EE Engine/7.00
Content-Type: text/plain
Location: http://backend.aaaa.company.com:1080/sap/bc/bsp/sap/bspApplication.do?sap-client=211
Content-Length: 0
Date: Fri, 26 Sep 2008 13:02:42 GMT

Then I see in the logs that it requests the backend application, but without the logon ticket:


GET /sap/bc/bsp/sap/bspApplication.do?sap-client=211 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, application/x-silverlight, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-silverlight-2-b2, */*
Accept-Language: en-ca,fr-be;q=0.7,zh-cn;q=0.3
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
Host: backend.aaaa.company.com:1080
Connection: Keep-Alive
Cookie: amlbcookie=01; iPlanetDirectoryPro=AQIC5wM2LY4SfczODIW7v22rw8m+gFzntfHz4WJOhyMTDnk=@AAJTSQACMDE=#

And of course I am not authorised:


HTTP/1.1 401 Unauthorized
set-cookie: sap-usercontext=sap-client=211; path=/
content-type: text/html; charset=iso-8859-1
content-length: 28
sap-system: RD1
www-authenticate: Basic realm="SAP Web Application Server [RD1]"
sap-client: 360
server: SAP Web Application Server (1.0;620)

Enter User Name and Password

The SSOredirect servlet on the Java stack that does the redirection is:


// Take the target from the request and redirect the browser to it unchanged;
// the engine has already set the MYSAPSSO2 cookie on its own response by this point.
String redirectURL = request.getParameter("redirectURL");
response.sendRedirect(redirectURL);

The parameter: ume.logon.security.relax_domain.level is set to 2.

Best regards,

Tanguy
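The captures above show the whole problem: the Java stack at j2ee.bbbb.company.com sets MYSAPSSO2 with domain=.bbbb.company.com, and the redirect target is backend.aaaa.company.com, which does not domain-match that cookie, so the browser never sends it and the backend falls back to Basic authentication. The script below is an added example, not code from the thread or from SAP: it applies the RFC 6265 domain-matching rule to the captured Set-Cookie header and backend URL, models what ume.logon.security.relax_domain.level would have to produce for the cookie to be shared (the modelling of "level" as the number of leading host labels stripped is an assumption; the thread's captures at the current setting are consistent with it), and adds the host allowlist check that the SSOredirect.jsp shown above lacks, since it redirects to whatever redirectURL it receives. The ticket value is shortened and the allowlist is invented for the example.

```python
"""Added example (not from the thread): check the cookie scoping and the redirect
target captured above with plain RFC 6265 domain matching."""
from urllib.parse import urlsplit

# Constructed from the captures in the thread; the ticket value is shortened.
SET_COOKIE = "MYSAPSSO2=AjExMDAgABBwb3J0YWw6...;path=/;domain=.bbbb.company.com;HttpOnly"
ISSUER_HOST = "j2ee.bbbb.company.com"          # Java stack that issued the ticket
BACKEND_URL = ("http://backend.aaaa.company.com:1080/sap/bc/bsp/sap/"
               "bspApplication.do?sap-client=211")
ALLOWED_REDIRECT_HOSTS = {"backend.aaaa.company.com"}  # assumed allowlist, not in the thread


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val  # flag attributes such as HttpOnly get ""
    return name, value, attrs


def domain_matches(request_host, cookie_domain):
    """RFC 6265 section 5.1.3: host equals the cookie domain or ends with '.' + domain."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def cookie_sent_to(set_cookie_header, url):
    """Would a browser attach this cookie to a request for `url`? (Domain rule only.)"""
    _, _, attrs = parse_set_cookie(set_cookie_header)
    return domain_matches(urlsplit(url).hostname, attrs["domain"])


def relaxed_cookie_domain(server_host, level):
    """Assumed model of ume.logon.security.relax_domain.level: strip `level`
    leading labels from the issuing host (level 1 on j2ee.bbbb.company.com gives
    .bbbb.company.com, matching the capture). Refuse to widen the cookie to a
    bare public suffix such as '.com'."""
    labels = server_host.lower().split(".")
    if level <= 0 or len(labels) - level < 2:
        return None
    return "." + ".".join(labels[level:])


def is_allowed_redirect(url, allowed_hosts):
    """Allowlist check missing from the SSOredirect.jsp in the thread: only an
    absolute http(s) URL whose host is a known backend may be redirected to.
    Scheme-relative '//host' and userinfo tricks fall out as rejected."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return parts.scheme in ("http", "https") and host in allowed_hosts


if __name__ == "__main__":
    print("ticket cookie sent to backend:", cookie_sent_to(SET_COOKIE, BACKEND_URL))
    for lvl in (1, 2, 3):
        print("relax level", lvl, "->", relaxed_cookie_domain(ISSUER_HOST, lvl))
    print("redirect allowed:", is_allowed_redirect(BACKEND_URL, ALLOWED_REDIRECT_HOSTS))
```

Run against the captured values, cookie_sent_to() returns False for the backend URL, level 2 is the first setting whose domain (.company.com) matches backend.aaaa.company.com, and level 3 is refused because it would leave only ".com". Even with the cookie shared across .company.com, both hosts in that domain must trust the same ticket issuer for the backend to accept it.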

Former Member

Hello Marcel,

I think that it's my Java Stack that is not taking into account my changes in its configuration.

After updating parameters in Visual Admin, what should I do besides restarting the SAP systems?

I've also changed ume.logon.httponlycookie to false, but I still see in the logs or with a sniffer:

domain=.bbbb.company.com;HttpOnly

instead of:

domain=.company.com

Argh, thanks for your input if you have time,

Tanguy