
SSO from .Net application to SAP Portal

Former Member
0 Kudos

Hi,

I have a requirement in which I need to enable SSO from an ASP.Net application to SAP Enterprise Portal.

Can anyone please let me know how to go ahead with this ?

Thanks in advance,

Vivek

Accepted Solutions (1)


Former Member
0 Kudos

1. How is the ASP.NET application calling the SAP enterprise portal ?

a. Through a link

b. Through webservice call

c. Call to SAP EP from ASP.NET application

2. What kind of authentication are you using against the ASP.NET application ? Does it match that of SAP EP ? Is it windows integrated logon ?

3. Are the SAP EP and ASP.NET intranet portals?

If yes to 3, you probably should try to look at SSO directly to SAP EP through windows integrated logon via an IIS server and IISproxy.

Cheers

Dagfinn

Former Member
0 Kudos

Hi Dagfinn,

Thanks for your help.

Here are the answers to your queries. Please advise me how to go ahead with it.

1. How is the ASP.NET application calling the SAP enterprise portal ?

It will access it through a link.

2. What kind of authentication are you using against the ASP.NET application ? Does it match that of SAP EP ? Is it windows integrated logon ?

The ASP.net authentication is form-based, not Windows integrated logon. The user ID and password data is stored in a SQL Server database. Enterprise Portal will have users from LDAP and also from its own database. Portal authentication is also form based.

3. Are the SAP EP and ASP.NET intranet portals?

No, both the applications could be accessed from internet also.

Regards,

Vivek

Former Member
0 Kudos

2. Since the user directories are different it will be very difficult to have any kind of SSO. Just think of it, how should you know which user in SAP EP a user in ASP.NET should map against.

I would recommend providing direct SSO against SAP EP with certificates. You can find more information about this in the webinar "Authentication using the User Management Engine"

https://www.sdn.sap.com/sdn/webinar.sdn?res=/irj/servlet/prt/portal/prtroot/com.sap.sdn.wcm.compound...

It might also be sufficient to give SSO to intranet users only, whilst giving form based login for internet users. This is also covered in the webinar above.

Cheers

Dagfinn

Former Member
0 Kudos

Hi Dagfinn,

Thanks for your help.

->Since the user directories are different it will be very difficult to have any kind of SSO. Just think of it, how should you know which user in SAP EP a user in ASP.NET should map against.

Say for example I have the same set of users in the ASP.net application and SAP EP, then will SSO work? If I don't have a user ID in SAP EP but only in the .net application, I should get a login screen of EP? Is this doable? Just a thought!!

-> I would recommend providing direct SSO against SAP EP with certificates

Are you referring to SSO for EP with X509 certification? I am having a look at the webinar.

Thanks,

Vivek

Former Member
0 Kudos

1. Yes, that is doable. But the question is how to make sure that SAP EP can trust the ASP.net application. A simple way with security-through-obscurity (i.e. no security) is to have the asp.net application create a cookie with a base64 encoded value of the username. Make sure the asp.net application is on the same domain as the portal (aspapp.company.com and sapep.company.com; company.com must match!). Then on SAP EP write a custom JAAS login module (see http://help.sap.com/saphelp_nw04/helpdata/en/46/3ce9402f3f8031e10000000a1550b0/frameset.htm and https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sapportals.km.docs/documents/a1-8-4/prtl3...) which reads the name of the user from the cookie and tries to authenticate him. If that fails, it tries one of the other JAAS login modules (the last being form login).

This will work, but to hack it you merely add a cookie with another username than yourself.

Since it is just a link, the asp.net never talks directly to the SAP EP system and you need to implement it using a cookie.

2. Yes, x.509 client certificates. This will give you SSO regardless of the source of the link.

Former Member
0 Kudos

Uuuuh, the first solution looks like an open door, don't you think? Any security freak will recognize a simple base 64 encoding in about a second.

Another question @ Vivek:

Why do you need SSO from .net to EP and not the other way round?

In common scenarios, a portal is the leading system and the "entry" to other systems. SSO from EP to .NET applications is rather easy.

Regards, Karsten

Former Member
0 Kudos

Thanks a lot Dagfinn for your help.

I will analyse the possibilities and get back to you if I have any more queries.

Karsten - We definitely want to enable SSO from EP to the ASP.net application, I feel this can be done using web server filters. The client would also need SSO vice versa, so just as a proactive measure I am analyzing all the possibilities.

Regards,

Vivek

Former Member
0 Kudos

Vivek,

Have a look at this document for one way to implement sso from SAP EP to ASP.NET

https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/documents/a1-8-4/enabling single sign-on for asp.net applications in enterprise portal 6.article

Former Member
0 Kudos

Hi Dagfinn,

Thank you for your help.

Just wanted to clear one doubt which I have.

When I do SSO through SAPLOGONticket, then also the user ID is passed as a cookie, so is this also not a security threat? Or I think along with the user ID, the digital certificate is also passed along with the SAPLogon Ticket. If this is true then can I not pass the digital certificate values along with the user name from the ASP application. SAP Portal would read the cookie values, extract the user name and also the digital certificate values, and using a combination of both it will authenticate the user.

I have no clue how this could be done, just thinking of all the possibilities.

Regards,

Vivek

Former Member
0 Kudos

> When I do SSO through SAPLOGONticket , then also the
> user ID is passed as a cookie, so is this also not a
> security threat ?

Hi Vivek,

the Logonticket is a cookie that contains the userId, the authentication scheme, the validity period and the digital signature. It's based on a public/private key encryption and of course works only in a trusted relationship, so it fulfills common security standards.

http://help.sap.com/saphelp_nw04/helpdata/en/53/695b3ebd564644e10000000a114084/frameset.htm

Regards, Karsten
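
The contrast discussed in this thread, between a cookie that is only a base64-encoded username and a ticket that carries the user ID, authentication scheme, validity period and a digital signature, is shown below as an added example that is not part of any post and is not SAP's logon ticket format. The field layout, the class and method names, and the sample user names are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Instant;
import java.util.Base64;

// Added illustration only; the "user|scheme|expiry" layout is an assumption, not SAP's format.
public class SignedTicketDemo {
    static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    static final Base64.Decoder D64 = Base64.getUrlDecoder();

    // Weak scheme from the thread: the cookie is just base64(username), so every value is accepted.
    static String userFromPlainCookie(String cookie) {
        return new String(D64.decode(cookie), StandardCharsets.UTF_8);
    }

    // Issuing system: signs "user|scheme|expiryEpochSeconds" with its private key.
    // The issuer must not allow '|' inside the user or scheme fields.
    static String issue(String user, String scheme, Instant expires, PrivateKey key) throws GeneralSecurityException {
        byte[] payload = (user + "|" + scheme + "|" + expires.getEpochSecond()).getBytes(StandardCharsets.UTF_8);
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(payload);
        return B64.encodeToString(payload) + "." + B64.encodeToString(s.sign());
    }

    // Accepting system: returns the user only if the signature verifies against the
    // trusted issuer's public key and the ticket has not expired; otherwise null.
    static String verify(String ticket, PublicKey trusted, Instant now) throws GeneralSecurityException {
        String[] parts = ticket.split("\\.");
        if (parts.length != 2) return null;
        try {
            byte[] payload = D64.decode(parts[0]);
            Signature s = Signature.getInstance("SHA256withRSA");
            s.initVerify(trusted);
            s.update(payload);
            if (!s.verify(D64.decode(parts[1]))) return null; // check the signature before parsing fields
            String[] f = new String(payload, StandardCharsets.UTF_8).split("\\|");
            if (f.length != 3 || now.getEpochSecond() >= Long.parseLong(f[2])) return null;
            return f[0];
        } catch (IllegalArgumentException | SignatureException e) {
            return null; // malformed base64, bad expiry field, or malformed signature bytes
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair kp = g.generateKeyPair(); // constructed key pair standing in for the issuer's
        Instant now = Instant.now();
        String t = issue("alice", "form", now.plusSeconds(300), kp.getPrivate());
        String altered = B64.encodeToString("mallory|form|9999999999".getBytes(StandardCharsets.UTF_8)) + t.substring(t.indexOf('.'));
        System.out.println("valid ticket   -> " + verify(t, kp.getPublic(), now));
        System.out.println("altered user   -> " + verify(altered, kp.getPublic(), now));
        System.out.println("after expiry   -> " + verify(t, kp.getPublic(), now.plusSeconds(600)));
        System.out.println("plain cookie   -> " + userFromPlainCookie(B64.encodeToString("mallory".getBytes(StandardCharsets.UTF_8))));
    }
}
```

The accepting side needs only the issuer's public key, which is the trusted relationship the post above refers to; a changed user name or an expired validity period makes `verify` return null, while the plain cookie reader returns whatever name it is given.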

Former Member
0 Kudos

Hi Vivek,

Have you accomplished this?? We have a similar requirement at our client and we are looking at possible options. Can you please post your solution and any documentation you have gone through.

I have tried that webinar, I am getting an error.

Thanks in advance.

Former Member
0 Kudos

Hi Kiran,

Well, we were foreseeing a requirement to do SSO from .Net to SAP Portal.

But our client was ok with enabling SSO from Portal to the .Net application, so I did not really try the other way round.

If you achieve this, please share the solution with us.

Thanks,

Vivek

former_member182161
Participant
0 Kudos

Hello,

How to get access to that Webinar?? I get error code 403.

Santhosh

former_member182161
Participant
0 Kudos

Hi Vivek,

Did you go through the webinar? If so which method is suitable in our scenario??

Santhosh

Former Member
0 Kudos

Hi Santosh,

I did not get through any webinar for this.

Regards,

Vivek

former_member182161
Participant
0 Kudos

Hi Dagfinn, Karsten, Vivek,

So what's the solution for SSO in this case with two applications in different domains and with the same usernames and different user base?

Santhosh

Former Member
0 Kudos

Hi Santhosh,

There is a how-to document at service.sap.com on "How to… Perform Cross Domain Single Sign-On with SAP Logon Tickets", you might want to have a look at that.

But this explains SSO from Portal to the Microsoft based application.

Regards,

Vivek
