der Sso Sap Webserver Tech Overview

  • 8/6/2019 der Sso Sap Webserver Tech Overview

    Background

    While ERP applications are recognized as mission critical pieces of infrastructure, they are only one of many such applications in a typical enterprise. As businesses have moved to a web-based approach for their applications, the need to extend SSO across the enterprise has become a requirement. In addition, companies are also seeking to standardize and centralize specific aspects of their infrastructure, in particular, access management. With the continued expansion of online business initiatives, many companies also seek to provide access to data stored within their ERP and other internal systems to external customers and business partners, not just employees.

    SAP's current architecture, commonly known as the SAP NetWeaver Architecture, is based on SAP's web application server, SAP Web AS. SAP Web AS supports J2EE and ABAP and therefore provides the dual capability of deploying the ABAP-based Business Server Pages and web applications compliant with J2EE.

    The eTrust SiteMinder Single Sign-On Agent for SAP Web Application Server was designed to enable SSO integration among non-SAP, non-Web AS, SAP, Web AS J2EE, and Enterprise Portal applications. It provides integration between eTrust SiteMinder and the SAP Web Application Server, enabling SAP customers to extend SSO to their corporate Web and application servers. Additionally, eTrust SiteMinder allows administrators to select a variety of authentication methods to protect their sensitive resources.

    Technical Overview: Add-On Solutions for eTrust SiteMinder

    eTrust SiteMinder SSO Agent for SAP Web Application Server

    With eTrust SiteMinder and SAP, users benefit from extending the eTrust SiteMinder Single Sign-On (SSO) experience to SAP solutions. The eTrust SiteMinder SSO Agent for SAP Web Application Server (Web AS) coupled with eTrust SiteMinder provides a single sign-on environment for Web Applications and SAP solutions.

    Solution Benefits

    • Improved user experience and satisfaction
    • Enhanced security

    Supported Platforms

    Enterprise applications: SAP NetWeaver (SAP Web AS, SAP Enterprise Portal)

    Operating systems: Microsoft Windows, IBM AIX, HP-UX, Sun Solaris

    Installation Prerequisites

    SAP NetWeaver: SAP Web AS, SAP Enterprise Portal

    eTrust SiteMinder software: eTrust SiteMinder Policy Server, eTrust SiteMinder Web Agent

    Specific Capabilities

    Figure 1. eTrust SiteMinder Federation Security Services.

    | Features | Description | Benefits |
    |---|---|---|
    | Single Sign-On | Extends eTrust SiteMinder Single Sign-On for protected Web applications to SAP applications. | Rich user experience, increased security, reduced customer support costs. |
    | Authentication Management | Provides support for a variety of authentication methods. Provides a single authentication point for all applications. | Increased security, lower application development costs, reduced administrative costs. |
    | Enhanced Security | Tier 2 integration moves the point of trust from the web server to the SAP Web AS J2EE Engine. | Increased security. An attack on a web server is less likely to compromise key business systems. |
    | Session Synchronization | eTrust SiteMinder and SAP sessions are linked. When the eTrust SiteMinder session ends, the corresponding SAP session is no longer available. | Increased security. Helps prevent misuse of critical, confidential business data. |

    Figure 1. eTrust SiteMinder SSO Agent for SAP Web AS.

    How It Works

    1. The user's HTTP-based web client accesses the Web AS J2EE engine application or Enterprise Portal via the front end web server.

    2. The eTrust SiteMinder Web Agent, hosted on the web server, intercepts the request and checks if the accessed application or resource is protected by eTrust SiteMinder. If the resource is protected, the user is challenged to provide authentication credentials.

    3. eTrust SiteMinder authenticates the user and checks for the user's access permissions to the protected resources. If the user has access to the application, the Policy Server returns the Web AS username in the form of an HTTP header response along with the SessionLinker header response. The SessionLinker response returns the cookie names (JSESSIONID and MYSAPSSO2) against which the eTrust SiteMinder session is tracked.

    4. Once eTrust SiteMinder allows access to the protected application or resource, the web server forwards the request to the J2EE engine. The J2EE engine invokes the eTrust SiteMinder login module, protecting the Web AS deployed application or the Enterprise Portal application.

    5. The eTrust SiteMinder login module validates the eTrust SiteMinder session information against the Policy Server.

    6. The Policy Server returns success if the eTrust SiteMinder session is valid, and returns the Web AS username. The eTrust SiteMinder login module confirms that the session does indeed belong to the requesting Web AS user. If the session is not valid, the authentication attempt fails and access to the requested resource is prohibited.

    7. If the eTrust SiteMinder login module successfully validates the user session, the module sets the user Principal to the Web AS username. The Web AS J2EE engine invokes the CreateTicket login module, which creates the MYSAPSSO2 ticket for the authenticated Web AS user. The J2EE engine services the request for the application if both login modules succeed.

    8. The SessionLinker on the web server keeps track of the eTrust SiteMinder session against the Web AS session identified by the JSESSIONID and MYSAPSSO2 cookies. If access is illegal, the cookies are emptied. If access is legal, the requested application or resource is presented to the user.
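
A simplified model of steps 5 through 8, added here as an illustration and not taken from the CA or SAP products: it shows why a username header alone is not trusted at tier 2 and how the SessionLinker empties cookies once the linked session is gone. All class names, function names, session ids and ticket values are hypothetical and constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class PolicyServer:
    # Constructed session store: SiteMinder session id -> Web AS username.
    sessions: dict = field(default_factory=dict)

    def validate(self, sm_session):
        """Return the Web AS username for a live session, else None."""
        return self.sessions.get(sm_session)

def siteminder_login_module(policy, sm_session, header_user):
    """Steps 5-7: validate the session and confirm it belongs to header_user."""
    owner = policy.validate(sm_session)
    if owner is None or owner != header_user:
        return None              # invalid session, or it belongs to another user
    return owner                 # becomes the user Principal

def j2ee_login(policy, sm_session, header_user):
    """Step 7: the request is serviced only if both login modules succeed."""
    principal = siteminder_login_module(policy, sm_session, header_user)
    if principal is None:
        return None
    # Stand-in for the CreateTicket login module; the value is a placeholder.
    return {"principal": principal, "MYSAPSSO2": f"ticket-for-{principal}"}

class SessionLinker:
    """Step 8: tracks the Web AS cookies against the SiteMinder session."""
    def __init__(self, policy):
        self.policy = policy
        self.links = {}          # (JSESSIONID, MYSAPSSO2) -> SiteMinder session id

    def link(self, cookies, sm_session):
        self.links[(cookies["JSESSIONID"], cookies["MYSAPSSO2"])] = sm_session

    def filter(self, cookies, sm_session):
        """Return the cookies if access is legal, emptied cookies otherwise."""
        key = (cookies.get("JSESSIONID"), cookies.get("MYSAPSSO2"))
        legal = (self.links.get(key) == sm_session
                 and self.policy.validate(sm_session) is not None)
        return cookies if legal else {"JSESSIONID": "", "MYSAPSSO2": ""}

def demo():
    policy = PolicyServer({"sm-1": "ALICE", "sm-2": "BOB"})  # constructed sample
    genuine = j2ee_login(policy, "sm-1", "ALICE")
    mismatched = j2ee_login(policy, "sm-2", "ALICE")  # BOB's session, ALICE header
    return genuine, mismatched
```
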

    Copyright 2006 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. MP310081106

    For more information, call 1-800-875-9659 or visit ca.com