05-22-2015 12:28 PM
A customer uses a portal with SSO from Windows clients. At the Windows client the users log in to an AD domain, and in the browser they authenticate themselves at the portal and work the whole day with this authentication. Now he will use my application. This is a .NET application and it uses the .NET Connector (NCo 3.0) for SAP communication. At the moment it has its own login for the NCo. The customer asks me why it doesn't use the existing Logon Ticket. The answer is: I don't know how.
Is it possible to get the LogonTicket in my stand alone app, can I use it in the nco (MYSAPSSO2 parameter) and if yes how can I get it?
Many thanks in advance
05-22-2015 2:24 PM
Hi,
This should be possible. I have done something similar multiple times before. The latest one was an HTML app that had a custom logon screen. The users entered their username/password. The application server passed it to SAP portal via HTTP parameters. If everything was ok the portal issued an SSO cookie that was used for some subsequent calls. It was a workaround to avoid a proper implementation of SSO. The only missing part is to figure out how your standalone app can reuse AD credentials of a user that is running the app. I can't help you with that but I am pretty sure there must be an API for that.
Cheers
05-22-2015 3:34 PM
Hi,
From a security and usability perspective, the best solution would be to re-use the Windows authentication (the Kerberos ticket) also for your SNC connection to the backend. However, this requires an SNC-capable SSO product such as SAP Single Sign-On.
Logon tickets are no longer recommended for new implementations, as mentioned in OSS note 2117110.
Best regards,
Christian
05-28-2015 2:20 PM
Thank you for your reply.
Our customer won't use SNC for whatever reason. The OSS note says what I shouldn't do but what I can do instead is very wishy-washy. Do you have a suggestion of a forum where I can get detailed information?
05-28-2015 3:12 PM
SNC is the best solution for this, using an SNC library that has Kerberos support so you can use the credentials of the user at the .net application server (delegated). This is actually very easy, very secure and common. I have helped at least 20 or 30 companies implement exactly this, and never had any issues with it. Also, there is a bonus since the session between the .net server and back-end SAP system can be encrypted, after the authentication is complete.
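To make the SNC route described in the last two replies concrete, here is an added example (not code from this thread, from SAP, or from the original poster's application) of how a standalone .NET application using NCo 3.0 could define a destination that authenticates with SNC/Kerberos instead of its own stored user name and password, so the Windows logon the customer already has is reused. It assumes sapnco.dll (NCo 3.0), an SNC-capable GSS library installed on the .NET server, and that the backend's SNC name has been supplied by the Basis team; the host name, system number, client, SNC partner name and library path are placeholders, and the `RfcConfigParameters` constant names are written as in NCo 3.0 and should be checked against the installed version.

```csharp
// Added example, not code from the thread: an NCo 3.0 destination that authenticates
// with SNC/Kerberos instead of a user name and password kept in the application.
// Assumptions: SAP .NET Connector 3.0 (sapnco.dll), an SNC-capable GSS library such as
// SAP CommonCryptoLib on the .NET server, and the backend's SNC name from Basis.
// All host names, system number, client, SNC names and paths below are placeholders.
using System;
using SAP.Middleware.Connector;

public sealed class SncDestinationConfig : IDestinationConfiguration
{
    public const string DestinationName = "ERP_SNC";

    public RfcConfigParameters GetParameters(string destinationName)
    {
        if (destinationName != DestinationName) return null;

        var p = new RfcConfigParameters();
        p[RfcConfigParameters.Name] = DestinationName;
        p[RfcConfigParameters.AppServerHost] = "sap-erp.example.internal"; // placeholder
        p[RfcConfigParameters.SystemNumber] = "00";                       // placeholder
        p[RfcConfigParameters.Client] = "100";                            // placeholder
        p[RfcConfigParameters.Language] = "EN";

        // SNC instead of USER/PASSWD: the application holds no reusable secret.
        p[RfcConfigParameters.SncMode] = "1";
        // Quality of protection 3 = authentication, integrity and privacy (encryption).
        // Setting it explicitly documents the requirement instead of relying on defaults.
        p[RfcConfigParameters.SncQOP] = "3";
        // SNC name of the backend system (placeholder value, format depends on the library).
        p[RfcConfigParameters.SncPartnerName] = "p:CN=SAPServiceERP@EXAMPLE.INTERNAL";
        // GSS library used for SNC (placeholder path).
        p[RfcConfigParameters.SncLibraryPath] = @"C:\sap\crypto\sapcrypto.dll";
        // SNC_MYNAME is deliberately left unset: the library then uses the Kerberos
        // identity of the Windows account running this process, i.e. the logged-on user
        // (or the delegated identity when the code runs on an application server).
        return p;
    }

    // Static configuration: no runtime changes, so no change events are raised.
    public bool ChangeEventsSupported() { return false; }
    public event RfcDestinationManager.ConfigurationChangeHandler ConfigurationChanged;
}

public static class Program
{
    public static void Main()
    {
        RfcDestinationManager.RegisterDestinationConfiguration(new SncDestinationConfig());
        RfcDestination dest = RfcDestinationManager.GetDestination(SncDestinationConfig.DestinationName);

        // Ping opens an SNC-protected RFC connection; the backend maps the Kerberos
        // principal to an SAP user (table USRACL / SNC name mapping maintained by Basis).
        dest.Ping();
        Console.WriteLine("SNC connection to " + dest.Name + " established as the current Windows user.");
    }
}
```

The MYSAPSSO2 parameter the question asks about would sit in the same `RfcConfigParameters` map in place of the SNC settings, but a ticket copied out of the browser session is exactly the pattern note 2117110 steers away from for new implementations. With the SNC configuration above the application never stores or forwards a credential, the RFC traffic is encrypted after authentication, and the backend can additionally be configured to refuse RFC logons that are not SNC-protected, which turns the recommendation in the replies into something that is enforced rather than just preferred.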