Web Policy Agents Guide
Chapter 6
Single Sign-On Solution for SAP Internet Transaction Server 2.0

This chapter describes the steps needed to integrate Sun ONE Identity Server into a Single Sign-On (SSO) environment with SAP’s Internet Transaction Server (ITS) 2.0. Topics in this chapter include:
Introduction

SAP ITS 2.0 acts as the gateway between your web server and the backend SAP R/3 application server by adding an HTML-based user interface to SAP applications. It is composed of two parts, WGate and AGate. WGate establishes the connection between ITS and the web server and forwards user requests to AGate, which establishes the connection to the SAP R/3 system and performs the processing tasks required to move data between SAP R/3 applications and the Internet. WGate resides on the same computer as the web server, as a server extension.
Sun ONE Identity Server along with Sun ONE Identity Server Policy Agent provides a natural integration between the SAP applications and non-SAP applications through the use of the SAP Pluggable Authentication Service (PAS).
Architecture Details

SSO is achieved through the use of PAS provided by SAP. PAS supports several types of external authentication methods, including X.509 certificates, NTLM, NTPassword, LDAP, HTTP and dynamic libraries (DLL). This SSO solution, using Sun ONE Identity Server, uses the DLL method for external authentication. This scenario offers SSO using a partner-specific library, which is a shared library developed using SAP’s SDK for PAS. SAP’s SDK has four functions, and provides an interface to the ITS system without requiring knowledge of the XGateway interface of the ITS itself.
The process flow in the SSO environment is as follows:
- A user issues an HTTP request to a SAP service named sapdll.
- The request is intercepted by the policy agent. Since there is no valid SSOToken in the request, the user is redirected to Sun ONE Identity Server for authentication.
- Upon successful authentication, the user is granted access to the sapdll service. This is the PAS dynamic link library which communicates with Sun ONE Identity Server and verifies the validity of the SSO Token.
- The PAS dynamic link library then sets the value of ~login to that of the user who authenticated with Sun ONE Identity Server and is mapped in the SAP system.
- PAS then issues a SAP logon ticket for the user, which is set in the user’s browser.
- PAS reroutes the user to the requested service (such as Webgui).
Prerequisites

The following steps are prerequisites for ensuring that the SSO scenario works properly:
- Install and configure two ITS instances. The first instance is the regular ITS which hosts the Webgui service, and the second instance is the ITS administration which hosts the PAS service.
- Configure at least one SAP system to issue SAP SSO (SSO2 logon) tickets.
- Configure the other SAP systems to accept SSO2 logon tickets.
- Ensure that the browser supports and accepts cookies because SSO2 logon tickets are saved as browser cookies.
- Configure SAP Secure Network Connections (SNC) on the ticket-issuing SAP system, but not necessarily on the ticket-accepting system. SNC is a software layer in the SAP system architecture, which assures safe communication between trusted SAP components. It requires a cryptographic library to secure the data communication paths between the various SAP systems.
- Configure PAS to use an external authentication mechanism. For details, refer to the SAP documentation.
- Install and configure Sun ONE Identity Server and Sun ONE Identity Server Policy Agent for Sun ONE Web Server 6.0.
Installing PAS

PAS must be installed on the Administration AGate (ADM) instance. The library needed for PAS (sapextauth.dll) is supplied with SAP ITS from 4.6D C3 onwards, and is also located in the ITS program directory. For detailed instructions on installing PAS, see the SAP documentation.
The required service and template files must be installed in the \services and \templates subdirectories of the respective instance. To do so, you can unpack the ITS package ntauth.sar from the SAP Service Marketplace or from the server component CD in the path ITS\common\packages\211, or create the following files manually:
For details of these template files, see section SAP Template Files.
It is important to note that two separate AGate instances are required on the ticket issuing system. While PAS is installed on the ADM instance of the ticket issuing system, the Webgui service is hosted on the other AGate instance. On a ticket accepting system, only the Webgui service is hosted on the typical AGate instance.
Configuring the SAP Systems

To set up the SSO environment, you need to configure at least one SAP system to issue SSO2 logon tickets and the other systems to accept the SSO2 logon tickets. The following sections provide the steps to configure these systems.
Configuring SAP R/3 System and the ITS instance
As stated in the section Prerequisites, the connection between AGate and the ticket-issuing SAP system needs to be configured for SNC. The following instructions describe how to configure the SAP R/3 system and its corresponding ITS instance. For instructions on how to install SNC, please refer to the SAP SNC User’s Guide.
- On the ticket issuing SAP R/3 system, configure the following parameters in the DEFAULT.PFL file.
- Specify AGate’s SNC information in the system access control list for SNC. This list is available in the table SNCSYSACL, view VSNCSYSACL and TYPE=E.
- Create a generic entry for AGate in the extended user access control list. This list is available in the table USRACLEXT:
- If you require external user name mapping, you need to maintain the mapping in the table USREXTID.
- In the ITS component’s AGATE global.srvc file, configure these parameters:
Table 6-2 Parameters in global.srvc

Parameter        Value
~Type            2
~SncNameAgate    SNC name of AGate and ITS Manager
~sncNameR3       SNC name of the application server
~sncQoPR3        2
~secure          0
- Make sure the environment variable SNC_LIB contains the path and file name of sapcryptolib.
Configuring the System to Issue SSO2 Logon Tickets
Use the following steps to configure the SAP R/3 system as well as its corresponding ITS instance for issuing SAP SSO2 logon tickets.
- Stop the running AGate instance on the ITS server, if necessary.
- Set the parameters in the global service file global.srvc:
- Set the following parameters in the application server’s profile on the ticket issuing SAP R/3 system by modifying DEFAULT.PFL:
Table 6-4 Parameters in DEFAULT.PFL

Parameter                      Value
login/accept_sso2_ticket       1
login/create_sso2_ticket       2
login/ticket_expiration_time   Desired value
- Execute the SSO administration wizard (transaction SSO2 in the SAP system).
- Enter NONE as the RFC destination.
- Choose Edit->Activate Workplace.
Configuring Systems to Accept SSO2 Logon Tickets
To configure the component systems to accept and verify SSO2 logon tickets:
- In the global service file global.srvc, set the following parameters:
Table 6-5 Parameters in global.srvc

Parameter                Value
~login                   (space)
~password                (space)
~mysapcomusesso2cookie   1
- On all of the component systems’ application servers, set the following profile parameters:
Table 6-6 Parameters in the Component Systems’ Application Servers

Parameter                  Value
login/accept_sso2_ticket   1
login/create_sso2_ticket   0
- Execute transaction SSO2 (the SSO administration wizard) on the SAP R/3 system.
- Enter the RFC destination or the host name and system number for the ticket issuing system.
- If the report indicates errors on the SAP R/3 system, correct these errors on the ticket issuing SAP R/3 system and re-execute the SSO administration wizard on the component systems.
- To initiate the configuration steps on the component system, choose Edit->Activate Workplace. Red traffic lights indicate errors in the configuration.
- Place the PAS shared library in the programs directory of the SAP instance. After you have installed the policy agent, copy the policy agent shared libraries also to this directory. For details, see section Installing and Configuring the Policy Agent.
Each SAP service must have its own corresponding template files and service files. The SAPDLL service file will follow the same naming conventions as the rest of the SAP services, that is, if the service name is sapdll, the service file name will be sapdll.srvc. For more information on the template files, see section SAP Template Files.
The sapdll.srvc service file must be configured as follows. This file must be located under SAP Install_dir/SAP/ITS/2.0/ADM/services.
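A consistency check for the SSO2 settings in Tables 6-4 to 6-6, added here as an example and not part of SAP ITS or the Sun ONE policy agent. It assumes DEFAULT.PFL uses `param = value` lines and global.srvc uses `~param value` lines, as in the values quoted above, and it flags a component system that still carries a fixed ~login/~password or that would mint its own tickets instead of trusting the issuing system.

```python
# Expected values per system role, copied from Tables 6-4 to 6-6 above.
EXPECTED = {
    "issuing":   {"pfl": {"login/accept_sso2_ticket": "1", "login/create_sso2_ticket": "2"},
                  "srvc": {}},
    "accepting": {"pfl": {"login/accept_sso2_ticket": "1", "login/create_sso2_ticket": "0"},
                  "srvc": {"~login": "", "~password": "", "~mysapcomusesso2cookie": "1"}},
}

def parse_profile(text):
    """DEFAULT.PFL lines look like 'param = value'; '#' starts a comment (assumed layout)."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def parse_srvc(text):
    """global.srvc lines look like '~param value'; a missing value means blank (assumed layout)."""
    params = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and parts[0].startswith("~"):
            params[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return params

def check_sso2(role, pfl_text, srvc_text):
    """Return the list of deviations from the expected settings for 'issuing' or 'accepting'."""
    pfl, srvc = parse_profile(pfl_text), parse_srvc(srvc_text)
    findings = []
    for key, want in EXPECTED[role]["pfl"].items():
        if pfl.get(key) != want:
            findings.append(f"DEFAULT.PFL {key}={pfl.get(key)!r}, expected {want!r}")
    for key, want in EXPECTED[role]["srvc"].items():
        if srvc.get(key) != want:
            findings.append(f"global.srvc {key}={srvc.get(key)!r}, expected {want!r}")
    if role == "issuing" and not pfl.get("login/ticket_expiration_time"):
        findings.append("DEFAULT.PFL login/ticket_expiration_time is not set")
    return findings

# Constructed sample of a misconfigured component system: a fixed logon in global.srvc
# means every browser is logged in as that one user, and create_sso2_ticket=2 makes it
# mint its own tickets instead of trusting the issuing system.
BAD_SRVC = "~login SAPUSER\n~password secret\n~mysapcomusesso2cookie 1\n"
BAD_PFL = "login/accept_sso2_ticket = 1\nlogin/create_sso2_ticket = 2  # should be 0\n"
GOOD_SRVC = "~login\n~password\n~mysapcomusesso2cookie 1\n"
GOOD_PFL = "login/accept_sso2_ticket = 1\nlogin/create_sso2_ticket = 0\n"

if __name__ == "__main__":
    print(*check_sso2("accepting", BAD_PFL, BAD_SRVC), sep="\n")
```

Run it against the real files by reading DEFAULT.PFL and global.srvc into the two text arguments; an empty list means the system matches its role.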
Installing and Configuring the Policy Agent

Once you have configured the SAP R/3 systems and Sun ONE Identity Server, you can install Sun ONE Identity Server Policy Agent, version 2.1 for Sun ONE Web Server 6.0. For details on installing and configuring the policy agent, see Chapter 2 of this guide.
For the SSO solution to work properly, you must take care of the following:
- In Identity Server, policies must exist to allow or deny user access to the SAP service and resources.
The SAP Service typically resides at:
http://host.domain:port/scripts/wgate/sapdll/!
This is the URL for the sapdll PAS module service, which eventually redirects the user to the requested resource as indicated by the parameters ~redirectHost and ~redirectQS in the sapdll.srvc file. Policies must exist to protect the service (/scripts/wgate/sapdll/!) and the corresponding redirecting resource. For information on creating policies in Sun ONE Identity Server, please see Sun ONE Identity Server documentation.
- The following policy agent shared libraries must be placed in the programs directory of your SAP ITS instance (\Program Files\SAP\ITS\2.0\programs). For the PAS shared library to work properly, it is absolutely necessary that the shared libraries for the policy agent are accessible.
The following are the libraries that you will need:
- The global.srvc file on the ITS which hosts the Webgui service must contain at least the following parameters:
SAP Template Files

Along with the SAP service file (sapdll.srvc), a template directory needs to be created under ADM/templates, and it must contain the default templates. These templates are presented here. You can create these files manually at this location:
Template file login.html
Template file extautherror.html
Code Example 6-2 Template file extautherror.html

<H3>Error during authentication process.</H3>
`if (~messageline != "")`
<p>The following error occurred:</p>`~messageline`
<p>The trace files might contain more information about the problem.</p>
`else`
<p>The error can’t be qualified in more detail.</p>
<p>The trace file may contain further information about this error.</p>
`end`
Template file redirect.html
Code Example 6-3 Template file redirect.html

<html>
<head>
<meta http-equiv="refresh" content="0; URL=`~ExtAuthRedirectURL`">
</head>
<body>
</body>
</html>