Chapter 6 Single Sign-On Solution for SAP Internet Transaction Server 2.0

This chapter describes the steps needed to integrate Sun ONE Identity Server into a Single Sign-On (SSO) environment with SAP’s Internet Transaction Server (ITS) 2.0. Topics in this chapter include:

Introduction

SAP ITS 2.0 acts as the gateway between your web server and the backend SAP R/3 application server by adding an HTML-based user interface to SAP applications. It is composed of two parts, WGate and AGate. WGate establishes the connection between ITS and the Web server and forwards user requests to AGate, which establishes the connection to the SAP R/3 system and performs processing tasks that are required to move data between SAP R/3 applications and the Internet. WGate resides on the same computer as the web server, as a server extension.

Sun ONE Identity Server along with Sun ONE Identity Server Policy Agent provides a natural integration between the SAP applications and non-SAP applications through the use of the SAP Pluggable Authentication Service (PAS).

Architecture Details

SSO is achieved through the use of PAS provided by SAP. PAS supports several types of external authentication methods, including X.509 Certificates, NTLM, NTPassword, LDAP, HTTP and dynamic libraries (DLL). This SSO solution, using Sun ONE Identity Server, uses the DLL method for external authentication. This scenario offers SSO using a partner-specific library, which is a shared library and is developed using SAP’s SDK for PAS. SAP’s SDK has four functions, and provides an interface to the ITS system without the knowledge of the XGateway interface of the ITS itself.

Prerequisites

The following steps are prerequisite to ensuring that SSO scenario works properly:

Installing PAS

PAS must be installed on the Administration AGate (ADM) instance. The library needed for PAS (sapextauth.dll) is supplied with SAP ITS from 4.6D C3 onwards, and is also located in the ITS program directory. For detailed instructions to install PAS, see SAP documentation.

The required service and template files must be installed in the respective instance in the subdirectories \services and \templates, respectively. To do so, you can unpack ITS package ntauth.sar from the SAP Service Marketplace or from the server component CD in path ITS\common\packages\211, or create the following files manually:

It is important to note that two separate AGate instances are required on the ticket issuing system. While PAS is installed on the ADM instance of the ticket issuing system, the Webgui service is hosted on the other AGate instance. On a ticket accepting system, only the Webgui service is hosted on the typical AGate instance.

Configuring the SAP Systems

To set up the SSO environment, you need to configure at least one SAP system to issue SSO2 logon tickets and some other systems to accept the SSO2 logon tickets. The following sections provide steps to configure these systems.

Configuring SAP R/3 System and the ITS instance

As stated in the section Prerequisites, the connection between AGate and the ticket-issuing SAP system need to be configured for SNC. The following instructions describe how to configure the SAP R/3 system and its corresponding ITS instance. For instructions on how to install SNC, please refer to the SAP SNC User’s Guide.

On the ticket issuing SAP R/3 system, configure the following parameters in the DEFAULT.PFL file.

Table 6-1 Parameters in DEFAULT.PFL
Parameter	Value
snc/enable	1
snc/gssapi_lib	path_to_SAPCRYPTOLIB
snc/identity/as	SNC name of the application server
snc/data_protection_max	3
snc/data_protection_min	1
snc/data_protection_use	2

Specify AGate’s SNC information in the system access control list for SNC. This list is available in the table SNCSYSACL, view VSNCSYSACL and TYPE=E.

Enter the SNC name for AGate in the SNC name field.

Select the following options:

Entry for RFC activated

Entry for diag activated

Entry for certificate activated

Create a generic entry for AGate in the extended user access control list. This list is available in the table USRACLEXT:

Enter an asterisk (*) in the User field.

Enter AGate’s SNC name in the SNC name field

If you require external user name mapping, you need to maintain the mapping in the table USREXTID.

In the ITS component’s AGATE global.srvc file, configure these parameters:

Table 6-2 Parameters in global.srvc
Parameter	Value
~Type	2
~SncNameAgate	SNC name of AGate and ITS Manager
~sncNameR3	SNC name of the application server
~sncQoPR3	2
~secure	0

Make sure the environment variable SNC_LIB contains the path and file name of sapcryptolib.

Configuring the System to Issue SSO2 Logon Tickets

Use the following steps to configure the SAP R/3 Stem as well as its corresponding ITS instance for issuing SAP SSO2 logon tickets.

Stop the running AGate instance on the ITS server, if necessary.

Set the parameters in the global service file global.srvc:

Table 6-3 Parameters in global.srvc
Parameter	Value
~login	(space)
~password	(space)
~cookies	1
~mysapcomusesso2cookie	1
~mysapcomnosso1cookie	1
~mysapcomssonoits	1
~mycomgetsso2cookie	1
~secure	0
~type	2

Set the following parameters in the application server’s profile on the ticket issuing SAP R/3 system by modifying DEFAULT.PFL:

Table 6-4 Parameters in DEFAULT.PFL
Parameter	Value
login/accept_sso2_ticket	1
login/create_sso2_ticket	2
login/ticket_expiration_time	Desired Value

Execute the SSO administration wizard (transaction SSO2 in the SAP system).

Enter NONE as the RFC destination.

Choose Edit->Activate Workplace.

Configuring Systems to Accept SSO2 Logon Tickets

In the global service file global.srvc, set the following parameters:

Table 6-5 Parameters in global.srvc
Parameter	Value
~login	(space)
~password	(space)
~mysapcomusesso2cookie	1

On all of the component systems’ application servers, set the following profile parameters:

Table 6-6 Parameters in the Component Systems’ Application Servers
Parameter	Value
login/accept_sso2_ticket	1
login/create_sso2_ticket	0

Execute the Transaction SSO2 using the SSO administration wizard on the SAP R/3 system.

Enter the RFC destination or the host name and system number for the ticket issuing system.

If the report indicates errors on the SAP R/3 system, correct these errors on the ticket issuing SAP R/3 system and re-execute the SSO administration wizard on the component systems.

To initiate the configuration steps on the component system, choose Edit->Activate Workplace. Red traffic lights indicate errors in the configuration.

Place the PAS shared library in the programs directory of the SAP instance. After you have installed the policy agent, copy the policy agent shared libraries also to this directory. For details, see section Installing and Configuring the Policy Agent.

Each SAP service must have its own corresponding template files and service files. The SAPDLL service file will follow the same naming conventions as the rest of the SAP services, that is, if the service name is sapdll, the service file name will be sapdll.srvc. For more information on the template files, see section SAP Template Files.

The sapdll.srvc service file must be configured as follows. This file must be located under SAP Install_dir/SAP/ITS/2.0/ADM/services.

Table 6-7 Parameters in *sapdll.srvc*
Parameter	Value
~login	test
~password	test
~theme	99
~xgateway	sapextauth
~extauthtype	DLL
~extauthmodule	\path_to_extauth.dll
~extid_type	UN
~properties_file	\path_to_paslibrary_config_file
~exitUrl	http://s1is_host:port/amserver/UI/Logout
~client	000
~language	en
~mysapcomgetsso2cookie	1
~redirectHost	host.domain:port
~redirectPath	/scripts/wgate/webgui/!
~redirectQS	~client=000
~redirectHttps	0


Note	The parameter ~properties_file is not a standard SAP service file parameter. This parameter should be added to the sapdll service file because the PAS DLL requires this file to know which Sun ONE Identity Server instance to communicate with.

Installing and Configuring the Policy Agent

Once you have configured the SAP R/3 systems and Sun ONE Identity Server, you can install Sun ONE Identity Server Policy Agent, version 2.1 for Sun ONE Web Server 6.0. For details on installing and configuring the policy agent, see Chapter 2 of this guide.

In Identity Server, policies must exist to allow or deny user access to the SAP service and resources.

The SAP Service typically resides at:

http://host.domain:port/scripts/wgate/sapdll/!

This is the URL for the sapdll PAS module service, which eventually redirects the user to the requested resource as indicated by the parameters ~redirectHost and ~redirectQS in the sapdll.srvc file. Policies must exist to protect the service (/scripts/wgate/sapdll/!) and the corresponding redirecting resource. For information on creating policies in Sun ONE Identity Server, please see Sun ONE Identity Server documentation.

The following policy agent shared libraries must be placed in the programs directory of your SAP ITS instance (\Program Files\SAP\ITS\2.0\programs). For the PAS shared library to work properly, it is absolutely necessary that the shared libraries for the policy agent are accessible.

The following are the libraries that you will need:

amsdk.dll

libnspr4.dll

libplc4.dll

libplds4.dll

libxml2.dll

nss3.dll

ssl3.dll

The global.srvc file on the ITS which hosts the Webgui service must contain at least the following parameters:

Table 6-8 Required Parameters in global.srvc
Parameter	Value
~client	000
~cookies	1
~exiturl	http://s1is_host:port/amserver/UI/Logout
~login	(space)
~password	(space)
~xgateway	sapdiag
~xgateways	sapxgadm,sapdiag,sapxgwfc,sapxginet,sapxgbc,sapextauth
~mysapcomgetsso2cookie	1
~mysapcomusesso2cookie	1
~mysapcomnosso1cookie	1
~mysapcomssonoits	1

SAP Template Files

Along with the SAP Service file (sapdll.srvc), a template directory needs to be created under ADM/templates and it must contain the default templates. These templates are presented here. You can create these files manually at this location:

Template file login.html

Code Example 6-1 Template file login.html


‘declare fieldEcho, getLanguages in "sapxjutil";‘
<!--
Copyright SAP AG 2002
Remark: Example Login Template.
You can write your own scripts by using BHTML and JScript
-->
‘if (~extauthtype == "LDAP")‘
<!--
// SAP AG 2002
// here an example for LDAP DN string. the complete string for bind must be
// uid=<user>, ou=<organisation unit>, o=<organisation>
// with this jscript example you can build your own distiguished name for your directory
//
// This example can be used, if no Base DN is set in the service file!
// Remark: All values must not be case sensitive. After ldap_bind the module searches
// the correct DN in the LDAP directory and set this as ~login. Therefore you should
// set in USREXTID the correct DNs - USREXITD is case sensitive !
-->
<script language=javascript>
// uncomment the example code
//var ou="People";
//var o ="wdf.sap-ag.de";

function buildDN()
{
// the input text for ~login will be replaced
//document.pasform.elements[1].value = "uid="+document.pasform.elements[1].value+", ou="+ou+", o="+o;
// after new value, we submit the form --> you can see result by jscript call
// alert(document.pasform.elements[1].value);
pasform.submit();
}
</script>
‘end‘
<h3>Please log on to the SAP System</h3>
<table>
<tr><td>
<form method="post" name="pasform" action="‘wgateURL()‘">
‘fieldEcho()‘
<table>
<tr><td>Service:</td><td>‘~Service‘</td></tr>
‘if (~client=="")‘
<tr><td>Client:</td><td><input name="~client" value="‘RSYST-MANDT‘"></td></tr>
<tr><td>
<input name="~clientinput" type="hidden" value= "1">
</td></tr>
‘end‘</tr>
‘if (~language=="")‘<tr><td>Language:</td>
<td>
<select name="~language">
‘if (getLanguages ("langId", "langDesc") == 0)
repeat with i from 1 to langId.dim‘
<option value="‘langId[i]‘">‘langDesc[i]‘</option>
‘end
else‘
<option value="en">No allowed languages specified! Using English as default.</option>
‘end‘
</select>
</td></tr>
‘end‘
<!-- for the PAS Types NTLM and HTTP the users dont have to input any things.
for NTPassword and LDAP the Users might have to input settings like login and password
Remark: Administrator can predefine such things in service file like
~login hasso
~password 1972
-->
‘if (~extauthtype == "NTPassword")‘
<tr><td>Login:</td><td><input name="~login" value="‘~login‘"></td></tr><tr><td>
<input name="~logininput" type="hidden" value="1">
</td></tr>
‘if (~password=="")‘
<tr><td>Password:</td><td><input type=password name="~password" value=""></td></tr><tr><td>
<input name="~passwdinput" type="hidden" value="1"></td></tr>
‘end‘
‘if (~extauthtype=="NTPassword")‘
<tr><td>NT domain:</td><td><input name="~ntdomain" value="‘~ntdomain‘"></td></tr>
‘end‘
‘end‘

‘if (~extauthtype == "LDAP")‘
‘if (~login=="")‘<tr><td>Login:</td><td><input type=text name="~login" value="‘~login‘"></td></tr><tr><td>
<input name="~logininput" type="hidden" value="1">
</td></tr>
‘end‘
‘if (~password=="")‘
<tr><td>Password:</td><td><input type=password name="~password" value=""></td></tr><tr><td>
<input name="~passwdinput" type="hidden" value="1"></td></tr>
‘end‘
‘end‘

‘if (~extauthtype == "DLL")‘
‘if (~login=="")‘<tr><td>Login:</td><td><input type=text name="~login" value="‘~login‘"></td></tr><tr><td>
<input name="~logininput" type="hidden" value="1">
</td></tr>
‘end‘
‘if (~password=="")‘
<tr><td>Password:</td><td><input type=password name="~password" value=""></td></tr><tr><td>
<input name="~passwdinput" type="hidden" value="1"></td></tr>
‘end‘
‘end‘

<tr><td></td><td>‘~MessageLine‘</td></tr>
</table>
</td>
</tr>
<tr>
<td>
<table align=center">
<tr>
<td>
<!--
here again for LDAP we switch the Submit button
-->
‘if (~extauthtype == "LDAP")‘
<input type=button name="~OkCode=/0" value="Logon" onClick="buildDN()">
‘else‘
<input type=submit name="~OkCode=/0" value="Logon">
‘end‘
</td>
</tr>
</table>
</td>
</tr>
</form>
</td>
</tr>

</table>