62.3 Integration Architecture

The following diagram illustrates the integration between Access Manager and SAP NetWeaver Enterprise Portal.

62.3.1 Process Overview: Integration with SAP NetWeaver Enterprise Portal

Here is an overview of the integration process with SAP NetWeaver Enterprise Portal.

  1. A user attempts to access content via the SAP NetWeaver Enterprise Portal.

    For example, the user may enter the following URL to access an HR application through a proxy server:

    https://host:port/irj

  2. The WebGate intercepts the request and queries the Access Server for the security policy that determines if the resource is protected.

    The security policy consists of an authentication scheme, authorization rules, and allowed operations. Based on the authentication and authorization success or failure, specified actions are performed.

    The Access System security policy for the SAP /irj login URL is applicable to all resources accessed using the https://host:port/irj URL.

    Note that the SAP NetWeaver Enterprise Portal has its own authorization system that can be configured to set user access to iViews.

  3. If the resource is protected, the WebGate prompts the user for authentication credentials.

    The credentials that the WebGate requests depend on the authentication scheme configured in the Access System, for example, Basic over LDAP or Form-based authentication.

  4. If the credentials are validated, the Access System authenticates the user and sets an encrypted ObSSOCookie in the user's browser.

  5. After authentication, the authorization rules defined in the Access System are applied based on the security policy.

    Specific actions are performed based on the authorization rules. If the user is authorized, access to the SAP Portal login (the requested content) is allowed. For SAP Enterprise Portal header variable integration, the Access Server sets the authenticated user ID in a header variable.

    If the user is not authenticated or authorized, he or she is denied access and redirected to another URL, as determined by the administrator. For example, the user may be redirected to an "invalid credentials" page.

  6. For the integration with SAP NetWeaver Enterprise Portal, the proxy Web server redirects the request, which contains the header variable details, to the SAP NetWeaver Enterprise Portal internal Web server.

  7. The SAP NetWeaver Enterprise Portal uses the header variable value to check the mapping of the user ID against the configured data source in the portal.

    Both the Access Manager and SAP NetWeaver Enterprise Portal data source must contain the same user ID value.

    Upon successful mapping, SAP NetWeaver Enterprise Portal allows the user to access the requested resource.

    SAP NetWeaver Enterprise Portal sends a response to the proxy, and the proxy redirects the response to the client browser.

  8. All interaction with the SAP Enterprise Portal takes place through the proxy server.
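
The decision flow in steps 2 through 7 can be modelled in a few lines. This is an added sketch, not Oracle or SAP code: the header variable name `SSO_USER_ID`, the redirect URL, the user records, and the stripping of a client-supplied header are all assumptions made for illustration. It shows why the user ID must exist in both data sources and why the portal should only be reachable through the proxy.

```python
# Added sketch of steps 2-7; not Oracle or SAP code. All names are hypothetical.
HEADER = "SSO_USER_ID"              # assumed header variable name
PROTECTED_PREFIX = "/irj"           # the policy covers every resource under /irj
DENY_URL = "/invalid-credentials"   # administrator-chosen redirect (constructed)

# Constructed sample data: Access System directory, authorization rule, portal users.
ACCESS_USERS = {"jdoe": "pw-jdoe", "asmith": "pw-asmith", "bnew": "pw-bnew"}
AUTHORIZED = {"jdoe", "bnew"}
PORTAL_DATA_SOURCE = {"jdoe": "HR iViews", "asmith": "Finance iViews"}


def portal(path, headers):
    """Step 7: map the header value to a user ID in the portal data source."""
    user = headers.get(HEADER)
    if user not in PORTAL_DATA_SOURCE:
        return 403, "no matching portal user"
    return 200, f"{path} for {user}: {PORTAL_DATA_SOURCE[user]}"


def webgate_proxy(path, headers, credentials=None):
    """Steps 2-6: apply the security policy, then forward to the portal."""
    # Assumption of this sketch: a client-supplied copy of the header is dropped,
    # so the portal only ever sees the value set after authentication.
    forwarded = {k: v for k, v in headers.items() if k.upper() != HEADER}
    if path.startswith(PROTECTED_PREFIX):               # step 2: protected?
        if credentials is None:
            return 401, "credentials required"          # step 3: prompt
        user, password = credentials
        if ACCESS_USERS.get(user) != password:          # step 4: validate
            return 302, DENY_URL
        if user not in AUTHORIZED:                      # step 5: authorize
            return 302, DENY_URL
        forwarded[HEADER] = user                        # step 5: header variable
    return portal(path, forwarded)                      # step 6: forward


if __name__ == "__main__":
    print(webgate_proxy("/irj", {}))                            # prompt
    print(webgate_proxy("/irj", {}, ("jdoe", "pw-jdoe")))       # access allowed
    print(webgate_proxy("/irj", {}, ("asmith", "pw-asmith")))   # not authorized
    print(webgate_proxy("/irj", {}, ("bnew", "pw-bnew")))       # no portal mapping
```

The `bnew` case is the one to watch in a deployment: the user passes authentication and authorization in the Access System but is rejected by the portal because the user ID is missing from the portal data source.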