

Enabling Single Sign On Between Enterprise Portal and Non-SAP Applications

Applies to: SAP NetWeaver 2004s (EP7). For more information, visit the Portal and Collaboration homepage.

Summary

The scope of this article is to describe how to establish Single Sign-On (SSO) between SAP Enterprise Portal and a non-SAP application. The portal can act as a platform for accessing different applications without logging in to each of them. The access can be provided in several ways: a) using user mapping, b) using SAP Logon Tickets. This article provides a step-by-step guide to solving this problem using the SAP Logon Ticket approach. Single sign-on can be implemented easily between SAP Enterprise Portal and other SAP applications such as BW and R/3, but the implementation is not straightforward for custom-built applications (developed in ASP.NET or JSP).

Author: Md Ansar Hussain

Company: Satyam Computer Services Ltd

Created on: 30 October 2008

Author Bio

Md Ansar Hussain is working as an SAP Technical Consultant with Satyam Computer Services Ltd. Skill set includes SAP Enterprise Portal and Java.

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com © 2008 SAP AG 1


Table of Contents

  Problem Description
    Account Aggregation (User Mapping)
    SAP Logon Tickets
  Solution Overview
  Prerequisites
  Solution Details
    Creating a Portal Component
    Sending SAP Logon Ticket to the Non SAP Application
    Deploy and Create iView
    Getting Public Key Certificate
  Enabling the backend system to accept SAP Logon Tickets
    ASP.Net Web Application (running on Windows Server 2003)
      Pre-requisites
      Find the below steps to accomplish the task
    Java Web Application
      Pre-requisites
      Find the below steps to accomplish the task
  Personalizing the Application to accept the User Inputs
  Conclusion
  Related Content
  Disclaimer and Liability Notice


Problem Description:

Organizations have their own applications, which may have been developed in various web technologies depending on the requirement specifications. Each application uses its own user management system, and its administration has to be handled individually. This forces users to remember a separate password for each application. Enterprise Portal provides a solution to this problem by offering a way to integrate applications built on different (non-SAP) technologies in the same platform, the portal.

Single Sign-On (SSO) is a key feature of the SAP NetWeaver Portal that eases user interaction with the many component systems available to the user in a portal environment. Once the user is authenticated to the portal, he or she can use the portal to access external applications. With SSO in the portal, the user can access different custom built systems or applications (developed in JSP or ASP.Net) without having to repeatedly enter his or her user credentials for authentication.

This can be achieved in two ways, as follows:

1. Account Aggregation (User Mapping)
2. SAP Logon Tickets

Account Aggregation (User Mapping):

User Mapping is used for Single Sign-On (SSO) to back-end systems. It is done by mapping the portal user ID to the user ID of the back-end system. The mapping can be done by an administrator, or you can enable the portal end users to manage their own user mapping for the systems you define. User Mapping supports SSO using the user ID and password authentication method, which always requires user mapping: the portal user ID is mapped to the user ID and password of the back-end system. The procedure involves creating a System object in the portal and configuring it with an iView that shows the non-SAP application in the content area. For each user, the user ID and password of the non-SAP system need to be entered and mapped to that system through its alias. If user mapping is implemented, each portal user has to provide the corresponding user name and password of the non-SAP application (a one-time activity).

SAP Logon Tickets:

SAP Logon Tickets are used in SAP Enterprise Portal to authenticate users to non-SAP applications. In simple terms, the SAP Logon Ticket represents the user's details. When the user tries to access the non-SAP application through the portal, the portal server issues an SAP Logon Ticket to the user. The logon ticket is stored as a session cookie in the browser. Once the logon to the portal is complete, no additional logons are required from the user. SAP Logon Tickets provide a strong level of security for SAP systems because they are digitally signed by the portal server; the signature provides authenticity and integrity. It should be noted that SAP Logon Tickets do not contain any passwords. Normally, the SAP Logon Ticket contains:

- User ID
- Period of validity of the ticket
- Issuing system
- Digital signature
- Scheme of authentication

This procedure does not need the configuration activities that User Mapping requires.

The first thing to achieve is to enable your content-providing application, i.e. your back-end system (the non-SAP application), to accept the SAP Logon Ticket.

The user does not have to bother about authentication as in User Mapping. He or she has to log on to the portal only once and then has access to the non-SAP application without being challenged for authentication details.


Solution Overview:

The Single Sign-On process flow is shown in the diagram below:

Figure 1: Single Sign-on Process Flow

• An application needs to be created in the portal through NetWeaver Developer Studio (NWDS), and an iView is created with the Portal Component to access the non-SAP application.
• The user logs in to the portal to access the non-SAP application.
• The SAP Logon Ticket (MYSAPSSO2 ticket) is sent to the user's browser by the portal.
• The cookie consists of user and system information of the portal in an encrypted form.
• The destination non-SAP application accepts the cookie and decrypts it to obtain the user ID.
• To decrypt the cookie, the destination application needs the dynamic link libraries (sapssoext.dll and sapsecu.dll) and the public key from the portal.
• After obtaining the user ID, the non-SAP application screen is shown for that user, corresponding to the permissions the user has in that application.


Prerequisites:

• The SAP Enterprise Portal server and the destination non-SAP application must lie in the same domain (e.g. if the portal URL is "abc.company.com" then the destination system URL should be like "def.company.com").
• User IDs in the non-SAP application must be the same as those in the portal (e.g. if there is a user in the portal with the ID "abcd", then the non-SAP application must have a user with the ID "abcd").

Solution Details:

Please follow the steps below.

Creating a Portal Component:

• Open NetWeaver Developer Studio (NWDS).
• Click New -> Project -> Portal Application. Provide a meaningful name for the project (e.g. NonSAPApplication).
• Add a component to the project. Click New -> Other -> Portal Application -> Create a new Portal Application Object -> Select NonSAPApplication -> Portal Component -> Abstract Portal Component.

Figure 2: Abstract Portal Component

• In the next screen enter the values as follows:
  Name: NonSAPApplication
  Package Name: <some meaningful name, e.g. com.company.application.sso>
  o Click Finish.
• Create a JSP page under NonSAPApplication -> dist -> PORTAL-INF -> jsp. Right-click on the jsp folder and click New -> Other -> Simple -> File.


Figure 3: Select the file

• Click Next and specify the name of the JSP as NonSAPApplication.jsp.

Figure 4: Select the folder path

• Click Finish to complete.

• Include the code below in the doContent() method of the NonSAPApplication component.

    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import com.sapportals.portal.prt.component.IPortalComponentRequest;
    import com.sapportals.portal.prt.component.IPortalComponentResponse;
    import com.sapportals.portal.prt.resource.IResource;

    public void doContent(IPortalComponentRequest request, IPortalComponentResponse response) {
        HttpServletRequest req = request.getServletRequest();
        HttpServletResponse resp = request.getServletResponse(false);
        // Calling a jsp page from the Portal Component
        IResource jspResource = request.getResource(IResource.JSP, "/jsp/NonSAPApplication.jsp");
        response.include(request, jspResource);
    }


Sending SAP Logon Ticket to the Non SAP Application:

• Include the code below in NonSAPApplication.jsp.

    <%
    Cookie cookiesArray[] = request.getCookies();
    Cookie currentCookie = null;
    String currentCookieName = "";
    String cookieValue = "dummycookie";
    boolean boolReceivedCookie = false;
    // getCookies() returns null when the request carries no cookies at all
    int cookieArrayLength = (cookiesArray == null) ? 0 : cookiesArray.length;
    for (int i = 0; i < cookieArrayLength; i++) {
        currentCookie = cookiesArray[i];
        currentCookieName = currentCookie.getName();
        // Get out of the loop when the "MYSAPSSO2" cookie is obtained
        if (currentCookieName.equals("MYSAPSSO2")) {
            cookieValue = currentCookie.getValue();
            boolReceivedCookie = true;
            break;
        }
    }
    %>

As the NonSAPApplication will be accessed through an iView in the portal, the code below reads the URL of the non-SAP application, which is defined as the property nonSAPApplicationURL in the sub-component of the Component Profile in portalapp.xml.

The process of creating the sub-component under Component Profile of portalapp.xml is mentioned in the last section of this document.

    <%@ page import="com.sapportals.portal.prt.component.IPortalComponentRequest" %>
    <%@ page import="com.sapportals.portal.prt.component.IPortalComponentContext" %>
    <%@ page import="com.sapportals.portal.prt.component.IPortalComponentProfile" %>
    <%
    // To get the URL from the iView properties
    IPortalComponentRequest currentReq =
        (IPortalComponentRequest) pageContext.getAttribute(javax.servlet.jsp.PageContext.REQUEST);
    IPortalComponentContext componentContext = currentReq.getComponentContext();
    IPortalComponentProfile profile = componentContext.getProfile();
    String appURL = profile.getProperty("nonSAPApplicationURL");
    %>

Include a form with a hidden input field named "value", which carries the cookie value that will be received at the NonSAPApplication.

    <form name="myform" method="post" action="<%=appURL%>">
        <input type="hidden" name="value" value="<%=cookieValue%>">
    </form>

    <!-- JavaScript is used to auto-submit the form -->
    <script type="text/javascript">
        document.myform.submit();
    </script>

• Import the "Servlet.jar" file to the project library.


Deploy and Create iView:

To use this application follow the steps below:

• Export the application to a PAR file and deploy it to the portal.
• Create an iView from that PAR file.

When you preview the iView, the application will be executed and the Non SAP Application will be called with the SAP Logon Ticket. The destination application has to catch the ticket and decrypt it to obtain the user ID from it.

Getting Public Key Certificate:

• Log in to the portal with an administrator ID.
• Click System Administrator -> System Configuration -> Keystore Administration.
• Click "Download verify.pse file" to download the verify.pse file.

Figure 5: Download verify.pse file

Enabling the backend system to accept SAP Logon Tickets:

Depending on the technology in which the non-SAP application is built, we need to implement the procedure to integrate the back-end content into your portal. Of these technologies, we will look at the most common ones and see how to enable SAP Logon Ticket based SSO:

a. ASP.Net Web Application (running on Windows Server 2003)
b. Java Web Application

This document explains the procedure to enable Single Sign On for .Net and Java web applications.

ASP.Net Web Application (running on Windows Server 2003):

Pre-requisites:

• Windows Server 2003, either 32- or 64-bit processor.
• Visual Studio 2003/2005.
• The DLLs provided by SAP (Service Marketplace), i.e. sapssoext.dll and sapsecu.dll, are placed in the System32 folder of the Windows installation.
  Note: This needs a system restart.
• These DLLs are specific to 32- and 64-bit processors. Check whether the server is 32- or 64-bit before downloading the DLLs: if the server is 32-bit, download the 32-bit DLLs; if it is 64-bit, download the 64-bit DLLs.
• A public key file (verify.pse) from the portal is needed to decrypt the cookie (explained in "Getting Public Key Certificate").


Find the below steps to accomplish the task:

• Register SAPSSOEXT.dll in the .NET environment using regsvr32 from the Run command.
• Add SAPSSOEXT.dll as a reference in Visual Studio.
• Import the SAPSSOEXT namespace provided by the registered DLL in the Visual Studio environment.
• Create an Sso.cs file in the .NET application.
• Include the code below in the Sso.cs file:

    using System;
    using System.IO;
    using System.Reflection;
    using System.Configuration;

    namespace sapssoext
    {
        /// <summary>
        /// Example class for SAPSSOEXT library implemented in CSharp (C#).
        ///
        /// Compile this class with .Net compiler:
        ///   csc ssosample.cs
        ///
        /// This class performs the calls via Reflection because no further
        /// references have to be set, but the COM component in SAPSSOEXT must
        /// be registered to the Windows registry:
        ///   1) ensure that "regsvr32 sapssoext.dll" component registration was done
        ///   2) if a null library property (Cryptlib) is passed, the environment
        ///      variable SSF_LIB is taken.
        /// </summary>
        public class SSO2Ticket
        {
            // Constant definitions for the ParseCertificate function
            const int ISSUER_CERT_SUBJECT = 0;
            const int ISSUER_CERT_ISSUER = 1;
            const int ISSUER_CERT_SERIALNO = 2;

            private Object MyObj = null;
            private Type MyType = null;

            /**
             * Class constructor
             */
            public SSO2Ticket()
            {
                Console.WriteLine("SSOTicket constructor called");
                try
                {
                    // get type from registry and initiate an instance of it
                    MyType = Type.GetTypeFromProgID("SAPSSOEXT.SSO2Ticket", true);
                    MyObj = Activator.CreateInstance(MyType);
                }
                catch (System.Runtime.InteropServices.COMException ex)
                {
                    if (ex.ErrorCode == -2147221005)
                    {
                        throw new Exception("Register object SAPSSOEXT.SSO2Ticket:\nregsvr32 sapssoext.dll");
                    }
                    else
                    {
                        throw new Exception(ex.Message);
                    }
                }
                // the inner exception means the error within SAPSSOEXT
                catch (System.Reflection.TargetInvocationException fex)
                {
                    throw new Exception(fex.InnerException.Message);
                }
            }

            /**
             * Class finalize
             */
            ~SSO2Ticket()
            {
                Console.WriteLine("SSOTicket destructor called");
                // release the COM object
                if (MyObj != null)
                {
                    System.Runtime.InteropServices.Marshal.ReleaseComObject(MyObj);
                    MyObj = null;
                }
            }

            /**
             * Returns internal version.
             *
             * return version
             */
            public string getVersion()
            {
                return "SAPSSOEXT 2";
            }

            /**
             * Initialization
             *
             * param seclib location of ssf-implementation
             *
             * return true/false whether initialisation was ok
             */
            public bool init(string ssflib)
            {
                object[] seclib = { ssflib };
                if (MyType == null)
                {
                    return false;
                }
                try
                {
                    // invoke the first call: set the property CryptLib
                    MyType.InvokeMember("CryptLib", System.Reflection.BindingFlags.SetProperty, null, MyObj, seclib);
                    return true;
                }
                catch (Exception)
                {
                    return false;
                }
            }

            /**
             * eval ticket
             *
             * param ticket the ticket
             * param pab location of pab
             * param pab_password password for access the pab
             *
             * return Object array with:
             * [0] = (String)user, [1] = (String)sysid, [2] = (String)client, [3] = (byte[])certificate
             * [4] = (String)portalUser, [5] = (String)authSchema, [6] = validity
             */
            public Object[] evalLogonTicket(string ticket, string pab, string pab_password)
            {
                Object[] parms = { ticket, pab, pab_password };
                // invoke the main method to check the ticket
                if (MyType == null)
                    return new Object[7];
                return (Object[])MyType.InvokeMember("EvalLogonTicket", System.Reflection.BindingFlags.InvokeMethod, null, MyObj, parms);
            }

            /**
             * Parse certificate
             *
             * param cert Certificate received from evalLogonTicket
             * param info_id One of the request ids (ISSUER_CERT_SUBJECT, ISSUER_CERT_ISSUER, ISSUER_CERT_SERIALNO)
             *
             * return Info string from certificate
             */
            public string parseCertificate(string cert, int info_id)
            {
                // pass the requested info id through (the original sample always asked for the subject)
                Object[] parms = { cert, info_id };
                if (MyType == null)
                    return "";
                // invoke ParseCertificate
                return (string)MyType.InvokeMember("ParseCertificate", System.Reflection.BindingFlags.InvokeMethod, null, MyObj, parms);
            }

            /// <summary>
            /// Evaluates the ticket received from the portal (the MYSAPSSO2 cookie value)
            /// and returns the user ID it carries. Any failure (SSF library not loadable,
            /// COM component not registered, ticket not valid) is raised as an exception,
            /// so that a failure can never be mistaken for a user ID by the caller.
            /// </summary>
            public string getUser(string cookie)
            {
                Object[] RetArray;
                string ticket = cookie;
                string ssf_library = "sapsecu.dll";
                string pse = "verify.pse";
                string pwd = null; // PSE password; none is used here

                try
                {
                    Console.WriteLine("Start SSO2TICKET main");
                    Console.WriteLine("Version: " + getVersion());

                    // init sapsecu library
                    if (!init(ssf_library))
                    {
                        throw new Exception("Could not load SSF library: >>>" + ssf_library + "<<<");
                    }

                    // evaluate the ticket against the portal's public key (verify.pse)
                    RetArray = evalLogonTicket(ticket, getFullFilePath(pse), pwd);

                    // Optionally inspect the certificate of the issuing system:
                    // string subject = parseCertificate((string)RetArray[3], ISSUER_CERT_SUBJECT);
                    // string issuer = parseCertificate((string)RetArray[3], ISSUER_CERT_ISSUER);
                    //
                    // Contents of RetArray (see evalLogonTicket):
                    // RetArray[0] is the user name
                    // RetArray[1] is the id of the issuing system
                    // RetArray[2] is the client of the issuing system
                    // RetArray[3] is the X.509 certificate of the issuing system,
                    //             a Base64 (PEM) encoded X.509 certificate.
                    // PrintResults((string)RetArray[0], (string)RetArray[1], (string)RetArray[2], subject, issuer,
                    //              ticket, (string)RetArray[4], (string)RetArray[5], (string)RetArray[6]);
                }
                catch (System.Runtime.InteropServices.COMException ex)
                {
                    if (ex.ErrorCode == -2147221005)
                    {
                        throw new Exception("Register object SAPSSOEXT.SSO2Ticket:\nregsvr32 sapssoext.dll", ex);
                    }
                    throw new Exception(ex.Message, ex);
                }
                // the inner exception means the error within SAPSSOEXT
                catch (System.Reflection.TargetInvocationException fex)
                {
                    throw new Exception(fex.InnerException.Message, fex);
                }

                string user = RetArray[0] as string;
                if (string.IsNullOrEmpty(user))
                {
                    throw new Exception("The ticket could not be evaluated: no user ID was returned");
                }
                return user;
            }

            // print the parameters from ticket
            static void PrintResults(string user, string sysid, string client, string subject, string issuer,
                                     string ticket, string prtUsr, string authS, string validity)
            {
                Console.WriteLine("***********************************************");
                Console.WriteLine(" Output of program:");
                Console.WriteLine("***********************************************");
                Console.Write("\n");
                Console.Write("The ticket\n\n" + ticket + "\n");
                Console.WriteLine("was successfully validated.");
                Console.WriteLine("User : " + user);
                Console.WriteLine("Ident of ticket issuing system:");
                Console.WriteLine("Sysid : " + sysid);
                Console.WriteLine("Client : " + client);
                Console.WriteLine("External ident of user:");
                Console.WriteLine("PortalUsr: " + prtUsr);
                Console.WriteLine("Auth : " + authS);
                Console.WriteLine("Ticket validity in seconds:");
                Console.WriteLine("Valid (s): " + validity);
                Console.WriteLine("Certificate data of issuing system:");
                Console.WriteLine("Subject : " + subject);
                Console.WriteLine("Issuer : " + issuer);
                Console.Write("\n");
            }

            // read the ticket string from a file
            public static String getTicket(string filename)
            {
                try
                {
                    // Create an instance of StreamReader to read from a file.
                    // The using statement also closes the StreamReader.
                    using (StreamReader sr = new StreamReader(filename))
                    {
                        String line = sr.ReadToEnd();
                        return line;
                    }
                }
                catch (Exception e)
                {
                    // Let the user know what went wrong.
                    Console.WriteLine("The file could not be read:");
                    Console.WriteLine(e.Message);
                    throw new FieldAccessException("File " + filename + " could not be read", e);
                }
            }

            // parse the arguments for an option
            public static String getCommandParam(string[] args, string option)
            {
                for (int i = 0; i < args.Length; i++)
                {
                    if (args[i].Equals(option) && args.Length > i + 1)
                    {
                        return args[i + 1];
                    }
                }
                return null;
            }

            // print help to console
            public static void PrintHelp()
            {
                Console.WriteLine(" ssosample -i <ticket_file> [-L <SSF_LIB>]");
                Console.WriteLine(" [-p <file containing public key>] [-pwd <PSE password>]");
            }

            // get the full path to the PSE file from the PublicKeyPath application setting,
            // which may name either the folder containing the file or the file itself
            public static String getFullFilePath(string filename)
            {
                string configured = ConfigurationManager.AppSettings["PublicKeyPath"];
                if (string.IsNullOrEmpty(configured))
                    throw new ConfigurationErrorsException("appSettings key PublicKeyPath is missing");
                if (!Path.HasExtension(filename))
                    filename = filename + ".pse";
                string path = Directory.Exists(configured) ? Path.Combine(configured, filename) : configured;
                if (!File.Exists(path))
                    throw new FileNotFoundException("File " + path + " does not exist", path);
                return path;
            }
        }
    }

Change the login.aspx page so that the namespace sapssoext is included, and add the following code to the Page_Load method of login.aspx:

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            PageInitialisation();
        }
        try
        {
            if (Request.Form["value"] != null)
            {
                string cookie = Request.Form["value"];
                sapssoext.SSO2Ticket s = new sapssoext.SSO2Ticket();
                // getUser(string cookie) returns the user ID, or throws if the ticket is not valid.
                string userID = s.getUser(cookie);
                Response.Write("User ID: " + Server.HtmlEncode(userID));
            }
        }
        catch (Exception ex)
        {
            lblMessage.Text = ex.Message;
        }
    }


The cookie value that was stored in the hidden input field (value) of the form sent by the portal is retrieved into the string cookie and passed as the argument of getUser(String cookie). The cookie is decrypted and the user ID is returned.

To decrypt the cookie, we need the public key certificate (verify.pse) from the portal. Place the verify.pse file in the Bin folder of the application and add the path of that folder to the appSettings section of the application's Web.config file.

Use the statement below:

    <add key="PublicKeyPath" value="F:\NonSAPApplication\bin\"></add>

Using the application settings, the PublicKeyPath can be retrieved; the file name verify.pse is appended to it to locate the certificate.

Note: F is the drive where the application is stored and NonSAPApplication is the folder name of the application.

Once the user ID is obtained, modify the code so that it directs the user to the application's home page. The conditions below need to be checked before redirecting:

• Access the user database and check whether the user ID exists in the .NET application. If it exists and is active, redirect the user to the home page with the roles allocated to him or her.
• If the user ID does not exist, display a message that the user ID provided by the portal does not exist in the application.
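The two conditions above as an added example, not code from the original article: a small policy class applied to the array that SSO2Ticket.evalLogonTicket returns (index meanings taken from the wrapper's doc comment: [0] user, [1] sysid, [2] client), which also requires that the ticket was issued by the expected portal system and client, since a valid signature alone only proves that an issuer trusted by verify.pse signed it. The AppUser, IUserStore and InMemoryUserStore types, the expected system ID and client values and the home URL are assumptions for the example, not names from the page.

```csharp
using System;
using System.Collections.Generic;

namespace sapssoext
{
    // Minimal view of an application user. A real store would be backed by the
    // application's own user database; the in-memory store below is constructed
    // for this example only.
    public class AppUser
    {
        public readonly string UserId; public readonly bool Active; public readonly string[] Roles;
        public AppUser(string userId, bool active, string[] roles) { UserId = userId; Active = active; Roles = roles; }
    }

    public interface IUserStore
    {
        AppUser Find(string userId); // null when the ID is unknown to the application
    }

    public class InMemoryUserStore : IUserStore
    {
        private readonly Dictionary<string, AppUser> users =
            new Dictionary<string, AppUser>(StringComparer.OrdinalIgnoreCase);

        public void Add(AppUser user) { users[user.UserId] = user; }

        public AppUser Find(string userId)
        {
            AppUser user;
            return users.TryGetValue(userId, out user) ? user : null;
        }
    }

    // Outcome of the checks: a redirect target plus roles, or a message for the login page.
    public class SsoDecision
    {
        public readonly bool Allowed; public readonly string RedirectUrl; public readonly string[] Roles; public readonly string Message;
        public SsoDecision(bool allowed, string redirectUrl, string[] roles, string message)
        { Allowed = allowed; RedirectUrl = redirectUrl; Roles = roles; Message = message; }
        public static SsoDecision Reject(string message) { return new SsoDecision(false, null, null, message); }
    }

    public class SsoLoginPolicy
    {
        private readonly IUserStore store;
        private readonly string expectedSysId;   // assumed: the portal's system ID, e.g. "EP7"
        private readonly string expectedClient;  // assumed: the portal's client, e.g. "000"
        private readonly string homeUrl;         // assumed: e.g. "~/Home.aspx"

        public SsoLoginPolicy(IUserStore store, string expectedSysId, string expectedClient, string homeUrl)
        {
            this.store = store;
            this.expectedSysId = expectedSysId;
            this.expectedClient = expectedClient;
            this.homeUrl = homeUrl;
        }

        // ticketInfo is the array returned by SSO2Ticket.evalLogonTicket:
        // [0] user, [1] sysid, [2] client, [3] certificate, [4] portal user,
        // [5] auth scheme, [6] validity (index meanings per the wrapper's doc
        // comment; confirm them against the SAPSSOEXT version in use).
        public SsoDecision Decide(object[] ticketInfo)
        {
            string user = (ticketInfo != null && ticketInfo.Length >= 7) ? ticketInfo[0] as string : null;
            if (string.IsNullOrEmpty(user))
                return SsoDecision.Reject("The SAP Logon Ticket could not be evaluated.");

            // A valid signature only shows that an issuer trusted by verify.pse signed the
            // ticket; additionally require that it came from the portal this application expects.
            string sysId = ticketInfo[1] as string;
            string client = ticketInfo[2] as string;
            if (!string.Equals(sysId, expectedSysId, StringComparison.Ordinal)
                || !string.Equals(client, expectedClient, StringComparison.Ordinal))
                return SsoDecision.Reject("The ticket was issued by an unexpected system (" + sysId + "/" + client + ").");

            // The two checks listed in the article: the ID must exist and must be active.
            AppUser appUser = store.Find(user);
            if (appUser == null)
                return SsoDecision.Reject("The user ID provided by the portal (" + user + ") does not exist in the application.");
            if (!appUser.Active)
                return SsoDecision.Reject("The user ID provided by the portal (" + user + ") is not active in the application.");

            return new SsoDecision(true, homeUrl, appUser.Roles, null);
        }
    }
}
```

In Page_Load, pass the array returned by evalLogonTicket to Decide; when Allowed is true call Response.Redirect(decision.RedirectUrl), otherwise show decision.Message in lblMessage.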

Java Web Application:

The configuration changes to the portal for integrating a Java web application are the same as in the procedure explained above; some changes need to be made to the login page of the Java web application.

Pre-requisites:

• Windows - either 32 or 64 bit processor

• The DLLs provided by SAP (Service Market Place), i.e. sapssoext.dll and sapsecu.dll, are placed in the System32 folder of the Windows installation.

Note: This needs a system restart.

• These DLLs are specific to 32 and 64 bit processors, so check before downloading them. If the server is 32 bit, download the 32 bit DLLs; if the server is 64 bit, download the 64 bit DLLs.

• A public key file (verify.pse) from the portal is needed to decrypt the cookie.

Find the below steps to accomplish the task:

• There is no need to register the DLLs; they are loaded directly by the application through code.

• Create an SSO2Ticket.java file in the Java web application.

• Include the below code in the SSO2Ticket.java file.

package com.mysap.sso;

import java.io.*;

/**
 * (C) Copyright 2000-2005 SAP AG Walldorf
 *
 * Author: SAP AG, Security Development
 *
 * SAP AG DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
 * EVENT SHALL SAP AG BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL
 * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
 * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
 * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
 * OF THIS SOFTWARE.
 *
 * This class provides wrapper functionality for SSO2Ticket
 * (SAP Logon Ticket) in Java.
 *
 * @version 1.5 2005
 *
 */
public class SSO2Ticket
{
    public static final int ISSUER_CERT_SUBJECT = 0;
    public static final int ISSUER_CERT_ISSUER = 1;
    public static final int ISSUER_CERT_SERIALNO = 2;

    private static boolean initialized = false;

    public static String SECLIBRARY;
    public static String SSO2TICKETLIBRARY = "sapssoext";

    static {
        if (System.getProperty("os.name").startsWith("Win")) {
            SECLIBRARY = "sapsecu.dll";
        } else {
            SECLIBRARY = "libsapsecu.so";
        }
        try {
            System.loadLibrary(SSO2TICKETLIBRARY);
            System.out.println("SAPSSOEXT loaded.");
        } catch (Throwable e) {
            System.out.println("Error during initialization of SSO2TICKET:\n" + e.getMessage());
        }
        System.out.println("static part ends.\n");
    }

    /**
     * Initialization
     *
     * @param seclib location of ssf-implementation
     *
     * @return true/false whether initialisation was ok
     */
    private static native synchronized boolean init(String seclib);

    /**
     * Returns internal version.
     *
     * @return version
     */
    public static native synchronized String getVersion();

    /**
     * eval ticket
     *
     * @param ticket the ticket
     * @param pab location of pab
     * @param pab_password password for access the pab
     *
     * @return Object array with:
     * [0] = (String)user, [1] = (String)sysid, [2] = (String)client , [3] = (byte[])certificate
     * [4] = (String)portalUser, [5] = (String)authSchema, [6] = validity
     *
     */
    public static native synchronized Object[] evalLogonTicket(
        String ticket,
        String pab,
        String pab_password)
        throws Exception;

    /**
     * Parse certificate
     * @param cert Certificate received from evalLogonTicket
     * @param info_id One of the request ids
     *
     * @return Info string from certificate
     *
     */
    public static native synchronized String parseCertificate(
        byte[] cert,
        int info_id);

    //public static void main(String[] args) throws Exception
    public String getUser(String Cookie)
    {
        byte[] certificate;
        String ticket;
        String pab;
        String pwd;
        String ssf_library;
        String user = "dummy";

        // MYSAPSSO2 cookie should be passed as ticket.
        try {
            // plausi check
            /*if(getCommandParam(args,"-i") == null)
            {
                //PrintHelp();
                return;
            }*/
            System.out.println("Start SSO2TICKET main");
            System.out.println("-------------- test version --------------");
            String version = SSO2Ticket.getVersion();
            System.out.println("Version of SAPSSOEXT: " + version);

            // read ticket into a String
            ticket = Cookie;

            // get PAB (public key) of issuing system
            //pab = getFullFilePath(getCommandParam(args,"-p"));
            pab = "E:/NonSAPApplication/bin/verify.pse";

            // get PSE password
            //pwd = getCommandParam(args,"-pwd");
            pwd = null;

            // init sapsecu library
            //ssf_library = getCommandParam(args,"-L");
            ssf_library = null;
            if(ssf_library==null)
                ssf_library = SECLIBRARY;
            if( !init(ssf_library)) {
                System.out.println ("Could not load library: " + ssf_library);
                //return;
            }

            // evaluate the ticket
            Object o[] = evalLogonTicket(Cookie, pab!=null?pab:"SAPdefault" , pwd);

            // use 3rd object to analyse the certificate
            if (o[3] != null && o[3] instanceof byte[]) {
                certificate = (byte[])o[3];
                //System.out.println("Certificate length : " + certificate.length + " bytes");
                /*
                 * remark: The "certificate" object is a DER encoded X.509 certificate
                 * of the issuing system, which can be parsed/analysed with JAVA
                 * functionality e.g. Java Cryptography Architecture API, IAIK and so on.
                 */
            }// or

            // print out all parameters received from SAPSSOEXT
            user = (String)o[0];
            System.out.println("User id in code: " + user);
            PrintResults((String)o[0],(String)o[1],(String)o[2],
                parseCertificate((byte[])o[3],ISSUER_CERT_SUBJECT),
                parseCertificate((byte[])o[3],ISSUER_CERT_ISSUER),
                ticket,(String)o[4],(String)o[5],(String)o[6]);
        } catch (Exception e) {
            System.out.println(e);
        } catch (Throwable te) {
            System.out.println(te);
        }
        return user;
    }

    // print the parameters from ticket
    static void PrintResults(String user, String sysid, String client, String subject, String issuer,
                             String ticket, String prtUsr, String authS, String validity)
    {
        System.out.println("***********************************************");
        System.out.println(" Output of program:");
        System.out.println("***********************************************");
        System.out.println("\n");
        System.out.println("The ticket\n\n" + ticket + "\n");
        System.out.println("was successfully validated.");
        System.out.println("User : " + user);
        System.out.println("Ident of ticket issuing system:");
        System.out.println("Sysid : " + sysid);
        System.out.println("Client : " + client);
        System.out.println("External ident of user:");
        System.out.println("PortalUsr: " + prtUsr);
        System.out.println("Auth : " + authS);
        System.out.println("Ticket validity in seconds:");
        System.out.println("Valid (s): " + validity);
        System.out.println("Certificate data of issuing system:");
        System.out.println("Subject : " + subject);
        System.out.println("Issuer : " + issuer);
        System.out.println("\n");
    }

    // read the ticket string from a File
    public static String getTicket(File filename) throws FileNotFoundException
    {
        try {
            BufferedReader in = new BufferedReader(new FileReader(filename));
            String str;
            StringBuffer strBuffer = new StringBuffer();
            while ((str = in.readLine()) != null) {
                strBuffer.append(str);
            }
            in.close();
            return strBuffer.toString();
        }
        catch (Exception e)
        {
            // Let the user know what went wrong.
            System.out.println("The file could not be read:");
            System.out.println(e.getMessage());
            throw new FileNotFoundException("File "+ filename +" could not be read");
        }
    }

    // parse the arguments for an option
    static String getCommandParam(String[] args, String option)
    {
        for(int i=0; i<args.length; i++)
        {
            if(args[i].equals(option) && args.length > i+1)
            {
                return args[i+1];
            }
        }
        return null;
    }

    // print help to console
    static void PrintHelp()
    {
        System.out.println(" java SSO2Ticket -i <ticket_file> [-L <SSF_LIB>]");
        System.out.println(" [-p <file containing public key>] [-pwd <PSE password>]");
    }

    // get the full path to a file
    static String getFullFilePath(String filename) throws FileNotFoundException
    {
        if(filename==null)
            return null;
        String path;
        File file = new File(filename);
        if( file.getAbsolutePath().toLowerCase().indexOf(".pse") > 0 )
        {
            path = file.getAbsolutePath();
            System.out.println("\n if path: " + path);
        }
        else
        {
            path = file.getAbsolutePath() + ".pse";
            System.out.println("\n else path: " + path);
        }
        if( ! new File(path).exists() )
            throw new FileNotFoundException("File "+ filename +" does not exist");
        return path;
    }
}

This class needs to be placed in the com.mysap.sso package, because that is the package name compiled into sapssoext.dll: the JNI native methods are resolved by their fully qualified class name.

The verify.pse file is placed in bin folder of the application.

pab = "E:/NonSAPApplication/bin/verify.pse";

Note: E is the Drive where the application is stored and the NonSAPApplication is the folder name of the application.

Compile the class and use it in the login.jsp file by importing it:

<%@ page import="com.mysap.sso.SSO2Ticket" %>
<%
    SSO2Ticket singleSignOn = new SSO2Ticket();
    String ticket = "";
    String user = "";
    if (request != null && response != null) {
        String cookie = "";
        cookie = request.getParameter("value");
        //out.println("Cookie Value: " + cookie);
        if (cookie != null) {
            user = singleSignOn.getUser(cookie);
        }
    }
%>

The cookie value, which the portal stored in the hidden input field value of the form it sent, is retrieved into the string cookie and passed as the argument to getUser(String cookie).

The cookie value is in turn passed to the evalLogonTicket() method of the SSO2Ticket class, which decrypts the cookie and returns the user and system information; of this, the user ID is returned to the login.jsp file.

Once the user ID is obtained, modify the code so that it redirects to the user's home page. The following conditions need to be checked before redirecting:

• Access the user database and check whether the user ID exists in the Java web application. If it exists and is active, redirect the user to the home page with the roles allocated to him/her.

• If the user ID does not exist, display a message that the user ID provided by the portal does not exist in the application.
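The two checks above are the same for the ASP.NET and the Java variants. The following added example (not part of the original article or of SAP's wrapper) implements them in Java against the Object[] layout documented for evalLogonTicket, and adds one check a practitioner would want: the sysid and client of the issuing portal must be the ones this application was paired with. The Account and LoginDecision classes, the UserStore interface, the home page path and all sample values are assumptions constructed for the example.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/** Post-ticket checks for login.jsp: redirect with roles, or a message for the user. */
public final class PortalSsoLogin {
    /** Hypothetical shape of a row in the application's own user table. */
    public static final class Account {
        final boolean active;
        final List<String> roles;
        Account(boolean active, List<String> roles) { this.active = active; this.roles = roles; }
    }
    /** Hypothetical lookup into the application's user database. */
    public interface UserStore { Account find(String userId); }
    public static final class LoginDecision {
        public final String redirectUrl;  // null when the login is refused
        public final List<String> roles;  // roles allocated to the user; empty when refused
        public final String message;      // text to display when refused
        private LoginDecision(String url, List<String> roles, String message) {
            this.redirectUrl = url; this.roles = roles; this.message = message;
        }
        static LoginDecision accept(String url, List<String> roles) { return new LoginDecision(url, roles, null); }
        static LoginDecision refuse(String msg) { return new LoginDecision(null, Collections.<String>emptyList(), msg); }
    }
    /**
     * Decide on the Object[] returned by SSO2Ticket.evalLogonTicket(); its documented layout is
     * [0]=user, [1]=sysid, [2]=client of the issuing portal. sapssoext has already checked the ticket
     * against verify.pse. The decision is taken on the array rather than on getUser()'s String,
     * because that method returns "dummy" on any failure.
     */
    public static LoginDecision decide(Object[] t, UserStore store, String expectedSysId, String expectedClient) {
        if (t == null || t.length < 3 || !(t[0] instanceof String) || ((String) t[0]).isEmpty()) {
            return LoginDecision.refuse("The logon ticket could not be evaluated.");
        }
        // Added check: accept tickets only from the portal this application was paired with.
        if (!expectedSysId.equals(t[1]) || !expectedClient.equals(t[2])) {
            return LoginDecision.refuse("The logon ticket was not issued by the expected portal.");
        }
        String user = (String) t[0];
        Account acct = store.find(user);
        if (acct == null) {
            return LoginDecision.refuse("User " + user + " provided by the portal does not exist in this application.");
        }
        if (!acct.active) {
            return LoginDecision.refuse("User " + user + " is not active in this application.");
        }
        return LoginDecision.accept("/Integrated/Home.jsp", acct.roles);  // home page path is assumed
    }
    public static void main(String[] args) {
        Map<String, Account> db = new HashMap<>();  // constructed stand-in for the user database
        db.put("JSMITH", new Account(true, Arrays.asList("Sales", "Reporting")));
        db.put("OLDUSER", new Account(false, Collections.<String>emptyList()));
        UserStore store = db::get;
        // Constructed sample arrays in the evalLogonTicket layout; not real ticket data.
        Object[] ok = {"JSMITH", "EP7", "000", new byte[0], "JSMITH", "basicauthentication", "28800"};
        Object[] unknown = {"NOBODY", "EP7", "000", new byte[0], "NOBODY", "basicauthentication", "28800"};
        Object[] inactive = {"OLDUSER", "EP7", "000", new byte[0], "OLDUSER", "basicauthentication", "28800"};
        Object[] foreign = {"JSMITH", "XYZ", "100", new byte[0], "JSMITH", "basicauthentication", "28800"};
        for (Object[] t : new Object[][] {ok, unknown, inactive, foreign}) {
            LoginDecision d = decide(t, store, "EP7", "000");
            System.out.println(d.redirectUrl != null ? "redirect " + d.redirectUrl + " roles=" + d.roles : "refused: " + d.message);
        }
    }
}
```

In login.jsp the array would come from SSO2Ticket.evalLogonTicket() directly, and the page would call response.sendRedirect() on an accepted decision or render the message otherwise.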


Personalizing the Application to accept the User Inputs:

To make this application robust, we need to provide a way for users to customize the Non-SAP Application URL without modifying the code. Follow the steps below to accomplish this task:

• Open NWDS and go to the project you have just created.

• In the project structure tree (left side of the screen), navigate to dist -> PORTAL-INF -> portalapp.xml.

• Click on the Components tab.

• Right-click component-profile and click Add component-profile property.

• Click New, create the property as mentioned below and click Finish.

Name : nonSAPApplicationURL
Value : "http://NonSAPApplication/Integrated/Login.aspx"

• Right-click on nonSAPApplicationURL and click Add sub-property.

• Click "Add Standard" and populate the values as mentioned below:

Personalization : dialog

• The component-profile properties will look like this:

Figure 6: Component Profile Property

• Deploy and export the application to the portal.

• Open the iView object just created with the PAR file.

• You can see an editable option in the iView, nonSAPApplicationURL, as shown below:


Figure 7: Customizing the Application

• Modify the code so that the application gets the required information from the personalization setting. Update your code as follows:

IPortalComponentContext componentContext = request.getComponentContext();
IPortalComponentProfile profile = componentContext.getProfile();
String appURL = profile.getProperty("nonSAPApplicationURL");

• The appURL variable will now contain the URL of the application to be opened after integration. Based on this, you can apply the appropriate code as mentioned above.

• Now you do not have to open your code again whenever the application URL changes. Just modify the value in the iView as shown above and the application will pick up the change automatically.

Note: This has been included in the NonSAPApplication.jsp file mentioned earlier in this document.


Conclusion:

Users will now be able to access other non-SAP web applications without authenticating several times; they provide their credentials only once, when they log on to the portal. If the URL of the application changes, no code modification is required: the value can simply be changed in the iView properties and the application acts on the user-specified input. Remember, however, that the above procedure is valid only if the portal and the destination application are in the same domain. Single sign-on is also possible with applications in different domains, but a separate procedure has to be followed for that.


Related Content

www.sdn.sap.com

help.sap.com

For more information, visit the Portal and Collaboration homepage.


Disclaimer and Liability Notice

This document may discuss sample coding or other information that does not include SAP official interfaces and therefore is not supported by SAP. Changes made based on this information are not supported and can be overwritten during an upgrade.

SAP will not be held liable for any damages caused by using or misusing the information, code or methods suggested in this document, and anyone using these methods does so at his/her own risk.

SAP offers no guarantees and assumes no responsibility or liability of any type with respect to the content of this technical article or code sample, including any liability resulting from incompatibility between the content within this document and the materials and services offered by SAP. You agree that you will not hold, or seek to hold, SAP responsible or liable with respect to the content of this document.