Logon Checks: Overview
When an ICF service is called through an external client in the ABAP Application Server, a series of checks is performed to authenticate the caller. This document provides an overview of these checks in the order in which they are performed.
An initial check is used to ensure that the called service exists and is active. If the service exists and is active, the next step checks whether the service is Public or Non-Public. A public service can be called in the system without the logon being checked.
If the service that is being called is non-public, the service configuration is used to check whether logon data or a client certificate is required:
● If Logon Data Required has been selected, the logon procedure uses the anonymous logon data specified for this service.
○ The AUTHENTICATION_METHOD attribute, which belongs to IF_HTTP_SERVER, is set to AUTHMETHOD_SERVICE.
● If Client certificate with SSL has been selected, this is used for the logon procedure.
○ The AUTHENTICATION_METHOD attribute, which belongs to IF_HTTP_SERVER, is set to AUTHMETHOD_CERTIFICATE.
If neither of these procedures is required, the system checks whether the standard logon order or an alternative logon order has been selected.
● If the standard logon order has been selected, the system attempts to log the user on in the following order:
1. Logon using HTTP fields (HTTP header fields or form fields):
(If sap-user is specified, sap-alias is ignored; see Basic Authentication.)
○ The AUTHENTICATION_METHOD attribute, which belongs to IF_HTTP_SERVER, is set to AUTHMETHOD_FIELD.
2. Logon using SSO ticket (MYSAPSSO2 cookie field). If no logon data is transferred as form fields or header fields, the system then tries to log on using an SSO ticket. To enable this, the cookie field MYSAPSSO2 must be set.
○ The AUTHENTICATION_METHOD attribute, which belongs to IF_HTTP_SERVER, is set to AUTHMETHOD_SSO.
3. Logon using Basic Authentication. If the request contains the header field for Basic Authentication, the user name is interpreted either as a standard SAP user (default) or as an Internet user (user name alias, see transaction SU01), depending on the settings made under Basic Authentication.
○ The AUTHENTICATION_METHOD attribute, which belongs to IF_HTTP_SERVER, is set to AUTHMETHOD_BASIC.
4. Logon using SAP logon. This is a normal logon procedure using client, user, password, and logon language. This method is used primarily between SAP Systems, and not so much for logon via a Web browser. A header field is also used to indicate that this logon method should be used.
○ The AUTHENTICATION_METHOD attribute, which belongs to IF_HTTP_SERVER, is set to AUTHMETHOD_SAP.
5. Logon using client certificate (HTTPS and certificate). In this case, the system attempts to log on the user using a client certificate and SSL. The following conditions must be met:
○ The appropriate header field is set.
○ The connection for HTTPS is configured.
○ The client certificate exists.
○ The AUTHENTICATION_METHOD attribute, which belongs to IF_HTTP_SERVER, is set to AUTHMETHOD_CERTIFICATE.
If none of these methods are possible because the request does not contain any information regarding logon procedure, the default logon procedure is used: logon via service user account. If you have maintained the Anonymous Logon Data, the logon procedure uses this user name, client, and logon language. If you have not entered any data for an anonymous user, HTTP response 401 is sent. If you are using a Web browser, this response is displayed in a popup. The user can then log on to the SAP System using HTTP Basic Authentication on this popup. The default client and logon language of the user in question are used.
○ The AUTHENTICATION_METHOD attribute, which belongs to IF_HTTP_SERVER, is set to AUTHMETHOD_SERVICE.
● If Alternative Logon Order applies, the procedures described under the standard logon order (or a selection of them) run in the user-defined order.
If none of the selected logon procedures are successful, the system checks to see whether an individual error page has been configured for the service.
If no error page exists, a default response (HTTP 401) is sent to the caller, together with a Basic Authentication prompt in a dialog box.
If Alternative Logon Order is specified, and Basic Authentication is not permitted as a procedure, then no Basic Authentication prompt is sent when an error occurs.
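The check sequence above, modelled as an added Python example (not SAP code): it walks the service configuration and the request in the documented order and returns the AUTHENTICATION_METHOD value the page names for each path. The service and request dictionaries, the `sap_logon_header` flag for the unnamed SAP-logon header field, and the outcome labels for the non-logon cases are assumptions made for the model.

```python
# Model of the ICF logon check order (added example, not SAP code).
# Service and request are plain dicts; field names are assumptions.

STANDARD_ORDER = ("FIELD", "SSO", "BASIC", "SAP", "CERTIFICATE")


def request_offers(request, method):
    """Does the request carry the data that one logon procedure needs?"""
    if method == "FIELD":
        # sap-user in header or form fields; sap-alias is ignored once set
        return "sap-user" in request.get("fields", {})
    if method == "SSO":
        return "MYSAPSSO2" in request.get("cookies", {})
    if method == "BASIC":
        return "authorization" in request.get("headers", {})
    if method == "SAP":
        # placeholder flag for the header field that requests SAP logon
        return bool(request.get("sap_logon_header"))
    if method == "CERTIFICATE":
        return bool(request.get("cert_header")
                    and request.get("https")
                    and request.get("client_cert"))
    return False


def icf_logon_check(service, request):
    """Return the resulting AUTHENTICATION_METHOD value or an error outcome."""
    if not service.get("active"):
        return "SERVICE_NOT_FOUND"          # first check: exists and active
    if service.get("public"):
        return "PUBLIC"                     # no logon check at all
    if service.get("logon_data_required"):
        return "AUTHMETHOD_SERVICE"         # anonymous logon data of the service
    if service.get("cert_with_ssl_required"):
        return "AUTHMETHOD_CERTIFICATE"
    # standard order, or the user-defined subset/order if configured
    order = tuple(service.get("alternative_order") or STANDARD_ORDER)
    for method in order:
        if request_offers(request, method):
            return "AUTHMETHOD_" + method   # first procedure with data wins
    if service.get("anonymous_logon_data"):
        return "AUTHMETHOD_SERVICE"         # default: service user account
    if service.get("error_page"):
        return "ERROR_PAGE"
    # 401; the Basic prompt is only sent if Basic is a permitted procedure
    return "HTTP_401_BASIC_PROMPT" if "BASIC" in order else "HTTP_401"
```

Feeding a request that carries several credentials shows which procedure takes precedence: in the standard order a MYSAPSSO2 cookie wins over an Authorization header, which matters when reviewing why a call was attributed to a particular user.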