Logon Checks: Overview

Procedure

When an ICF service is called through an external client in SAP ABAP Application Server, a series of checks is performed to authenticate the caller. This document provides an overview of these checks in the order in which they are performed.

An initial check is used to ensure that the called service exists and is active. If the service exists and is active, the next step checks whether the service is Public or Non-Public. A Public Service can be called in the system without the logon being checked.

If the service that is being called is non-public, the service configuration is used to check whether logon data or an SSL certificate is required:

  • If Logon Data Required has been selected, the logon procedure uses the anonymous logon data specified for this service.

    • The AUTHENTICATION_METHOD attribute, which belongs to IF_HTTP_SERVER, is set to AUTHMETHOD_SERVICE.

  • If Client certificate with SSL has been selected, this is used for the logon procedure.

    • The AUTHENTICATION_METHOD attribute, which belongs to IF_HTTP_SERVER, is set to AUTHMETHOD_CERTIFICATE.

If neither of these procedures is required, the system checks whether the standard logon order or an alternative logon order has been selected.

  • If the standard logon order has been selected, the system attempts to log the user on in the following order:

    1. Logon using HTTP fields (HTTP header fields or form fields). The relevant fields are:

      • sap-language

      • sap-client

      • sap-user

      • sap-alias

      • sap-password

      (If sap-user is specified, sap-alias is ignored; see Basic Authentication.)

      The AUTHENTICATION_METHOD attribute, which belongs to IF_HTTP_SERVER, is set to AUTHMETHOD_FIELD.

    2. Logon using SSL certificate (HTTPS and certificate). In this case, the system attempts to log on the user using a client certificate and SSL. The following conditions must be met:

      • The appropriate header field is set.

      • The connection for HTTPS is configured.

      • The client certificate exists.

      The AUTHENTICATION_METHOD attribute, which belongs to IF_HTTP_SERVER, is set to AUTHMETHOD_CERTIFICATE.

    3. Logon using SSO ticket (MYSAPSSO2 cookie field). If no logon data is transferred as form fields or header fields, the system then tries to log on using an SSO ticket. To enable this, the cookie field MYSAPSSO2 must be set.

      The AUTHENTICATION_METHOD attribute, which belongs to IF_HTTP_SERVER, is set to AUTHMETHOD_SSO.

    4. Logon using Basic Authentication. If the request contains the header field for Basic Authentication, the user name is interpreted either as a standard SAP user (default) or as an Internet user (user name alias, see transaction SU01), depending on the settings made under Basic Authentication.

      The AUTHENTICATION_METHOD attribute, which belongs to IF_HTTP_SERVER, is set to AUTHMETHOD_BASIC.

    5. Logon using SAP logon. This is a normal logon procedure using client, user, password, and logon language. This method is used primarily between SAP Systems, and not so much for logon via a Web browser. A header field is also used to indicate that this logon method should be used.

      The AUTHENTICATION_METHOD attribute, which belongs to IF_HTTP_SERVER, is set to AUTHMETHOD_SAP.

    6. Log on using SAML Logon (Log on Using SAML).

    7. Logon using Service User Account. If none of the methods above is possible because the request does not contain any information about a logon procedure, this default logon procedure is used. If you have maintained the Anonymous Logon Data, the logon procedure uses this user name, client, and logon language. If you have not entered any data for an anonymous user, HTTP response 401 is sent. In a Web browser, this response is displayed as a popup in which the user can log on to the SAP System using HTTP Basic Authentication; the default client and logon language of that user are then used.

      The AUTHENTICATION_METHOD attribute, which belongs to IF_HTTP_SERVER, is set to AUTHMETHOD_SERVICE.

  • If Alternative Logon Order has been selected, the procedures described under the standard logon order (or a selection of them) run in the user-defined order.

If none of the selected logon procedures is successful, the system checks whether an individual error page has been configured for the service.

If no error page exists, a default response (HTTP 401) is sent to the caller, together with a Basic Authentication prompt in a dialog box.

Note

If Alternative Logon Order is specified, and Basic Authentication is not permitted as a procedure, then no Basic Authentication prompt is sent when an error occurs.
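The check sequence described above, as an added Python model (this is not SAP code): the Service and Request types are constructed stand-ins for the SICF service configuration and the parts of the inbound request that the checks inspect, and the function returns the AUTHENTICATION_METHOD value (or the non-logon outcome) that the standard logon order produces, so the precedence between, say, form-field credentials and an MYSAPSSO2 cookie can be reasoned about explicitly.

```python
from dataclasses import dataclass, field

@dataclass
class Service:
    """Constructed stand-in for the SICF service-node settings named on this page."""
    active: bool = True
    public: bool = False
    logon_data_required: bool = False    # "Logon Data Required"
    client_cert_required: bool = False   # "Client certificate with SSL"
    anonymous_logon_data: bool = False   # anonymous user/client/language maintained

@dataclass
class Request:
    """Constructed stand-in for the request parts the logon checks look at."""
    fields: dict = field(default_factory=dict)   # header or form fields (sap-user, ...)
    cookies: dict = field(default_factory=dict)
    https_with_client_cert: bool = False          # HTTPS configured and client cert presented
    basic_auth: bool = False                      # Authorization: Basic header present
    sap_logon_header: bool = False                # header selecting the SAP logon method
    saml: bool = False

def logon_check(svc: Service, req: Request) -> str:
    """Return the AUTHENTICATION_METHOD value the standard logon order yields,
    or the non-logon outcome ('NO_CHECK' for a public service, 'HTTP 401')."""
    if not svc.active:
        return "INACTIVE"                 # service missing or inactive: no logon attempted
    if svc.public:
        return "NO_CHECK"                 # public service: logon is not checked
    if svc.logon_data_required:
        return "AUTHMETHOD_SERVICE"       # anonymous logon data of the service is used
    if svc.client_cert_required:
        return "AUTHMETHOD_CERTIFICATE"
    # Standard logon order, steps 1 to 7; the first applicable step wins.
    f = req.fields
    if ("sap-user" in f or "sap-alias" in f) and "sap-password" in f:
        return "AUTHMETHOD_FIELD"         # 1: credentials in header/form fields
    if req.https_with_client_cert:
        return "AUTHMETHOD_CERTIFICATE"   # 2: X.509 client certificate over SSL
    if "MYSAPSSO2" in req.cookies:
        return "AUTHMETHOD_SSO"           # 3: SSO logon ticket
    if req.basic_auth:
        return "AUTHMETHOD_BASIC"         # 4: HTTP Basic Authentication
    if req.sap_logon_header:
        return "AUTHMETHOD_SAP"           # 5: SAP logon (client/user/password/language)
    if req.saml:
        return "SAML"                     # 6: SAML logon (the page names no constant)
    # 7: nothing usable in the request: fall back to the service user, else 401
    return "AUTHMETHOD_SERVICE" if svc.anonymous_logon_data else "HTTP 401"
```

The model makes the two overrides visible: a service with Logon Data Required never evaluates the caller's credentials, and a request carrying both sap-user/sap-password fields and an SSO cookie is logged on via the fields, because step 1 precedes step 3.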