Use
Using pluggable authentication services (PAS) allows you to authenticate your SAP users using external mechanisms instead of those provided by SAP. Based on the external authentication, the PAS issues the user a logon ticket, which is then used for further authentication when accessing the SAP services. In this way, you can integrate your SAP services into an existing Single Sign-On (SSO) environment that uses non-SAP authentication.
There are a number of external authentication mechanisms that you can use, for example:
Integration
When using PAS, the actual user authentication takes place outside of the SAP system. When the user accesses the SAP system via the ITS, the external mechanism authenticates the user and informs the PAS of the result. If the external authentication was successful, the PAS passes this information on to the SAP system so that it can issue the user his or her logon ticket. Depending on the mechanism you use, the user’s ID for the logon ticket is either sent with his or her authentication information from the external mechanism or it is obtained from the user external ID mapping table in the SAP system.
The external authentication can take place on either of the ITS components, the AGate or the WGate. See the graphics below.
Pluggable Authentication Services on the AGate
Examples of external authentication mechanisms that take place on the AGate include:
Pluggable Authentication Services on the Web Server (WGate)
Examples of external authentication mechanisms that take place on the Web server (WGate) include:
Platform Availability
The supported PAS mechanisms are available for the ITS platforms as shown in the table below.
Availability of PAS
PAS Type | Authenticating Component (AGate / WGate) | Available Platforms
Windows NTLM | WGate | Microsoft Internet Information Server (IIS)
Verifying Windows NT User ID / Password | AGate | Windows NT/2000/XP
X.509 Client Certificates | WGate | All supported Web server platforms
LDAP bind | AGate | All supported AGate platforms
HTTP header variables | WGate | All supported Web server platforms
Partner mechanisms | AGate | Determined by availability of the partner product
The other ITS component can run on a different platform. For example, when using Windows NTLM authentication, the AGate can run on a Linux host.
For more information about ITS availability and supported platforms, see the SAP Service Marketplace at http://service.sap.com/sap-its.
Prerequisites
For your SAP system to be able to use PAS, it must meet the following prerequisites:
For cases where the ITS is installed as a dual host installation and where the pluggable authentication takes place on the Web server, we also recommend using SNC between the ITS WGate and the AGate components.
The system searches for an entry in the user external ID mapping table (USREXTID) that maps the user’s external ID to his or her user ID for the SAP system. Alternatively, when using LDAP bind, HTTP header variables, or a mechanism provided by a partner, then the external authentication mechanism can provide the user’s ID for the SAP system directly. In this case, no mapping entry in the table USREXTID is necessary.
For example, you can store the user’s ID for the SAP system in the directory server used for the LDAP bind authentication. In this case, the user’s ID is obtained from the directory server instead of from the mapping table in the SAP system.
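The following Python script is an added illustration of the user-resolution step described above; it is not SAP code and does not reproduce the real USREXTID table layout or the SAP logon ticket format. The dictionary standing in for USREXTID, the sample external IDs, the mechanism names, the HMAC-based ticket and the function names are all constructed assumptions. It shows the two paths the text describes: an external ID (NTLM user, X.509 subject) is looked up in the mapping table, whereas LDAP bind, HTTP header variables or a partner mechanism may supply the SAP user ID directly, and a successful resolution is what allows a ticket to be issued.

```python
"""Constructed model of the PAS user-resolution and ticket-issue flow.

Not SAP code: the mapping table, authentication results and ticket format
are simplified stand-ins for the concepts in the surrounding text.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the USREXTID mapping table:
# (external ID type, external ID) -> SAP user ID.
USREXTID = {
    ("NT", "CORP\\jdoe"): "JDOE",
    ("DN", "CN=Jane Doe,OU=Users,O=Example"): "JDOE",
}

# Mechanisms that, per the text, may hand the SAP user ID to the PAS directly.
DIRECT_ID_MECHANISMS = {"LDAP", "HTTPHEADER", "PARTNER"}


@dataclass
class ExternalAuthResult:
    """What the external mechanism reports to the PAS (constructed shape)."""
    mechanism: str                     # e.g. "NTLM", "X509", "LDAP"
    authenticated: bool
    extid_type: Optional[str] = None   # key type for the mapping table
    extid: Optional[str] = None        # external identifier, if any
    sap_user: Optional[str] = None     # SAP user ID supplied directly, if any


def resolve_sap_user(result: ExternalAuthResult) -> Optional[str]:
    """Return the SAP user ID for a successful external authentication.

    Returns None when authentication failed, when no mapping entry exists,
    or when the mechanism supplied neither an external ID nor a user ID.
    """
    if not result.authenticated:
        return None
    # Direct path: the mechanism already knows the SAP user ID.
    if result.mechanism in DIRECT_ID_MECHANISMS and result.sap_user:
        return result.sap_user
    # Mapping path: translate the external ID via the USREXTID stand-in.
    if result.extid_type is None or result.extid is None:
        return None
    return USREXTID.get((result.extid_type, result.extid))


def issue_logon_ticket(sap_user: str, key: bytes, issued_at: int) -> str:
    """Constructed ticket: user, issue time and an HMAC over both.

    This is NOT the SAP logon ticket format; it only illustrates that the
    ticket binds the resolved user ID to something the system can verify.
    """
    payload = f"{sap_user}.{issued_at}"
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def verify_logon_ticket(ticket: str, key: bytes) -> Optional[str]:
    """Return the user ID if the ticket's MAC is valid, else None."""
    try:
        sap_user, issued_at, mac = ticket.rsplit(".", 2)
    except ValueError:
        return None
    expected = hmac.new(key, f"{sap_user}.{issued_at}".encode(),
                        hashlib.sha256).hexdigest()
    return sap_user if hmac.compare_digest(mac, expected) else None


def authenticate(result: ExternalAuthResult, key: bytes,
                 issued_at: int = 0) -> Optional[str]:
    """Full PAS-style flow: external result -> SAP user -> ticket (or None)."""
    sap_user = resolve_sap_user(result)
    if sap_user is None:
        return None
    return issue_logon_ticket(sap_user, key, issued_at)


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"
    ntlm = ExternalAuthResult("NTLM", True, "NT", "CORP\\jdoe")
    print(authenticate(ntlm, demo_key, issued_at=1700000000))
```

The mapping path denies access when the external ID is not in the table, which is the behaviour a practitioner wants to confirm before enabling a mechanism: an authenticated but unmapped user must not be issued a ticket.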
In addition, you must also meet any requirements for the specific scenario you use. For more information, see the sections provided for each of these scenarios.