Function documentation: Pluggable Authentication Services for External Authentication

Use

Pluggable authentication services (PAS) let you authenticate your SAP users with external mechanisms instead of the ones the SAP system provides. Once the external mechanism has authenticated the user, the PAS has the SAP system issue the user a logon ticket, and that ticket, not the external credential, is what the user presents for subsequent access to SAP services. In this way you can integrate your SAP services into an existing Single Sign-On (SSO) environment that relies on non-SAP authentication.

There are a number of external authentication mechanisms that you can use, for example (see the availability table below):

Windows NTLM
Verifying Windows NT user ID / password
X.509 client certificates
LDAP bind
HTTP header variables
Mechanisms provided by partner products

Integration

When using PAS, the actual user authentication takes place outside of the SAP system. When the user accesses the SAP system via the ITS, the external mechanism authenticates the user and reports the result to the PAS. If the external authentication succeeded, the PAS passes this information on to the SAP system, which then issues the user his or her logon ticket. Depending on the mechanism you use, the user's ID for the logon ticket is either delivered by the external mechanism together with the authentication result, or it is obtained from the user external ID mapping table (USREXTID) in the SAP system. Note that the SAP system does not re-check the external credential itself; it issues the ticket on the strength of the result the PAS relays, so the component that performs the authentication and its connection to the SAP system must be trustworthy.

The external authentication can take place on either of the ITS components, the AGate or the WGate. See the graphics below.

Pluggable Authentication Services on the AGate

(Graphic: external authentication performed on the AGate; the flow is described in the text above.)

Example

Examples of external authentication mechanisms that take place on the AGate include verifying a Windows NT user ID and password, LDAP bind, and mechanisms provided by partner products (see the availability table below). In these cases the AGate itself performs the authentication, so the user's credentials are presented to the AGate and never need to pass through the Web server as an already-established identity.

Pluggable Authentication Services on the Web Server (WGate)

(Graphic: external authentication performed on the Web server (WGate); the flow is described in the text above.)

Example

Examples of external authentication mechanisms that take place on the Web server (WGate) include Windows NTLM, X.509 client certificates, and HTTP header variables (see the availability table below). With these mechanisms the Web server establishes the user's identity and forwards it to the AGate, so the AGate must accept such identity information only from its own WGate and over a protected connection (see the SNC recommendation under Prerequisites).

Platform Availability

The supported PAS mechanisms are available for the ITS platforms as shown in the table below.

Availability of PAS

PAS Type                                   Authenticating Component (AGate / WGate)   Available Platforms
Windows NTLM                               WGate                                      Microsoft Internet Information Server (IIS)
Verifying Windows NT User ID / Password    AGate                                      Windows NT/2000/XP
X.509 Client Certificates                  WGate                                      All supported Web server platforms
LDAP bind                                  AGate                                      All supported AGate platforms
HTTP header variables                      WGate                                      All supported Web server platforms
Partner mechanisms                         AGate                                      Determined by availability of the partner product

Note

Only the component that performs the authentication is bound to the platform listed above; the other ITS component can run on a different platform. For example, when using Windows NTLM authentication, the WGate must run on IIS, but the AGate can run on a Linux host.

For more information about ITS availability and supported platforms, see the SAP Service Marketplace at http://service.sap.com/sap-its.

Prerequisites

For your SAP system to be able to use PAS, it must meet the following prerequisites:

Recommendation

In a dual-host installation where the pluggable authentication takes place on the Web server (WGate), the authentication result and the user's identity travel over the network from the WGate to the AGate. For such cases we also recommend using Secure Network Communications (SNC) between the ITS WGate and AGate components, so that this information cannot be read or forged in transit and the AGate can verify that it is talking to its own WGate.

For mechanisms in which the external mechanism delivers only an external identity (for example, Windows NTLM, Windows NT user ID / password, or X.509 client certificates), the system searches the user external ID mapping table (USREXTID) for an entry that maps the user's external ID to his or her user ID for the SAP system. Without such an entry the SAP system has no user ID to place in the logon ticket, and the user cannot be logged on even though the external authentication succeeded. Alternatively, when using LDAP bind, HTTP header variables, or a mechanism provided by a partner, the external authentication mechanism can provide the user's SAP user ID directly. In this case, no mapping entry in the table USREXTID is necessary.

Example

For example, you can store the user's SAP user ID as an attribute of the user's entry in the directory server used for LDAP bind authentication. The user's ID is then read from the directory server instead of from the mapping table in the SAP system.
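The following Python model, added here as an illustration and not SAP's own PAS code, shows the decision described in the two paragraphs above: after the external mechanism reports success, the PAS either takes the SAP user ID the mechanism supplied (LDAP bind, HTTP header variables, partner mechanisms) or looks the external ID up in a USREXTID-style table, and a logon ticket is produced only when a SAP user ID results. The mapping rows, the external ID type codes (NT, DN), the active flag, and the mechanism names are constructed assumptions for the example.

```python
"""
Model of what a PAS decides after external authentication.
Illustrative code only; not SAP's PAS or USREXTID implementation.
"""
from dataclasses import dataclass
from typing import Optional

# Mechanisms that, per the documentation, can deliver the SAP user ID
# themselves. Every other mechanism must be resolved through the mapping table.
DIRECT_ID_MECHANISMS = {"LDAP", "HTTPHDR", "PARTNER"}

# Assumed external ID type codes for the mechanisms that need a mapping entry.
EXTID_TYPE = {"NTLM": "NT", "NTPWD": "NT", "X509": "DN"}


@dataclass(frozen=True)
class AuthResult:
    """Result reported by the external mechanism to the PAS."""
    mechanism: str                     # e.g. "NTLM", "X509", "NTPWD", "LDAP", "HTTPHDR"
    authenticated: bool
    external_id: Optional[str] = None  # identity as the external mechanism saw it
    sap_user: Optional[str] = None     # SAP user ID, if the mechanism supplies it


# Constructed stand-in for USREXTID: (external ID type, external ID) ->
# (SAP user ID, mapping active). Column layout is an assumption.
USREXTID = {
    ("NT", "CORP\\jdoe"): ("JDOE", True),
    ("DN", "CN=Jane Doe, OU=Sales, O=Example, C=DE"): ("JDOE", True),
    ("NT", "CORP\\oldacct"): ("OLDACCT", False),  # entry present but deactivated
}


def resolve_sap_user(result: AuthResult) -> Optional[str]:
    """Return the SAP user ID to put in the logon ticket, or None (fail closed)."""
    if not result.authenticated:
        return None
    if result.mechanism in DIRECT_ID_MECHANISMS:
        # The mechanism (directory attribute, header value, partner product)
        # already carries the SAP user ID; no USREXTID entry is needed.
        # An empty value is treated as "no user", never as a default account.
        return result.sap_user or None
    ext_type = EXTID_TYPE.get(result.mechanism)
    if ext_type is None or not result.external_id:
        return None
    # Exact-match lookup. A real deployment must make sure the external ID is
    # stored in exactly the form the mechanism delivers (e.g. DN formatting).
    entry = USREXTID.get((ext_type, result.external_id))
    if entry is None:
        return None  # externally authenticated, but unknown to the SAP system
    sap_user, active = entry
    return sap_user if active else None


def issue_logon_ticket(result: AuthResult) -> Optional[dict]:
    """Stand-in for ticket issuance: only a resolved SAP user gets a ticket."""
    sap_user = resolve_sap_user(result)
    if sap_user is None:
        return None
    return {"user": sap_user, "auth_by": result.mechanism}


if __name__ == "__main__":
    for r in (
        AuthResult("NTLM", True, external_id="CORP\\jdoe"),
        AuthResult("NTLM", True, external_id="CORP\\nobody"),
        AuthResult("X509", True, external_id="CN=Jane Doe, OU=Sales, O=Example, C=DE"),
        AuthResult("LDAP", True, external_id="uid=jdoe,ou=people,o=example", sap_user="JDOE"),
        AuthResult("HTTPHDR", True, sap_user=""),
    ):
        print(r.mechanism, r.external_id, "->", issue_logon_ticket(r))
```

The two failure cases worth noting are the externally authenticated user with no (or a deactivated) USREXTID entry and the direct-ID mechanism that delivers an empty user ID; both must end without a ticket rather than with some default SAP user.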

In addition, you must also meet any requirements for the specific scenario you use. For more information, see the sections provided for each of these scenarios.