
Pluggable Authentication Services for External Authentication

Use

Using pluggable authentication services (PAS) allows you to authenticate your SAP users using external mechanisms instead of those provided by SAP. Based on the external authentication, the PAS issues the user a logon ticket, which is then used for further authentication when accessing the SAP services. In this way, you can integrate your SAP services into an existing Single Sign-On (SSO) environment that uses non-SAP authentication.

There are a number of external authentication mechanisms that you can use, for example:

·        Windows NT LAN Manager (NTLM) authentication

·        User ID and password verification using the Windows NT domain controller

·        Authentication using an LDAP bind to a directory server

·        Authentication using the Secure Sockets Layer (SSL) protocol and X.509 client certificates

·        An arbitrary authentication mechanism on the Web server that sets the user’s ID in an HTTP header variable

·        An arbitrary mechanism on the AGate that is provided by a certified partner

Integration

When using PAS, the actual user authentication takes place outside of the SAP system. When the user accesses the SAP system via the ITS, the external mechanism authenticates the user and informs the PAS of the result. If the external authentication was successful, the PAS passes this information on to the SAP system so that it can issue the user his or her logon ticket. Depending on the mechanism you use, the user’s ID for the logon ticket is either sent with his or her authentication information from the external mechanism or it is obtained from the user external ID mapping table in the SAP system.

The external authentication can take place on either of the ITS components, the AGate or the WGate. See the graphics below.

Pluggable Authentication Services on the AGate

[Graphic: Pluggable Authentication Services on the AGate]

Example

Examples of external authentication mechanisms that take place on the AGate include:

·         Verifying the user’s Windows NT domain and password on the domain controller

·         LDAP bind to a directory server

·         An authentication mechanism provided by a certified partner that occurs on the AGate

Pluggable Authentication Services on the Web Server (WGate)

[Graphic: Pluggable Authentication Services on the Web Server (WGate)]

Example

Examples of external authentication mechanisms that take place on the Web server (WGate) include:

·         Windows NTLM authentication

·         SSL and X.509 client certificates

·         An arbitrary authentication mechanism on the Web server that sets the user’s ID in an HTTP header variable

Platform Availability

The supported PAS mechanisms are available for the ITS platforms as shown in the table below.

Availability of PAS

PAS Type                                  Authenticating Component (AGate / WGate)   Available Platforms
Windows NTLM                              WGate                                      Microsoft Internet Information Server (IIS)
Verifying Windows NT User ID / Password   AGate                                      Windows NT/2000/XP
X.509 Client Certificates                 WGate                                      All supported Web server platforms
LDAP bind                                 AGate                                      All supported AGate platforms
HTTP header variables                     WGate                                      All supported Web server platforms
Partner mechanisms                        AGate                                      Determined by availability of the partner product

Note

The other ITS component can run on a different platform. For example, when using Windows NTLM authentication, the AGate can run on a Linux host.

For more information about ITS availability and supported platforms, see the SAP Service Marketplace at http://service.sap.com/sap-its.

Prerequisites

For your SAP system to be able to use PAS, it must meet the following prerequisites:

·        One system must be set up as a ticket-issuing system, for example, an SAP system application server, and the corresponding ITS.

·        The other SAP systems in your SSO environment must be set up to accept the logon tickets. The prerequisites for using logon tickets must therefore also be met:

○        The user must have the same user ID in all systems that are to accept logon tickets.

○        Accepting systems must meet the system requirements as described in SAP note 177895.

○        Users must configure their Web browsers to accept cookies. (The logon ticket is a session cookie with the name MYSAPSSO2.)

○        The Web servers used to access the various systems must all reside in the same DNS domain.

·        Because the authentication occurs externally and not within the SAP system itself, you must use Secure Network Communications (SNC) between the ITS AGate and the SAP system to guarantee the integrity and security of the user's authentication.

Recommendation

For cases where the ITS is installed as a dual host installation and where the pluggable authentication takes place on the Web server, we also recommend using SNC between the ITS WGate and the AGate components.

·        The ticket-issuing SAP system must be able to recognize the user's ID.

The system searches for an entry in the user external ID mapping table (USREXTID) that maps the user’s external ID to his or her user ID for the SAP system. Alternatively, when using LDAP bind, HTTP header variables, or a mechanism provided by a partner, the external authentication mechanism can supply the user’s ID for the SAP system directly. In this case, no mapping entry in the table USREXTID is necessary.

Example

For example, you can store the user’s ID for the SAP system in the directory server used for the LDAP bind authentication. In this case, the user’s ID is obtained from the directory server instead of from the mapping table in the SAP system.

In addition, you must also meet any requirements for the specific scenario you use. For more information, see the sections provided for each of these scenarios.
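The following Python program is an added illustration, not code from SAP's ITS or PAS, of the flow described under Integration and of the user ID resolution described in the prerequisites above: the external mechanism reports its result to the PAS, the ticket-issuing system resolves the SAP user ID either from a USREXTID-style mapping entry or from an ID the mechanism supplies directly, and issues a logon ticket as a session cookie named MYSAPSSO2; a second system accepts the ticket only if the cookie domain matches, the ticket is untampered and unexpired, and the same user ID exists locally. The ticket is represented as an HMAC-signed token under a key shared by issuer and accepting system; that scheme, the claim names, the mapping entries, host names and user IDs are all constructed assumptions, and the real MYSAPSSO2 ticket format, lifetime and signature mechanism are not reproduced.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

TICKET_COOKIE = "MYSAPSSO2"  # cookie name of the logon ticket, as stated on the page

# Constructed stand-in for the USREXTID mapping table: (mechanism, external ID) -> SAP user ID.
USREXTID: Dict[Tuple[str, str], str] = {
    ("NTLM", "CORP\\jsmith"): "JSMITH",
    ("X509", "CN=Maria Perez,OU=Sales,O=Example"): "MPEREZ",
}

@dataclass
class ExternalAuthResult:
    """What the external mechanism reports back to the PAS."""
    mechanism: str                      # e.g. "NTLM", "X509", "LDAP", "HTTP_HEADER"
    success: bool
    external_id: Optional[str] = None   # ID as known to the external mechanism
    sap_user_id: Optional[str] = None   # set only by mechanisms that supply the SAP ID themselves

def resolve_sap_user(result: ExternalAuthResult) -> Optional[str]:
    """SAP user ID for a successful external authentication, or None."""
    if not result.success:
        return None
    if result.sap_user_id:              # LDAP bind, HTTP header variable or partner mechanism
        return result.sap_user_id
    return USREXTID.get((result.mechanism, result.external_id or ""))

def _sign(key: bytes, payload: bytes) -> str:
    # HMAC stands in for the issuing system's signature (assumption, not the real scheme).
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

class TicketIssuer:
    """Ticket-issuing system: turns a successful PAS result into a logon-ticket cookie."""

    def __init__(self, key: bytes, system_id: str, cookie_domain: str, lifetime_s: int = 8 * 3600):
        self.key, self.system_id = key, system_id
        self.cookie_domain, self.lifetime_s = cookie_domain, lifetime_s

    def issue(self, result: ExternalAuthResult, now: int) -> Optional[dict]:
        user = resolve_sap_user(result)
        if user is None:
            return None                 # authentication failed or no USREXTID entry: no ticket
        claims = {"user": user, "issuer": self.system_id, "iat": now, "exp": now + self.lifetime_s}
        payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        token = base64.urlsafe_b64encode(payload).decode() + "." + _sign(self.key, payload)
        return {"name": TICKET_COOKIE, "value": token, "domain": self.cookie_domain}

class AcceptingSystem:
    """Another system in the SSO environment that accepts logon tickets."""

    def __init__(self, key: bytes, host: str, local_users: Set[str]):
        self.key, self.host, self.local_users = key, host, local_users

    def accept(self, cookie: dict, now: int) -> Optional[str]:
        """Return the authenticated SAP user ID, or None if the ticket is not acceptable."""
        # A browser presents the cookie only to hosts in its DNS domain (prerequisite on the page).
        if cookie["name"] != TICKET_COOKIE or not self.host.endswith(cookie["domain"]):
            return None
        try:
            b64, sig = cookie["value"].split(".", 1)
            payload = base64.urlsafe_b64decode(b64.encode())
        except ValueError:              # malformed token (binascii.Error is a ValueError)
            return None
        if not hmac.compare_digest(sig, _sign(self.key, payload)):
            return None                 # tampered payload or signature
        claims = json.loads(payload)
        if not claims["iat"] <= now < claims["exp"]:
            return None                 # ticket not yet valid or expired
        # The user must exist under the same ID in every accepting system.
        return claims["user"] if claims["user"] in self.local_users else None

def demo() -> dict:
    """Run the flow with constructed inputs; key, hosts and users are invented."""
    key = b"demo-shared-key"
    issuer = TicketIssuer(key, "PRD", ".example.com")
    erp = AcceptingSystem(key, "erp.example.com", {"JSMITH", "MPEREZ"})
    other_domain = AcceptingSystem(key, "erp.other.net", {"JSMITH"})
    now = 1_700_000_000
    ntlm = issuer.issue(ExternalAuthResult("NTLM", True, external_id="CORP\\jsmith"), now)
    ldap = issuer.issue(ExternalAuthResult("LDAP", True, "uid=mperez,ou=people", "MPEREZ"), now)
    tampered = dict(ntlm, value=ntlm["value"].replace(".", ".ff", 1))
    return {
        "ntlm_user": erp.accept(ntlm, now),        # "JSMITH", resolved via USREXTID
        "ldap_user": erp.accept(ldap, now),        # "MPEREZ", supplied by the directory
        "unmapped": issuer.issue(ExternalAuthResult("NTLM", True, external_id="CORP\\nobody"), now),
        "tampered": erp.accept(tampered, now),     # None
        "expired": erp.accept(ntlm, now + 9 * 3600),      # None
        "wrong_domain": other_domain.accept(ntlm, now),   # None
    }
```

The two issuance paths in demo() correspond to the two cases the text distinguishes: the NTLM result carries only an external ID and needs a mapping entry, while the LDAP result carries the SAP user ID and needs none. The rejections show why the prerequisites matter: an accepting system outside the cookie's DNS domain never sees the ticket, a modified ticket fails the signature check, and an expired one is refused even though its signature is valid.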
