Authentication Using an Arbitrary Mechanism on the Web Server

Purpose

With this PAS option, the user is authenticated using an arbitrary authentication mechanism that occurs on the Web server. This mechanism sets the user’s ID in an HTTP header variable so that it can be retrieved by the WGate and passed on to the AGate. As with the LDAP bind option, the arbitrary mechanism can provide the user’s ID for the SAP system directly. Otherwise, the system obtains the SAP user ID from the user external ID mapping table USREXTID. The system then issues the user his or her logon ticket.

Prerequisites

For the prerequisites for using an arbitrary authentication mechanism on the Web server for PAS, see the following topics:

Process Flow

See the graphic below:

Using an Arbitrary Authentication Mechanism on the Web Server

The process is as follows:

  1. The user accesses the PAS service for using the arbitrary authentication mechanism (for example, saphttp).
  2. The user is authenticated by the external authentication mechanism. (Depending on the authentication mechanism used, the user may have to provide authentication information, for example, user ID and password.)
  3. If the authentication was successful, the authentication mechanism sets the user’s ID in the HTTP header variable.
  4. The WGate retrieves the user ID from the HTTP header variable and passes it to the AGate, which passes it to the SAP system application server.
  5. If the user ID that is passed is not the SAP user ID, then the SAP system searches for a matching user ID in the user external ID mapping table.
  6. If successful, the PAS issues the user a logon ticket, which it sets in the user’s Web browser.
  7. The PAS redirects the user to the desired service (for example, myservice).
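Steps 2 to 6 as a simplified model, added here as an illustration; it is not SAP code and not part of the original documentation. The header name, the user IDs, and the dictionary standing in for table USREXTID are constructed. The model also assumes the Web server discards any copy of the header that arrives from the browser, a hardening step the page does not state.

```python
# Added illustration: a simplified model of steps 2-6, not SAP code.
HEADER = "X-Auth-User"                        # hypothetical header variable name
SAP_USERS = {"MILLER", "JONES"}               # constructed SAP user IDs
USREXTID = {"jmiller@example.com": "MILLER"}  # constructed: external ID -> SAP user ID


def web_server_stage(client_headers, authenticated_id):
    """Steps 2-3: the header is set only by the authentication mechanism.

    Any copy of the header sent by the browser is dropped first (assumed
    hardening), so the value seen downstream always comes from the mechanism.
    authenticated_id is None when authentication failed.
    """
    headers = {k: v for k, v in client_headers.items()
               if k.lower() != HEADER.lower()}
    if authenticated_id is not None:
        headers[HEADER] = authenticated_id
    return headers


def resolve_sap_user(headers):
    """Steps 4-5: read the ID from the header and resolve it to an SAP user ID."""
    passed_id = headers.get(HEADER)
    if not passed_id:
        return None                    # no header: the user was not authenticated
    if passed_id in SAP_USERS:
        return passed_id               # the mechanism supplied the SAP user ID directly
    return USREXTID.get(passed_id)     # otherwise search the external ID mapping


def pas_logon(client_headers, authenticated_id):
    """Step 6: a logon ticket is issued only when an SAP user ID was resolved."""
    sap_user = resolve_sap_user(web_server_stage(client_headers, authenticated_id))
    return {"ticket_issued": sap_user is not None, "sap_user": sap_user}


if __name__ == "__main__":
    print(pas_logon({}, "MILLER"))
    print(pas_logon({}, "jmiller@example.com"))
    print(pas_logon({"x-auth-user": "JONES"}, None))
```
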

Result

The user accesses the SAP service after authenticating himself or herself using the arbitrary authentication mechanism.

When the user accesses further SAP services, the logon ticket is used for Single Sign-On access.