Using Header Variables for User Authentication
The SAP Web Application Server Java supports the use of header variables for Single Sign-On. This means that you can use an external product, called a Web Access Management (WAM) product, to authenticate your users. The WAM product returns an authenticated user ID as part of the HTTP header. Users only have to authenticate once against the external product and can then access applications on the Web AS Java, such as the portal, with Single Sign-On.
This is useful if, for example, you are already using an external WAM product to protect other resources in your company, or if you wish to use authentication mechanisms that are not directly supported by the SAP Web AS Java, such as token cards or biometrics.
The Web AS Java provides a login module called HeaderVariableLoginModule that reads the user ID from a configured HTTP header variable and logs the user on under that ID. The module performs no credential check of its own; it relies entirely on the upstream product having authenticated the user.
For example, authentication with an external WAM product works as follows: The WAM product authenticates the user and forwards the request to the Web AS Java with the authenticated user ID in the HTTP header. The Web AS Java looks up this user ID in the user data sources and, if it finds a match, grants the user access to the requested application. The user must therefore exist in the UME user data sources.
Prior to SAP NetWeaver ’04 SPS15, this option was used to support integrated Windows authentication. In this case, Microsoft Internet Information Services (IIS) was used as an intermediary server and the user information was passed to the J2EE Engine by the IISproxy module in a header variable. However, support for this option is deprecated as of SAP NetWeaver ’04 SPS15.
As of SAP NetWeaver ’04 SPS15, we support integrated Windows authentication by supporting the Simple and Protected GSS API Negotiation (SPNego) Mechanism, which provides authentication using Kerberos. For more information, see Using Kerberos Authentication for Single Sign-On.

Unless a specific application still requires the use of the IIS and the IISproxy module, we recommend using the Kerberos authentication instead of the IIS and IISproxy module for integrated Windows authentication.
· To use an external product with the header variable login module for authentication, you must have an external Web server in front of the SAP Web AS Java. All requests must pass through the external Web server.
· The user ID that the external product returns in the HTTP header must exist in the user management data sources.
If appropriate security measures are not taken, authentication using header variables allows an attacker to impersonate any user whose ID exists in the user data sources, simply by sending a request with that user ID in the configured header variable directly to the SAP Web Application Server. To prevent this, you should do the following:
· Using appropriate measures, make sure that the HTTP and HTTPS ports of the Web AS Java or portal cannot be directly accessed by client browsers, for example by using firewalls. The Web AS should only be accessed through its Web server. This prevents attackers from bypassing the Web server and impersonating authenticated users.
· If it is not possible to block the HTTP and HTTPS ports of the Web AS Java, you must configure Secure Sockets Layer (SSL) with mutual authentication between the Web server that authenticates the user and the SAP Web AS Java. In this way, the Web AS Java can trust the user information contained in the header variable.
To set this up, you must add the certificate of the Web server to the list of trusted root certificates in the J2EE Engine. Then you configure the J2EE Engine to accept only incoming requests from clients that authenticate with this certificate during the SSL handshake. For more information, see Using SSL With an Intermediary Server.
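The following is an added example written for this page, not SAP code and not the HeaderVariableLoginModule itself. It models the trust problem described above: a front-end Web server that authenticates the browser user and forwards the ID in a header, a vulnerable backend that accepts that header from anyone, and a hardened backend that honours it only when the request arrives over mutual SSL from the trusted Web server. The header name X-Remote-User, the proxy certificate subject, and the user store are all constructed assumptions.

```python
"""Added example, not SAP code: a minimal model of header-variable SSO.

Assumptions (constructed for this example, not taken from the page):
- the header carrying the user ID is named X-Remote-User,
- the front-end Web server authenticates to the backend with a TLS client
  certificate whose subject is PROXY_CERT_SUBJECT,
- USER_STORE stands in for the UME user data sources.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

USER_ID_HEADER = "X-Remote-User"                 # hypothetical header variable name
PROXY_CERT_SUBJECT = "CN=webproxy.example.test"  # hypothetical trusted Web server cert
USER_STORE = {"alice", "bob"}                    # constructed user data source


@dataclass
class Request:
    """What the backend sees: HTTP headers plus a TLS-layer fact it verified itself."""
    headers: Dict[str, str] = field(default_factory=dict)
    client_cert_subject: Optional[str] = None  # subject of a verified client cert, if any


def header_value(headers: Dict[str, str], name: str) -> Optional[str]:
    """HTTP header names are case-insensitive, so match them that way."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def front_end_forward(browser_headers: Dict[str, str], authenticated_user: str) -> Request:
    """The external Web server / WAM after it has authenticated the browser user.

    It drops any client-supplied copy of the user header (otherwise an authenticated
    user could inject a different ID), sets its own, and forwards over mutual SSL.
    """
    forwarded = {k: v for k, v in browser_headers.items()
                 if k.lower() != USER_ID_HEADER.lower()}
    forwarded[USER_ID_HEADER] = authenticated_user
    return Request(headers=forwarded, client_cert_subject=PROXY_CERT_SUBJECT)


def naive_login(request: Request) -> Optional[str]:
    """Vulnerable backend: accepts the header from whoever sent the request."""
    user_id = header_value(request.headers, USER_ID_HEADER)
    return user_id if user_id in USER_STORE else None


def hardened_login(request: Request, trusted_subject: str = PROXY_CERT_SUBJECT) -> Optional[str]:
    """Backend that honours the header only when the request came from the trusted
    Web server, proved here by the TLS client certificate (mutual SSL)."""
    if request.client_cert_subject != trusted_subject:
        return None
    user_id = header_value(request.headers, USER_ID_HEADER)
    return user_id if user_id in USER_STORE else None


def demo() -> Dict[str, Optional[str]]:
    # 1. Attacker bypasses the Web server and sends the header straight to the backend.
    spoofed = Request(headers={"x-remote-user": "alice"})
    # 2. User "bob" authenticates at the WAM but also tries to smuggle a header for "alice".
    legit = front_end_forward({"X-Remote-User": "alice", "Host": "portal.example.test"}, "bob")
    return {
        "naive_spoof": naive_login(spoofed),        # "alice": impersonation succeeds
        "hardened_spoof": hardened_login(spoofed),  # None: no trusted client cert
        "naive_legit": naive_login(legit),          # "bob": smuggled header was stripped
        "hardened_legit": hardened_login(legit),    # "bob": trusted proxy, valid user
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:15s} -> {result}")
```

Two details matter in practice and are easy to get wrong: the front-end must strip the user header from the browser's request before adding its own, and the backend must decide trust from something it can verify itself (the client certificate of the SSL connection, or a network path that only the Web server can reach), never from the header contents.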
The exact steps for setting up authentication with header variables depend on the product you use. In all cases you will need to adjust the login module stacks or templates of the applications that are to use header variable authentication. For details, see Adjusting the Login Module Stacks for Using Header Variables.
If you are using authentication with header variables in the portal, you can configure what happens when users log off from the portal. By default users are redirected to the default logon screen after they log off. If the portal uses an external Web access management tool to authenticate users, the portal logoff cannot delete the session identifiers created by the external tool and users are automatically logged on again, so it is impossible for them to log off the portal. To prevent users from being automatically logged on again, you can redirect users to a screen other than the default logon screen after they log off the portal. For more information, see SAP Note 696294.
...