Single Sign-On to Non-SAP Systems and Applications

The SAPSSOEXT library provides functions that enable non-SAP applications to verify SAP logon tickets and extract the user ID from the logon ticket. The library is coded in C and has a JNI Java interface and a COM (Windows) interface. The library comes with Java, C, and C# sample files that demonstrate how you can implement the library in the source code of a high level programming language such as Visual Basic, C, Java, or .NET.

For more information about platform support, see the download area on SAP Service Marketplace.

Download

From SAP Service Marketplace at service.sap.com/patches → (Downloads tab) → SAP Support Packages   →Support Packages and Patches → Entry by Application Group → Additional Components → SAPSSOEXT → <platform> → SAPSSOEXT lib for SAP logon ticket.

Documentation

Documentation is included in the archive file containing the library.

SAP offers an extension of SAPSSOEXT with Web server filters. You can use the filters to implement Single Sign On with logon tickets to Web-based applications that support authentication with an HTTP header variable. The filter verifies the logon ticket using the public-key certificate for the logon tickets. Then the filter extracts the name of the authenticated user from the logon ticket, and writes it into the HTTP header. You specify the name of the HTTP header variable in the remote_user_alias parameter in the filter configuration file.

The Web server filter supports the following Web servers:

• Apache Web Server
• Microsoft Internet Information Server (IIS)
• Sun Java System Web Server

  Formerly Sun ONE Web Server and iPlanet Web Server

For more information about Web server releases and operating systems supported, see SAP Note 442401.

Documentation

• Included in the archive file containing the filter
• SAP Note 442401: Web server filter for SSO to third-party

The SSO22KerbMap Module is an ISAPI filter that uses the new delegation features that are available with Microsoft's Kerberos implementation in Windows Server 2003 and Active Directory 2003. The filter securely identifies the user through the SAP logon ticket and requests a constrained Kerberos ticket from Active Directory on behalf of that user. The Kerberos ticket can than be used for SSO to a Microsoft Web-based application.

A typical scenario for this filter is when setting up SSO with logon tickets to Outlook Web Access integrated in SAP NetWeaver Portal.

The filter can be used with the following systems:

• SAP Enterprise Portal 6.0 SP2 Patch 4 and higher or SAP NetWeaver Portal 7.0 and higher
• Microsoft Windows Server 2003, Active Directory 2003

Download

From SAP Service Marketplace at service.sap.com/patches → (Downloads tab) → SAP Support Packages → Support Packages and Patches → Entry by Application Group → Additional Components → SAPSSOEXT → Windows Server on IA32 32bit → SSO2 To Kerberos Mapping Filter.

Documentation

• From SAP Service Marketplace at service.sap.com/patches → (Downloads tab) → SAP Support Packages → Support Packages and Patches → Entry by Application Group → Additional Components → SAPSSOEXT → Windows Server on IA32 32bit → SSO2 To Kerberos Mapping Filter Docu.
• .NET Interoperabilitysection in SAP Developer Network (SDN). You can find this at www.sdn.sap.com . Under Developer Areas, choose SAP NetWeaver Platform → .NET Interoperability
• SAP Note 735639 SSO2 To Kerberos Mapping Filter: Known issues