Procedure documentation Microsoft .NET Passport

You can use external authentication mechanisms such as Microsoft .NET Passport to determine which user to log on to the SAP system. This mechanism is similar to using X.509 certificates as discussed above. Instead of asking the SAP system to examine a certificate, you determine the user identity by some other means (for example, the Passport API) and, over a trusted SNC connection, tell the SAP system which user to log on. The SAP system does not verify that identity itself; it accepts it because the asserting SNC partner is trusted. It is therefore essential that the IIS service user is a trusted SNC user in the SAP system, and you should keep in mind that anyone who can open a connection under that SNC identity can log on as any user mapped in VUSREXTID, so the IIS service account must be protected accordingly. For more information, see the section on establishing an SNC connection between IIS and the SAP system above.

The EXTIDDATA tag carries the external user ID as defined in view VUSREXTID for type ID; the SAP user that is logged on is the one to which this external ID is mapped there.

The EXTIDTYPE tag should be set to ID, the generic external user type. Other external ID types, for example type DN (certificates), do not work in this scenario.

// Example connection string for Passport-type authentication
string ConnStr = "ashost=pcintel11 sysnr=0 client=0 snc_mode=1 snc_partnername=\"p:SAPServiceCS2@nt5.sap-ag.de\" type=3 EXTIDDATA=<passport_id> EXTIDTYPE=ID";
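Because the connection string is a space-separated list of key=value pairs and EXTIDDATA is filled from an identity obtained outside the SAP system, the value must be validated before it is concatenated, or a crafted identity can append further parameters (including a second EXTIDTYPE). The following is an added example, not code from the original page or from SAP: it shows the string assembly in language-neutral Python, with a naive substitution beside a strict builder, plus a small parser used only to make the injection visible. The fixed parameters are taken from the example above; the assumption that a Passport PUID is stored in VUSREXTID as its 16-hex-digit form, and the parser's quoting rules, are assumptions for illustration.

```python
import re

# Fixed deployment parameters, copied from the page's example connection string.
BASE_PARAMS = {
    "ashost": "pcintel11",
    "sysnr": "0",
    "client": "0",
    "snc_mode": "1",
    "snc_partnername": "p:SAPServiceCS2@nt5.sap-ag.de",
    "type": "3",
}

# Assumption for this example: the external ID stored in VUSREXTID (type ID) is
# the Passport PUID rendered as exactly 16 hexadecimal digits. Tighten or relax
# this to match what is actually stored in VUSREXTID.
EXTID_RE = re.compile(r"[0-9A-Fa-f]{16}")

# Values made only of these characters are emitted bare; anything else is
# double-quoted (the page quotes snc_partnername the same way).
BARE_VALUE_RE = re.compile(r"[A-Za-z0-9_.\-]+")


class ExternalIdError(ValueError):
    """Raised when an asserted external ID does not have the expected shape."""


def quote_value(value: str) -> str:
    """Quote a connection-string value; refuse characters that could break quoting."""
    if '"' in value or "\\" in value:
        raise ValueError(f"unsupported character in connection-string value: {value!r}")
    return value if BARE_VALUE_RE.fullmatch(value) else f'"{value}"'


def naive_passport_connstr(passport_id: str) -> str:
    """The page's literal string with <passport_id> substituted and no checks (insecure)."""
    return (
        'ashost=pcintel11 sysnr=0 client=0 snc_mode=1 '
        'snc_partnername="p:SAPServiceCS2@nt5.sap-ag.de" type=3 '
        f'EXTIDDATA={passport_id} EXTIDTYPE=ID'
    )


def build_passport_connstr(passport_id: str) -> str:
    """Strict builder: validate the external ID, then emit key=value pairs.

    EXTIDTYPE is always ID; the caller cannot influence it.
    """
    if not EXTID_RE.fullmatch(passport_id):
        raise ExternalIdError(f"rejected external ID {passport_id!r}")
    params = dict(BASE_PARAMS, EXTIDDATA=passport_id, EXTIDTYPE="ID")
    return " ".join(f"{key}={quote_value(val)}" for key, val in params.items())


# Parser used only to show what a consumer of the string would see.
_PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def parse_connstr(connstr: str) -> list:
    """Split a connection string into (key, value) pairs, honouring double quotes."""
    pairs = []
    for match in _PAIR_RE.finditer(connstr):
        key, quoted, bare = match.groups()
        pairs.append((key, quoted if quoted is not None else bare))
    return pairs


def duplicate_keys(pairs: list) -> set:
    """Keys that occur more than once; a sign that a value smuggled in extra parameters."""
    seen, dupes = set(), set()
    for key, _ in pairs:
        if key in seen:
            dupes.add(key)
        seen.add(key)
    return dupes


if __name__ == "__main__":
    # Constructed sample inputs: a well-formed PUID and one carrying an injected parameter.
    good_id = "0123456789ABCDEF"
    evil_id = "0123456789ABCDEF EXTIDTYPE=DN"

    print(build_passport_connstr(good_id))
    print("naive duplicates:", duplicate_keys(parse_connstr(naive_passport_connstr(evil_id))))
    try:
        build_passport_connstr(evil_id)
    except ExternalIdError as exc:
        print("strict builder:", exc)
```

The naive form lets the asserted identity append `EXTIDTYPE=DN`, so the string now carries two EXTIDTYPE entries and the result depends on whichever the connector honours; the strict builder rejects the value before anything is assembled. Whatever shape your external IDs actually have, the rule is the same: the only untrusted input in this string is EXTIDDATA, so pin every other parameter server-side and accept EXTIDDATA only against a strict allow-list pattern.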

To verify that the external user has really been logged on, set abap_debug=1 in the connection string. Then examine the list of logged-on users in the SAP users overview screen, which you can access in the SAP menu under System Monitoring, or use transaction SM04 directly. The session should appear under the SAP user to which the external ID is mapped in VUSREXTID, not under the IIS service user.

In the future, both SAP and Microsoft will offer more direct support for Passport authentication. For more information, refer to Microsoft’s Federated Security and Identity Roadmap at: http://msdn.microsoft.com
