Integration into Single Sign-On Environments

Use

SAP Jam Integration supports the Single Sign-On (SSO) mechanisms provided by SAP NetWeaver. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Security Guide also apply to SAP Jam Integration.

For more information about the available authentication mechanisms, see the SAP Library for SAP Single Sign-On on SAP Help Portal at http://help.sap.com/nwsso and search for Administration for User Authentication and Single Sign-On (SSO).

The ABAP SMI OData API can only be consumed locally (from within the ABAP system) and therefore does not implement security mechanisms for its own software parts. It must, however, establish a secure connection to the external service provider, transparently for the consuming application. This is ensured as follows:

  • Definition of specific authentication methods (per service provider and endpoint)
  • Support of OAuth 1.0 authentication based on SAML assertions (SAML bearer flow)
  • User-based authentication or application-based authentication, depending on the scenario or endpoint
  • Data transfer over SSL/TLS
  • Trusted connection to the service provider based on an exchange of certificates (transaction STRUST)
  • Support of the RSA-SHA1 signature method for signing OAuth 1.0 requests
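The RSA-SHA1 signature method named in the list is the OAuth 1.0 request-signing procedure of RFC 5849 (sections 3.4.1 and 3.4.3): the consumer builds a signature base string from the HTTP method, the base URL and the normalized parameters, signs its SHA-1 digest with its RSA private key (in an ABAP system, the key pair kept in STRUST), and the service provider verifies the signature with the consumer's public key. The following Go program is an added example written for this page; it is not SAP code and does not show how ABAP SMI is implemented internally. The endpoint URL, consumer key, nonce and timestamp are constructed values, and the RSA key pair is generated on the fly. It is useful for checking, on a captured request, exactly which bytes a signature covers and why a changed parameter or URL invalidates it.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// percentEncode is the OAuth 1.0 encoding of RFC 5849 section 3.6: only
// ALPHA, DIGIT, '-', '.', '_' and '~' are kept, everything else becomes %XX
// with upper-case hex. This deliberately differs from url.QueryEscape.
func percentEncode(s string) string {
	const hex = "0123456789ABCDEF"
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case 'A' <= c && c <= 'Z', 'a' <= c && c <= 'z', '0' <= c && c <= '9',
			c == '-', c == '.', c == '_', c == '~':
			b.WriteByte(c)
		default:
			b.WriteByte('%')
			b.WriteByte(hex[c>>4])
			b.WriteByte(hex[c&0x0f])
		}
	}
	return b.String()
}

// signatureBaseString builds the string that is signed (RFC 5849 section 3.4.1):
// METHOD & encode(base URL) & encode(normalized parameters). params holds the
// oauth_* protocol parameters together with the query parameters; baseURL must
// carry no query string.
func signatureBaseString(method, baseURL string, params map[string]string) string {
	pairs := make([]string, 0, len(params))
	for k, v := range params {
		pairs = append(pairs, percentEncode(k)+"="+percentEncode(v))
	}
	sort.Strings(pairs) // byte order of the already encoded name=value pairs
	normalized := strings.Join(pairs, "&")
	return strings.ToUpper(method) + "&" + percentEncode(baseURL) + "&" + percentEncode(normalized)
}

// signRSASHA1 is the RSA-SHA1 method of RFC 5849 section 3.4.3:
// RSASSA-PKCS1-v1_5 over the SHA-1 digest of the base string, base64 encoded.
func signRSASHA1(priv *rsa.PrivateKey, baseString string) (string, error) {
	digest := sha1.Sum([]byte(baseString))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// verifyRSASHA1 is the service provider's side: recompute the base string from
// the received request and check the signature against the consumer's public key.
func verifyRSASHA1(pub *rsa.PublicKey, baseString, sigB64 string) bool {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return false
	}
	digest := sha1.Sum([]byte(baseString))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest[:], sig) == nil
}

// authorizationHeader renders the oauth_* parameters and the signature as an
// OAuth Authorization header (RFC 5849 section 3.5.1).
func authorizationHeader(oauthParams map[string]string, signature string) string {
	keys := make([]string, 0, len(oauthParams))
	for k := range oauthParams {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	parts := make([]string, 0, len(keys)+1)
	for _, k := range keys {
		parts = append(parts, fmt.Sprintf(`%s="%s"`, percentEncode(k), percentEncode(oauthParams[k])))
	}
	parts = append(parts, fmt.Sprintf(`oauth_signature="%s"`, percentEncode(signature)))
	return "OAuth " + strings.Join(parts, ", ")
}

func main() {
	// Constructed sample request; the key pair stands in for the STRUST key pair.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	oauth := map[string]string{
		"oauth_consumer_key":     "abc",
		"oauth_nonce":            "xyz",
		"oauth_signature_method": "RSA-SHA1",
		"oauth_timestamp":        "1700000000",
		"oauth_version":          "1.0",
	}
	all := map[string]string{"$top": "5"} // query parameter of the OData call
	for k, v := range oauth {
		all[k] = v
	}
	base := signatureBaseString("GET", "https://jam.example.com/api/v1/OData/Groups", all)
	sig, err := signRSASHA1(priv, base)
	if err != nil {
		panic(err)
	}
	fmt.Println("base string:", base)
	fmt.Println("Authorization:", authorizationHeader(oauth, sig))
	fmt.Println("verifies:", verifyRSASHA1(&priv.PublicKey, base, sig))
	// Any change to what was signed (here the query parameter) must fail verification.
	all["$top"] = "6"
	fmt.Println("tampered verifies:", verifyRSASHA1(&priv.PublicKey,
		signatureBaseString("GET", "https://jam.example.com/api/v1/OData/Groups", all), sig))
}
```

Because the signature covers the normalized parameters, a request whose query parameters or body form fields differ from the ones signed fails verification, which is what makes the per-request signature useful beyond the transport protection provided by SSL/TLS.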

Collaboration Component - Feed Component

SAP Jam provides an API that allows a trusted back end (back channel) to request a single-use token. This token can be requested and passed on to the UI using OData; the authentication methods themselves, however, are not exposed by the OData API.

Authentication

The ABAP SMI API performs the authentication against SAP Jam. Because the required authentication method depends on the specific Jam REST or OData resource, ABAP SMI has to support several methods. The authentication method is assigned separately to each endpoint of a service provider. To allow for more flexibility (for example, with regard to the cryptographic procedure), the assignment made at development time only defines an authentication context; each system then assigns the appropriate authentication method to this context.

The authentication context must be assigned in each system and client with transaction CLB2_PLATF. For more information, see Customizing for SAP NetWeaver under UI Technologies > SAP Jam Integration > Define Server Settings.

The following authentication contexts are delivered with the ABAP SMI API:

Authentication Context   Description
APPLI                    Application context, not user-related; not actively used by ABAP SMI.
APPUSR                   Application context with user authentication; not actively used by ABAP SMI.
NONE                     No authentication; actively used by ABAP SMI for requests that do not need authentication, such as access to $metadata, and for requests that have already been authenticated and carry a session ID or token.
USER                     User context; actively used by ABAP SMI.

If the USER context is used, ABAP SMI authenticates with SAML 2.0 assertions. This means that the USER context is linked to the SAML_20 method in the delivered Customizing. Using SAML 2.0 assertions has the advantage that no user secrets have to be stored in the back end.

Note OAuth 2.0 is currently not supported by ABAP SMI.