Guidance on SSO with BizTalk and SAP

  • Question

  • Hi All,

    I have a couple of questions related to a post that was answered, and I'm hoping someone here has some answers or can point me in the right direction :)

    I noticed in the hotfix for supporting logon tickets the line "Logon tickets are not supported when you are using the SAP adapter with BizTalk Server". If we want to use BizTalk to submit data to SAP using the originating user's credentials, what is the best way to approach this? I'll provide a high level summary of the environment for this situation at the end of this post.

    If we are using the adapter to submit data to SAP, what mechanisms do we have available to us to retrieve a SAP Logon Ticket for the currently logged in user? The description I received from the SAP consultant on how the SAP Portal carries out SSO for domain users is as follows:

    1. The Web client accesses a J2EE Engine resource (Portal) with a GET request.
    2. The J2EE Engine (Portal) sends back a 401 response code (unauthorized) with a request to initiate SPNego authentication by setting the HTTP header “WWW-Authenticate” to “Negotiate”.
    3. The Web client recognizes that the J2EE Engine (Portal) host is a member of the Kerberos Realm and procures a Kerberos Client/Server Session Ticket for the J2EE Engine from the KDC.
    4. The Web client then sends the Kerberos Client/Server Session Ticket to the J2EE Engine wrapped as a SPNego token in the HTTP authorization header.
    5. The SPNegoLoginModule reads the token from the HTTP request and feeds the Kerberos implementation of the JDK with it.
    6. The result is either successful client authentication or failure when the client request is rejected or another roundtrip to the KDC is necessary. In the case of failure, the Kerberos JDK implementation of the J2EE Engine generates and sends back to the Web client an output token. The output token is wrapped as a SPNego token and sent in the HTTP authorization header.

    Do you know if there is an SAP Web Service that can be called to retrieve a SAP Logon Ticket for the currently logged in domain user? Are there other techniques that can be used to retrieve this token?

    For the solution where we would like to use BizTalk to submit data to SAP, the process starts in SharePoint (MOSS 2007) where the user will fill out the necessary data and submit it to a WCF BizTalk EndPoint where the information will be transformed into the structure SAP requires and will be submitted to SAP using the adapter from the 2.0 Adapter Pack.

    We need to have the "submit to SAP" action take place under the SAP account of the user that submitted the data from SharePoint. As I mentioned above, they currently have the SAP Portal set up to create a SAP Logon Ticket for domain authenticated users ... so I was wondering if this is the correct approach. If not, what other options should I be looking at? I know BizTalk has an SSO database where you can set up affiliate applications, but I have not been able to find any examples on how this can be set up to keep Windows and SAP usernames and passwords in sync. If this is the approach I should be looking at, I would greatly appreciate an example of how this should be set up.

    Thanks in advance.
    Mike

    Wednesday, May 12, 2010 6:24 PM
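    As an added illustration of the six-step exchange described above (example code, not from any post in this thread and not SAP's or Microsoft's code): a .NET client that lets HttpWebRequest answer the Portal's "401 / WWW-Authenticate: Negotiate" challenge with the current Windows identity and returns the SAP Logon Ticket, which the J2EE Engine issues as the MYSAPSSO2 cookie on success. The Portal URL is a placeholder supplied by the caller.

```csharp
using System;
using System.Net;

// Added example, not code from the thread. Obtains an SAP Logon Ticket for
// the Windows identity this code runs under by performing the SPNego round
// trip against a Portal page. The ticket is returned as the value of the
// MYSAPSSO2 cookie that the J2EE Engine sets once ticket issuing is enabled.
public static class PortalLogonTicket
{
    // Cookie name SAP uses for the SSO2 logon ticket.
    public const string TicketCookieName = "MYSAPSSO2";

    public static string GetForCurrentIdentity(Uri portalUrl)
    {
        var cookies = new CookieContainer();
        var request = (HttpWebRequest)WebRequest.Create(portalUrl);
        request.Method = "GET";
        request.CookieContainer = cookies;

        // Steps 2 to 4: the 401 Negotiate challenge is answered with a Kerberos
        // service ticket for the Portal's SPN, requested from the KDC for the
        // Windows identity of the calling thread. In a service this is the host
        // account unless the caller is impersonated under Kerberos delegation.
        request.UseDefaultCredentials = true;
        request.PreAuthenticate = false;
        request.AllowAutoRedirect = true;
        request.Timeout = 15000;

        try
        {
            using (var response = (HttpWebResponse)request.GetResponse())
            {
                // Steps 5 and 6 succeeded: the SPNegoLoginModule accepted the
                // token and the engine returned the logon ticket cookie.
                Cookie ticket = cookies.GetCookies(portalUrl)[TicketCookieName];
                if (ticket == null)
                {
                    throw new InvalidOperationException(
                        "Portal answered HTTP " + (int)response.StatusCode +
                        " but issued no " + TicketCookieName + " cookie; " +
                        "check that logon ticket issuing is enabled on the engine.");
                }
                return ticket.Value;
            }
        }
        catch (WebException ex)
        {
            var failed = ex.Response as HttpWebResponse;
            if (failed != null && failed.StatusCode == HttpStatusCode.Unauthorized)
            {
                // Step 6 ended in rejection: no Kerberos ticket for the Portal SPN,
                // clock skew, or an identity the engine's UME cannot map.
                throw new UnauthorizedAccessException(
                    "SPNego authentication to " + portalUrl.Host + " was rejected.", ex);
            }
            throw;
        }
    }
}
```

    Two points a practitioner should keep in mind with this approach. First, the ticket belongs to whoever the thread runs as: inside a WCF service or a BizTalk host the default identity is the service account, so obtaining a ticket for the SharePoint user requires the call to run under that user's impersonated Kerberos identity with constrained delegation from the host account to the Portal's HTTP service principal; that is an Active Directory configuration, not a code change. Second, the returned value is a bearer credential for the remainder of its validity period, so it should be handled like a password: not logged, not stored in the message body longer than the SAP call needs it.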

Answers

  • I would like to point out one caveat that you should keep in mind when you are using logonTicket with dynamic ports.

    To set the logonTicket in a dynamic port, you will be setting the WCF.BindingConfiguration property in your message. This value cannot exceed 256 characters, which may be a problem when your logonTicket is larger than that.

    Thanks,

    Jeevitha

    Friday, May 14, 2010 6:10 AM

All replies

  • Nothing official here, but it might work...

     

    We use the SPNego module to retrieve SAP DMS documents. So maybe this could help you:

    When you call a web service based on the J2EE stack you can authenticate via SPNego. Using a trusted RFC connection to ABAP would log on the J2EE user in the ABAP stack (simple with UME linked to SAP, but also possible with an own UME database - equality of user IDs). So if you code a generic J2EE web service calling a SAP function, this will be executed under the credentials of the current Windows account.

    If this won't work: build a web service for each requested SAP function.

    In addition: check if the user exists in the ABAP stack before using trusted RFC. If it doesn't exist, use a system user with basic credentials for "low level" function calls. Saves user licenses.

    Further possibilities: SNC configuration (SAP side) enables "out of the box" SSO for the ABAP stack.

    Or: create an ABAP Logon Ticket. There should be a function for it. You could call it with a system account and afterwards use it for the real logon. But I don't know the exact workflow at the moment. Would have to try myself if you're interested.


    If you like my post or consider it as a valid answer, please use the buttons to show me - Oliver
    Wednesday, May 12, 2010 7:09 PM
  • One way to get a logon ticket is to use the RFC SDK function -
     RfcGetTicket(connectionHandle, ticket);
    It just needs a valid connection handle (either username/password or SNC can be used for authentication).

    #define SAPwithUNICODE
    #include "saprfc.h"
    #include <stdio.h>
    #include <stdlib.h>

    void print(RFC_CHAR* input);

    int main(int argc, char* argv[])
    {
        RFC_ERROR_INFO_EX errorInfo;
        RFC_RC rc;
        RFC_CHAR* ticket;
        /* GETSSO2=1 asks the application server to issue an SSO2 logon ticket for
           the user authenticated on this connection. L"..." matches SAP_UC (UTF-16)
           on Windows; on other platforms use the SDK's cU("...") literal macro. */
        rfc_char_t* connstring = L"ASHOST=**** SYSNR=10 CLIENT=800 USER=*** PASSWD=*** LANG=EN GETSSO2=1";
        RFC_HANDLE connectionHandle = RfcOpenEx(connstring, &errorInfo);

        if (connectionHandle == RFC_HANDLE_NULL)
        {
            print(errorInfo.message);
            return 1;   /* no connection, so there is nothing to fetch a ticket from */
        }

        /* 2048 characters is ample for a logon ticket. */
        ticket = (RFC_CHAR*)malloc(2048 * sizeof(RFC_CHAR));
        if (ticket == NULL)
        {
            RfcClose(connectionHandle);
            return 1;
        }

        rc = RfcGetTicket(connectionHandle, ticket);
        if (rc == RFC_OK)
            print(ticket);
        else
            printf("RfcGetTicket failed with RFC_RC %d\n", (int)rc);

        free(ticket);
        RfcClose(connectionHandle);
        return rc == RFC_OK ? 0 : 1;
    }

    /* The ticket is base64-style ASCII, so printing the low byte of each
       UTF-16 RFC_CHAR is sufficient here. */
    void print(RFC_CHAR* input)
    {
        int i = 0;
        while (input[i] != '\0')
            printf("%c", (char)input[i++]);
        printf("\n");
    }


    In the hotfix we added support for both Impersonation and logon tickets.

    In your scenario I would suggest you use Impersonation using the following binding properties -

    • ExternalIdentificationData
    • ExternalIdentificationType

    By using this, you will neither have to worry about "how to generate the ticket" nor about "the ticket getting expired".

    These properties are binding properties.
    So, if you use a static port in BizTalk, then you can impersonate only a single user,
    or use only a single logon ticket (the ticket will expire very soon - this is the reason we don't support logon tickets with BizTalk).

    However, you can use both Impersonation and logon tickets using BizTalk dynamic ports, creating a new binding for every request,
    and setting the ExternalIdentificationData / LogOnTicketPassword for the current user.

    Hope this helps!

    Thursday, May 13, 2010 10:57 AM
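    As an added example of the dynamic-port approach suggested above (example code, not from any post in this thread and not part of the adapter): a helper an orchestration can call to build the per-message WCF.BindingConfiguration for a dynamic WCF-Custom send port using sapBinding, so that each request to SAP is impersonated as the originating user through the ExternalIdentificationData and ExternalIdentificationType binding properties. The attribute names are assumed to be the camelCase forms of those two properties, "NT" as the identification type for a Windows domain account is an assumption to be checked against the hotfix documentation and the SAP system's external ID mapping, and the length check reflects the 256-character limit Jeevitha reports in this thread. Host, system number and client in the orchestration expression are taken from the connection string posted above; the RFC name is a placeholder.

```csharp
using System;
using System.Xml.Linq;

// Added example, not code from the thread or the adapter. Builds the binding
// configuration XML that a dynamic WCF-Custom send port reads from the message
// context, carrying the originating user's identity for impersonation.
public static class SapImpersonationBinding
{
    // Limit on WCF.BindingConfiguration for dynamic ports reported in this thread.
    public const int BindingConfigurationMaxLength = 256;

    // Assumed external identification type for a Windows domain account.
    public const string WindowsAccountType = "NT";

    public static string Build(string originatingWindowsAccount)
    {
        // Only accept DOMAIN\user. This value becomes the identity SAP acts as,
        // so it must come from an authenticated source (the WCF security context
        // or a field populated by SharePoint), never from free text in the body.
        if (string.IsNullOrEmpty(originatingWindowsAccount)
            || originatingWindowsAccount.IndexOf('\\') <= 0)
        {
            throw new ArgumentException("Expected DOMAIN\\user", "originatingWindowsAccount");
        }

        // XElement escapes attribute values, so a user name containing quotes or
        // angle brackets cannot smuggle additional binding attributes into the XML.
        // Attribute names are assumptions (camelCase of the binding properties).
        var binding = new XElement("binding",
            new XAttribute("name", "sapBinding"),
            new XAttribute("externalIdentificationType", WindowsAccountType),
            new XAttribute("externalIdentificationData", originatingWindowsAccount));

        string xml = binding.ToString(SaveOptions.DisableFormatting);
        if (xml.Length > BindingConfigurationMaxLength)
        {
            throw new InvalidOperationException(
                "Binding configuration is " + xml.Length + " characters; the dynamic port "
                + "limit reported for WCF.BindingConfiguration is " + BindingConfigurationMaxLength + ".");
        }
        return xml;
    }
}

// Expression shape in the orchestration (XLANG/s), where SapPort is a dynamic
// send port and SapRequest is the outbound message. Host ("saphost"), system
// number and client follow the connection string in this thread; Z_SUBMIT_DATA
// is a placeholder RFC name.
//
//   SapPort(Microsoft.XLANGs.BaseTypes.Address) = "sap://CLIENT=800;LANG=EN;@a/saphost/10";
//   SapPort(Microsoft.XLANGs.BaseTypes.TransportType) = "WCF-Custom";
//   SapRequest(WCF.BindingType) = "sapBinding";
//   SapRequest(WCF.BindingConfiguration) = SapImpersonationBinding.Build(originatingUser);
//   SapRequest(WCF.Action) = "http://Microsoft.LobServices.Sap/2007/03/Rfc/Z_SUBMIT_DATA";
```

    The connection itself is still authenticated with a technical account (WCF.UserName and WCF.Password set on the message, or an SSO affiliate application selected on the port's Credentials tab); SAP then switches to the user mapped from the external identification. That technical account can therefore act as any user it is permitted to map to, which is why its credentials belong in Enterprise SSO rather than in code or in the message, and why its SAP authorizations should be limited to the functions the integration actually calls.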
  • Thanks Oliver and Rohit for your suggestions.

    Unfortunately SNC is not an option as this is not currently setup in the SAP environment and their consultants didn't seem very keen on setting it up; they've just gone through the process of setting up the SPNegoLoginModule to give users SSO in their SAP Portal.

    Thanks for letting me know that the hotfix will work with dynamic ports ... I was confused as to why the adapter would work in the WCF Service Model (or Channel Model) scenario but not when used within BizTalk since the send port is using the same WCF adapter.

    For the moment, I'm thinking of using the approach outlined in this SAP article that basically retrieves the SAP Logon Ticket by making an HTTP request to the SAP Portal. However, I'd be curious to see how you could retrieve an SAP Logon Ticket for a different user than the system account - Oliver, if you are able to elaborate on that I'd love to hear how this can be accomplished.

    Also, do either of you have any thoughts on how the BTS SSO Affiliate Applications could be used in this scenario?

    Thanks again for your help.

    Mike

    Thursday, May 13, 2010 4:55 PM
  • Thanks for pointing that out Jeevitha - is there a character limit on the LogonTicket property when you use this hotfix outside of BizTalk i.e. hosted in a WCF service?
    Saturday, May 15, 2010 3:43 AM
  • The SAP adapter doesn't impose any explicit limit. The limits in that case will be the standard limits on binding properties imposed by WCF.
    This limit should be much larger than the size of a normal logon-ticket.

     

    Saturday, May 15, 2010 11:45 AM