Skip to main content
Version: 7.2402.x.x RR

SAP integration plug-ins

Introduction and overview

SAP's products use SAP SSO logon tickets for integration into an SSO space. nevisAuth is capable of issuing such tickets, so that SAP products can be integrated into a Nevis setup. SAP SSO logon tickets are built in the following way:

  • A preamble defines the version of the ticket (currently always "2") and the SAP code page number in which the ticket is encoded (see the property encoding).
  • A sequence of InfoUnits, values with numeric key identifiers. The properties of the AuthStateare transformed into such InfoUnits.
  • A final InfoUnit containing a PKCS7 compatible signature that signs the previous content of the ticket.
  • The resulting byte string is encoded in Base64. Then, a translation of some Base64 characters is performed.

Some SAP applications (in particular those running as native processes) do not support all possible character encodings. In such cases, error messages may be misleading. Usage of the encoding ISO8859-1 (ISO-LATIN-1) is encouraged as this seems to be supported by all SAP products.

SAPTicketIssuer

The SAPTicketIssuer AuthState may be used to issue an SAP SSO logon ticket for consumption by SAP products and compatible applications. The issued ticket may either be propagated to the client as a cookie (for pseudo-federated scenarios based on shared cookie domain spaces) or propagated to a backend application behind a nevisProxy instance using a DelegationFilter with CookieDelegation.

Description

The following table describes the characteristics of the AuthState.

TopicDescription
Classch.nevis.esauth.auth.states.sap.SAPTicketIssuer
LoggingSAP
Auditingnone
Markernone
Methodsprocess (all events)

Properties

  • userIdSource (string, ${request:userId})

    Source of the user ID to set for the issued SAP ticket.

  • applicationMappings (string, ${request|loginId|.+|portal:$0})

    Whitespace-separated list of user ID mapping of the form <application>:<ID> to be inserted in the ticket. This will be used by SAP services to retrieve local user IDs. SAP NetWeaver Portal CRM plays a special role here as its user management is based on UME and, typically, has distinct IDs.

  • ttl (duration in seconds, 8h)

    Time-to-live for issued ticket. Note that the validity period of SAP tokens is specified in hours and minutes. Therefore, no finer granularity than minutes is possible. The specification in seconds of this property will be converted to hours and minutes automatically.

  • encoding (string, "UTF-8")

    Encoding to use for the SAP token. Note that some SAP applications (in particular those running as native processes) do not support all encoding. In such cases, error messages may be misleading. Usage of the encoding "ISO8859-1 (ISO-LATIN-1)" is encouraged as this seems to be supported by all SAP products.

  • systemId (string, ${system:host})

    Identifier of issuing system (or issuer). This must match the key under which the issuer certificate was configured in the consuming service.

  • systemClient (string, "000")

    Identifier of client. See SAP documentation of SAP SSO logon tickets for more information. Default value is SAP's default and should be correct for most cases.

  • authScheme (string, "default")

    Authentication scheme associated with this ticket. See SAP documentation of SAP SSO logon tickets for more information. Default value is SAP's default and should be correct for most cases.

  • recipientClient (string, -)

    See SAP documentation of SAP SSO logon tickets for more information. Setting no value for this property should be correct for most cases.

  • recipientSID (string, -)

    See SAP documentation of SAP SSO logon tickets for more information. Setting no value for this property should be correct for most cases.

  • cachingAllowed (boolean, -)

    If resolving to true, this property enables the CachingAllowed flag in the issued ticket. See SAP documentation of SAP SSO logon tickets for more information.

  • keystoreref, keyobjectref (string, -)

    This property configures the key and certificate to use when signing the SAP ticket.

  • includeCertificate (boolean, false)

    When enabled, the signer's certificate is inserted into the issued SAP ticket.

  • setCookie (string, -)

    If set, this property must specify the value of the HTTP header "Set-Cookie". The cookie will be issued to the client by nevisAuth such that a cookie-based SSO federation with SAP applications is possible. This property is evaluated after the ticket has been issued, so the variables listed in the topics "Notes" and "Output" can be used (see further below). You can either set a custom value for this property or set it to true which will result in the following Set-Cookie header - as expected by SAP products:

    MYSAPSSO2=${outarg:sap.ticket}; Version=1; Path=/; Secure; HttpOnly; Max-Age=${notes:sap.ticket.maxAge}; Expires=${notes:sap.ticket.expires};

Input

none

Transitions

  • ok

    Ticket issued successfully.

Output

  • sap.ticket

    The SAP SSO logon ticket issued. Encoded in Base64 and with SAP's proprietary re-encoding applied.

Errors

none

Notes

  • sap.ticket.maxAge

    TTL of issued ticket in seconds, for use in the MaxAge directive of the HTTP header "Set-Cookie".

  • sap.ticket.expires

    Expiration date of ticket issued, formatted for use in the Expires directive of the HTTP header "Set-Cookie".

Example

<AuthState name="IssueSapTicket" final="false" class="ch.nevis.esauth.auth.states.sap.SAPTicketIssuer" >
<ResultCond name="ok" next="AuthDone"/>
<Response value="AUTH_ERROR">
<Gui name="AuthErrorDialog">
<GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}" value="${notes:lasterror}" />
</Gui>
</Response>
<property name="userIdSource" value="${notes:customSapUserId}" />
<property name="applicationMappings" value="portal:${notes:customSapPortalUserId}" />
<property name="encoding" value="ISO8859-1" />
<property name="keystoreref" value="SAPKeyStore" />
<property name="keyobjectref" value="Signer" />
</AuthState>