.Net is a development platform used for many desktop applications running on Windows. It supports web services, including the WS-* standards. .Net can also be used for developing server applications running on an application server.
Several options exist for single sign on from .Net using web services.
Single Sign on from a desktop application
SSO from a desktop application to a web service running on AS ABAP or AS Java can either be implemented using X.509 certificates or using SAML 1.1 Holder-of-Key.
Using X.509 for SSO
- Supported with AS ABAP 6.40 and later.
See the TechEd presentation SIM208 "SSO for SAP NetWeaver Leveraging X.509 Certificate Auto Enrollment in Microsoft Active Directory":
"Automatic enrollment of user certificates using Microsoft Active Directory provides a quick and simple way to issue X.509 certificates to users and to enable single sign-on using a public key infrastructure (PKI). User auto-enrollment minimizes the high cost of normal PKI deployments and reduces the total cost of ownership (TCO) by providing SSO for an SAP NetWeaver system landscape leveraging the resources of an existing Microsoft Active Directory infrastructure."
Using SAML Holder-of-Key for SSO
- Supported with AS ABAP 7.01 SP5 and AS ABAP 7.11 SP3.
SAML Holder-of-Key requires a Security Token Service (STS) that issues SAML 1.1 tokens accepted by SAP systems (see SAML). The WS consumer sends a request to the STS to issue a SAML assertion, typically using Windows integrated authentication to authenticate at the STS. The WS consumer then uses the SAML assertion to authenticate at the web service.
The book "Single Sign-on mit SAP" (http://sappress.de/2409) covers several scenarios for SSO between .Net and AS ABAP. Examples are:
1) Single Sign on from a .Net office application (Microsoft Excel) to AS ABAP 7.01 using Microsoft AD FS 2.0
2) Single Sign on from AS ABAP 7.01 to a .Net WCF service using Microsoft AD FS 2.0
3) Single Sign on from AS ABAP 7.01 to a .Net WCF service using assertions issued locally by an internal AS ABAP STS
- See also the hands-on session SIM264 at TechEd 2010.
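The two-step Holder-of-Key flow described above (request the assertion from the STS with Windows integrated authentication, then present it to the SAP web service) as an added example in C#; this is not code from the page or from SAP. It assumes .NET 4.5 with the built-in WIF classes, the AD FS 2.0 WS-Trust 1.3 "windowsmixed" endpoint, and hypothetical STS and AS ABAP URLs and service contract; the WS-Security details (signed parts, algorithm suite) must match the configuration of the actual SAP service.

```csharp
// Added example, not from the original page. Assumed: STS/SAP URLs, the
// IZSapService contract, and that the SAP-side WS-Security profile matches
// the WS2007FederationHttpBinding defaults.
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IZSapService          // hypothetical AS ABAP service contract
{
    [OperationContract]
    string GetMaterial(string materialNumber);
}

public static class SamlHokClient
{
    const string StsUrl = "https://adfs.example.com/adfs/services/trust/13/windowsmixed"; // assumed
    const string SapUrl = "https://sap.example.com/sap/bc/srt/rfc/sap/z_svc/100/z_svc/hok";  // assumed
    const string Saml11 = "urn:oasis:names:tc:SAML:1.0:assertion";

    // Step 1: WS-Trust RST to the STS. The caller's Windows credentials are the
    // message credential, so the user is authenticated at AD FS without a password prompt.
    static SecurityToken RequestAssertion()
    {
        var stsBinding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        stsBinding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        stsBinding.Security.Message.EstablishSecurityContext = false;

        var stsFactory = new WSTrustChannelFactory(stsBinding, new EndpointAddress(StsUrl));
        stsFactory.TrustVersion = TrustVersion.WSTrust13;

        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            AppliesTo = new EndpointReference(SapUrl), // audience restriction: the SAP service
            TokenType = Saml11,
            KeyType = KeyTypes.Symmetric             // symmetric proof key => Holder-of-Key
        };
        var channel = (WSTrustChannel)stsFactory.CreateChannel();
        return channel.Issue(rst);                   // assertion plus proof key
    }

    // Step 2: present the assertion to AS ABAP; WCF signs the message with the proof key,
    // which is what distinguishes Holder-of-Key from a bearer token.
    public static string CallSap(string material)
    {
        var sapBinding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
        sapBinding.Security.Message.IssuedTokenType = Saml11;
        sapBinding.Security.Message.IssuedKeyType = SecurityKeyType.SymmetricKey;
        sapBinding.Security.Message.EstablishSecurityContext = false;

        var factory = new ChannelFactory<IZSapService>(sapBinding, new EndpointAddress(SapUrl));
        factory.Credentials.SupportInteractive = false;
        IZSapService proxy = factory.CreateChannelWithIssuedToken(RequestAssertion());
        return proxy.GetMaterial(material);
    }
}
```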
Single Sign on from a server application
- SAML Sender-Vouches is supported with AS ABAP 7.00 (SP 15) and higher. Please ensure that the following SAP Notes have been applied:
- AS ABAP 7.00: SAP Note 1325457
- AS ABAP 7.10: SAP Note 1325457
In this scenario a (web) application running on a server makes a web service call. The application itself requires authentication, and it should call the web service using the authenticated user's identity. The solution is SAML Sender-Vouches authentication, but .Net 3.5 has no direct support for it because it lacks the SecurityTokenReference transform.
The workaround is a custom WCF behavior that is set on the client proxy.
The behavior is available through SDN Code Exchange at https://cw.sdn.sap.com/cw/groups/wcf-saml-sender-vouches-for-net