.Net is a development platform used for many of desktop applications running on Windows. It has support for web services as well as support for WS-*. .Net can also be used for developing server applications running on an application server.
Several options exist for single sign on from .Net using web services.
Single Sign on from a desktop application
SSO from a desktop application to a web service running on AS ABAP or AS Java can either be implemented using X.509 certificates or using SAML 1.1 Holder-of-Key.
Using X.509 for SSO
- Supported with AS ABAP 6.40 and later.
See Teched presentation SIM208 SSO for SAP NetWeaver Leveraging X.509 Certificate Auto Enrollment in Microsoft Active Directory
"Automatic enrollment of user certificates using Microsoft Active Directory provides a quick and simple way to issue X.509 certificates to users and to enable single sign-on using a public key infrastructure (PKI). User auto-enrollment minimizes the high cost of normal PKI deployments and reduces the total cost of ownership (TCO) by providing SSO for an SAP NetWeaver system landscape leveraging the resources of an existing Microsoft Active Directory infrastructure."
Using SAML Holder-of-Key for SSO
- Supported with AS ABAP 7.01 SP5, AS ABAP 7.11 SP3
SAML Holder-of-Key requires an security Token Service (STS) to issue a SAML 1.1 tokens accepted by SAP systems (see SAML). A WS consumer sends a requets to issue a SAML assertion to the STS, typically using Windows integrated authentication for authentication at the STS. The ws consumer then uses the SAML assertion for authentication.
The book "Single Sign-on mit SAP" (http://sappress.de/2409) covers several scenarions for SSO between .Net and AS ABAP. Examples are:
1) Single Sign on from a .Net office application (Microsoft Excel) to AS ABAP 7.01 using Microsoft AD FS 2.0
2) Single Sign on from AS ABAP 7.01 to an .Net WCF service using Microsoft AD FS 2.0
3) Single Sign on from AS ABAP 7.01 to an .Net WCF service using assertions issued locally by an internal AS ABAP STS
Further information:
1) Handon SIM264 on Teched 2010
Single Sign on from a server application
- SAML Sender-vouches is supported with releases AS ABAP 7.00 (SP 15) and higher. Please ensure the following SAP notes have been applied:
- AS ABAP 7.00: SAP Note 1325457
- AS ABAP 7.10: SAP Note 1325457
In this scenario a (web) application running on a server makes a ws call. The application requires authentication and the application should call the ws using the authenticated users identity. Solution for this is to use SAML Sender-Vouches authentication, but .Net 3.5 has no direct support for SAML Sender-Vouches authentication, as it is lacking the SecurityTokenReference transform.
Workaround to this is using a custom behavior, and setting this on the proxy:
/* instantiate ws proxy */ MyWS client = new ... // set behaviour client.Endpoint.Behaviors.Add(new SamlSVBehavior());
The beaviour is available through SDN Code Exchange at https://cw.sdn.sap.com/cw/groups/wcf-saml-sender-vouches-for-net
5 Comments
Kenneth Moore
How about SAP Logon Ticket?
Mathias Essenpreis
SAP recommends to use SAML as this is the more interoperable and more secure format.
Unknown User (k3ozegn)
Hi,
I would like to confirm the system requirements for SSO using the SAML Sender-Vouches configuration. I initially found the SIM 207 presentation which states that the Sender-Vouches scenario is supported on ABAP 7.00 SP14 and higher. However this article states that SP15 and SAP Note 1325457 is required. Which is correct?
Thanks,
Rhys.
Steven Tilashalski
It would nice if someone updated this to include OAuth options.
Mathias Essenpreis
Hi Steven,
please note that OAuth is only implemented and specified for OData/REST services. OAuth is not implemented for SOAP services in AS ABAP 7.xx this WIKI is about.
SAML to the contrary is a wide concept that is constantly being applied to all kinds of use cases. There are bindings for browser based SSO, for SOAP service SSO and for OData Services in conjunction with OAuth 2.0.
Mathias