148 Sun ONE Identity Server Policy Agents 2.1 • Web Policy Agents Guide • April 2005
Sun ONE Identity Server, together with Sun ONE Identity Server Policy Agent,
provides integration between SAP applications and non-SAP applications through
the SAP Pluggable Authentication Service (PAS).
Architecture Details
SSO is achieved through the use of PAS, which is provided by SAP. PAS supports
several types of external authentication methods, including X.509 certificates,
NTLM, NTPassword, LDAP, HTTP and dynamic link libraries (DLL). The SSO solution
described here, using Sun ONE Identity Server, uses the DLL method for external
authentication. In this scenario SSO is provided by a partner-specific library: a
shared library developed with SAP's SDK for PAS. The SDK exposes four functions
and provides an interface to the ITS system without requiring any knowledge of
the XGateway interface of ITS itself.
The process flow in the SSO environment is as follows:
1. A user issues an HTTP request to a SAP service named sapdll.
2. The request is intercepted by the policy agent. Since there is no valid
SSOToken in the request, the user is redirected to Sun ONE Identity Server for
authentication.
3. Upon successful authentication, the user is granted access to the sapdll
service. This service is the PAS dynamic link library, which communicates with
Sun ONE Identity Server and verifies that the SSOToken presented in the request
is valid.
4. The PAS dynamic link library then sets the ITS ~login parameter to the SAP
user name to which the user who authenticated with Sun ONE Identity Server is
mapped in the SAP system.
5. PAS then issues a SAP logon ticket for the user, which is set in the user’s
browser.
6. PAS reroutes the user to the requested service (such as Webgui).
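The six-step flow above, modelled end to end in Python as an added example; this is not code from the guide, from Sun or from SAP. The cookie names (iPlanetDirectoryPro for the SSOToken, MYSAPSSO2 for the SAP logon ticket), the URLs, the session table standing in for the Identity Server session service, the DN-to-SAP-user mapping and the HMAC-based ticket are all constructed assumptions: a real PAS library validates the token by calling Identity Server, and the SAP system signs its own logon tickets. What the model makes explicit is that neither the policy agent nor the PAS library trusts the mere presence of the SSOToken cookie (each validates it), and that a user with a valid Identity Server session but no mapping in the SAP system is refused rather than issued a ticket.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import quote

# Assumed names and URLs; none of these are taken from the guide.
IS_LOGIN_URL = "https://is.example.com/amserver/UI/Login"       # Identity Server login
SSO_COOKIE = "iPlanetDirectoryPro"                               # SSOToken cookie
TICKET_COOKIE = "MYSAPSSO2"                                      # SAP logon-ticket cookie
WEBGUI_URL = "https://its.example.com/scripts/wgate/webgui/!"    # requested service (step 6)
SAPDLL_URL = "https://its-admin.example.com/scripts/wgate/sapdll/!"
TICKET_KEY = secrets.token_bytes(32)   # constructed signing key for the simulated ticket

# Constructed stand-in for the Identity Server session service: live tokens -> principal.
VALID_SSO_TOKENS = {
    "AQIC5wM2LY4SfczVALIDTOKEN": "uid=jdoe,ou=People,dc=example,dc=com",
    "AQIC5wM2LY4SfczUNMAPPED": "uid=guest,ou=People,dc=example,dc=com",
}
# Constructed principal -> SAP user mapping (step 4: "mapped in the SAP system").
SAP_USER_MAP = {"uid=jdoe,ou=People,dc=example,dc=com": "JDOE"}


@dataclass
class Request:
    url: str
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    its_params: dict = field(default_factory=dict)   # ITS parameters such as ~login


def validate_sso_token(token):
    """Ask Identity Server whether the token is a live session (simulated here
    by a dictionary). The cookie value on its own proves nothing."""
    return VALID_SSO_TOKENS.get(token)


def policy_agent(req, service):
    """Step 2: the agent intercepts the request. Without a valid SSOToken it
    redirects to Identity Server, carrying the original URL as goto."""
    if validate_sso_token(req.cookies.get(SSO_COOKIE, "")) is None:
        return Response(302, {"Location": f"{IS_LOGIN_URL}?goto={quote(req.url, safe='')}"})
    return service(req)


def issue_logon_ticket(sap_user):
    """Step 5, simulated: an HMAC-protected ticket binding the SAP user name."""
    nonce = secrets.token_hex(8)
    mac = hmac.new(TICKET_KEY, f"{sap_user}|{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{sap_user}|{nonce}|{mac}"


def verify_logon_ticket(ticket):
    """Return the SAP user named in a ticket, or None if the MAC does not verify."""
    user, nonce, mac = ticket.split("|")
    expected = hmac.new(TICKET_KEY, f"{user}|{nonce}".encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(mac, expected) else None


def sapdll_service(req):
    """Steps 3 to 6: the PAS library re-validates the SSOToken itself, maps the
    principal to a SAP user, sets ~login, issues the logon ticket and reroutes
    the browser to the requested service."""
    principal = validate_sso_token(req.cookies.get(SSO_COOKIE, ""))
    if principal is None:
        return Response(401)                      # the agent should have stopped this
    sap_user = SAP_USER_MAP.get(principal)
    if sap_user is None:
        return Response(403)                      # authenticated, but no SAP identity: no ticket
    ticket = issue_logon_ticket(sap_user)
    return Response(
        302,
        {"Location": WEBGUI_URL,
         "Set-Cookie": f"{TICKET_COOKIE}={ticket}; Secure; HttpOnly"},
        {"~login": sap_user},
    )


def sso_flow(cookies):
    """Run one browser request to the sapdll service through the whole chain."""
    return policy_agent(Request(SAPDLL_URL, cookies), sapdll_service)


def ticket_from_response(resp):
    """Pull the logon ticket out of the Set-Cookie header of a step-5 response."""
    return resp.headers["Set-Cookie"].split("=", 1)[1].split(";")[0]
```

Running `sso_flow({})` or `sso_flow({SSO_COOKIE: "forged"})` yields the step-2 redirect to Identity Server; only a token the session service recognises reaches `sapdll_service`, and only a mapped principal gets `~login` and a ticket.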
Prerequisites
The following steps are prerequisites for the SSO scenario to work properly:
• Install and configure two ITS instances. The first instance is the regular ITS
which hosts the Webgui service, and the second instance is the ITS
administration which hosts the PAS service.