Single Sign On with External ID implemented in Ruby

In my Blog Setup data encryption between RFC Client and Web AS ABAP with SNC I showed how SNC can be setup for RFC Connections. Here’s the promised use: Single Sign On with External ID implemented in Ruby. This is possible with the Function Module SUSR_CHECK_LOGON_DATA.

SUSR_CHECK_LOGON_DATA is able to return a SAP SSO2 Ticket for an external ID when the RFC Call is encrypted by SNC. Due to the great support from Piers Harding the Ruby connector to SAP (saprfc) since Version 0.30 supports Strings. This made it possible to use the connector with SUSR_CHECK_LOGON_DATA which returns the Ticket in a String type export variable.

Preparation: Map External ID to SAP User

Before we start implementing the client a Mapping between an External ID and a SAP User has to be maintained. This is done in Transaction SM30 with the View VUSREXTID. I’ve used an External ID of type NT which is a Domain User consisting of domainuser in my example

Don’t forget to activate the User:

Proof of concept

As the Ruby connector is based on the RFC SDK it also supports SNC. So we have to setup the system exactly as I’ve described in my Blog Setup data encryption between RFC Client and Web AS ABAP with SNC. Done that we can implement a proof of concept script for the command line:

require "lib/SAP/Rfc"   
SAP::Rfc.useCache = false
# Establish first connection using a X.509 Certificate 
rfc = SAP::Rfc.new(
  :ashost   => "zappod.csw.local", 
  :sysnr    => 00, 
  :lang     => "EN", 
  :client   => "800", 
  :x509cert => "Base64 Encoded Certificate in one line", 
  :snc_mode   => 1, 
  :snc_qop    => 3, 
  :snc_myname => "p:CN=RFC, OU=IT, O=CSW, C=DE", 
  :snc_partnername => "p:CN=IDS, OU=IT, O=CSW, C=DE", 
  :snc_lib => "/usr/sap/IDS/SYS/exe/run/libsapcrypto.so", 
  :trace => 0
)   
# get the connection ID 
puts "Connection id: " + rfc.connection.to_s   
# test the connection 
puts "Are we connected: " + rfc.is_connected().to_s   
# look up the interface definition for SUSR_CHECK_LOGON_DATA 
irep = rfc.discover("SUSR_CHECK_LOGON_DATA") 
# Set the Import Parameters required for external authentication 
irep.AUTH_METHOD.value = "E"
irep.AUTH_DATA.value   = 'SITECO\G.WOLF' 
irep.EXTID_TYPE.value  = "NT" 
rfc.call(irep)   
# What User have we logged in to? 
puts "USER_ID: " + irep.USER_ID.value.to_s   
# Establish a second connection with Ticked from "SUSR_CHECK_LOGON_DATA" 
call ticket = irep.TICKET.value.to_s 
rfc2 = SAP::Rfc.new(
  :ashost => "zappod.csw.local", 
  :sysnr => 00, 
  :lang => "EN", 
  :client => "800", 
  :mysapsso2 => ticket, 
  :trace => 1 
) 
# get the connection ID 
puts "Connection id: " + rfc2.connection.to_s   
# test the connection 
puts "Are we connected: " + rfc2.is_connected().to_s   
# Get the interface of function module created for the Blog 
# Authenticate from PHP to a Web Service using X.509 Certificates 
# Authenticate from PHP to a Web Service using X.509 Certificates 
irep = rfc2.discover("Z_HELLO") 
irep.NAME.value = "Gregor" 
rfc2.call(irep) 
puts "GREETING: " + irep.GREETING.value.to_s   
# close connection 2
#
print "close connection 2: ", 
rfc2.close(), "
"   
# close connection 1 
print "close connection 1: ", 
rfc.close(), 
"

I call this script from the command line and got the following result:

/usr/local/src/saprfc-0.30# ruby test/ext-logon.rb 
Connection id: 1 
Are we connected: true USER_ID: G.WOLF 
Connection id: 2 
Are we connected: true GREETING: Hello Gregor , you are logged in as G.WOLF 
close connection 2: 1 
close connection 1: 1

We see that it’s possible! In the next step we create a Ruby on Rails Application which runs on Apache Web Server. Apache will handle the Authentication i.e. via NTLM, Kerberos, LDAP or any other supported Authentication module. The Rails Application get’s the ID of the user and forwards it to SUSR_CHECK_LOGON_DATA for authentication. A Ticket is retrieved and this can be set as a Cookie. With that Cookie the User can also access BSP Applications, the SAP Enterprise Portal or BW Web Reports. To be continued.