(Link to the article “Using OpenID with SAP NetWeaver”)

You may have noticed that an increasing number of web sites these days are adopting a new technology for Single Sign-On (SSO) called OpenID. You can sign on with a simple URL-like identifier instead of remembering a username and password for each and every site, thus relieving you from pasting stickies with password hints all over your computer monitor. You may already have an OpenID if you are a user of services like Yahoo, Technorati or LiveJournal. If not, you can get one like mine for free at MyOpenID, ClaimID or any other OpenID Provider.

Figure 1: OpenID Overview

So the other day I was wondering what it would take to implement OpenID as an authentication mechanism for internal or Internet-facing portals running on SAP NetWeaver. After doing some research on the Internet, I discovered that most proposed solutions for OpenID-enabling a site follow a CGI- or Servlet-based approach to handle the communication between the web site and the OpenID Provider, based on the OpenID protocol defined in the OpenID specifications.

Figure 2: OpenID-enabled login at AOL’s Developer Network Site

In the SAP NetWeaver Application Server Java, authentication is performed in a pluggable fashion by login modules based on the Java Authentication and Authorization Service (JAAS). This permits applications to remain independent from underlying authentication technologies and new technologies like OpenID can be plugged in without requiring modifications to the application itself.

So I got my hands dirty and started with an implementation of an OpenID Login Module. The result of this exciting exercise can be downloaded here. Along with the code, I’ve written an article that introduces OpenID in more detail and explains the architecture of the solution and how to deploy it in your SAP NetWeaver system landscape. Please note that this is still a proof-of-concept and not a production-level piece of software.
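
As an added illustration (not the code from the archive above, and not SAP's): a JAAS login module of the kind described, reduced to the step where the relying party checks the signature on an OpenID 2.0 positive assertion. It is written for Java 8 or later; the class name, the shared-state keys `openid.params` and `openid.mac_key`, and the use of an HMAC-SHA256 association are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
// Added illustration, not the article's module. Shared-state key names are hypothetical.
public class OpenIdAssertionLoginModule implements LoginModule {
    private Subject subject;
    private Map<String, ?> shared;
    private Principal principal;
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> st, Map<String, ?> opts) {
        subject = s; shared = st;
    }

    @SuppressWarnings("unchecked")
    public boolean login() throws LoginException {
        Map<String, String> p = (Map<String, String>) shared.get("openid.params"); // response parameters
        byte[] macKey = (byte[]) shared.get("openid.mac_key");                     // association secret
        if (p == null || macKey == null) return false;   // not an OpenID logon: ignore this module
        if (!"id_res".equals(p.get("openid.mode"))) throw new LoginException("not a positive assertion");
        List<String> signed = Arrays.asList(p.getOrDefault("openid.signed", "").split(","));
        // These fields must be covered by the signature; claimed_id/identity because a user is logged in.
        for (String f : new String[] {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"})
            if (!signed.contains(f)) throw new LoginException("field not signed: " + f);
        StringBuilder kv = new StringBuilder();          // key-value form: "name:value\n" per signed field
        for (String f : signed) {
            String v = p.get("openid." + f);
            if (v == null) throw new LoginException("signed field missing: " + f);
            kv.append(f).append(':').append(v).append('\n');
        }
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(macKey, "HmacSHA256"));
            byte[] expected = mac.doFinal(kv.toString().getBytes(StandardCharsets.UTF_8));
            byte[] sent = Base64.getDecoder().decode(p.getOrDefault("openid.sig", ""));
            if (!MessageDigest.isEqual(expected, sent)) throw new LoginException("signature mismatch");
        } catch (NoSuchAlgorithmException | InvalidKeyException | IllegalArgumentException e) {
            throw new LoginException("cannot verify signature: " + e.getMessage());
        }
        final String id = p.get("openid.claimed_id");
        principal = () -> id;                            // Principal.getName() returns the claimed identifier
        return true;
    }
    public boolean commit() { return principal != null && subject.getPrincipals().add(principal); }
    public boolean abort() { principal = null; return true; }
    public boolean logout() { if (principal != null) subject.getPrincipals().remove(principal); principal = null; return true; }
}
```

A valid signature alone is not sufficient: the relying party must also compare `return_to` with the URL it issued, reject reused `response_nonce` values, and confirm through discovery that the provider is authoritative for the claimed identifier.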

Figure 3: OpenID-enabled logon page in SAP NetWeaver

I hope this blog and my proposed solution will start a lively discussion around OpenID-support in SAP NetWeaver and I am very interested in your feedback.

  • Link to the Article “Using OpenID with SAP NetWeaver”
  • Code Archive with the OpenID Login Module
19 Comments

  1. Richard Hirsch
    I saw the article yesterday and was discussing it on twitter with a few others who were also interested in OpenID and NetWeaver.  The topic is definitely interesting, especially for those corporations with external facing portals.

    Looking forward to other articles discussing some of the open issues that are described in the last few pages of the article.

    Dick

    (0) 
  2. Darren Hague
    Martin,

    That’s a really good article & code. I wish I’d noticed it being published on SDN – I started writing my own OpenId login module just a week or so ago, based on the OpenId4Java libraries, and then Richard alerted me to your article on Twitter yesterday. I guess I can stop debugging my code now… 🙂

    You may find that using the OpenId4Java libraries satisfies some of the points you addressed in the bullet points at the end of your article.

    Well done,
    Darren

    (0) 
    1. Martin Raepple Post author
      Hi Darren,

      thanks for your feedback!

      I actually tested the OpenID4Java and the JOID libraries in the beginning of the project. A common issue in both libraries for me has been the missing option to set an HTTP Proxy for the direct communication with the OpenID Provider which is required if the portal is behind a firewall. Therefore I found it helpful to use SAP’s HttpClient library in my implementation.

      Another issue with JOID was that it is not possible to deploy the library along with the login module on SAP NetWeaver AS Java without modifying the tsik.jar file in the default distribution. I could only fix the problem by removing the “Main-Class” attribute from the MANIFEST.MF file in the tsik.jar file.

      In the end I found it easier to implement the OpenID 2.0 spec messages for the relying party on my own instead of using a modified version of the open source libraries. I’ll report these issues on the two projects.

      Thanks again and best regards
      Martin

      (0) 
      1. Darren Hague
        Hi Martin,

        The SampleConsumer code from OpenId4Java that I’m using as the basis for my module (openid4java 0.9.3) has the following code:
                    // --- Forward proxy setup (only if needed) ---
                    // ProxyProperties proxyProps = new ProxyProperties();
                    // proxyProps.setProxyName("proxy.example.com");
                    // proxyProps.setProxyPort(8080);
                    // HttpClientFactory.setProxyProperties(proxyProps);

        So it looks like you may now be able to use a proxy server with openid4java. My current problem with openid4java is a strange URI-related problem which appears to be related to the underlying XML parser.

        Best regards,
        Darren

        (0) 
  3. Tulsan Mady
    Hi Martin,
    For some reason the PDFs are not readable. I’ve tried it with many PDF-opening programs and it looks like the documents are corrupted. Could you please check?

    Thanks,
    KK.

    (0) 
  4. Dagfinn Parnas
    Thank you.

    Would love to see this as a standard feature of SAP NetWeaver.

    Regards
    Dagfinn

    (0) 
  5. Yatin Bhatt
    Hi Guys,

    I am very much impressed with the integration. But considering another side of the internet, opening your SAP system to the internet may include many corporate employees as well as public personalities, and 90% of them can be caught by OpenID scams very easily.

    How does that impact the corporate data accessed by those people if OpenIDs are captured?

    Another point is, when users of SAP systems implementing OpenID modules need to be authenticated across the landscapes, how secure is the interface communicating with the OpenID sites verifying the user identity?

    Just thoughts; will put more as I come across them.

    Thanks
    Yatin

    (0) 
  6. Rohit Channazhi
    That’s just plain awesome. I am delighted to note that SAP now entertains and attempts to embrace Web 2.0 more than ever.
    OpenID is the strongest move towards single sign-on, and if SAP supports such a cause, there is nothing more significant.
    (0) 
  7. Rajeev Das
    Hi Martin,

    Indeed a good post. It would be quite good to have it integrated with SAP systems in the landscape, since many clients are using portals.

    I’m unable to open your pdf document, I’m afraid.

    Regards,
    Rajeev

    (0) 
  8. Frederic Ahring
    Thanks for this great work!

    I’ve been using OpenID for my personal diary since the day it came out and thought about integration with SAP. Now you have done it – great 🙂

    Just a question, since I only know the original spec, not the current one, have the security issues been taken care of?

    (0) 
  9. Karan Singh
    Hi Martin,
    I hope you are doing great. I have one doubt about OpenID. Can it be used when the SAP portal is not on the internet? And if yes, what are the choices of identity provider?

    Warm Regards,
    Karan

    (0) 
    1. Martin Raepple Post author
      Hi Karan,

      you should be able to use the OpenID solution I’ve developed as part of the article/blog even if your SAP Portal is located in your intranet. Then you have two choices:
      a) If you have a connection to the Internet via your firewall/HTTP proxy from your Portal, just use the login module options as mentioned in the article to configure the host and port of your HTTP proxy. The login module will then send any direct requests to the OpenID Identity Provider on the Internet via this proxy.
      b) If you don’t have a connection to the Internet, then you basically have to set up your own internal OpenID Identity Provider. There are some Open Source solutions out there that can be used to run your own provider. One of them is phpMyID (http://siege.org/projects/phpMyID/), which implements a very lightweight provider that seems to be easily configurable (I haven’t tested it yet). If you want to invest a little bit more in your solution, take a look at one of the OpenID programming libraries at http://wiki.openid.net/Libraries. Most of them include the APIs required to implement the Identity Provider functionality and also include samples that show how this is done for your own standalone provider.

      HTH & best regards
      Martin

      (0) 
  10. Jansen Low
    Hi Martin,

    Thank you for your great article!

    Just to check if the implementation is also applicable to ERP2005. (Web AS 7.0)

    I was looking through the examples and found the directory structure of my version somewhat different from yours. My NWDS was not able to import a WAR file. Are there any plug-ins or SCs that I need to patch? Thank you.

    Best Regards,
    Jansen

    (0) 
    1. Martin Raepple Post author
      Hi Jansen,

      I’ve implemented the solution with SAP NetWeaver Developer Studio 7.1 and deployed it on the AS Java 7.1. Development of JAAS-based login modules in 7.1 is slightly different to 7.0 due to a different deployment configuration. So I’d expect that you cannot run the code as provided in the code archive on AS Java 7.0.

      However, migrating the code to 7.0 shouldn’t be that complicated because the APIs used in the solution haven’t changed much. The major difference is the way login modules are deployed in 7.0: Instead of creating an EAR file with the LoginModuleConfiguration.xml file described in the article for 7.1, one would have to create a Library project in NWDS 7.0 that contains the login module JAR file which is deployed on AS 7.0.
      I also plan to migrate and test the code to 7.0 but won’t be able to do so before TechEd in September.

      Best regards
      Martin

      (0) 
      1. Joris van de Vis
        Hi Martin,

        Great feature you’ve created. Did you already find some time to port the development to the AS-Java 7.0? Or still recovering from TechEd? 😉

        Best Regards,

        Joris.

        (0) 
        1. Martin Raepple Post author
          Hi Joris,

          actually I am already in preparation mode for TechEd Berlin! I’ll give a session at community day in Berlin on the OpenID login module. So if you are at TechEd next week, please join us! We are discussing the 7.0 downport internally but haven’t started yet. Maybe I’ll find some volunteers in my session who could help me …!

          Best regards
          Martin

          (0) 
  11. Ana Caorsi

    Hi Martin.

    Is this solution still possible with the new ERP versions? We want to connect our clients to SAP using OpenID as the main identity propagation method.

    Thanks,

    Ana

    (0) 
