h3. Summary:
The SAP Web Application Server Java supports the use of header variables for Single Sign-On. This means that you can use an external product, called a Web Access Management (WAM) product (for example Juniper), to authenticate your users. The WAM product returns an authenticated user ID as part of the HTTP header. Users only have to authenticate once against the external product and can then access applications on the Web AS Java, such as the portal, with Single Sign-On.
h3. About Juniper:
Juniper Networks delivers a host of application acceleration and security solutions that accelerate SAP performance over the WAN, improve SAP response times for remote users, provide anytime, anywhere access, and give complete visibility into SAP performance on the network. Below are the key areas where Juniper significantly enhances the SAP environment:
1. Accelerating performance over the WAN
2. Improving response times for remote and mobile users
3. Providing secure anytime, anywhere access
4. Ensuring operational continuity in downtime situations
5. Delivering complete visibility into SAP performance on the network
Juniper received the SAP certification on 08/29/2007. You can get more information about Juniper Networks and their products at this link: [http://www.juniper.net/us/en/ | http://www.juniper.net/us/en/]
h2. Juniper Configuration:
You have to configure the following parameters in the Juniper Web Access Management tool.
1. Website URL: http://<hostname>:<port>/irj/portal (provide your Portal URL)
2. Header variable name: REMOTE_USER
3. Header variable value: userid (you have to pass this parameter to the Portal so that it receives the user ID entered by the user)
You need to enable Auto Policy: Web Access Control and add the URLs like below:
[http://hostname:80/ | http://hostname/]* – Allow
[http://hostname:443/ | http://hostname:443/]* – Allow
[http://hostname/irj/portal/ | http://hostname/irj/portal/]* – Allow
h2. Portal Configuration:
h3. Using Header Variables for User Authentication:
As explained earlier, in our case we are using Juniper (an external web access management tool) for authenticating the users against LDAP. Juniper returns an authenticated user ID as part of the HTTP header. Users only have to authenticate once against Juniper and can then access Portal applications.
h3. How Juniper – Portal SSO works:
The Web AS Java provides a login module called HeaderVariableLoginModule that reads a user ID from the HTTP header variable and then uses this user ID to authenticate the user.
1. Juniper authenticates the user and returns an authenticated user ID to the Web AS Java as part of the HTTP header.
2. The Web AS Java compares this returned user ID against the LDAP data sources and grants the user access to the Portal upon finding a match. The user must exist in the UME user data sources.
h3. Prerequisites
1. To use Juniper with the header variable login module for authentication, you must have an external Web server in front of the SAP Web AS Java. All requests must pass through the external Web server. For more information on using SSL with an intermediary server, see the SAP Help page below:
[http://help.sap.com/saphelp_nw70ehp1/helpdata/en/23/871e3e3986f701e10000000a114084/frameset.htm | http://help.sap.com/saphelp_nw70ehp1/helpdata/en/23/871e3e3986f701e10000000a114084/frameset.htm]
2. The user ID that Juniper returns in the HTTP header must exist in the user management data sources.
h3. Security Measures
If appropriate security measures are not taken, authentication using header variables can allow attackers to impersonate a user by sending a request with a user ID in the appropriate header variable to the SAP Web Application Server.
h5. To prevent this, you should do the following:
1. Using appropriate measures, make sure that the HTTP and HTTPS ports of the Web AS Java or portal cannot be directly accessed by client browsers, for example by using firewalls.
[http://help.sap.com/saphelp_nw70/helpdata/EN/0a/0a2e1bef6211d3a6510000e835363f/frameset.htm | http://help.sap.com/saphelp_nw70/helpdata/EN/0a/0a2e1bef6211d3a6510000e835363f/frameset.htm]
2. The Web AS should only be accessed through the load balancer. This prevents attackers from bypassing the load balancer and impersonating authenticated users.
*Using an Intermediary Server to Connect to the AS Java:*
[http://help.sap.com/saphelp_nw70/helpdata/EN/b5/814d28e7b16d418917ca08b85a9921/frameset.htm | http://help.sap.com/saphelp_nw70/helpdata/EN/b5/814d28e7b16d418917ca08b85a9921/frameset.htm]
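The following is an added example (not SAP or Juniper code) that models the two points above: how the header variable login module decides access (read the user ID from REMOTE_USER, accept it only if the user exists in UME) and why the Web AS must not be reachable except through the intermediary. The UME user list, the trusted intermediary address and the request samples are constructed; the `Request`, `guarded_login` and `wam_forward` names are illustrative.

```python
"""Model of the trust decision behind header-variable SSO.

Constructed example, not SAP or Juniper code. The login module reads a
user ID from the REMOTE_USER header and accepts it only if the user
exists in the UME data sources. The hardened variant adds the network
control the page requires: the header is honoured only when the request
arrived from the trusted intermediary, so a client that can reach the
Web AS directly cannot choose its own identity.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed UME user store: user IDs present in the LDAP data source.
UME_USERS = {"jsmith", "adoe"}

# Constructed: address of the Juniper / load balancer host that is allowed
# to set REMOTE_USER. Anything else is treated as a direct client.
TRUSTED_INTERMEDIARIES = {"10.0.0.5"}

# Default value of the login module's "Header" option.
HEADER_NAME = "REMOTE_USER"


@dataclass
class Request:
    """Minimal HTTP request: source address plus headers (hypothetical type)."""
    remote_addr: str
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        # HTTP header names are case-insensitive.
        for key, value in self.headers.items():
            if key.upper() == name.upper():
                return value
        return None


def header_variable_login(req: Request, header: str = HEADER_NAME) -> Optional[str]:
    """What the login module alone does: trust the header, check the user exists."""
    user = req.header(header)
    if user is not None and user in UME_USERS:
        return user
    return None


def guarded_login(req: Request, header: str = HEADER_NAME) -> Optional[str]:
    """Login module plus the page's security measure: header only from the intermediary."""
    if req.remote_addr not in TRUSTED_INTERMEDIARIES:
        return None
    return header_variable_login(req, header)


def wam_forward(client_req: Request, authenticated_user: str,
                proxy_addr: str = "10.0.0.5") -> Request:
    """Model of the WAM product: drop any client-supplied REMOTE_USER, set the
    ID it authenticated itself, and forward from the proxy address."""
    headers = {k: v for k, v in client_req.headers.items()
               if k.upper() != HEADER_NAME}
    headers[HEADER_NAME] = authenticated_user
    return Request(remote_addr=proxy_addr, headers=headers)


def demo() -> Dict[str, Optional[str]]:
    """Run the scenarios; returns the user each path accepts (None = rejected)."""
    # Constructed: a client reaches the Web AS directly and names a user itself.
    direct = Request("203.0.113.9", {"REMOTE_USER": "jsmith"})
    # Constructed: the same client goes through the WAM, which authenticated it as adoe.
    via_wam = wam_forward(direct, "adoe")
    # Constructed: the WAM authenticated an ID that does not exist in UME.
    unknown = wam_forward(direct, "nobody")
    return {
        "direct_unguarded": header_variable_login(direct),  # "jsmith": impersonation
        "direct_guarded": guarded_login(direct),            # None: blocked
        "via_wam_guarded": guarded_login(via_wam),          # "adoe": SSO works
        "unknown_user": guarded_login(unknown),             # None: not in UME
    }


if __name__ == "__main__":
    for scenario, user in demo().items():
        print(f"{scenario}: {user}")
```

The `direct_unguarded` row is the impersonation the page warns about; the firewall or load-balancer restriction is what `guarded_login` stands in for, and the WAM's header stripping in `wam_forward` is why a client-supplied REMOTE_USER never reaches the Web AS.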
h3. Add Header variable Login Module:
When a user is authenticated on the SAP Web Application Server Java, the server processes the stack of login modules that apply to the application that the user accesses.
The header variable login module is not automatically included with the default login module stacks. Therefore, if you wish to use header variables for authentication, you must adjust the login module stacks for those applications that will use header variables to authenticate a user. The login module HeaderVariableLoginModule exists in the active user store.
(To check whether it exists, in the Security Provider service choose Runtime -> Policy Configurations, select any component in the component list, and choose the Add New button to add a new login module to the login module stack. A list of all available login modules appears.)
If it does not exist, then make it available as follows:
a. In the Visual Administrator, choose Security Provider.
b. Choose the User Management tab and choose Manage Security Stores.
The currently active user store and the login modules for that user store are displayed.
c. Choose Add Login Module.
A dialog box prompting you to choose an editor for the login module option appears.
d. Choose OK. A dialog box prompting you to add a login module appears.
e. Fill in the fields as follows:
Choose OK. The HeaderVariableLoginModule now appears in the list of login modules for the active user store.
h3. Configure Header Variable Login module:
Add the HeaderVariableLoginModule to the appropriate login module stack or template and configure the options as follows:
1. In the Visual Administrator, choose Security Provider.
2. Choose Policy Configurations -> select ticket ->Authentication.
3. For each template or application that is to support header variable authentication:
a. Add the login module HeaderVariableLoginModule to the login module stack.
See below for the position in the login module stack at which to add the module.
b. Set the option Header to the name of the header variable that contains the user ID.
The default value is REMOTE_USER.
See the SAP Help website for more information about adjusting the login module stack for header variable authentication:
[http://help.sap.com/saphelp_nw70/helpdata/EN/68/5ddc40132a8531e10000000a1550b0/frameset.htm | http://help.sap.com/saphelp_nw70/helpdata/EN/68/5ddc40132a8531e10000000a1550b0/frameset.htm]
h4. Login Module Stack with Header Variable Authentication: