
Gartner just recently published the following report

http://www.gartner.com/newsroom/id/2326015

By the end of 2015, 50 percent of new retail customer identities will be based on social network identities, up from less than 5 percent today, according to Gartner, Inc. Along with federation technologies and mobile computing, social identity adoption will have a major impact on the practice of identity and access management (IAM) in 2013 and beyond.

Wow! from 5% to 50% in 2 years!!

What are we doing about this?


As a consumer, I now prefer mobile / web sites that offer “delegated authentication” using social media.

It just makes my experience so easy. It just makes sense. Why can’t we do this in SAP?

I went searching (as I always do) for a quick solution that will enable me to logon to SAP (at least the NW Portal) using my identity say in Facebook. Unfortunately, I couldn’t seem to find one.

And so, with my craving for problem solving (and my "can't let go until it's answered" attitude), this weekend was productive: I spent a couple of hours at night working on the solution.

Anyway, enough of me. Here’s my solution to the question:

How do I single-signon to SAP NW Portal using my Facebook account?


1. I’m new to Facebook development, so searching for “Facebook in website” taught me that FB uses OAuth. Searching for the keywords OAuth, Facebook and Java led me to postings by very clever people. That sorted out my questions about Facebook’s mechanism for delegated authentication.

2. The next step is to enable fetching of the needed authentication data (tokens, user ID, name, etc.) from Facebook. Facebook offers very good instructions on becoming a developer and on creating a simple application. True to its claims, it took me less than 5 minutes to create my own application in FB. An important thing to note is that an FB app has an ID and a secret key, which are used to authenticate when accessing the app.

3. Creating sample JSP pages in my NW Portal to test fetching data from FB through my new FB app was fun. Now how do I design my SSO? My FB app allows me to fetch data like First Name, Middle Name, Last Name, email, etc. I could use any combination of these, but to keep things simple I settled on id – I thought this would be a good and unique parameter to associate my identity with the Portal (this is numeric, BTW). For simplicity, this means the FB id must be the same as the Portal userID / logonID.

4. An identifier from FB and how to fetch it – sorted. Now how do I make the NW Java engine understand and trust this, and allow single sign-on to the Portal? I have to admit this took the longest time, as I tried many ways to make a simple mechanism work. I didn’t really want to develop a custom JAAS login module at first; I initially thought – can I use the HTTP Header Login Module that now comes with the Portal? After many trial-and-error attempts at setting a simple header parameter, in the end I changed my solution and had to build my own Login Module instead. I developed a few Login Modules in the past, since EP 6.0, and I dreaded the tools and methods back then. With Portal 7.3 and up, I’m impressed at how easy it is – the online help was very helpful.

5. So, the Login Module. I reused the code from step #1 above, integrating the FB fetch mechanism. Once I get the “id” parameter from FB, I set the username to this value.

6. I then created a custom web application and assigned my custom Login Module to it. The module mainly does three steps: #1 fetch the FB id and log on as that userID, #2 create the logon ticket, #3 redirect the page to the Portal (/irj/portal).

and voilà! It works 🙂

To recap, here are the components in the order in which they are accessed:

Component #1. A simple web page that contains the link to my FB app. This link also carries the link-back / redirect URL (component #3 below).

[Screenshot: login page with the FB link (1login.JPG)]

If I click on this link, it redirects me to my FB app, which prompts me to log on first (if I haven’t done so already).

[Screenshot: Facebook logon prompt]

Component #2. The FB App, which provides the Basic Info of the logged-on FB user.

If I haven’t authorised the app yet, it asks me to authorise it.

[Screenshot: FB app authorisation dialog]

Note that authorisation happens only once, and it can be revoked manually at any time (if you’re familiar with FB apps). Once authorised, this screen won’t show up in my subsequent calls through this app.

Once this is completed, FB redirects my session to the redirect URL. FB also passes a code/token indicating successful logon and authorisation of the app.

Component #3. A JSP that is logon-protected by my custom JAAS LoginModule (component #4) and by the CreateLogonTicket LoginModule, which creates the SSO ticket upon a successful logon call.

I will get back to what this JSP does after explaining the LoginModule mechanism below.

Component #4. The LoginModule.

This LoginModule gets called when the JSP page (component #3) is requested. The LoginModule does the OAuth call to the FB app (passing the FB code generated previously and the app’s secret key) and, using URLConnection and BufferedReader, retrieves the id. The LoginModule then assigns this value to the principal userID, meaning the session is now logged on to the SAP Java engine as this user. Once this succeeds, the CreateLogonTicket LoginModule creates the SSO ticket.

Back to component #3: the JSP is then run. The JSP really just contains a redirect to /irj/portal. Since the SSO ticket is present, the Portal doesn’t prompt for logon.
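As an added example that is not the post’s own code (nor SAP’s or Facebook’s), here is how a standard JAAS LoginModule could carry out what component #4 describes: redeem the FB code at the token endpoint, read the numeric id from /me with URLConnection and BufferedReader, and commit it as the principal name that the CreateLogonTicket module then turns into an SSO ticket. The class and option names (FacebookLoginModule, OAuthCodeCallback, app_id, app_secret, redirect_uri, graph_url), the endpoint paths and the two response shapes are assumptions; in a real NetWeaver module the request parameters would come from the engine’s own HTTP callbacks rather than the hypothetical OAuthCodeCallback. It also adds one check the post does not mention: the state value sent along with the login link is compared with the one Facebook echoes back before the code is redeemed.

```java
import java.io.*;
import java.net.*;
import java.security.Principal;
import java.util.Map;
import java.util.regex.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Illustrative JAAS module: redeem the FB code, read the numeric id from /me, commit it as principal. */
public class FacebookLoginModule implements LoginModule {
    /** Hypothetical callback: the redirect's ?code= and ?state= plus the state the login page issued. */
    public static final class OAuthCodeCallback implements Callback {
        public String code, state, expectedState;
    }
    public static final class FacebookPrincipal implements Principal {
        private final String id;
        public FacebookPrincipal(String id) { this.id = id; }
        @Override public String getName() { return id; }
    }
    private static final Pattern ID_JSON = Pattern.compile("\"id\"\\s*:\\s*\"(\\d{1,20})\"");
    private static final Pattern TOKEN_JSON = Pattern.compile("\"access_token\"\\s*:\\s*\"([^\"]+)\"");
    private Subject subject;
    private CallbackHandler handler;
    private Map<String, ?> options;   // assumed option keys: app_id, app_secret, redirect_uri, graph_url
    private String facebookId;        // set by login(), turned into a principal by commit()
    private FacebookPrincipal principal;

    @Override public void initialize(Subject subject, CallbackHandler handler,
                                     Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject; this.handler = handler; this.options = options;
    }

    @Override public boolean login() throws LoginException {
        OAuthCodeCallback cb = new OAuthCodeCallback();
        try { handler.handle(new Callback[] { cb }); }
        catch (Exception e) { throw new LoginException("OAuth callback unavailable: " + e.getMessage()); }
        // Added check the post does not describe: only redeem a code whose state matches the one
        // this site issued, so a redirect carrying a code the user never requested is rejected.
        if (cb.code == null || cb.state == null || !cb.state.equals(cb.expectedState)) {
            throw new FailedLoginException("missing code or state mismatch");
        }
        try {
            String token = extractToken(fetch(tokenUrl(cb.code)));
            if (token == null) throw new FailedLoginException("no access_token in token response");
            String id = extractId(fetch(opt("graph_url") + "/me?access_token=" + enc(token)));
            if (id == null) throw new FailedLoginException("no numeric id in /me response");
            facebookId = id;
        } catch (IOException e) {
            // Never put the URL in the message: it carries the app secret and the code.
            throw new FailedLoginException("Facebook call failed: " + e.getMessage());
        }
        return true;
    }

    @Override public boolean commit() {
        if (facebookId == null) return false;
        principal = new FacebookPrincipal(facebookId);
        subject.getPrincipals().add(principal);
        return true;
    }
    @Override public boolean abort() { facebookId = null; principal = null; return true; }
    @Override public boolean logout() {
        if (principal != null) subject.getPrincipals().remove(principal);
        return abort();
    }

    /** Token endpoint query in the form the Graph API used at the time (assumed). */
    private String tokenUrl(String code) throws IOException {
        return opt("graph_url") + "/oauth/access_token?client_id=" + enc(opt("app_id"))
             + "&redirect_uri=" + enc(opt("redirect_uri"))
             + "&client_secret=" + enc(opt("app_secret")) + "&code=" + enc(code);
    }
    /** Facebook answered this call as a query string in older versions and as JSON later. */
    static String extractToken(String body) {
        String b = body.trim();
        if (b.startsWith("{")) { Matcher m = TOKEN_JSON.matcher(b); return m.find() ? m.group(1) : null; }
        for (String pair : b.split("&"))
            if (pair.startsWith("access_token=")) return pair.substring("access_token=".length());
        return null;
    }
    /** Only a purely numeric id is accepted, matching what the post uses as the logon ID. */
    static String extractId(String json) {
        Matcher m = ID_JSON.matcher(json);
        return m.find() ? m.group(1) : null;
    }
    /** HTTPS GET with URLConnection and BufferedReader as in the post; anything but 200 fails. */
    private static String fetch(String url) throws IOException {
        HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
        c.setConnectTimeout(5000); c.setReadTimeout(5000);
        if (c.getResponseCode() != 200) throw new IOException("HTTP " + c.getResponseCode());
        StringBuilder sb = new StringBuilder();
        try (BufferedReader r = new BufferedReader(new InputStreamReader(c.getInputStream(), "UTF-8"))) {
            for (String line; (line = r.readLine()) != null; ) sb.append(line);
        }
        return sb.toString();
    }
    private String opt(String key) {
        Object v = options.get(key);
        if (v == null) throw new IllegalStateException("login module option '" + key + "' not set");
        return v.toString();
    }
    private static String enc(String s) throws IOException { return URLEncoder.encode(s, "UTF-8"); }
}
```

In the login stack protecting the component #3 JSP, this module would sit ahead of CreateLogonTicket, and the id it commits has to match an existing Portal logon ID, which is the convention the post adopts. The app secret travels in the token request URL, so the options map and that URL should stay out of logs and error pages, and the JSP itself remains the plain redirect to /irj/portal described above.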

[Screenshot: Portal opened without a logon prompt (4portal.JPG)]

That’s it! 😀

Still interested? Contact me via LinkedIn

Cheers! 🙂


8 Comments


      1. Former Member Post author

        Thanks Jason Lax, I did notice that too! 🙂

        Though this solution that I wrote almost 2 years ago now is for actual NW Portal 7.x

        BTW I’m curious to know if SDN is fully running on NW Portal?

        “Imitation is the best form of flattery”

        1. Jason Lax

          Depends how you describe it.

          I mean, SCN (what I’m using right now) is hosted on Jive.  This goes for anything with scn.sap.com in the URL. 

          You asked about SDN, well, anything with http://www.sdn.sap.com is hosted on NW portal.  These are mostly documents, videos and some webpages.

          All use the same authentication, which features social sign on. 

          1. Former Member Post author

            Everything SDN now really just seems to point back to SCN.

            Anyway I guess my other question is (and I guess Kirsten’s comment if I understood correctly), is this Social Signon feature available in standard NW Portal 7.x product now?

    1. Donka Dimitrova

      Hello Kristen,

      The social sign-on via Twitter, Facebook, LinkedIn and Google is available also for marketing SAP sites. It is available via SAP Cloud Identity service.

      It is known as “SAP ID Service” – this is the SAP tenant of the SAP Cloud Identity.

      Simply open go.sap.com, click Log-On and don’t use your certificate SSO, and you will see the SAP Cloud Identity service Login screen with the social sign-on buttons for Twitter, Facebook, LinkedIn and Google.

      Internally at SAP we don’t need this social sign-on, because we use SSO but it is available for our partners and customers.

      Best regards,

      Donka Dimitrova

  1. Former Member Post author

    Hi Krishna, just look into calling the FB app with FB’s Graph API or a bare Java HTTP URL connection and you’ll be on your merry way. If I remember correctly, FB will respond with JSON-formatted data, which you will parse to validate whether the user has successfully logged on to FB or not.

