Gartner just recently published the following report
By the end of 2015, 50 percent of new retail customer identities will be based on social network identities, up from less than 5 percent today, according to Gartner, Inc. Along with federation technologies and mobile computing, social identity adoption will have a major impact on the practice of identity and access management (IAM) in 2013 and beyond.
Wow! From 5% to 50% in two years!
What are we doing about this?
As a consumer, I now prefer mobile / web sites that offer “delegated authentication” using social media.
It just makes my experience so easy. It just makes sense. Why can’t we do this in SAP?
I went searching (as I always do) for a quick solution that will enable me to logon to SAP (at least the NW Portal) using my identity say in Facebook. Unfortunately, I couldn’t seem to find one.
And so, with my craving for problem solving (and my “can’t let go until it’s answered” attitude), this weekend was productive – I spent a couple of hours at night working on the solution.
Anyway, enough of me. Here’s my solution to the question:
How do I single-signon to SAP NW Portal using my Facebook account?
1. I’m new to Facebook development, so searching for “Facebook in website” taught me that FB uses OAuth. The keywords OAuth, Facebook and Java then led me to postings by very clever people. That sorted out my questions on Facebook’s mechanism for delegated authentication.
2. The next step is to enable fetching of the needed authentication data (tokens, user ID, name, etc.) from Facebook. Facebook offers very good instructions on becoming a developer and on how to create a simple application. True to its claims, it took less than 5 minutes to create my own application in FB. An important thing to note is that an FB app has an ID and a secret key, which are used to authenticate when accessing the app.
3. Creating sample JSP pages in my NW Portal to test fetching data from FB through my new FB app was fun. Now, how do I design my SSO? My FB app allows me to fetch data like First Name, Middle Name, Last Name, email, etc. For sure I could use any combination of these, but to keep things simple I settled on id – I thought this would be a good and unique parameter to associate my identity with the Portal (this is numeric, BTW). For simplicity, this means this id must be the same as the Portal userID / logon ID.
4. An identifier from FB and how to fetch it – sorted. Now, how do I make the NW Java engine understand and trust this, and allow single sign-on to the Portal? I have to admit this took the longest time, as I tried many ways to make a simple mechanism work. I didn’t really want to develop a custom JAAS login module at first; I initially thought – can I use the HTTP Header Login Module that now comes with the Portal? After many attempts at trial and error in setting a simple header parameter, in the end I changed my solution and had to build my own Login Module instead. I developed a few Login Modules in the past, since EP 6.0, and I just dreaded the tools and methods back then. With Portal 7.3 and up, I’m impressed at how easy it is – the online help was very helpful.
5. So, the Login Module. I used the code from step #1 above, integrating the FB fetch mechanism. Once I get the “ID” parameter from FB, I set the username to this.
6. I then created a custom web application, assigning my custom Login Module – which mainly does three steps: #1 fetch the FB ID and log on as that ID (userID), #2 create the logon ticket, #3 redirect the page to the Portal (/irj/portal).
And voilà! It works 🙂
To recap, here are the components in the order in which they are accessed:
Component #1. A simple web page which contains the link to my FB app. This link also contains the link-back / redirect URL (component #3 below).
If I click on this link, it redirects me to my FB app, prompting me to log on first (if I haven’t done so).
Component #2. The FB app that provides the Basic Info of the logged-on FB user.
If I haven’t authorised the app yet, it asks me to authorise it.
Note that authorisation is only needed once and can be manually revoked at any time (if you’re familiar with FB apps). Once authorised, this screen won’t show in my subsequent calls through this app.
Once this is completed, my session is redirected by FB to the redirect URL. FB also passes a code/token indicating successful logon and authorisation of the app.
Component #3. A JSP that is logon-protected by my custom JAAS LoginModule (component #4) and by the CreateLogonTicket LoginModule, which creates the SSO ticket upon a successful logon call.
I will get back to what this JSP does after explaining the LoginModule mechanism below.
Component #4. The LoginModule
This LoginModule gets called when the JSP page (component #3) is called. The LoginModule does the OAuth call (passing the FB code generated previously and the secret key) to the FB app and, using URLConnection and BufferedReader, retrieves the ID. The LoginModule then assigns the value to the principal userID, meaning the session is now logged on to the SAP Java engine as this user. Once this is successful, the CreateLogonTicket LoginModule creates the SSO ticket.
Back to component #3: the JSP is then run. The JSP really just contains a redirect to /irj/portal. Since the SSO ticket is present, the Portal doesn’t prompt for logon.
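As an added example (not code from this post), here is the shape of component #4 written as a standard JAAS LoginModule: it checks the OAuth state echoed back on the redirect, exchanges the code for a token, fetches the numeric Facebook id and makes it the principal name. It assumes the redirect’s code and state and a FacebookClient implementation (which does the token exchange with the app secret and the /me lookup over URLConnection) are handed in through the options map; the SAP NetWeaver-specific base class and servlet request access are not used here.

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// The HTTP side of component #4 (the URLConnection/BufferedReader calls), kept behind
// an interface so the module can be exercised with a stub and the app secret never
// leaves the server-side implementation.
interface FacebookClient {
    String exchangeCode(String code) throws LoginException;       // code + app secret -> access_token
    String fetchUserId(String accessToken) throws LoginException; // GET /me -> numeric "id"
}

public class FacebookLoginModule implements LoginModule {
    private Subject subject;
    private Map<String, ?> opts;  // assumption: carries the redirect's code/state and the client
    private String userId;        // set by login(), turned into a principal by commit()

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> options) {
        subject = s;
        opts = options;
    }

    public boolean login() throws LoginException {
        // "state" was minted when the link in component #1 was built and Facebook echoes it
        // back on the redirect; a mismatch means this code was not issued for our session.
        String expected = (String) opts.get("expectedState");
        if (expected == null || !expected.equals(opts.get("state")))
            throw new LoginException("OAuth state mismatch");
        FacebookClient fb = (FacebookClient) opts.get("client");
        String token = fb.exchangeCode((String) opts.get("code"));
        String id = fb.fetchUserId(token);
        if (id == null || !id.matches("[0-9]{1,20}"))  // FB ids are numeric; refuse anything else
            throw new LoginException("unexpected Facebook id: " + id);
        userId = id;
        return true;
    }

    public boolean commit() {
        if (userId == null) return false;
        final String name = userId;
        subject.getPrincipals().add((Principal) () -> name); // logon id == Facebook id, as in the post
        return true;   // CreateLogonTicket runs next in the stack and issues the SSO ticket
    }
    public boolean abort()  { userId = null; return true; }
    public boolean logout() { subject.getPrincipals().clear(); return true; }
}
```

In the login stack this module sits before CreateLogonTicket, so a thrown LoginException stops the chain and no ticket is issued.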
That’s it! 😀
Still interested? Contact me via LinkedIn