Authentication: SSO With Logon Tickets
Nakisa Authentication through SSO with Logon Tickets
Nakisa OrgChart 4.0 Solution
In the SSO with logon ticket process, four major parties are involved:
- The user
- The portal
- Nakisa application
- SAP back-end
- The user logs onto the portal.
- The portal issues a logon ticket (trust for which is anchored in the SAP back-end). The ticket is valid only for a limited period; the maximum life span is specified in the ticket-issuing system's parameters. The logon ticket is stored as a non-persistent cookie named MYSAPSSO2 in the user's Web browser and is deleted when the user logs off or closes the browser. The ticket is a bearer credential: whoever holds the cookie can present it, so it must only travel over TLS.
- The Nakisa application is called. It first checks whether a MYSAPSSO2 cookie is present. If it is not, the Nakisa application raises an error stating that the ticket is invalid or that the user is trying to access the build from outside the portal.
- Nakisa reads the MYSAPSSO2 ticket from the cookie and sends it unchanged to the SAP back-end system by opening a connection with SAP JCo. The SAP system authenticates the portal-generated ticket by verifying its digital signature against the certificate of the issuing portal, which the SAP system must have been configured to trust. The SAP system that validates the SSO ticket is configured in the Nakisa Admin Console, where the SAP ASHOST, CLIENT, and SYSNR are entered.
- While the ticket is being sent to the SAP back-end for validation, the Nakisa application also Base64-decodes the same ticket (Base64 is an encoding, not encryption; the ticket is signed, not encrypted) to read the user ID and creation timestamp from its plain-text fields. Because anyone can decode these fields, they must not be trusted until the back-end has verified the signature.
- If the SAP back-end authenticates the MYSAPSSO2 ticket successfully, Nakisa makes a second call over SAP JCo, using SAP functions, to authorize the user ID read from the ticket. The SAP system and a communication user for this call are configured in the Nakisa Admin Console; the communication user should carry only the authorizations needed for this lookup. The communication user looks up the user in the AGR_USERS table (role-to-user assignments), and the user name and role are returned to Nakisa through SAP functions.
- Within Nakisa, the returned SAP role is matched against a Nakisa role. Depending on the application's configuration, the resulting Nakisa role determines what the user can access within the application; a user whose SAP role maps to no Nakisa role gets no access.
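The following Python is an added example that is not Nakisa's or SAP's code. It walks the client side of the flow above: Base64-decoding a MYSAPSSO2 ticket to read the user ID and creation time, checking its validity window, and refusing to use the identity until the SAP back-end has accepted the signature, then mapping the returned SAP role to a Nakisa role. The info-unit layout (version byte, 4-byte code page, then 1-byte ID / 2-byte length / data units, with IDs 0x01 user, 0x02 client, 0x03 system ID, 0x04 creation time YYYYMMDDHHMM, 0x05 validity in hours, 0xFF signature) is my description of the ticket format and should be checked against SAP's documentation; the sample ticket, the role names Z_NAKISA_ADMIN / Z_NAKISA_VIEWER and the `backend_accepted` flag standing in for the JCo round trip are constructed for the example.

```python
import base64
import struct
from datetime import datetime, timedelta, timezone

# Info-unit IDs as I understand the MYSAPSSO2 layout (assumption, see lead-in).
IU_USER, IU_CLIENT, IU_SYSID, IU_CREATED, IU_VALID_HOURS, IU_SIGNATURE = 0x01, 0x02, 0x03, 0x04, 0x05, 0xFF

# Hypothetical SAP-to-Nakisa role mapping, most privileged first.
ROLE_PRECEDENCE = [("Z_NAKISA_ADMIN", "Administrator"), ("Z_NAKISA_VIEWER", "Viewer")]


def parse_sap_time(yyyymmddhhmm):
    """Ticket timestamps are 12 ASCII digits, interpreted here as UTC."""
    return datetime.strptime(yyyymmddhhmm, "%Y%m%d%H%M").replace(tzinfo=timezone.utc)


def build_ticket(user, client, sysid, created, valid_hours, signature=b"\x30\x82FAKE"):
    """Construct a sample ticket (test data only; real tickets are issued by the portal)."""
    body = bytes([0x02]) + b"4103"  # version byte, then a 4-byte code page (constructed)
    for iu_id, value in ((IU_USER, user), (IU_CLIENT, client), (IU_SYSID, sysid),
                         (IU_CREATED, created), (IU_VALID_HOURS, f"{valid_hours:04d}")):
        data = value.encode("ascii")
        body += struct.pack(">BH", iu_id, len(data)) + data
    body += struct.pack(">BH", IU_SIGNATURE, len(signature)) + signature
    return base64.b64encode(body).decode("ascii")


def parse_ticket(ticket_b64):
    """Base64-DECODE (not decrypt) the ticket and walk its info units.

    Nothing here proves the ticket is genuine: the signature unit can only be
    verified by the SAP back-end that trusts the issuing portal's certificate.
    """
    raw = base64.b64decode(ticket_b64)
    if not raw or raw[0] != 0x02:
        raise ValueError("unexpected ticket version")
    pos, units = 5, {}  # skip version byte and 4-byte code page
    while pos + 3 <= len(raw):
        iu_id, length = struct.unpack(">BH", raw[pos:pos + 3])
        pos += 3
        if pos + length > len(raw):
            raise ValueError("truncated info unit")
        units[iu_id] = raw[pos:pos + length]
        pos += length
    if IU_SIGNATURE not in units:
        raise ValueError("ticket carries no signature")
    return units


def extract_identity(units):
    """Return (user, created, expires) from the plain-text units; still untrusted."""
    user = units[IU_USER].decode("ascii")
    created = parse_sap_time(units[IU_CREATED].decode("ascii"))
    expires = created + timedelta(hours=int(units[IU_VALID_HOURS].decode("ascii")))
    return user, created, expires


def map_role(sap_roles):
    """First SAP role in precedence order that the user holds; None means no access."""
    held = set(sap_roles)
    for sap_role, nakisa_role in ROLE_PRECEDENCE:
        if sap_role in held:
            return nakisa_role
    return None


def authorize(ticket_b64, backend_accepted, sap_roles, now):
    """Gate the decoded identity behind the back-end's verdict and the validity window.

    backend_accepted stands in for the SAP JCo call that verifies the signature;
    sap_roles stands in for what the AGR_USERS lookup returned for that user.
    Returns (user, nakisa_role) on success, or (None, reason) on refusal.
    """
    user, created, expires = extract_identity(parse_ticket(ticket_b64))
    if now < created or now >= expires:
        return None, "ticket outside its validity window"
    if not backend_accepted:
        return None, "ticket not verified by the SAP back-end"
    role = map_role(sap_roles)
    if role is None:
        return None, f"no Nakisa role for {user}"
    return user, role


if __name__ == "__main__":
    ticket = build_ticket("JDOE", "100", "EP1", "202401151030", 8)
    print(authorize(ticket, True, ["Z_NAKISA_VIEWER"], parse_sap_time("202401151200")))
```

The order of checks is deliberate: the locally decoded expiry is only a cheap early reject, and the identity is released to the role mapping solely after `backend_accepted` is true, mirroring the second JCo call in the flow. A real deployment would replace the flag with the result of the validation RFC and the role list with the AGR_USERS result.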