
Technical Overview: Add-On Solutions for eTrust SiteMinder

eTrust SiteMinder SSO Agent for SAP Web Application Server


With eTrust SiteMinder and SAP, users benefit from extending the eTrust SiteMinder Single Sign-On (SSO) experience to SAP solutions. The eTrust SiteMinder SSO Agent for SAP Web Application Server (Web AS) coupled with eTrust SiteMinder provides a single sign-on environment for Web Applications and SAP solutions.
Solution Benefits
- Improved user experience and satisfaction
- Enhanced security

Supported Platforms
- Enterprise applications: SAP NetWeaver (SAP Web AS, SAP Enterprise Portal)
- Operating systems: Microsoft Windows, IBM AIX, HP-UX, Sun Solaris

Installation Prerequisites
- SAP NetWeaver: SAP Web AS, SAP Enterprise Portal
- eTrust SiteMinder Software: eTrust SiteMinder Policy Server, eTrust SiteMinder Web Agent

Background
While ERP applications are recognized as mission-critical pieces of infrastructure, they are only one of many such applications in a typical enterprise. As businesses have moved to a web-based approach for their applications, extending SSO across the enterprise has become a requirement. In addition, companies are seeking to standardize and centralize specific aspects of their infrastructure, in particular access management. With the continued expansion of online business initiatives, many companies also seek to provide access to data stored within their ERP and other internal systems to external customers and business partners, not just employees.

SAP's current architecture, commonly known as the SAP NetWeaver Architecture, is based on SAP's web application server, SAP Web AS. SAP Web AS supports J2EE and ABAP and therefore provides the dual capability of deploying the ABAP-based Business Server Pages and web applications compliant with J2EE.

The eTrust SiteMinder Single Sign-On Agent for SAP Web Application Server was designed to enable SSO integration among non-SAP, non-Web AS, SAP, Web AS J2EE, and Enterprise Portal applications. It provides integration between eTrust SiteMinder and the SAP Web Application Server, enabling SAP customers to extend SSO to their corporate Web and application servers. Additionally, eTrust SiteMinder allows administrators to select a variety of authentication methods to protect their sensitive resources.


Specific Capabilities
Feature: Single Sign-On
Description: Extends eTrust SiteMinder Single Sign-On for protected Web applications to SAP applications.
Benefits: Rich user experience, increased security, reduced customer support costs.

Feature: Authentication Management
Description: Provides support for a variety of authentication methods. Provides a single authentication point for all applications.
Benefits: Increased security, lower application development costs, reduced administrative costs.

Feature: Enhanced Security
Description: Tier 2 integration moves the point of trust from the web server to the SAP Web AS J2EE Engine.
Benefits: Increased security. An attack on a web server is less likely to compromise key business systems.

Feature: Session Synchronization
Description: eTrust SiteMinder and SAP sessions are linked. When the eTrust SiteMinder session ends, the corresponding SAP session is no longer available.
Benefits: Increased security. Helps prevent misuse of critical, confidential business data.

Figure 1. eTrust SiteMinder Federation Security Services.

Figure 1. eTrust SiteMinder SSO Agent for SAP Web AS.


How It Works
1. The user's HTTP-based web client accesses the Web AS J2EE engine application or Enterprise Portal via the front-end web server.
2. The eTrust SiteMinder Web Agent, hosted on the web server, intercepts the request and checks whether the accessed application or resource is protected by eTrust SiteMinder. If the resource is protected, the user is challenged to provide authentication credentials.
3. eTrust SiteMinder authenticates the user and checks the user's access permissions to the protected resources. If the user has access to the application, the Policy Server returns the Web AS username in the form of an HTTP header response along with the SessionLinker header response. The SessionLinker response returns the cookie names (JSESSIONID and MYSAPSSO2) against which the eTrust SiteMinder session is tracked.
4. Once eTrust SiteMinder allows access to the protected application or resource, the web server forwards the request to the J2EE engine. The J2EE engine invokes the eTrust SiteMinder login module, protecting the Web AS deployed application or the Enterprise Portal application.
5. The eTrust SiteMinder login module validates the eTrust SiteMinder session information against the Policy Server.
6. The Policy Server returns success if the eTrust SiteMinder session is valid, and returns the Web AS username. The eTrust SiteMinder login module confirms that the session does indeed belong to the requesting Web AS user. If the session is not valid, the authentication attempt fails and access to the requested resource is prohibited.
7. If the eTrust SiteMinder login module successfully validates the user session, the module sets the user Principal to the Web AS username. The Web AS J2EE engine invokes the CreateTicket login module, which creates the MYSAPSSO2 ticket for the authenticated Web AS user. The J2EE engine services the request for the application if both login modules succeed.
8. The SessionLinker on the web server tracks the eTrust SiteMinder session against the Web AS session identified by the JSESSIONID and MYSAPSSO2 cookies. If access is illegal, the cookies are emptied. If access is legal, the requested application or resource is presented to the user.
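
The tier 2 check in steps 5 to 7 and the SessionLinker behaviour in step 8, modelled as an added example (not CA's code and not the SiteMinder or SAP API). PolicyServer, login_module, SessionLinker and the opaque session token are hypothetical stand-ins; only the cookie names JSESSIONID and MYSAPSSO2 come from the text.

```python
# Hypothetical model of the flow; none of these names are SiteMinder or SAP APIs.
import secrets

class PolicyServer:
    """Stand-in for the Policy Server: issues and validates sessions."""
    def __init__(self):
        self._sessions = {}                      # token -> Web AS username
    def authenticate(self, web_as_user):         # step 3 (credential check omitted)
        token = secrets.token_hex(16)
        self._sessions[token] = web_as_user
        return token
    def validate(self, token):                   # steps 5-6
        return self._sessions.get(token)         # None if unknown or ended
    def end_session(self, token):
        self._sessions.pop(token, None)

def login_module(policy_server, token, claimed_user):
    """Steps 5-7: re-validate at the J2EE tier instead of trusting the
    username header forwarded by the web server."""
    owner = policy_server.validate(token)
    if owner is None or owner != claimed_user:
        return None                              # authentication attempt fails
    return owner                                 # set as the user Principal

class SessionLinker:
    """Step 8: track JSESSIONID / MYSAPSSO2 against one SiteMinder session."""
    TRACKED = ("JSESSIONID", "MYSAPSSO2")
    def __init__(self, policy_server):
        self._ps = policy_server
        self._bound = {}                         # (cookie name, value) -> token
    def filter_cookies(self, token, cookies):
        # An ended session is modelled here as illegal access (assumption).
        live = self._ps.validate(token) is not None
        out = dict(cookies)
        for name in self.TRACKED:
            value = cookies.get(name)
            if not value:
                continue
            owner = self._bound.setdefault((name, value), token) if live else None
            if owner != token:
                out[name] = ""                   # illegal access: cookie emptied
        return out
```

The username comparison in login_module is what moves the point of trust to the J2EE engine: a request whose forwarded username does not match the session's owner at the Policy Server is refused even though it passed through the web server.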

For more information, call 1-800-875-9659 or visit ca.com

Copyright 2006 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies.

MP310081106
