Obtaining "SAP logon ticket" via ADFS using Windows login name

  • Question

  • Hi,

    First of all, I’m new to AD FS. I need some advice about the scenario described below.

    The company where I’m working wants to use SSO login for its application. The application is standalone and it’s written in Java. The application requires a user to log in. The user accounts are stored in a database which is running on a different machine.

    The idea was quite simple: get the username of the Windows user who is currently logged in and use it to log in to our application. But the customer requires using the “SAP logon ticket” for login. So now we are thinking about using AD FS to receive the “SAP logon ticket”.

    The idea is: use the current Windows username to receive the “SAP logon ticket”, which would then be used to log in to our application.

    Is this scenario realistic, and what do we need for it? I suppose we need one Federation Server on our side, then another Federation Server on the SAP side, and then one PC where the application will be running. Is it possible to avoid the Federation Server on our side somehow?


    I hope I described the scenario understandably.

    Thank you for your suggestions.

    Friday, August 26, 2016 8:57 AM

All replies

  • Not sure I completely follow your scenario (what's the relationship between the Java app and SAP?). You mention the customer requires an "SAP logon ticket" for login... to what? SAP and the Java app? Normally with federation we move responsibility for authentication/access away from the application :)

    You can log on to Windows and have SAP trust your AD FS instance as an identity provider. In this scenario, AD FS is the logon provider and is responsible for grabbing the login ticket and handing that to SAP. Typically, this ticket would then match/correspond to an SAP ID/profile. To make it work this would require NetWeaver configured as a SAML 2.0 Service Provider...


    Friday, August 26, 2016 2:12 PM
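The reply above describes SAP as a SAML 2.0 Service Provider trusting AD FS as the identity provider, with the asserted identity mapped to an SAP user. The following added example (not from the thread or from SAP/Microsoft) shows the checks the SP side has to make on an assertion before mapping its NameID to an SAP ID: trusted issuer, audience, validity window. The entity IDs, the user mapping and the assertion itself are constructed placeholders, and XML signature verification is assumed to have happened before this function is called.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion; entity IDs and user are placeholders, not real systems.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder1" Version="2.0" IssueInstant="2016-08-26T14:00:00Z">
  <saml:Issuer>http://adfs.example.local/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2016-08-26T13:59:00Z" NotOnOrAfter="2016-08-26T14:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sap.example.local/saml2/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

TRUSTED_IDP = "http://adfs.example.local/adfs/services/trust"   # placeholder AD FS entity ID
SP_ENTITY_ID = "https://sap.example.local/saml2/sp"              # placeholder SAP SP entity ID
SAP_USER_MAP = {"jdoe": "JDOE01"}                                # constructed NameID -> SAP ID mapping


def _ts(value):
    """Parse a SAML UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now, trusted_idp=TRUSTED_IDP, sp_entity_id=SP_ENTITY_ID):
    """Return the SAP user ID the assertion maps to, or None if any check fails.
    Assumes the XML signature was already verified against the IdP signing certificate."""
    root = ET.fromstring(xml_text)
    # 1. Only accept assertions issued by the configured AD FS instance.
    if root.findtext("saml:Issuer", namespaces=NS) != trusted_idp:
        return None
    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        return None
    # 2. Reject assertions outside their validity window (replayed or not yet valid).
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return None
    # 3. The assertion must be addressed to this SP, not to some other relying party.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        return None
    # 4. Map the asserted NameID to the SAP user profile; unknown users are rejected.
    return SAP_USER_MAP.get(root.findtext("saml:Subject/saml:NameID", namespaces=NS))
```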
  • If you want SSO with an application, your application needs to trust ADFS. So the application has to support some federation protocol.

    If the application is expecting a separate set of credentials for the users, federation is not going to work. However, you can have a look at password-based SSO with Azure AD and Azure AD proxy (where basically a user will be invited to store their app credentials in a cloud-based locker, and the next time the user accesses the app, the form will be automatically filled in, which gives an "impression" of SSO).

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, August 26, 2016 2:21 PM
  • Thank you for your answer and your hints about NetWeaver. I did some more investigation in this direction. I found out SAP should support Windows Authentication as one of its external authentication methods. If anyone is interested, follow the link www.stechies.com/sap-pdf-books-download/EP_ADMIN330491328605327.pdf. So I’ll focus on SAP now. Thank you.

    Monday, August 29, 2016 9:00 AM