Monday, April 30, 2012

Execution flow of Duet Enterprise single sign-on

One of the much appreciated Duet Enterprise "plumbing" capabilities is single sign-on (SSO) from the SharePoint farm into the SAP landscape. This capability is achieved by reusing capabilities already available in both the SharePoint 2010 and SAP NetWeaver platforms. On the SharePoint side these are the BCS WCF Connector, the Security Token Service application and SAML2 support; on the SAP side, the existing table for external users (VUSREXTID) and likewise SAML2 support.
How do Duet Enterprise authentication and single sign-on work at runtime? The end user starts at the SharePoint front-end and is therefore authenticated as a SharePoint user. The SharePoint authentication can be via any authentication provider; however, if you also intend to use the Duet Enterprise Roles Synchronization capability, Claims-Based authentication is required. Upon invoking a call via SharePoint BCS, through the Duet Enterprise connectivity handling, to the SAP NetWeaver Gateway system, Duet Enterprise maps the authenticated SharePoint account onto an SAP account. The steps in this user mapping are:
  1. The SharePoint authenticated user identity is sent to Microsoft Business Connectivity Services Windows Communication Foundation connector.
  2. The BCS WCF connector invokes the SharePoint Security Token Service to retrieve the user token for this SharePoint user identity.
  3. The SharePoint Security Token Service returns a token that identifies the SharePoint user.
  4. Duet Enterprise SSO handling sends the received token to SAP NetWeaver Gateway, packaged within a SOAP request.
  5. SAP NetWeaver Gateway uses the received token to identify the external user, and locates in the user mapping table (VUSREXTID) the SAP user associated with this credential.
  6. The SAP user account that is mapped to the SharePoint user is returned to SAP NetWeaver Gateway.
  7. SAP NetWeaver Gateway uses the SAP user account to request access to information in the SAP backend.
  8. If the user is authorized to access the information, the requested information is sent to SAP NetWeaver Gateway.
  9. SAP NetWeaver Gateway sends the requested information to the Microsoft Business Connectivity Services WCF connector as a SOAP response.
  10. The Microsoft Business Connectivity Services connector passes the information to the SharePoint front-end side; e.g. to display via an External List or any of the other BCS Business Data webparts.
For this SSO pipeline to actually work, it requires and strongly depends on correct execution of the Duet Enterprise configuration of SharePoint and SAP mutual authentication: SAP Gateway must be configured for SAML2 usage, a trust relationship must be configured between SharePoint and SAP, and SSL certificates have to be exchanged between SAP and SharePoint. But this is a one-time configuration step. Afterwards you can rely on and profit from the Duet Enterprise Single Sign-On capability, without needing to maintain the supporting code.
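To make the token-verification and mapping steps above, and their dependence on the configured trust, concrete, here is an added simulation of the Gateway side (example code written for this post, not Duet Enterprise's own implementation). It assumes a single trusted STS issuer, an HMAC-signed token in place of the real SAML2 assertion signed with the exchanged certificates, and a constructed dictionary standing in for VUSREXTID; the issuer URL and the claims-encoded user name are made-up sample values.

```python
import hashlib
import hmac
import json
import time

# Constructed stand-in for the SharePoint/SAP trust relationship: the Gateway trusts
# exactly one STS issuer and holds its key. Real Duet Enterprise exchanges X.509
# certificates and verifies SAML2 signatures; HMAC is an assumption to keep this offline.
TRUSTED_ISSUERS = {"https://sharepoint.example/sts": b"constructed-shared-secret"}

# Constructed stand-in for the SAP external-user table VUSREXTID: external ID -> SAP user.
VUSREXTID = {"i:0#.w|corp\\jdoe": "JDOE_SAP"}


def sts_issue_token(issuer, subject, key, ttl=300, now=None):
    """Steps 2-3: the SharePoint STS issues a signed token identifying the SharePoint user."""
    now = time.time() if now is None else now
    claims = {"iss": issuer, "sub": subject, "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"claims": claims, "sig": sig}


def gateway_map_user(token, now=None):
    """Steps 5-6: verify the token against the configured trust, then map it to an SAP user.
    Returns (sap_user, reason); sap_user is None when the request must be rejected."""
    now = time.time() if now is None else now
    claims = token["claims"]
    key = TRUSTED_ISSUERS.get(claims.get("iss"))
    if key is None:
        return None, "untrusted issuer"  # no trust relationship configured for this STS
    body = json.dumps(claims, sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return None, "bad signature"  # token altered in transit or signed with a wrong key
    if claims["exp"] <= now:
        return None, "token expired"
    sap_user = VUSREXTID.get(claims["sub"])
    if sap_user is None:
        return None, "no VUSREXTID mapping"  # SharePoint user was never mapped to SAP
    return sap_user, "ok"


if __name__ == "__main__":
    key = TRUSTED_ISSUERS["https://sharepoint.example/sts"]
    token = sts_issue_token("https://sharepoint.example/sts", "i:0#.w|corp\\jdoe", key)
    print(gateway_map_user(token))  # ('JDOE_SAP', 'ok')
```

The order of the checks matters: a missing trust relationship or certificate mismatch rejects the call before the VUSREXTID lookup is ever reached, which is why a broken mutual-authentication configuration surfaces as an authentication failure rather than a missing-mapping error.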