How Use Case 1 Works
The interaction between the components in SSO mode is shown in the following illustration:

The SiteMinder Agent for SAP Web AS works according to the following process:
- The user (an HTTP-based web client) accesses the Web AS J2EE engine application or Enterprise Portal through the front-end web server.
- The SiteMinder Agent for SAP Web AS, hosted on the web server, intercepts the request and determines whether the SiteMinder Policy Server is protecting the requested application or resource. If the resource is protected, the user is challenged for authentication.
- SiteMinder authenticates the user and checks for the access permissions to the protected application. If the user has access to the application, the Policy Server returns the Web AS username in the form of an HTTP header response along with the SessionLinker header response. The SessionLinker response contains the cookie names (MYSAPSSO2 and JSESSIONID) against which the SiteMinder session is tracked.
- Once SiteMinder allows access to the protected application or resource, the web server forwards the request to the J2EE engine. The J2EE engine invokes the SiteMinder login module, protecting the Web AS deployed application or the Enterprise Portal application.
- The SiteMinder login module validates the SiteMinder session information against the Policy Server.
- The Policy Server returns success and the Web AS username if the session is valid. The SiteMinder login module confirms that the session does indeed belong to the requesting Web AS user. If the session is not valid, the authentication attempt fails and access to the requested resource is denied.
- If the SiteMinder login module successfully validates the user session, the module sets the user Principal to the Web AS username. The Web AS J2EE engine invokes the CreateTicketLoginModule, which creates the MYSAPSSO2 ticket for the authenticated Web AS user. The J2EE engine services the request for the application if both login modules succeed.
- The SessionLinker on the web server tracks the SiteMinder session against the MYSAPSSO2 and JSESSIONID cookies of the Web AS session. If access is illegal, the cookies are emptied. If access is legal, the requested application or resource is presented to the user.
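
The two binding checks in this process (the login module confirming that the session belongs to the requesting Web AS user, and the SessionLinker tracking the Web AS cookies against one SiteMinder session) can be modeled as follows. This is an added illustration, not CA code: the class and function names, the in-memory stores, and the rule that a cookie value is linked to the first session that presents it are assumptions made for the example.

```python
from dataclasses import dataclass, field

TRACKED_COOKIES = ("MYSAPSSO2", "JSESSIONID")  # cookie names given on this page


@dataclass
class PolicyServer:
    """Hypothetical stand-in: maps a SiteMinder session id to a Web AS username."""
    sessions: dict = field(default_factory=dict)

    def validate(self, session_id):
        return self.sessions.get(session_id)  # None means the session is not valid


def login_module(policy, session_id, header_user):
    """Validate the session and confirm it belongs to the requesting user."""
    user = policy.validate(session_id)
    if user is None or user != header_user:
        return None   # authentication fails, access is denied
    return user       # value the module would set as the user Principal


@dataclass
class SessionLinker:
    """Hypothetical tracker: (cookie name, value) -> owning SiteMinder session."""
    links: dict = field(default_factory=dict)

    def check(self, session_id, cookies):
        for name in TRACKED_COOKIES:
            value = cookies.get(name)
            if not value:
                continue
            owner = self.links.setdefault((name, value), session_id)
            if owner != session_id:
                # Cookie arrived under a different session: empty the tracked cookies.
                return False, {**cookies, **{n: "" for n in TRACKED_COOKIES}}
        return True, cookies


def demo():
    # Constructed sample data, not real session ids or ticket values.
    policy = PolicyServer({"sm-A": "alice", "sm-B": "bob"})
    linker = SessionLinker()
    cookies = {"MYSAPSSO2": "ticket-alice", "JSESSIONID": "js-1"}
    return [
        login_module(policy, "sm-A", "alice"),  # session matches the header user
        login_module(policy, "sm-A", "bob"),    # session belongs to another user
        linker.check("sm-A", cookies),          # first use links cookies to sm-A
        linker.check("sm-B", cookies),          # same cookies under another session
    ]
```

The last call in `demo()` is the case the SessionLinker exists for: a MYSAPSSO2 ticket that is still valid on its own is rejected because it is presented under a SiteMinder session other than the one it was issued in.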
Copyright © 2012 CA. All rights reserved.