There are several options for securely connecting SharePoint users to SAP, and customers choose among them based on their requirements and technical landscape.
One of the reasons Enterprise Cloud Connect™ is built on standard WCF Adapter technology is the four user-authentication options the adapters deliver:
1. Basic authentication – The SAP user name and password are sent with every BAPI call.
2. Windows authentication – Assumes Kerberos delegation and Windows authentication have been configured between the Windows logon and SAP.
3. SNC (Secure Network Communication) – This option uses special DLLs and Active Directory (AD) configuration to handle user mapping. SAP security must also be configured for SNC. The SAP LDAP Connector tool is often used to synchronize user credentials. Hotfixes are currently available that allow SNC authentication to be used for SharePoint.
4. X.509 certificates – The network administrator deploys browser certificates for every user who needs access to Enterprise Cloud Connect™. This option also requires SAP BASIS and security configuration.
Enterprise Cloud Connect™ also provides support for the following composite security approaches, which leverage current standard Active Directory, SharePoint and SAP tools:
1. Enterprise Cloud Connect™ Service – In this approach, a service account is used to call the BAPI in SAP, but only the SAP user ID determines the data returned, i.e. each employee is able to see only his or her own data. Ideally the AD user name is the same as the SAP user name; if it differs, the service reads AD to obtain the SAP credentials. The Enterprise Cloud Connect™ service leverages Active Directory's ability to store various SAP user data that can be used to identify the employee record in SAP. Additionally, the Enterprise Cloud Connect™ Service methods can work with any common or published authentication service, such as Windows Live or Gmail. Please see Figure 1.
2. Microsoft Office SharePoint Server Single Sign-On (MOSS SSO) for SharePoint 2007, or Secure Store Service (SSS) for SharePoint 2010 – In this approach, standard SharePoint allows the authentication details to be configured directly in a separate encrypted database. SharePoint can store the SAP user ID and password, SAP personnel number, email addresses, or virtually any other user data in the SQL security database. The Enterprise Cloud Connect™ web parts call the BAPI using the credentials stored in that secure database. Please see Figure 2.
3. SAML (Security Assertion Markup Language) on SharePoint 2010 – SAML sign-in enables web-based authentication and authorization scenarios, including the single sign-on (SSO) typically used in enterprise environments. SAML sign-in is also deployed to give access to internal users whose accounts reside in a domain that is not part of the forest containing SharePoint Server 2010. SharePoint natively supports SAML 1.1 for claims-based authentication.
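The service-account approach (1) above, as an added example that is not Enterprise Cloud Connect™'s own code: a constructed directory and employee table stand in for Active Directory and the BAPI, the attribute name sapUserId and the account SVC_ECC are assumptions, and the point shown is that the record returned is selected by the caller's mapped SAP user ID, never by anything supplied in the request.

```python
# Added example: the shared-service-account pattern. The service account holds the
# SAP connection; the employee record a caller may read is derived from the caller's
# authenticated AD identity, not from request input (otherwise the service account
# would act as a confused deputy and return any employee's data).

# Constructed stand-in for Active Directory: sAMAccountName -> attributes.
# The attribute name "sapUserId" is an assumption, not a real AD schema attribute.
AD_DIRECTORY = {
    "jdoe": {"sapUserId": "JDOE"},         # AD name matches the SAP name
    "a.smith": {"sapUserId": "ASMITH01"},  # AD name differs; mapping is read from AD
    "contractor": {},                      # no SAP mapping stored at all
}

# Constructed stand-in for SAP employee data, keyed by SAP user ID.
SAP_EMPLOYEES = {
    "JDOE": {"pernr": "00001234", "salary": 52000},
    "ASMITH01": {"pernr": "00005678", "salary": 61000},
}

SERVICE_ACCOUNT = "SVC_ECC"  # assumed name of the only SAP logon used for BAPI calls


class AuthorizationError(Exception):
    pass


def resolve_sap_user(ad_user: str) -> str:
    """Map the authenticated AD identity to an SAP user ID (approach 1 in the text)."""
    entry = AD_DIRECTORY.get(ad_user)
    if entry is None:
        raise AuthorizationError(f"unknown directory user {ad_user!r}")
    # Ideally the AD name is the SAP name; otherwise the stored mapping attribute wins.
    sap_user = entry.get("sapUserId") or ad_user.upper()
    if sap_user not in SAP_EMPLOYEES:
        raise AuthorizationError(f"no SAP user mapped for {ad_user!r}")
    return sap_user


def bapi_get_employee(logon: str, sap_user: str) -> dict:
    """Stand-in for the BAPI call; only the service account may open the connection."""
    if logon != SERVICE_ACCOUNT:
        raise AuthorizationError("BAPI connection must use the service account")
    return dict(SAP_EMPLOYEES[sap_user])


def get_my_data(authenticated_ad_user: str, requested_sap_user: str = "") -> dict:
    """Web-part entry point. The caller's own mapped SAP user ID selects the record;
    a different requested ID is rejected instead of honoured."""
    sap_user = resolve_sap_user(authenticated_ad_user)
    if requested_sap_user and requested_sap_user != sap_user:
        raise AuthorizationError("caller may only read his or her own employee record")
    return bapi_get_employee(SERVICE_ACCOUNT, sap_user)
```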
Figure 1. Service Account Authentication
Figure 2. MOSS Single Sign-On (SSO)
Other Useful Resources
Configuring MOSS SSO for SharePoint 2007
Plan the Secure Store Service (SharePoint Server 2010)
Configure the Secure Store Service (SharePoint Server 2010)
Configure Authentication using a SAML security token (SharePoint Server 2010)
Integration of SAP and Active Directory using the LDAP Connector