Pluggable Authentication Service

Pluggable Authentication Services (PAS) allows a SAP user to be authenticated outside of SAP. When the user is authenticated by an external service, the PAS will issue an SAP Logon Ticket or x.509 Certificate which will be used for future authentication into SAP systems. The PAS is generally regarded as an opportunity for companies to either use a new external authentication system or an existing external authentication system. In some cases, the PAS is used with an external single sign-on system that uses SAP Logon Tickets or x.509 certificates.

External authentication systems

 * Windows NT LAN Manager Authentication
 * Windows NT domain controller (i.e., User ID and password verification)
 * Binding LDAP to a directory server
 * Authentication using the Secure Sockets Layer (SSL) protocol and x.509 certificates
 * HTTP header variables (mapping userIDs)
 * Authentication mechanism through the AGate

Prerequisites

 * One system must be configured as the ticket-issuing system.
 * Other SAP systems must be configured to accept logon tickets (and therefore preconditions for logon ticket configuration or non-logon ticket configuration, such as certificate, must be met prior).
 * Usage of Secure Network Communications because authentication occurs externally.
 * Ticket-issuing SAP system must be able to recognize user's ID.