I assume the external users aren't maintained in your AD? That rules out Kerberos. You are left with SAML and X.509 since you don't have a portal to issue the SAP Logon Tickets. How many external users are there? Do you have a PKI in your IT infrastructure that you could use to issue X.509 certificates for external users? I myself would use SAML since you could use the same implementation for internal and external users, no need for two parallel solutions. If SAP GUI for Windows or NWBC for Desktop is in the picture (for internal users) and SSO is a requirement, SAML isn't the recommended option, so you will end up with two parallel solutions. I believe NWSSO can be used as a PKI to also issue long-term certificates, so you could have a global solution based on X.509 certificates. The external users would authenticate against the Secure Login Server to receive their X.509 certificate.