Thank you Chris. Good to know the standalone ITS server is not an option.
Unfortunately we have already explored a number of the other options you mention before we had to put our entire Supplier Portal System (running SCM / SNC) into the DMZ to pass the security policy requirements.
The handhelds do use a user logon when they reach SAP.
And we pass through a web dispatcher in the DMZ, but have been unable to convince our corporate security team that it is anything more than a "reverse proxy" type of path through. The user session still passes to ECC inside the firewalls. And their concern is that then the session can somehow be "hijacked" and used to get to other parts of our network. We even had SAP experts in to try to explain it to them, and failed.
We use SSO with our other application, but the handheld users have real SAP IDs, and we don't need to use that. But that is authentication at the end, when the session reaches SAP. We could potentially add the front-end LDAP logon, and even have two logons... but... the session is still passing to inside the firewall, so I don't think that will actually change much in the situation.
Ruth