Configure SSO for ITS to R/3 using SNC/Kerberos

Our R/3 systems have been configured for SSO using SNC and Kerberos for a while now.  We now have a requirement to configure SSO between ITS and R/3.  Since our R/3 env. has been using the Kerberos library, we won't be able to use the SAP Cryptographic Library.  I modified the registry, environment and services in itsadmin to point to the Kerberos library and principal names for the AGate and R/3 servers as described in the SNC User Guide; I also updated table SNCSYSACL with the AGate SNC name.  That seems to work fine.  From the trace file, it recognized the GSS-API library for Kerberos and the SNC name for AGate.  However, when I tried to log on to R/3 from ITS, I was still prompted with the logon screen to enter my SAP account/password.
I found several whitepapers and documents stating that ITS does support Kerberos for SSO, but I couldn't find any procedure on how to implement it.  Following is the error I'm getting from the sapbasis.trc file, but I can't find any documentation on this error:
=====================================================
[Thr 5284] SncInit(): Initializing Secure Network Communication (SNC)
[Thr 5284]       PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 8/32/32)
[Thr 5284] SncInit(): Trying environment variable SNC_LIB as a
      gssapi library name: "C:\WINNT\system32\gsskrb5.dll".
[Thr 5284]   File "C:\WINNT\system32\gsskrb5.dll" dynamically loaded as GSS-API v2 library.
[Thr 5284]   The internal Adapter for the loaded GSS-API mechanism identifies as:
  Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
[Thr 2888] Sun Jan 15 22:44:59 2006
[Thr 2888] <<- ERROR: SncSetParam()==SNCERR_PARAM_DENIED
[Thr 2888] *** WARNING => NO Domain! domain==NULL means: No domain at all within the cookie. [sapss1_loctr 333]
[Thr 2888] Sun Jan 15 22:45:29 2006
[Thr 2888] *** WARNING => NO Domain! domain==NULL means: No domain at all within the cookie. [sapss1_loctr 333]
=====================================================
Does anyone know what I am missing?  Any help is greatly appreciated.
Thank you!
Diem

Hi Markus,
I also just installed/configured PAS for LDAP authentication using the "PAS for External Authentication Mechanisms" documentation.  I think the domain problem is probably due to not having the external authentication mechanism installed (in this case - PAS).  Does that sound right to you?
I tried both options for the ~extid_type parameter = "LD" and "UN".  I added the DN information to table USREXTID when ~extid_type="LD", but both options gave me the error "LDAP authentication failed".  I increased the trace level for sapextaut.trc but I don't see enough detailed information.  Following are the errors/data from the trace file.  Can you please let me know how I can tell what string is being passed for authentication?
I'm quite sure the LDAP host and port data is correct since we've been using the same information for the SAP LDAP connector and we've been using our LDAP connector between MS AD and R/3 for a long time without any problem.
To log on to R/3 through ITS, I entered the AD account (CN attribute in AD) when I got the errors.
Thank you very much for all your help.
Diem Tran
Trace:
=====================================================
2006-01-18T01:39:30.734 p001688 t4992 s0158B4E8 [sapextauth,  437]: W sapextauth: PAS session begins...
2006-01-18T01:39:30.734 p001688 t4992 s0158B4E8 [sapextauth,  456]:     sapextauth: SncNameR3 is:    "p:na1adm/[email protected]"
2006-01-18T01:39:30.734 p001688 t4992 s0158B4E8 [sapextauth,  462]:     sapextauth: SncNameAGate is: "p:[email protected]"
2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth,  468]:     sapextauth: SNC_LIB is:      "C:\WINNT\system32\gsskrb5.dll"
2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth,  568]:     sapextauth: XGatConnectSession leaving....
2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth,  616]:     sapextauth: XGatHandleLogin called....
2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth,  976]:     sapextauth: Entering XGatHandleLogin with LDAP...
2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth,  993]: W Either ~login or ~password missing, returning XGDKRCloginrequired.
2006-01-18T01:39:50.281 p001688 t4992 s00000000 [sapextauth,  398]:     sapextauth: XGatEventOpenSession called...
2006-01-18T01:39:50.281 p001688 t4992 s0158B4E8 [sapextauth,  616]:     sapextauth: XGatHandleLogin called....
2006-01-18T01:39:50.281 p001688 t4992 s0158B4E8 [sapextauth,  976]:     sapextauth: Entering XGatHandleLogin with LDAP...
2006-01-18T01:39:50.296 p001688 t4992 s0158B4E8 [sapextauth, 1059]:     sapextauth: LDAP port ist 389
2006-01-18T01:39:50.296 p001688 t4992 s0158B4E8 [sapextauth, 1261]: E sapextauth: LDAP authentication failed.
2006-01-18T01:39:50.296 p001688 t4992 s0158B4E8 [sapextauth, 1277]: E sapextauth: Wrong try for user Tran_Diem
2006-01-18T01:39:59.140 p001688 t4992 s00000000 [sapextauth,  398]:     sapextauth: XGatEventOpenSession called...
2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth,  616]:     sapextauth: XGatHandleLogin called....
2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth,  976]:     sapextauth: Entering XGatHandleLogin with LDAP...
2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth, 1059]:     sapextauth: LDAP port ist 389
2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth, 1261]: E sapextauth: LDAP authentication failed.
2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth, 1277]: E sapextauth: Wrong try for user Tran_Diem
=======================================================
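A way to read a sapextauth trace like the one above, as an added example that is not part of the original posts: it parses the line layout shown in the trace, separates the "login required" prompt (no credentials submitted yet) from real LDAP bind failures, and flags users with repeated failures in a short window. The sample lines, user names, function names and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the layout of the trace excerpt above:
# timestamp, p<pid>, t<thread>, s<session>, [module, source line]: [W|E] message.
# User names and times are made up for the example.
SAMPLE_TRACE = """\
=====================================================
2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth,  976]:     sapextauth: Entering XGatHandleLogin with LDAP...
2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth,  993]: W Either ~login or ~password missing, returning XGDKRCloginrequired.
2006-01-18T01:39:50.296 p001688 t4992 s0158B4E8 [sapextauth, 1059]:     sapextauth: LDAP port ist 389
2006-01-18T01:39:50.296 p001688 t4992 s0158B4E8 [sapextauth, 1261]: E sapextauth: LDAP authentication failed.
2006-01-18T01:39:50.296 p001688 t4992 s0158B4E8 [sapextauth, 1277]: E sapextauth: Wrong try for user user_a
2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth, 1261]: E sapextauth: LDAP authentication failed.
2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth, 1277]: E sapextauth: Wrong try for user user_a
2006-01-18T01:40:12.003 p001688 t4992 s0158B4E8 [sapextauth, 1261]: E sapextauth: LDAP authentication failed.
2006-01-18T01:40:12.003 p001688 t4992 s0158B4E8 [sapextauth, 1277]: E sapextauth: Wrong try for user user_a
2006-01-18T02:15:04.500 p001688 t5120 s0158C010 [sapextauth, 1261]: E sapextauth: LDAP authentication failed.
2006-01-18T02:15:04.500 p001688 t5120 s0158C010 [sapextauth, 1277]: E sapextauth: Wrong try for user user_b
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}) "
    r"p(?P<pid>\d+) t(?P<tid>\d+) s(?P<session>[0-9A-Fa-f]+) "
    r"\[(?P<module>\w+),\s*(?P<line>\d+)\]:\s+"
    r"(?:(?P<sev>[EW])\s+)?(?P<msg>.*)$"
)
WRONG_TRY_RE = re.compile(r"Wrong try for user (\S+)")


def parse_line(line):
    """Return a dict for one trace line, or None for separators and noise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S.%f")
    rec["sev"] = rec["sev"] or "I"  # lines without W/E are informational
    rec["msg"] = rec["msg"].strip()
    return rec


def summarize(trace_text):
    """Count login prompts and bind failures; collect failure times per user."""
    prompts = 0
    bind_failures = 0
    failures = defaultdict(list)
    for line in trace_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec["msg"]
        if "~login or ~password missing" in msg:
            prompts += 1          # first page load, nothing was checked yet
        elif "LDAP authentication failed" in msg:
            bind_failures += 1    # the directory rejected the attempt
        else:
            m = WRONG_TRY_RE.search(msg)
            if m:
                failures[m.group(1)].append(rec["ts"])
    return {
        "login_prompts": prompts,
        "bind_failures": bind_failures,
        "failures": dict(failures),
    }


def flag_bursts(failures, threshold=3, window=timedelta(minutes=1)):
    """Users with at least `threshold` failed tries inside `window`."""
    flagged = []
    for user, stamps in failures.items():
        stamps = sorted(stamps)
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                flagged.append(user)
                break
    return sorted(flagged)


if __name__ == "__main__":
    summary = summarize(SAMPLE_TRACE)
    print("login prompts:", summary["login_prompts"])
    print("bind failures:", summary["bind_failures"])
    for user, stamps in summary["failures"].items():
        print(f"{user}: {len(stamps)} failed tries")
    print("burst of failures:", flag_bursts(summary["failures"]))
```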

Similar Messages

  • How to set "Configuration Variant" for a sales order item using function

    Hello All,
    I use function module 'SD_SALES_DOCU_MAINTAIN'  to create Customer Indep. Requirements but how to set "Configuration Variant" for a sales order item.
    Is there any idea or sample code?

    Hi Zhijun zhang,
    http://help.sap.com/saphelp_nw2004s/helpdata/en/c0/98038ce58611d194cc00a0c94260a5/content.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/c0/980374e58611d194cc00a0c94260a5/content.htm
    A variant is simply an SAP report where the parameters for running the report have been set by the user and then saved with a unique name. This allows faster future retrieval and execution of the report without reentering the parameters. As a convention the variant name should start with the digits 50 so searches for LHU variants are easier and quicker.
    The first link will guide you by screen shot wise.
    Award points if it adds information.
    Thanks
    Mohan

  • "SSO" for non-sap web application using SAPGUI to browse?

    I have a web application (non SAP) and the user base are also SAP users in an ABAP system.
    To strengthen the authentication in the web app, I wanted to implement SSO 
    authentication as we pity the users for having to remember so many strong pw's and I
    don't like LDAP based pw sync or other technology I don't understand, because then we are
    just yet another application with the same pw...
    We are having technical problems implementing SSO on the web app side, and are anyway a
    bit sceptical about the user admin / role admin assignment if we get it to work.
    So I have created a transaction in SAP which browses the web app and the intention is to
    send the SAP sy-uname as the web app user. We can control this using s_tcode, and
    an own auth object on the WAS side and a check on the session type before the connection is
    established. In this sense we are dependent on the SAP concept implemented, but even so:
    The role assignment is controlled in the web app itself -> so assume that I am not overly
    worried about unauthorized access to the web application, as they would not have any
    system role for it as their sy-uname does not exist. (In fact we can monitor this)
    The browser on the front end is the SAPGUI with html controls on the SAP side.
    I would be interested in knowing whether anyone else has experience with this approach, and
    whether there are any areas to be careful of?
    I would also like to know whether this is a strategic error?
    Kind regards,
    Julius

    Hi Julius,
    well, if that web application would run on the same ABAP backend system then the solution described in SAP Note 612670 (http://service.sap.com/~iron/fm/011000358700000431401997E/0612670) would be applicable:
    a so-called "Re-entrance ticket" (based on the "SAP logon ticket" SSO proceedings) is issued, transported via the SAPGUI connection and back to the system via the invoked HTML control.
    But for non-SAP web applications that does not help.
    In that case only X.509 client certificates can be used for SSO. Actually, the web application could then also be invoked directly (independent from the SAPGUI session). The user is authenticated based on the X.509 client certificate - and not based on the ABAP userID (of the SAPGUI session).
    Well, if you don't mind the effort you could also use the "SAP Logon Ticket evaluation library" (sapssoext, see SAP Note 304450, http://service.sap.com/~iron/fm/011000358700000431401997E/0304450) to evaluate the SAP logon ticket externally. You'll then need to have a "stub application" at the ABAP side that triggers the http redirect to your external web application. Not a nice solution but a possible one.
    In the future SAML browser artifacts would be an option (preferable to integrate non-SAP applications). But currently that's not available (for NWAS ABAP).
    Cheers, Wolfgang

  • How to configure SSO for web dynpro ABAP (not web dynpro Java)

    Hi Experts,
        I am testing SSO in IDES for web dynpro ABAP (Not for web dynpro Java / not for portal). When I am entering url of web dynpro application in web browser like internet explorer, then it should ask for user id and password first time, after login whenever user would access that url, it must not ask for user ID and password (url would be access web browser in mobile). For this I select to configure single sign-on for web dynpro ABAP. I have done below works:
    1). I have created a web dynpro application having url: http://susws076.sap.swk:<port>/sap/bc/webdynpro/sap/zadb_hello_world2
    2). I run TCode SICF and access service node to "Zadb_hello_world2". Double click on it, hit change. pressed "logon data" tab, select "Alternative logon
         procedure"
       Then deleted all logon procedure other than "SSO Authentication" and saved.
    3). Go to "STRUST" and create a certificate, chose "Environment==> Logon Ticket", fill the required parameters and execute. It is OK (no red traffic
         signal).
    4). Execute TCode "RZ10" to change profile parameter, insert new parameter (indicated by red arrow)
    After all this settings I opened a browser enter above URL and hit enter but there is an error
    There is no login page. It directly showed this error page. No cookie is being saved.
    Can anyone tell me what settings/configuration other than this I have to do? And is there any wrong setting done by me?
    How to set the for single sign-on?
    Thanks in Advance
    Regards
    Piyush

    Hi Piyush,
    Pls refer below links,
    Single Sign On with ABAP WebDynpro
    http://help.sap.com/saphelp_nw70ehp2/helpdata/en/5e/6c85c3edf942f39349a1e337434d29/content.htm
    Regards
    K.N

  • How to configure SSO for WAS Java stack

    Hi all,
    I want to configure our WAS server with java stack as a SAP ticket issuing system. This system does not have Portal installed on it.
    I want to know whether it is possible or not. If possible, how can it be done?
    Actually, in the ABAP stack there are transactions like SSO2, SSO to do the task, but what about WAS with the Java stack?
    Thank all.

    HI Kumar
    Follow this link.
    http://help.sap.com/saphelp_nw04/helpdata/en/53/695b3ebd564644e10000000a114084/frameset.htm
    Hope this helped you
    Regards,
    RK

  • Configuring TREX for HCM Talent management functionality using Nakisa

    Hi,
    We are configuring the Talent Management functionality in ECC-HR system.We have installed TREX 7.1 patch number 36 and Nakisa.
    We are using the 'embedded search' functionality.
    Now we are also trying to create indexes using the Administration cockpit (tcode ESH_COCKPIT).
    However we are getting the error 'System DHS, client 100: A connection already exists' while creating a 'search connector' in the cockpit.
    Also, we are getting the below log error in the system in SM21:
    ''TREX_ICM - Send_Error; return code = 112, return text =HTTPIO_PLG_ICM_CONNECT_FAILED-Fehle''
    Kindly let us know what should be done.
    Thanks & Regards,
    Kunal.

    Hi,
    Now the initial error we were getting is resolved by applying one note suggested by SAP OSS.
    However, now we have another issue, while creating indexes using tcode ESH_COCKPIT in the backend system.
    We get error when we try to go to tcode TREXADMIN --> TREX
    ABAP Customizing --> 'Net Performance'.
    It gives the error below:
    ERROR
    Remote communication failure with partner http://:33003/ICMConnectTest
    HTTP Status 507: Kernel error:ICM_HTTP_CONNECTION_FAILED (400 )
    Kindly let us know why we get the error because even while recreating
    the indexes we get similar error i.e. Remote communication failure with
    partner http://cca1cs0872:33003/asxml/multiIndexCellTable
    The icm timeout parameter is sufficiently large i.e. around 30 minutes.
    Also, the RFC (TREX_DHS) from ECC-HR system to the TREX is working fine.
    Thanks & Regards,
    Kunal.

  • SSO for MS outlook, OWA and Sharepoint using SSO 2.0

    Hi,
    We have installed the secure login server 2.0. And configured SSO for SAP (ABAP, JAVA) systems using X.509 certificate. it is working fine.
    We want to configure SSO for some non SAP applications like MS outlook, Outlook Web Access, Sharepoint.
    I don't see any documentation in the implementation guide of NW SSO 2.0 for how to configure these non-SAP applications to accept X.509 certificates.
    Anyone please share the details of how to configure SSO for MS outlook, OWA and Sharepoint
    Regards,
    Yogesh Kumar D

    Hello Yogesh,
    Secure Login Server generates short-lived certificates; this means that after a configured time (or even
    after a logout, because the Secure Login Client does not persist the private
    keys in the file system) the private key and certificate are gone.
    So using this for long-term encryption is not practicable (because decryption
    will be very, very hard after a certificate/key renewal...).
    For a signature-only solution the problem would be the signature validation, because it needs the
    public key/certificate from the signer. This is usually included in the
    PKCS#7 signature format, but it's not guaranteed (it depends on the application settings, for example in Outlook etc.). So this would be theoretically possible, but unlikely.
    For long-term encryption/signatures you need persistent certificates/keys.
    So that's the reason there is no documentation about that use case in Secure Login Server.
    best regards
    Alex

  • SSO between ITS 620 R/3 and EP

    Hi,
    I need to use ITS 620 for R/3 4.7 and EP 6.0 for ess/mss implementation
    I have to configure SSO between R/3 and EP.
    Do I also need to configure SSO between ITS and R/3 , ITS and EP also for this?
    If yes can any one tell me the steps in configuring SSO between ITS and R/3, ITS and EP ?
    advance thanks,
    PK

    UPDATE:
    I have installed a portal (SAP NetWeaver 7.0 Java stack) and have connected it to an ECC 6.0 SR3 backend, and I only needed to configure the SSO between the portal and the backend ABAP instance, and all worked fine. There was no need to configure the SSO between the integrated ITS and the ABAP instance.
    About the error  message mentioned in my previous forum entry:
    I did not only do the steps for SSO between portal and backend as described in the blog "Configuring the Business Package for Employee Self-Service (ESS)", but I also did all the additional steps as mentioned in "10 golden rules of SSO".
    After that the error message "SSO logon not possible; logon tickets not activated on the server" did not appear anymore. (Instead a screen that asks for username and password always appears with the warning "No switch to HTTPS occurred, so it is not secure to send a password". But I think that's ok.)

  • How to configure sso with SSL step by step

    Purpose
    In this document, you can learn how to configure SSO with SSL. After a user has a certificate installed in the browser, he can log in without entering a username and password.
    Overview
    In this document we will demonstrate:
    1.     How to configure OHS to support SSL
    2.     How to Register SSO with SSL
    3.     Configure SSO for certificates
    Prerequisites
    Before starting this document, you should have:
    1.     Oracle AS 10g infrastructure installed (10.1.2)
    2.     OCA installed
    Note:
    1.     When you install Oracle infrastructure, please make sure you have selected OCA.
    2.     How Certificate-Enabled Authentication Works:
    a.     The user tries to access a partner application.
    b.     The partner application redirects the user to the single sign-on server for authentication. As part of this redirection, the browser sends the user's certificate to the login URL of the server (2a). If it is able to verify the certificate, the server returns the user to the requested application.
    c.     The application delivers content. Users whose browsers are configured to prompt for a certificate-store password may only have to present this password once, depending upon how their browser is configured. If they log out and then attempt to access a partner application, the browser passes their certificate to the single sign-on server automatically. This means that they never really log out. To effectively log out, they must close the browser.
    Enable SSL on the Single Sign-On Middle Tier
    The following steps involve configuring the Oracle HTTP Server. Perform them on the single sign-on middle tier. In doing so, keep the following in mind:
    ·     You must configure SSL on the computer where the single sign-on middle tier is running.
    ·     You are configuring one-way SSL.
    ·     You may enable SSL for simple network encryption; PKI authentication is not required. Note though that you must use a valid wallet and server certificate. The default wallet location is ORACLE_HOME/Apache/Apache/conf/ssl.wlt/default.
    1.     Back up the opmn.xml file, found at ORACLE_HOME/opmn/conf
    2.     In opmn.xml, change the value for the start-mode parameter to ssl-enabled. This parameter appears in boldface in the xml tag immediately following.
    <ias-component id="HTTP_Server">
    <process-type id="HTTP_Server" module-id="OHS">
    <module-data>
    <category id="start-parameters">
    <data id="start-mode" value="ssl-enabled"/>
    </category>
    </module-data>
    <process-set id="HTTP_Server" numprocs="1"/>
    </process-type>
    </ias-component>
    3.     Update the distributed cluster management database with the change: ORACLE_HOME/dcm/bin/dcmctl updateconfig -ct opmn
    4.     Reload the modified opmn configuration file:
    ORACLE_HOME/opmn/bin/opmnctl reload
    5.     Keep a non-SSL port active. The External Applications portlet communicates with the single sign-on server over a non-SSL port. The HTTP port is enabled by default. If you have not disabled the port, this step requires no action.
    6.     Apply the rule mod_rewrite to SSL configuration. This step involves modifying the ssl.conf file on the middle-tier computer. The file is at ORACLE_HOME/Apache/Apache/conf. Back up the file before editing it.
    Because the Oracle HTTP Server has to be available over both HTTP and HTTPS, the SSL host must be configured as a virtual host. Add the lines that follow to the SSL Virtual Hosts section of ssl.conf if they are not already there. These lines ensure that the single sign-on login module in OC4J_SECURITY is invoked when a user logs in to the SSL host.
    <VirtualHost ssl_host:port>
    RewriteEngine on
    RewriteOptions inherit
    </VirtualHost>
    Save and close the file.
    7.     Update the distributed cluster management database with the changes:
    ORACLE_HOME/dcm/bin/dcmctl updateconfig -ct ohs
    8.     Restart the Oracle HTTP Server:
    ORACLE_HOME/opmn/bin/opmnctl stopproc process-type=HTTP_Server
    ORACLE_HOME/opmn/bin/opmnctl startproc process-type=HTTP_Server
    9.     Verify that you have enabled the single sign-on middle tier for SSL by trying to access the OracleAS welcome page, using the format https://host:ssl_port.
    Reconfigure the Identity Management Infrastructure Database
    Change all references of http in single sign-on URLs to https within the identity management infrastructure database. When you change single sign-on URLs in the database, you must also change these URLs in the targets.xml file on the single sign-on middle tier. targets.xml is the configuration file for the various "targets" that Oracle Enterprise Manager monitors. One of these targets is OracleAS Single Sign-On.
    1.     Change Single Sign-On URLs
    Run the ssocfg script, taking care to enter the command on the computer where the single sign-on middle tier is located. Use the following syntax:
    UNIX:
    $ORACLE_HOME/sso/bin/ssocfg.sh protocol host ssl_port
    Windows:
    %ORACLE_HOME%\sso\bin\ssocfg.bat protocol host ssl_port
    In this case, protocol is https. (To change back to HTTP, use http.) The parameter host is the host name, or server name, of the Oracle HTTP listener for the single sign-on server.
    Here is an example:
    ssocfg.sh https login.acme.com 4443
    2. Restart OC4J_SECURITY instance and verify the configuration
    To determine the correct port number, examine the ssl.conf file. Port 4443 is the port number that the OracleAS installer assigns during installation.
    If you run ssocfg successfully, the script returns a status 0. To confirm that you were successful, restart the OC4J_SECURITY instance:
    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
    Then try logging in to the single sign-on server at its SSL address:
    https://host:ssl_port/pls/orasso/
    3. Back up the file targets.xml:
    cp ORACLE_HOME/sysman/emd/targets.xml ORACLE_HOME/sysman/emd/targets.xml.backup
    4. Open the file and find the target type oracle_sso_server. Within this target type, locate and edit the three attributes that you passed to ssocfg:
    ·     HTTPMachine—the server host name
    ·     HTTPPort—the server port number
    ·     HTTPProtocol—the server protocol
    If, for example, you run ssocfg like this:
    ORACLE_HOME/sso/bin/ssocfg.sh https sso.mydomain.com 4443
    Update the three attributes this way:
    <Property NAME="HTTPMachine" VALUE="sso.mydomain.com"/>
    <Property NAME="HTTPPort" VALUE="4443"/>
    <Property NAME="HTTPProtocol" VALUE="HTTPS"/>
    5. Save and close the file.
    6.     Reload the OracleAS console:
    ORACLE_HOME/bin/emctl reload
    7. Issue these two commands:
    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
    Registering mod_osso
    1.     The command sequence that follows shows a mod_osso instance being reregistered with the single sign-on server.
    $ORACLE_HOME/sso/bin/ssoreg.sh
         -oracle_home_path $ORACLE_HOME
         -config_mod_osso TRUE
         -mod_osso_url https://myhost.mydomain.com:4443
    2.     Restarting the Oracle HTTP Server
    After running ssoreg, restart the Oracle HTTP Server:
    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
    Configuring the Single Sign-On System for Certificates
    1.     Configure policy.properties with the Default Authentication Plugin
    Update the DefaultAuthLevel section of the policy.properties file with the correct authentication level for certificate sign-on. This file is at ORACLE_HOME/sso/conf. Set the default authentication level to this value:
    DefaultAuthLevel = MediumHighSecurity
    Then, in the Authentication plugins section, pair this authentication level with the default authentication plugin:
    MediumHighSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOX509CertAuth
    2.     Restart the Single Sign-On Middle Tier
    After configuring the server, restart the middle tier:
    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
    Bringing the SSO Users to OCA User Certificate Request URL
    The OCA server reduces the administrative and maintenance cost of provisioning a user certificate. The OCA server achieves this by authenticating users by using OracleAS SSO server authentication. All users who have an OracleAS SSO server account can directly get a certificate by using the OCA user interface. This reduces the time normally required to provision a certificate by a certificate authority.
    The URL for the SSO certificate Request is:
    https://<Oracle_HTTP_host>:<oca_ssl_port>/oca/sso_oca_link
    You can configure OCA to provide the user certificate request interface URL to the SSO server for display whenever SSO is not using a certificate to authenticate a user. After the OracleAS SSO server authenticates a user, it then displays the OCA screen enabling that user to request a certificate.
    To link the OCA server to OracleAS SSO server, use the following command:
    ocactl linksso
    opmnctl stopproc type=oc4j instancename=oca
    opmnctl startproc type=oc4j instancename=oca
    You also can use ocactl unlinksso to unlink the OCA to SSO.
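A consistency check for two files edited in the procedure above, as an added example that is not part of the original post: it confirms that the oracle_sso_server target in targets.xml carries the protocol, host and port passed to ssocfg, and that policy.properties pairs MediumHighSecurity with the X.509 plugin. The `<Targets>`/`<Target>` wrapper, the sample values, the placeholder plugin name and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Plugin class named in the policy.properties step above.
X509_PLUGIN = "oracle.security.sso.server.auth.SSOX509CertAuth"

# Constructed sample files. The <Targets>/<Target TYPE=...> wrapper is an
# assumed layout; only the three <Property> names come from the steps above.
SAMPLE_TARGETS_XML = """\
<Targets>
  <Target TYPE="oracle_sso_server" NAME="example_sso">
    <Property NAME="HTTPMachine" VALUE="sso.mydomain.com"/>
    <Property NAME="HTTPPort" VALUE="7777"/>
    <Property NAME="HTTPProtocol" VALUE="HTTP"/>
  </Target>
</Targets>
"""

# "example.placeholder.PasswordAuth" is a made-up class name standing in for
# whatever plugin was configured before the change.
SAMPLE_POLICY = """\
# constructed policy.properties fragment
DefaultAuthLevel = MediumHighSecurity
MediumHighSecurity_AuthPlugin = example.placeholder.PasswordAuth
"""


def parse_properties(text):
    """Minimal key=value reader; skips blank lines and # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def check_targets(xml_text, protocol, host, port):
    """Compare the oracle_sso_server target with the ssocfg arguments."""
    expected = {
        "HTTPMachine": host,
        "HTTPPort": str(port),
        "HTTPProtocol": protocol.upper(),
    }
    root = ET.fromstring(xml_text)
    targets = [t for t in root.iter("Target")
               if t.get("TYPE") == "oracle_sso_server"]
    if not targets:
        return ["no oracle_sso_server target found"]
    findings = []
    for target in targets:
        actual = {p.get("NAME"): p.get("VALUE")
                  for p in target.iter("Property")}
        for name, want in expected.items():
            got = actual.get(name)
            if got is None:
                findings.append(f"{name} is missing")
            elif got.lower() != want.lower():
                findings.append(f"{name} is {got!r}, expected {want!r}")
    return findings


def check_policy(text):
    """Check that certificate sign-on is the default authentication level."""
    props = parse_properties(text)
    findings = []
    level = props.get("DefaultAuthLevel")
    if level != "MediumHighSecurity":
        findings.append(
            f"DefaultAuthLevel is {level!r}, expected 'MediumHighSecurity'")
    plugin = props.get("MediumHighSecurity_AuthPlugin")
    if plugin != X509_PLUGIN:
        findings.append(
            f"MediumHighSecurity_AuthPlugin is {plugin!r}, expected {X509_PLUGIN!r}")
    return findings


if __name__ == "__main__":
    for finding in check_targets(SAMPLE_TARGETS_XML, "https",
                                 "sso.mydomain.com", 4443):
        print("targets.xml:", finding)
    for finding in check_policy(SAMPLE_POLICY):
        print("policy.properties:", finding)
```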

    I have read the SSO admin guide, and performed the steps for enabling SSL on the SSO, and followed the steps to configure mod_osso with virtual host on port 4443 as mentioned in the admin guide.
    The case now is that when I call my form (which is developed by forms developer suite 10g and deployed on the forms server which is SSO enabled) , it calls the SSO module on port 7777 using http (the default behaviour).
    on a URL that looks like this :
    http://myhostname:7777/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=.......
    and gives the error :
    ( Forbidden
    You don't have permisission to access /sso/auth on this server at port 7777)
    when I manually change the URL to :
    https://myhostname:4443/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=.......
    the SSO works correctly.
    The question is :
    How can I change this default behaviour and make it call SSO on port 4443 using https instead ?
    Any ideas ?
    Thanks in advance

  • Cannot start SIA in BI4.1 while configuring SSO

    Hi All,
    I am trying to configure SSO for windows AD.   My environment is Windows 2012 server and BO 4.1 SP2. 
    I have followed all the guides and previous discussions but I am getting stuck when I need to set the SIA to use the service account we created.
    All my SPNs look fine, users mapped OK in CMC, added service account to local admin group as well as "part of operating system policy", but once I stop SIA and enter the service account and PW I get an error "Access Denied".
    I have not seen any other discussions with my exact environment of Windows 2012 and BI 4.1 SP2.
    Any suggestions?
    Daniel

    Hi Daniel,
    Few suggestions from my side.
    1. Along with "Act as a part of Operating System" grant the user "Logon as Batch Job" and "Logon as service".
    2. Explicitly grant the user Full control over the install directory of BI 4.1
    3. I have never worked on Windows 2012 but assuming it will have UAC as in Windows 2008. So while opening CCM, right click CCM and specify "Run as Administrator" and try doing the changes.
    Hope this helps.
    Regards
    Chinmaya

  • SSO For Jabber 10.5

    Hi,
    Has anyone Configured SSO for Jabber successfully with CUCM 10.5 Version.
    I am getting following error after Exchanging Meta Data with ADFS Server.
    Can anyone suggest further troubleshooting steps? Or if there is any detailed guide for SSO with Jabber, please advise.
    Thanks

    You may verify your configuration from the below guides. There are sample configurations.
    Enable SAML SSO in Jabber Clients Configuration Example
    http://www.cisco.com/c/en/us/support/docs/unified-communications/jabber-windows/118774-configure-jabber-00.html
    AD FS Version 2.0 Setup for SAML SSO Configuration Example
    http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/118771-configure-samlsso-00.html
    Unified Communications Manager Version 10.5 SAML SSO Configuration Example
    http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-version-105/118770-configure-cucm-00.html
    Unity Connection Version 10.5 SAML SSO Configuration Example
    http://www.cisco.com/c/en/us/support/docs/unified-communications/unity-connection/118772-configure-ucxn-00.html
    SAML SSO Setup with Kerberos Authentication Configuration Example
    http://www.cisco.com/c/en/us/support/docs/unified-communications/jabber-windows/118773-configure-kerberos-00.html

  • I'm trying to use a madcatz controller on the mac but it turns on for 2 seconds and turns off. the system profiler picks it up as a xbox 360 gamepad but says its not been configured. how can i allow my self use this with my games.

    i'm trying to use a madcatz controller on the mac but it turns on for 2 seconds and turns off. the system profiler picks it up as a xbox 360 gamepad but says its not been configured. how can i allow my self use this with my games!

    I have exactly the same problem.
    I'm a little peed-off with Microsoft on this. The original wireless controller I have doesn't work either since the cable I'm using is 'just' the charge and play cable, so a direct connection to my Mac won't work with this cable. It's a cable for god's sake. Why on EARTH put any limitations on this!?!?
    Next I learn I need an additional USB wireless receiver from Microsoft to get my original 360 controller to talk to my Mac. As I certainly don't want to fork any more microsoft dollars on this, this is not an option.
    Next I think, yes! I have a MadCatz 360 wired USB controller. This should surely do the trick just plugging it in and the way I go. But oh no, for some reason I plug my MadCatz Xbox360 controller in, it flashes a few times then switches off and can't be turned on again.
    The System Profiles recognizes it as a MadCatz 360 device controller but that is about it, but the controller software I download for the System Prefs (360Controller, USBOverdrive etc) doesn't even recognize the controller as being plugged in.
    What the **** Is The Microsoft Deal with all of this!?!?
    PS: Oh, and I forgot to mention, there are No drivers for device 4716 that I can find on the MadCatz website, or am I going blind?
    If anyone has a link, it would be appreciated.

  • Problem in configuring SSO using SAML for applications hosted on diff m/c

    Hi Techies,
    I am stuck in a weird problem for past month or so without any resolution. Not much help by googling. So I hope i get the answer from the mouth of the horses -
    I am trying to use SSO using the sample application appA and appB as stated in the tutorial of SSO by BEA.
    I am summarizing the problem below -
    Steps followed for Configuring SSO using SAML
    1. Created 2 domains on 2 separate machines namely domainA and domainB
    2. Source application is deployed on domainA and the target application is deployed on domainB
    The steps mentioned in the following tutorial has been followed-
    http://dev2dev.bea.com/pub/a/2006/12/sso-with-saml.html
    3. As mentioned in the tutorial the certificate is generated using keytool utility. The same certificate is copied
    to WEBLOGIC_HOME/server/lib of destination machine.
    4. The certificate was successfully registered on destination or host 2 but while activating the configuration
    changes (SSL Client Identity Alias and SSL Client Identity Pass Phrase) for Federation services the following error
    is thrown -
    " SAMLBeanUpdateListener: SAMLKeyManager.prepareUpdate() failed with exception:
    weblogic.descriptor.BeanUpdateRejectedException: SAML key Manage failed to validate key (SSL Client) configuration
    in the FederationServicesMBean, key alias: testalias "
    The interesting bit of the problem is that the same configuration works on 2 domains created on same machine. The
    problem only occurs when domains are created on separate machines.
    Alternative to the problem: when the certificate is generated separately for domainB and copied to
    WEBLOGIC_HOME/server/lib, it works. However, the certificate generated in domainA should have been copied.
    Note: I am using Weblogic portal 9.2.1
    Any quick replies will be much appreciated. Thanks.
    Edited by saurabh.agrawal at 02/06/2008 2:01 PM

    Hi François,
    You are right about the use of the NameID format. But the issue here is/was that OIF at SP is integrated with OAM, and the authenticated user at OIF-SP and OAM will be the Anonymous user rather than the user who was identified at the IdP even though the remaining attributes sent are for the IdP user. I think these attributes can be used with OAM for authorization using custom authorization plug-ins but haven't tried that one out.
    As for the attribute sharing profile, it's this one - http://www.oasis-open.org/committees/download.php/18058/sstc-saml-x509-authn-attrib-profile-cd-02.pdf, although for the life of me, I cannot remember why I suggested this in the first place!
    -Vinod

  • How do we use SSO for both Windows AD and Trusted authentication?

    We want to have the majority of our users access the BO 4 BI Launchpad using SSO with Windows AD authentication.  We have set this up and it's working ok.  We also have a subset of external users and need to configure SSO with Trusted authentication for their Enterprise accounts.  Support says we can only have SSO for one authentication type.  I'm assuming we can work around this by installing a 2nd Tomcat instance on our Linux server.  Has anyone done this type of config successfully?  Any other ideas would be greatly appreciated.  Thanks!

    Hi Collins,
    BOE's CMS can be accessed from multiple application servers.
    Please have a look on this new article [here|http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/00240702-8343-2f10-ed9a-85ece14c93db] .
    You may use this method for other application servers (not only NW) but just don't add the file "web-j2ee-engine.xml" as it's not needed.
    Regarding section 4.2.4 of the document: on one application server just set the "authentication.default" property in the file BIlaunchpad.properties to "secWinAD" (for Win AD), and on the other set it to "secEnterprise".
    Please report any problems you may encounter,
    thanks,
    Idan

  • How to configure Oracle SSO for forms and apex

    Hi All,
    I am trying to configure Oracle SSO for forms and apex using third party external authentication. Please help me how to configure. I have tried all possible things
    from the web but I am not able to do it. Any docs or links are much appreciated.
    Info: For some reason my oiddas web link is not working (it used to work fine before), and from the /pls/orasso/ link I am not able to log in, maybe because of my oiddas issue.
    Thanks

    Hi Andreas,
    Thank you for your help. I am trying to implement third party external LDAP authentication for APEX and Forms.
    So I started with OID and SSO setup to create external Partner Applications. For some reason my OID and SSO web login links are not working. I didn't find any errors. I need some help in finding the problem and direction. I already read docs on the web but found no proper direction. I appreciate your help.
    Thanks
