Deleting Logon Ticket

Hi all,
I am using EP6 here and ECC5. I am using SSO with logon tickets.
My logon ticket has expired. So i have to make a new one in visual administrator.
But it is not letting me delete that or not even rename that.
It gives an error message. I cant copy the error mesage that comes. And I cant find the same error in any file. may be i missed some file. Tell me where can i find that error so that i can paste the error message here.
Please tell me how too delete the logon ticket
Thanks
Tajinder

hi tajiinder,
Configuring the J2EE Engine to Accept Logon Tickets
Use
The J2EE Engine uses EvaluateTicketLoginModule to accept logon tickets for SSO. After receiving the logon ticket from the users Web browser, the J2EE Engine verifies the ticket signature based on the established trust relationship with the issuing system. Based on the ticket validity, the J2EE Engine authenticates the user.
For the case when you use authentication assertion tickets for SSO between the AS ABAP and the J2EE Engine, the corresponding module is EvaluateAssertionTicketLoginModule.
Prerequisites
To check the validity of a users logon ticket, the J2EE Engine must be able to verify the issuing servers digital signature.
●      If the J2EE Engine is both the ticket-issuing server as well as the accepting server, then it can automatically verify its own digital signature.
●      If the ticket-issuing server is a different one, then this servers public-key certificate must be available in the keystore view that the J2EE Engine uses for verifying logon tickets.
Procedure
The Trusted Systems ® SSO Wizard configuration functions of the SAP NetWeaver Administrator enable you to use wizard-based management of trust relationships for SSO with logon and assertion tickets. The configuration changes made with the wizard have a global effect for ticket-based SSO to the J2EE Engine.
       1.      Open the SSO Wizard.
Note the following:
○       If the ticket-accepting system is SAP NetWeaver 7.0 SP14 or higher, you can access the SSO Wizard by following the path System Management ® Configuration ® Trusted Systems.
○       If the ticket-accepting system is SAP NetWeaver 7.0 SP 13 or lower, first you must deploy the SSO Wizard. More information: SAP note 1083421.
The system which you configure is displayed in the Selected Accepting System section.
There are two ways to add a trusted system:
○       By connecting to the system and requesting its certificate.
If the ticket-issuing system is SAP NetWeaver 2004 SP20 or lower, or SAP NetWeaver 7.0 SP13 or lower, you must configure it so it can send a response to the certificate request. More information: SAP note 1083421.
○       By manually uploading the certificate of the system.
Adding a Trusted System by Connecting to It
                            a.      In the Trusted Systems section, choose Add Trusted System ® By Querying Trusted System.
                            b.      The System Landscape Directory (SLD) opens automatically and lets you select the system you want to add. Select the system and choose OK. The connection details for the selected system are displayed automatically.
If you cannot find the system you want to add, choose Cancel and provide the connection details:
                                                  i.       Select the type of the system from the System Type dropdown list.
                                                ii.       Enter the necessary connection details.
If you want to add an AS ABAP system, the field System Number appears. You can get the system number of an ABAP system by its license key which you received from SAP.
                            c.      Enter your user name and password in the provided fields and choose Next.
                            d.      The details about the selected systems certificate appear. To add the system, choose Finish. If you want to make changes, choose Back.
Adding a Trusted System by Manually Uploading its Certificate
Before you start the following procedure, you must export the trusted systems certificate. More information: Exporting the Ticket-Issuing Server's Public-key Certificate.
                            a.      In the Trusted Systems section choose Add Trusted System ® By Uploading Certificate Manually.
                            b.      Enter the System ID and Client in the provided fields.
                            c.      Browse to the location of the systems certificate. Select the certificate and choose Open.
                            d.      Choose Next. The information about the system and the certificate is displayed. To add the system as trusted, choose Finish. If you want to make changes, choose Back.
       2.      Add the login module EvaluateTicketLoginModule (or EvaluateAssertionTicketLoginModule) to the login module stacks for the J2EE Engine policy configurations of the application components that accept login tickets for SSO. To do this, use the Security Provider Service of the Visual Administrator.
                            a.      In the Security Provider Service choose Runtime ® Policy Configurations ® Authentication tab.
                            b.      Select the policy configuration for the application component to accept logon tickets from the Components list.
                            c.      Choose the Switch to edit mode button.
                            d.      Choose Add New. The list of available login modules for the component appears.
                            e.      Choose the EvaluateTicketLoginModule (or EvaluateAssertionTicketLoginModule) from the list and choose OK.
If you change the options of a login module in the user store, the changes will be inherited by all policy configurations that use this login module.
If you change the options of a login module in a single policy configuration, the change applies only to that policy configuration. In this case the login module will no longer inherit its options from the user store. To restore the inheritance change the options in the policy configuration or in the user store so that they are identical.
Result
After you complete the wizard, the ticket-issuing system is shown in the Trusted Systems list. The J2EE Engine accepts logon tickets that have been issued by the corresponding server.
if you have douts pls go thru the following urls
help.sap.com/saphelp_nw04/helpdata/en/71/c3d53a60ad204ce10000000a114084/content.htm - 30k
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/69d95112-0d01-0010-8297-fa31feea26e0
thanks karthikeya
dont forget to reawrd me if it helps you

Similar Messages

Error Runging the Transaction iview using SSO logon ticket

Hi I am getting the follwoing error in log file. when i am running the Transaction iview using SAP Loggon ticket.
#1.5 #005056A33F2000840000000500000600000456BC1060683F#1221265635404#com.sap.security.core.umap.imp.UserMappingDataImp#sap.com/irj#com.sap.security.core.umap.imp.UserMappingDataImp.getAuthenticationTicket()#Guest#0##n/a##28a92320812111ddb972005056a33f20#Thread[UWL Pooled Thread:2,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Error#1#/System/Security/Usermanagement#Java###The attribute "" of the backend system with alias "" has the invalid value "".
Cannot generate an SAP authentication assertion ticket for user and the specified backend system.
Please adjust the value of the system attribute. Supported values are "" and "".#6#AuthenticationTicketType#"KPMGVM005_ALIAS"##"Stokkeland, Pauline" (unique ID: "USER.PRIVATE_DATASOURCE.un:P00024384")#SAP Logon Ticket#SAP Assertion Ticket#
I have imported the .der file of the portal in to the SAP ECC sytem.using STRUSTSSO2
Created the profile parameters using rz10 trnsaction.
login/create_sso2_ticket
login/accept_sso2_ticket
restarted the ECC system.
Created the system object using the follwoing parameters
WAS
Connector
Usermanagement
Under usermanagement
Authentication Ticket Type - SAP Logon TicketSAP
Logon Method -SAPLOGONTICKET
User Mapping Fields :<not selected>
User Mapping Type    :<not selected>
when i test the sytem object under connection test:showing the following error.
Test Details:
The test consists of the following steps:
1. Retrieve the default alias of the system
2. Check the connection to the backend application using the connector defined in this system object
Results
Retrieval of default alias successful
Connection failed. Make sure that Single Sign-On is configured correctly
But WAS, ITS, Connector are successfull. but above message is showing.
what could be the problem.
When i run one transaction iview with this system it is showing following error.
com.sap.portal.appintegrator.sap.Transaction::Transaction/WebGuiSSOITS640Layer
Parameter Dump
$DebugAction
$TimeStamp 1221268987126
ALLOW_BROWSER Yes
Alias
ApplicationParameter
ApplicationVariants GuiType
AuthScheme default
Authentication ******
AutoStart false
CachingLevel
ClassName com.sapportals.portal.appintegrator.layer.SingleSignOnLayer
ClientWindowID
CodeLink com.sap.portal.appintegrator.sap.Transaction
CommandField YTIME
CurrentWindowId WID1221260007272
CustomerExit.ParameterProvider
DR.TargetIDPropertyName TCode
DebugMode false
DynamicParameter
DynproFields
ExecutionLocation KPMGVM005_ALIAS
ExportParameters Authentication, LogonUser, RequestMethod
FederationAlias
ForcedRequestLanguage
ForwardParameters
ForwardParameters.Always sap-config-mode
ForwardParameters.Excluded
ForwardParameters.Forbidden ClientWindowID, Command, DebugSet, DynamicParameter, Embedded, InitialNodeFirstLevel, SerAttrKeyString, SerKeyString, SerPropString, SessionKeysAvailable, iview_id, iview_mode, windowId, sap-pp-producerid, sap-pp-consumerBaseURL, sap-pp-returnToConsumer, login_submit, j_user, j_password, j_authscheme, uidPasswordLogon, MappedUser, MappedPassword
GUSID
GuiType WebGui
GuiType.default WebGui
ITSVersion 640
JREPluginDownloadLocation
JREPluginMimeType application/x-java-applet;version=1.4.1_02
JavaGuiCodeBase
JavaGuiTraceFile
JavaGuiTraceKey
LAF
LoadingCacheKey <Portal.Version><LAF.Theme>
LogonMethod SAPLOGONTICKET
MandatoryParameters System
NavMode 1
NavigationTarget navurl://21635c17e11df05c58e1c07deaf5bed1
NextLayer Transaction/WebGuiESIDLayer
OkCode
OkCodeField
OptionalParameters
ParameterTemplate <ApplicationParameter[PROCESS_RECURSIVE]>;<ForwardParameters[QUERYSTRING]>;<DynamicParameter[PROCESS_RECURSIVE]>;
Portal
ProducerLocation Remote
REFRESH_CONTENT -1
ReuseWinguiConnection false
RoundtripURL
SSO2Template
SessionManagementVersion
SupportedUserAgents (MSIE, >=5.5, *) (Netscape, *, ) (Mozilla,,*)
SupportsUnicodeCodePages false
System KPMGVM005_ALIAS
System.type lookup:com.sapportals.portal.appintegrator.lookup.SystemLookup
TCode YTIME
Technique Standard
TopLayer Transaction/DragAndRelateLayer
Transactions_Require_SSF RRMX,RRMXP
URL
UnsupportedUserAgents
UseFrog true
UseSPO1 false
UserMappingTemplate sap-user=<MappedUser>&sap-password=<MappedPassword>
ValidityPeriod -1
Wizard.ApplicationVariantPane.Description
Wizard.ApplicationVariantPane.Title
Wizard.MandatoryParameters System, TCode, GuiType
Wizard.OptionalParameters ApplicationParameter, UseFrog, Technique
Wizard.ParameterPane.Description
Wizard.ParameterPane.Title
X509Template
com.sap.application_integration.ConfigurationServiceID Transaction_Configuration
com.sap.portal.ComponentType com.sapportals.portal.iview
com.sap.portal.activityreport.MonitorHits true
com.sap.portal.admin.propertyeditor.categoryName
com.sap.portal.iview.AccessibilitySupport
com.sap.portal.iview.Availability VISIBLE
com.sap.portal.iview.DisableChildrenDYN
com.sap.portal.iview.DisableChildrenRL
com.sap.portal.iview.DisableChildrenTC
com.sap.portal.iview.DragAndRelate false
com.sap.portal.iview.ExpansionMode Open
com.sap.portal.iview.HasContentPadding true
com.sap.portal.iview.Height 80
com.sap.portal.iview.HeightScale PIXELS
com.sap.portal.iview.HeightType FIXED
com.sap.portal.iview.HelpURL
com.sap.portal.iview.IsTemplate false
com.sap.portal.iview.MainObject
com.sap.portal.iview.MaxAutoHeight 1000
com.sap.portal.iview.MinAutoHeight 0
com.sap.portal.iview.SMiViewURL com.sap.portal.epsolman.EPSolman
com.sap.portal.iview.ShowDetails true
com.sap.portal.iview.ShowExpand true
com.sap.portal.iview.ShowHelp false
com.sap.portal.iview.ShowMinimize true
com.sap.portal.iview.ShowPersonalize true
com.sap.portal.iview.ShowRefresh false
com.sap.portal.iview.ShowRemove true
com.sap.portal.iview.ShowSMiView false
com.sap.portal.iview.ShowTitle true
com.sap.portal.iview.ShowTray true
com.sap.portal.iview.TitleURL
com.sap.portal.iview.TrayType PLAIN
com.sap.portal.iview.Width 400
com.sap.portal.iview.WidthScale PIXELS
com.sap.portal.iview.WidthType FIXED
com.sap.portal.iview.family
com.sap.portal.navigation.DragRelate 0
com.sap.portal.navigation.ExtWindowHeight 710
com.sap.portal.navigation.ExtWindowWidth 1014
com.sap.portal.navigation.Invisible false
com.sap.portal.navigation.JScript
com.sap.portal.navigation.MergeId
com.sap.portal.navigation.MergePriority 100.0
com.sap.portal.navigation.Mergible true
com.sap.portal.navigation.NavigationHierarchyMetadata Cacheable
com.sap.portal.navigation.Priority 100.0
com.sap.portal.navigation.QuickLink
com.sap.portal.navigation.ShowAddToFavorites true
com.sap.portal.navigation.ShowType 1
com.sap.portal.navigation.WindowName
com.sap.portal.navigation.view
com.sap.portal.pcd.gl.Collection IP_PTL_INITIAL_CONTENT
com.sap.portal.pcd.gl.CreatedAt Sat Sep 22 11:32:17 EDT 2007
com.sap.portal.pcd.gl.CreatedBy Administrator
com.sap.portal.pcd.gl.DeltaLinkState -1
com.sap.portal.pcd.gl.Domain EP
com.sap.portal.pcd.gl.LastChangedAt Fri Sep 12 19:24:19 EDT 2008
com.sap.portal.pcd.gl.LastChangedBy ksingh
com.sap.portal.pcd.gl.ObjectClass com.sapportals.portal.iview
com.sap.portal.pcd.gl.OriginalCountry
com.sap.portal.pcd.gl.OriginalLanguage en
com.sap.portal.pcd.gl.Responsible Administrator
com.sap.portal.pcd.gl.TransportDependencies pcd:com.sap.portal.system/archives/com.sap.portal.appintegrator.sap.par
com.sap.portal.pcd.role.EntryPoint false
com.sap.portal.pcm.Description VRB_com.sap.portal.pcm.Description
com.sap.portal.pcm.Title myTime
com.sap.portal.pcm.admin.Capabilities com.sap.portal.capability.delete,com.sap.portal.capability.link,com.sap.portal.capability.copy,com.sap.portal.capability.edit,com.sap.portal.capability.cut,com.sap.portal.capability.transportable,com.sap.portal.capability.launch,com.sap.portal.capability.editpermissions
com.sap.portal.pcm.admin.UseDefaultCapabilities true
com.sap.portal.private.iview.PropertiesUrl pcd:com.sap.portal.system/applications/com.sap.portal.appintegrator.sap/components/Transaction
com.sap.portal.reserved.iview.ButtonsURL
com.sap.portal.reserved.iview.EditorURL pcd:portal_content/com.sap.pct/admin.templates/iviews/editors/com.sap.portal.pcmEditor
com.sap.portal.reserved.iview.IconName
com.sap.portal.reserved.iview.IsolationMode URL
com.sap.portal.reserved.iview.NavPanelStatus Automatic
com.sap.portal.reserved.iview.ParamList *
com.sap.portal.reserved.iview.WizardURL com.sap.portal.appintegrator.iViewWizard
com.sap.portal.workDistributionTopic
com.sapportals.portal.navigation.FolderEntry false
com.sapportals.portal.navigation.Pictogram
com.sapportals.portal.navigation.WinFeatures resizable=yes,toolbar=no,menubar=no
propertyIdMapping
com.sap.portal.appintegrator.sap.Transaction::Transaction/WebGuiSSOITS640Layer
MandatoryParameters
System   SAP_LocalSystem KPMGSBBW_alis KPMGVM005_ALIAS SAP_BW SAP_CRM SAP_ECC SAP_RPM SAP_WEBDYNPRO_CRM_ALIAS TestECC_Alias Test_CRM_Alias WebEx XBICLNT100 XCRCLNT100 XECCLNT100
Is it required to add ECC certificate to Portal sytem?
we have created the same user id in both the sytems.
Please let me know what could be the error.
Regards

Vijay,
Please follow these steps and lemme know what you observe.
Go to system administration->support->sap application-> under test and configuration tools choose sap transaction
under the mandatory fields choose the system that you have created, choose a tcode (se16) and choose sap gui for windows and click go.
If you are able to logon to your ecc system, your sso works!
P.S Make sure the user name with which you are testing this, exists in the backend as well.
Good luck
Cheers,
Sandeep Tudumu

SAP GUI & logon tickets

We're setting up a bunch of iViews in our portal to provide transparent single-sign on to all our backend SAP systems. They run on Unix, so we'd need to purchase a third party product to do it directly with SAPGUI. I'm wondering if there's a technical reason why the SAP GUI client couldn't perform a standard NT authentication and then use logon tickets to grant backend access like the Portal does, assuming the userids are the same (I realize there's no place in SAPGUI to do user mapping if they're not).
Just curious. It would be a great way to provide single signon to SAP systems regardless of the server platform.
Thanks,
Rich

Hi Sanjay,
actually there was a handson given two years ago, exactly showing this on teched.
You may be able to find the contents at
elearning: https://www.sdn.sap.com/sdn/elearning.sdn?class=/public/eclasses/teched04/SCUR251.htm
presentation: https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/documents/a1-8-4/single%20sign-on%20in%20heterogenous%20landscapes.pdf
This setup is used by some customers also to get an improved version of the SAP logon pad
Please be aware, that this only covers SSO to the SAP Gui connected system but not encryption.
Kind regards,
Patrick

SSO to non SAP Application using SAP Logon Ticket

Hi Experts,
I Have EP 7 SP 15 using SPNego Wizard to SSO with Active Directory and SSO between EP and ECC using SAP Certificates.
Now I have a demand to SSO some JAVA based applications (non SAP) to my portal using the SAP Logon Ticket.
I Have followed some blogs that directed me to use SAPSSOEXT (some libs) to read the MYSAPSSO2 cookie. The problem is that I didn't found this cookie, I even executed the command javascript:document to look for this cookie but the browser just show me the JSESSIONID info.
Does anybody knows where I can find this cookie or if there's a better way to set up this SSO? It´s necessary to say that I cannot SSO these application to the kerberos protocol because some security reasons on my company.
Thanks
Armando

Hi,
I dont have much info related but i can giv u hint
refer OSS Notes 442401 and 723896.
When using SAP logon tickets for non-SAP applications, two different implementation options are available. The difference lies in where the ticket verification takes place.
In the first case, the SAP logon ticket is submitted to the web server filter located on the web server. The web server filter verifies the portal serveru2019s public key
certificate using its local Personal Security Environment (PSE) and then populates the HTTP header field with the user ID for SSO to the non-sap web application.
In the second case, the SAP logon ticket is sent to the non-SAP application, which then verifies it using the ticket verification DLL and submits the user ID to the application for SSO.
You can refer following link :-
http://help.sap.com/saphelp_nw70/helpdata/EN/89/6eb8deaf2f11d5993700508b6b8b11/frameset.htm
user authentication and SSO
http://help.sap.com/saphelp_nw70/helpdata/EN/8f/ae29411ab3db2be10000000a1550b0/frameset.htm
Authentication Using a Directory with SSO Integration Using Logon Tickets
http://help.sap.com/saphelp_nw70/helpdata/EN/f8/3b514ca29011d5bdeb006094191908/frameset.htm
SSO
SAP Logon Ticket-based Single Sign-On
http://help.sap.com/saphelp_nwce10/helpdata/en/45/b6af743753003ae10000000a11466f/frameset.htm

SSO logon tickets not working in two different OS

HI All,
We have sucessfully implemented SSO logon tickets concept to access a j2ee application through portal on windows OS.
We could able to do the samething on two j2ee instances installed on two different machines on same domain. I mean, deploying our application in one j2ee instance and accessing the application thru portal of another j2ee instance thru SSO logon ticket by adding some configuration steps in Visual administrator given in help.sap.com. This also we did in same OS windows.
But now the problem is, when we try to implement the above scenario in two different OS, say application is deployed on HPUX machine, and accessing that application through Portal from Solaris machine, SSO logontickets is failing. Means we couldnt able to access the application. Both the OS are in same domain only.
What extra configuration steps need to be done in VA, to get work with two different OS?
Please share ur ideas.
Regards,
Satish.

Hi..
I guess probabaly the internet explorer doesnot accept the sso ticket.
What you can probably check is that the compatability of explorer for the solaris and HP UX os with Windows OS.
Also,please check whether the SSO ticket is getting populated and What error are you getting exactly when the SSO fails and that will give some idea to proceed further
<u>deploying our application in one j2ee instance and accessing the application thru portal of another j2ee instance[/u
What the above mean...how are you deploying ?? what tool ?? which J2EE instance out of the two ??
Thanks
Gopal

SSO using Kerberos with SAP Logon Tickets

Hi,
I am creating a Repository Manager for the Portal Knowledge Management System and I want to use SSO to a backend IIS application and I have a few questions here.
I have a three tiered architecture.
A. The presentation tier (SAP Portal which has my Repository Manager implementation)
B. ASP.NET web service data layer.
C. Backend document management system which runs on IIS.
I have installed the ISAPI filter on my ASP.NET application server and have enabled this HOST account for delegation in MSAD 2003. Server B will use Kerberos constrained delegation to access Server C, which is an IIS backend server.
My question is how do I pass an SAP Logon Ticket to an ASP.NET web service request from my Repository Manager implementation? Basically how do I just make an HTTP request to an ASP.NET application from some portal iView or WebDynPro code and pass along the SAP Logon Ticket in the request so it can be interpreted by the ISAPI filter on the IIS server. Does anyone have any sample code or an application here that does this?
Thanks,
Scott

Hi Scott
Did you managed to find out anything regarding how to pass SAP Logon ticket to ASP.NET Webservice. Can you share it with me?
regards
ram

SSO with Logon Ticket to non-SAP Unix based application

Hi all,
Anyone has implemented SSO with Logon Ticket to a Unix box ?
We need to achieve Single Sign On between our EP5.0 SP5 Portal and a third-party web application with a front-end on a Unix AIX machine with Apache.
We achieved SSO with non-SAP applications with Logon Tickets, but one was to an IIS system in another domain (we therefore used the standard Web Filter for IIS and declared it in usermanagement for cross-domain support) and another one running on Windows platform (we used the C libraries provided in the "Logon Ticket Toolkit": NT or Linux only).
From what we understand and found on the web sites, we cannot reuse any standard web filter (none for Unix, am I correct ???) and want to implement custom code using SAP libraries, if possible using Java
-> Are there any Java libraries that are available to both:
. verify the logon ticket with the deployed Portal public key
. decrypt/extract the authenticated username from this ticket ??
I've seen a mention of Java libraries, and Unix, in a SAP EP 6.0 document but I'm not sure where to find them...
Is the SAP Logon Ticket issued the same way in EP 5.0 and EP 6.0 ?
I managed to find something called SAPSSOEXT, for AIX, which contains some partial library and a sample, but it is dated 2000 !! Anyone has more information about this ?
Any hint is very much appreciated.
Thanks a lot
Olivier

Check these links for reference regarding AIX and Apache using X.509 certificates:
http://publib16.boulder.ibm.com/pseries/en_US/aixbman/security/cas_pki.htm
And just using cookies -
http://forums.devshed.com/archive/t-105611 (perl based)
You can also use mod_ssl built into your Apache to facilitate both certificate based authentication as well as encryption.
The mod_ssl route is most secure (because of the encryption), the IBM link is comprehensive but requires extra infrastructure (LDAP).
Nick
Nick

SSO Help - Portal to ABAP via logon tickets

Hi All,
I've done this configuration in the past but it seems that the process has changed a bit and I'm in need of some advice.
I have a portal system which I've setup SSO. The SSO is done through Kerberos and the users are pulled from LDAP. Users login to their windows account, they hit the portal without having to login again, perfect. I used the new SPNego setup wizard to do this.
Now the issue I'm having. Portal user ID's are not the same as ABAP ID's. I have used a blank attribute in Active Directory (specifically "extensionAttribute7") to fill in the ABAP user ID's. I have modified the data source XML file in the portal to look like this:
<nameSpace name="$usermapping$">
<attributes>
<attribute name="REFERENCE_SYSTEM_USER">
<physicalAttribute name="extensionAttribute7" />
</attribute>
</attributes>
</nameSpace>
I have changed the UME property to look like this:
ume.usermapping.refsys.mapping.type = attribute
When I try to access an SAP report through the portal I get the error:
The initial exception that caused the request to fail was:
Ticket contains no / an empty ABAP user ID (see note 1159962)
My ABAP system is setup to create and accept logon tickets. Certificates have been exchanged on both systems (checked through NWA). It looks like the saplogonticket isn't picking up the ABAP user ID that I've stored in AD and mapped to in the XML file.
In the Java system, my logon ticket stack looks like this:
EvaluateTicketLoginModule SUFFICENT
SPNegoLoginModule OPTIONAL
CreateTicketLoginModule SUFFICENT
BasicPasswordLoginModule REQUIRED
CreateTicketLoginModule REQUIRED
Can anyone see an obvious step that I'm missing? Any tips would be appreciated.
Portal system is running 7.01 sp8
ABAP is running 7.01 sp8
Cheers,
Richard

Hi Arjun,
No I'm not using user mapping. I want to pass my ABAP user ID from an attribute I'm using in Active Directory. For some reason the sap logon ticket isn't picking up my username from the attribute when I try to go from portal to ABAP.
Hi Samarth,
Not sure I understand the request. The user is coming from the portal and is attempting to run a ABAP report from the portal. The user names are not the same. I am attempting to map the ABAP user ID to an Active Directory attribute that I can pass to the sap logon ticket.
Hi Siva Kumar,
Yes I checked the VA as well, the entries are there.
Thanks all for the suggestions. Keep them coming if you have more, they are greatly appreciated.
I basically followed this from SAP to set it up
http://help.sap.com/saphelp_nw70ehp1/helpdata/en/0b/d82c4142aef623e10000000a155106/frameset.htm
You are using an LDAP directory as a data source for the User Management Engine (UME). The user IDs for ABAP systems are already available in the LDAP directory. You no longer need to define a user mapping for each user, as the data is already available in the LDAP directory.
Cheers,
Richard

SSO to SAP R3 thru ITS 6.20 with Logon tickets

Hi All,
I am trying to configure SSO to R3 thru ITS with the Logon Tickets.
I have configured R3 to accept the tickets using STRUSTSSO2.
Downloaded the verify.der file from Portal and imported to R3
And tried to test the System connection.
If I use <b>SAP GUI for Windows</b>,the logon ticket is passed and SSO happens
with out any problem.
But If I use <b>SAP GUI for html</b>,then ITS Logon screen appears and once I
enter the user id and password it logs in.
In ITS global.srvc file I have added the following parameter
<b>~mysapcomusesso2cookie 1</b>
I also have the following parameters in the global.srvc file
<b>~login <space>
~password <space></b>
Do I need to configure any thing more in ITS.
Where am I going wrong.
I have read regarding <b>Pluggable Authentication Service(PAS)</b>.Is this mandatory for SSO thru ITS
Please let me know
I am working on EP6 SP14
Any help is really appreciated
Thanks in advance
Regards,
Santhosh

Hi,
IWithin System definition of R/3 System, you've to give the FQDN of ITS just same as Portal system. For example if your Portal system's FQDN is below:
http://portal.hedehode.com:50000/irj
then the ITS Server definition (parameter ITS Hostname) must be:
itsserver.hedehode.com:port
for portal to resolve itsserver.hedehode.com host, you may need to enter its IP address into hosts (c:\windows\system32\drivers\etc\hosts) file of portal system.
<ip> itsserver.hedehode.com

How to implement SSO to non-SAP systems using SAP logon ticket?

Hello,
We would like to implement Single Sign On between our SAP Netweaver system and a Siebel which is a non-SAP system using SAP logon tickets.
Can anyone please give me some leads on this, in particular:
1. Is there a JAVA API or an SAP plug-in that can be implemented on the Siebel machine to extract the SAP logon ticket?
2. As the other machine might seat on a complete different domain, is it possible to implement SAP logon ticket without using cookies (perhaps through the HTTP header?
3. In case you think using SAP logon tickets is not the best solution here I would be happy to hear any other suggestions you might have.
Roy

Hi,
I'm currently using SAML as well. Unfortunately the SAP J2EE cannot work as authority (identity provider) but what you can do is using an open implementation of SAML such as opensso which is an open version of SUNs Java System access manager.
There are a couple of other projects such as opensaml, apache's wss4j or shibboleth that might be interesting in this context.
I just installed opensso and got it working with SAP J2EE 7.0 using SAPs JAAS SAMLLoginModule to authenticate users within SAP J2EE.
In this scenario opensso serves as identity provider just as you need! There are a couple of Policy agents available on SUNs Download site you can use with Apache, Tomcat, JBOSS, WebSphere, Bea Web Logic etc. in order to authenticate! Otherwise you just directly authenticate against opensso. When installing opensso you can configure the type of user store you want to use! By default it uses LDAP but you can also use different types of user store using JDBC or other mechanisms. Since you have a Directory Service you could easily connect it to your existing directory.
There is also a way to map user ids directly in opensso by adding a uid mapping class. I created some documentation with lots of screenshots about using opensso with SAP J2EE. You can easily use opensso with any other system that supports SAML. In the case of SAP the usage is currently limited to SAML versions 1.0 and 1.1. Version 2.0 is not yet supported but should be in one of the following versions.
Here are some links you might want to check:
OpenSAML: https://spaces.internet2.edu/display/OpenSAML/Home
wss4j: http://ws.apache.org/wss4j/
shibboleth: http://shibboleth.internet2.edu/
opensso: https://opensso.dev.java.net/
On SDN you will find a documentation on how to connect SUN Java System Access Manager to SAP J2EE (see https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/906d9fc6-31b9-2910-1385-90edad7d7570). As I said opensso is based on the SUN Access Manager code and looks quite the same. So you can adapt this documentation in order to configure opensso or you can just ask me for the documentation.
Hope this is helpful...
Let me know if you need further assistance on this topic
Cheers

SSO to Web Service using SAP Logon Ticket

Hi,
I have to do SSO using SAP Logon Ticket between my portal and a Java Web Service that is accessible over internet. I do have the WSDL file of this Web Service.
I want to know:
1. What changes are required in Web Service to configure it to read and accept Logon Ticket?
2. What am I supposed to do at portal end to enable this process?
Thanks,
Vivek

Hi Vivek & Raja,
> is it that if the WS is a third party WS and running on a Non-SAP J2EE Server,
> we can't implement SSO from Portal to it using SAP Logon Ticket?
Right, if you cannot extend it's functionality, how should it do the ticket verification...
@Raja:
> SAP Logon Ticket is for authenticating to a SAP system, since yours in a
> thirdparty ws, there is not need of SAP logonticket.
On the other hand, that's not true. It is possible as well as often done to verify the SSO ticket on some third party system. This is also supported, for Java as well as for other systems, different articles about such scenarios have been published, also here on SDN.
Hope it helps
Detlev
PS: Vivek, please consider rewarding points for helpful answers on SDN. Thanks in advance!

SSO with SAP logon tickets to non-SAP web app

I am trying to implement SSO to an oracle portal based web application using SAP logon tickets, but can't seem to find a way for it to work. I thought maybe it would be a web server filter, but am unsure if this would work for oracle portal. Anyone tried similar?
Cindy

Hi Cindy,
If it is EP6 SP2 probably you can checkout the following document.
http://service.sap.com/ep60
Go to Documentation Help>How-To-Guides>Current How To Guides section.
checkout the following how to guide.
Perform Cross Domain SSO with SAP Logon tickets zip file.
If you want the zip file please send an e-mail to
[email protected]
Regards
-Venkat Malempati

Java client application + SAP Logon Tickets (SSO)

Java client application + SAP Logon Tickets (SSO)
Hello
I have the following question, it is about connection between SAP Enterprise Portal and Java Application.
After registration in Enterprise Portal (with Internet Explorer Browser) request is passed on to SAP backend system - cFolders (SSO methode)
With internet browser functioned everything.
How can one get, however, this Logon tickets with Java application and then be of use later for SOAP connection
(everything with client java application)
Thanks for quick help
Edo

Hi Edo,
look at this https://media.sdn.sap.com/javadocs/NW04/SPS15/um/com/sap/security/api/ticket/TicketVerifier.html
Best Regards
Oliver

How can I process an SSO Logon Ticket in ColdFusion 9?

Hi,
We want to integrate some CouldFusion templates on the SAP portal and I try to process the SSO Logon Ticket using the following code:
<cfif IsDefined("Cookie.MYSAPSSO2") AND Cookie.MYSAPSSO2 neq "">
<cfscript>
    ticket = Cookie.MYSAPSSO2;
    sso = createObject("java", "SSO2Ticket");
    version = sso.getVersion();
    Application.CertPath = "/opt/coldfusion9/lib/verify.pse";
</cfscript>
<h2>Ticket cookie:</h2>
<cfdump var="#ticket#">
<h2>Version:</h2>
<cfdump var="#version#">
<h2>Certification path:</h2>
<cfdump var="#Application.CertPath#">
<cfscript>
    result = sso.evalLogonTicket (ticket, Application.CertPath,"");
    sapUser   = result[1]; //First element is the SAP system user
    sysID = result[2]; //Second element is the id of the issuing system
    client = result[3]; //Third element is the client of the issuing system
    portalUser = result[5]; //Portal user
    validityInSeconds = result[7]; //Validity in seconds
</cfscript>
<h2>Ticket content:</h2>
<cfdump var="#result#">
<cfelse>
    SAP Logon Ticket not found - Extranet content can only be accessed through SAP Portal.
</cfif>
The certificate verify.pse and the current version of the libraries libsapcrypto.so, libsapssoext.so and libslcryptokernel.so are stored at the same location.
After logging in into a SAP portal I get following error when executing the script:
Ticket cookie:
AjExMDAgAAxwb3J0YWw6VG90aEyIABNiYXNpY2F1dGhlbnRpY2F0aW9uAQAFVE9USEwCAAMwMDADAANEUDIEAAwyMDE0MDYyNTEzNTMFAAQAAAAICgAFVE9USEz/AQUwggEBBgkqhkiG9w0BBwKggfMwgfACAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHATGB0DCBzQIBATAiMB0xDDAKBgNVBAMTA0RQMjENMAsGA1UECxMESjJFRQIBADAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTQwNjI1MTM1MzQ3WjAjBgkqhkiG9w0BCQQxFgQU2lImEL6oxLc/4ZdXYTDJudUNhOIwCQYHKoZIzjgEAwQvMC0CFQC4ftTFs8COV0ThRZH5lJxY9ITqfQIUMSugOMEkhmQHqBZD!ZHQ1Tb9e90=
Version:
SAPSSOEXT 4
Certification path:
/opt/coldfusion9/lib/verify.pse
The web site you are accessing has experienced an unexpected error.
Please contact the website administrator.
The following information is meant for the website developer for debugging purposes.
Error Occurred While Processing Request
MySapEvalLogonTicketEx failed: standard error= 9, ssf error= 0
The error occurred in /opt/coldfusion9/wwwroot/ExtranetMod/authTest.cfm: line 20
18 : 19 : <cfscript> 20 : result = sso.evalLogonTicket (ticket, Application.CertPath,""); 21 :     sapUser   = result[1]; //First element is the SAP system user 22 :     sysID = result[2]; //Second element is the id of the issuing system
Resources:
Check the ColdFusion documentation to verify that you are using the correct syntax.
Search the Knowledge Base to find a solution to your problem.
Browser
Mozilla/5.0 (Windows NT 5.1; rv:30.0) Gecko/20100101 Firefox/30.0
Remote Address
172.20.231.111
Referrer
Date/Time
25-Jun-14 04:23 PM
Stack Trace
at cfauthTest2ecfm1658987646.runPage(/opt/coldfusion9/wwwroot/ExtranetMod/authTest.cfm:20)
java.lang.Exception: MySapEvalLogonTicketEx failed: standard error= 9, ssf error= 0 at SSO2Ticket.evalLogonTicket(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) at java.lang.reflect.Method.invoke(Unknown Source) at coldfusion.runtime.java.JavaProxy.invoke(JavaProxy.java:97) at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:2360) at cfauthTest2ecfm1658987646.runPage(/opt/coldfusion9/wwwroot/ExtranetMod/authTest.cfm:20) at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:231) at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:416) at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:65) at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:360) at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:48) at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40) at coldfusion.filter.PathFilter.invoke(PathFilter.java:94) at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:70) at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28) at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38) at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:46) at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38) at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22) at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62) at coldfusion.CfmServlet.service(CfmServlet.java:200) at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89) at jrun.servlet.FilterChain.doFilter(FilterChain.java:86) at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42) at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46) at jrun.servlet.FilterChain.doFilter(FilterChain.java:94) at jrun.servlet.FilterChain.service(FilterChain.java:101) at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106) at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42) at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286) at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543) at jrun.servlet.http.WebService.invokeRunnable(WebService.java:172) at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:320) at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428) at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:266) at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)
I would be most thankful for any hints that could bring me further...
Many thanks
Lajos

Thank you for your assistance in this matter.
This has been frustrating the crap out of me for the last week (not that the photo is important, it is just that I like to conquer and solve this types of issues)
I was shooting with an aperture of 7.1.
I changed the exposure on the photos as you had done previously but this only blew out the watch and I couldn't recover it afterwards and the alignment was no better any way. So then I started experimenting as you suggested, and I don't know if what I am about to write is acceptable in an Adobe forum, but here goes.
I tried Helicon Focus and it was terrible, but I must admit I didn't know how to really use it, it doesn't seem to have any alignment function and is very difficult to try to use and understand.
then I tried Hugin and I am not even sure if this is image stacking software or just an alignment software, anyway that didn't work either and kept saying the output was a very bad match.
THEN I downloaded and tried zerestacker (free 30 day trial) (after reading about it in a google search) and WOW, it worked amazing, see below photo, it was so easy to use and the interface is easy as well and it does the alignment and stacking in the same process and you can see the image output show up on the left of the screen. Sorry PS but I will be using ZS for photostacking from now on. Adobe need to buy this company and incorporate it in to PS CC6.
This is just so much better than anything I got out of PS, there is no ghosting or blurring and the alignment is perfect and it is so simple to use.

Error in the configuration for sap logon tickets

Hi Forum,
I use Tcode crmd_order_bp to see the BP cockpit and the error message displays as
<b>Error in the configuration for SAP logon tickets</b>
But if I click "Yes", system displays cockpit.
How can I avoid this error.
Thanks in advance
Regards
Shridhar

You will still need to configure SSO (either by logon ticket or username/password). The data source access is done using the username/password configured in the UM Config dialog box.
I can see where you're coming from with your thinking, however logon-ticket-based SSO is probably the best approach.
Cheers,
Darren.

Deleting Logon Ticket

Similar Messages

Maybe you are looking for