Handling a Valid SSO but Invalid Portal login

Suppose we have a user who's in LDAP, but not in the Portal (for whatever reason). That is, the user successfully authenticates to the SSO client, those credentials are passed to the portal where they are not valid, the portal isn't able to create a session so the user is NOT logged on. Instead the Portal simply shows the Portal login page. We'd like to avoid seeing the Portal login page ever, instead it should show the user a message (html page) saying you're not a valid portal user...see your administrator etc...
What is the best way to handle this scenario?
Is there a way to check from say a PEI (i.e. LoginAction's OnBeforeLogin()) to see if the SSO credentials being passed in are valid for this portal user? If not, display this HTML page.
I want to avoid having to modify any of the Plumtree Portal SSO code (for upgrade reasons etc).

Hi Paul,
No, not solved it. We are seeing a similar problem. External access via our firewall is fine. Internal access causes the login page to freeze once the button is pressed.
Strangely, if you deliberately enter an incorrect password for the user, then the error message occurs and after that login is fine. I am continuing to investigate.
Regards
Steve

Similar Messages

  • Not able to pass portal login page with valid credentials using WebDispatch

    Hi,
    We are implementing SAP BillerDirect Portal. To make BillerDirect Portal available over the internet, we configured SAP WebDispatcher with SSL termination. We followed the steps mentioned in the SAP Help documentation for SAP WebDispatcher with SSL termination.
    http://help.sap.com/saphelp_nw2004s/helpdata/en/76/6d4fa247d0d647b5bd40745400d873/frameset.htm
    We created certificate  and send it to CA (TrustCenter CA). We received the CA response and we imported the certificate.
    As mentioned in the help document, we configured the SAP Web Dispatcher profile to support SSL termination.
    We tried to access our BillerDirect Portal over the internet using below link
    https://company.com/bd
    We are getting login page, once we enter correct user ID and Password, portal is not loading (not going to next page) portal remains on same login page.
    If we enter invalid credentials portal login page is giving "User Authentication Failed" error.
    If we try to access any portal login pages which brings a pop-up for login, login gets succeeded and we are able to see next pages
    Examples
    1)     https://company.com/bd/admin/xcm/init.do
    2)     https://company.com/monitoring/SystemInfo
    All pages which bring up portal login page without pop-up, not able to pass through portal login screen.
    We tried the ProxyMapping option on Dispatcher using Visual admin. This option also didn't work for us.
    Here is the WebDispatcher Profile
    SAPSYSTEMNAME = xxx
    SAPGLOBALHOST = xxxxx
    SAPSYSTEM = 00
    INSTANCE_NAME = W00
    DIR_CT_RUN = $(DIR_EXE_ROOT)\$(OS_UNICODE)\NTI386
    DIR_EXECUTABLE = $(DIR_CT_RUN)
    Accesssability of Message Server
    rdisp/mshost = hostnameofportalserver with FQDN
    ms/http_port = 8101
    Configuration for medium scenario
    icm/max_conn = 500
    icm/max_sockets = 1024
    icm/req_queue_len = 500
    icm/min_threads = 10
    icm/max_threads = 50
    mpi/total_size_MB = 80
    SAP Web Dispatcher Ports
    icm/server_port_0 = PROT=HTTPS,PORT=443
    icm/server_port_1 = PROT=HTTP,PORT=80
    icm/HTTPS/verify_client = 0
    SAP Web Dispatcher Web Administration
    icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=D:\usr\sap\xxx\W00\data\icmanroot\admin,AUTHFILE= D:\usr\sap\xxx\SYS\global\security\data\icmauth.txt
    Parameters for the SAP Cryptographic Library
    ssl/ssl_lib = D:\usr\sap\xxxW00\sapcrypto.dll
    ssl/server_pse = D:\usr\sap\xxx\W00\sec\SAPSSLS.pse
    ssf/name = D:\usr\sap\xxx\W00\sec\SAPSSLS.pse
    ssf/ssfapi_lib =  D:\usr\sap\xxx\W00\sapcrypto.dll
    sec/libsapsecu =  D:\usr\sap\xxx\W00\sapcrypto.dll
    wdisp/ssl_cred = D:\usr\sap\xxx\W00\sec\SAPSSLC.pse
    Parameters for Using SSL to the backend server
    wdisp/ssl_encrypt = 1
    wdisp/ssl_auth = 1
    wdisp/ssl_cred = D:\usr\sap\xxxW00\sec\SAPSSLC.pse
    wdisp/ssl_certhost = hostnameofportalserver with FQDN
    wdisp/ssl_ignore_host_mismatch = true
    #ICM Parameters
    icm/HTTP/j2ee_0 = PREFIX=/, HOST =hostnameofportalserver with FQDN PORT=50000,SPORT=50001, SSLENC=1,TYPE=1, CRED =D:\usr\sap\xxx\W00\sec\SAPSSLC.pse
    We also tried below options in WebDispatcher profile but we are getting same problem.
    wdisp/add_client_protocol_header = true
    wdisp/add_clientprotocol_header = 1
    wdisp/ssl_ignore_host_mismatch = true
    #ICM Parameters
    icm/HTTPS/forward_ccert_as_header = true
    icm/HTTPS/trust_client_with_issuer = *
    icm/HTTPS/trust_client_with_subject = *
    we also tried
    wdisp/ssl_encrypt = 0
    wdisp/ssl_auth = 0
    we also tried
    wdisp/ssl_encrypt = 2
    wdisp/ssl_auth = 2
    We are not able to resolve issue. Please help us on resolving this issue.
    Thanks
    Praveen

    ' in Host Names is not allowed. Our hostname has '_'.
    http://help.sap.com/saphelp_nw70ehp1/helpdata/en/67/be9442572e1231e10000000a1550b0/frameset.htm

  • SSO b/w portal and webdynpro application customized login??

    Hi,
    I have one webdynpro application which has a login screen (created as a Webdynpro view). If the user enters user/password, the same gets checked from a custom table in the db (the method for checking user credentials has been written in the view controller). If the user credentials are correct it performs some actions defined in the webdynpro application.
    I want to configure SSO b/w portal and this webdynpro application so that when the user logs on to the portal and opens this webdynpro application, the login page of the webdynpro application should not be shown, i.e. user credentials should be passed from the portal and the corresponding authentication method in webdynpro should be called to authenticate the user.
    How to do the same without touching the webdynpro application?
    Can we call a method of webdynpro application from portal?
    Regards
    Deepak

    1) To enable ticket authentication for the web dynpro iviews, you must maintain the definition of the system running the Web Dynpro application and set logon method to "SAPLOG".
    2) Since you have customized login screen, you need to bypass this screen manually when you login from portal.
    Add parameter to the application while defining the iview. Give some constant value.
    Check value of this parameter in webdynpro and fire to next view.

  • Portal Login Broke after Db Upgrade to 9.0.1.3

    Hi -- My portal web page login doesn't work after upgrading my portal database version from 8.1.7.1 to 9.0.1.3. All the scripts I ran (Note 159657.1 and Chap. 7 of 9i Database Migration Manual) ran ok. I also applied whatever patches/fixes required to get Oracle 9iAS 1.0.2.2.2 working with database version 9 per the certification matrix pages. I am still using Oracle 9iAS 1.0.2.2.2 on the middle tier and have only upgraded the database version. Also, I am not using LDAP for authentication.
    After the database upgrade, the portal web login page comes up fine, but after I execute a login attempt I get a "Page Not Found" in my browser. This error shows up in apache's error_log:
    [Mon Oct 7 03:54:41 2002] [error] mod_plsql: /pls/ssodad/portal30_sso.wwsso_app_admin.ls_login ORA-1403
    ORA-01403: no data found
    ORA-06512: at "PORTAL30_SSO.WWSSO_APP_ADMIN", line 391
    ORA-06512: at "PORTAL30_SSO.WWSSO_APP_ADMIN", line 669
    ORA-06510: PL/SQL: unhandled user-defined exception
    ORA-06512: at "PORTAL30_SSO.WWSSO_LS_PRIVATE", line 358
    ORA-06510: PL/SQL: unhandled user-defined exception
    ORA-06512: at line 8
    [Mon Oct 7 03:56:07 2002] [warn] mod_plsql: Stale Connection due to Oracle error 1400
    [Mon Oct 7 03:56:07 2002] [error] mod_plsql: /pls/ssodad/portal30_sso.wwsso_home.home ORA-1400
    ORA-01400: cannot insert NULL into ("PORTAL30_SSO"."WWCTX_SSO_SESSION$"."SUBSCRIBER_ID")
    ORA-06512: at "PORTAL30_SSO.WWCTX_SSO", line 2215
    ORA-06512: at "PORTAL30_SSO.WWCTX_SSO", line 1053
    ORA-06510: PL/SQL: unhandled user-defined exception
    ORA-06512: at "PORTAL30_SSO.WWCTX_SSO", line 1261
    ORA-06512: at "PORTAL30_SSO.WWCTX_API", line 179
    ORA-06512: at "PORTAL30_SSO.WWSEC_APP_PRIV", line 529
    ORA-06512: at "PORTAL30_SSO.WWSSO_HOME", line 322
    ORA-06512: at line 8
    Everything worked fine prior to the upgrade. There are no invalid objects causing this and I can log into the portal database fine through a sqlplus session. Does anyone know why portal login is broke after database upgrade? Has anyone upgraded their portal database versions in place with this issue afterwards?
    Thanks for any help anyone can offer...!
    Kate

    Hi Benjamin,
    Thanks for your reply. I already had a working 9iAS Release 1 with a 8.1.7.1.0 database. All I did was upgrade the database from 8i to 9i on the database server. I also applied the jdbc patch on the 9iAS app server so a connection with the 9i database could be established. As far as I know, there's no portal configuration assistant step here because I already had a complete fully-functioning portal install before the database upgrade to 9i. Is there something I'm missing about your suggestion?
    Thanks.

  • Portal Login id and Credential pass to dot net application

    Hi Experts,
    I want to know whether it is possible to pass the portal login id and other details like name and organization to a dotnet application.
    If it is, then how can we do it?
    Please do the needful. Important
    Regards,
    Swapnil

    Hi Sarbjeet,
    I first thought of creating URL Iview and passing the user id and other required details as parameter to that URL Iview.
    Then reading your mail I thought of creating a web dynpro java application and then passing all the required values to the url in the application only, but I am confused how I will call the dot net application.
    If you have a better suggestion please let me know how to do it.
    Regards
    Swapnil

  • How to access Sap portal login user in ejb web service

    Hi,
    I want to access SAP Portal login user in my ejb application which resides on the same server.
    I am using following code
    try {
         IUser user = null;
         IWDClientUser wdUser = WDClientUser.getCurrentUser();
         user = wdUser.getSAPUser();
    } catch (WDUMException e) {
         // TODO Auto-generated catch block
         e.printStackTrace();
    }
    Some additional jar files are required for this?
    The same code works fine with webDynpro but not with ejb.
    Thanks in advance     
    Best regards,
    Nilesh

    Thanks for reply.
    I have already added com.sap.security.api in my EJB module project classpath. How to add the same in EJB application Project (application-j2ee-engine.xml)?
    Best regards,
    Nilesh

  • SSO between SAP Portal 7.3 and Ruby on Rails

    Hello Everyone,
    We are planning to integrate SAP Portal 7.3 and a RoR application and I am wondering If someone can share some experience (If you have any of course) on how to establish SSO between SAP Portal and RoR.
    The SAP Portal will act as service provided and RoR as a consumer, we don't have LDAP, so the Portal UME is in ABAP and RoR uses an own UME database. We have SSO between our Portal and SAP Backend systems.
    In RoR customers will have access to their own information (Invoices, etc..) that will be provided by the backend system.
    URL transaction and iFrames is not an option for us.
    The second option is to call Web Services, directly or through the SAP Portal (we are using a central sr).
    I am a NetWeaver consultant who heard about RoR but have no experience in this field.
    All help and tips are greatly appreciated!.
    Regards,
    Ridouan

    We used Client certificates. Still working on the PoC.

  • How to set up SSO between e-portal employee node & ebill customer node?

    We have a requirement to set up SSO between e-portal employee node & ebill customer node.
    I am told that sso is possible only between 2 employee nodes.
    Please advise.

    Not sure I understand which part is failing.
    Is it the C program calling your packaged function? Or does the error occur in the PL/SQL code, in which case you should be able to pinpoint where it's wrong?
    A few comments :
    1) Using DOM to build XML out of relational data? What for? Use SQL/XML functions.
    2) Giving sample data is usually great, but it's not useful here since we can't run your code. We're missing the base tables.
    3) This is wrong :
    vStrSqlQuery := 'SELECT * FROM ' || vTblName                     || ' WHERE record_update_tms <= TO_DATE(''' || TO_CHAR(vLastPubTms, 'MM/DD/YYYY HH24:MI:SS') || ''', ''MM/DD/YYYY HH24:MI:SS'') ' ;
    A bind variable should be used here for the date.
    4) This is wrong :
    elmt_value := xmldom.createTextNode (doc, l_clob(1));
    createTextNode does not support CLOB so it will fail as soon as the CLOB you're trying to pass exceeds 32k.
    Maybe that's the problem you're referring to?
    5) This is most wrong :
         l_clob(1):=REPLACE(l_clob(1),'&lt;?xml version=&quot;1.0&quot;?&gt;', NULL); 
         l_clob(1):=REPLACE(l_clob(1),'&lt;', '<'); 
         l_clob(1):=REPLACE(l_clob(1),'&gt;', '>'); 
    I understand what you're trying to do but it's not the correct way.
    You're trying to convert a text() node representing XML in escaped form back to XML content.
    The problem is that there are other things to take care of besides just '&lt;' and '&gt;'.
    If you want to insert an XML node into an existing document, treat that as an XML node, not as a string.
    Anyway,
    Anyone that can help me to find out the required magic number
    That would be a bad idea. Fix what needs to be fixed.
    And please clearly state which part is failing : the C program or the PL/SQL code?
    I'd vote for PL/SQL, as pointed out in [4].
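Point 3 of the reply above (bind the date instead of concatenating it), as an added example that is not part of the original post. `vTblName` and `vLastPubTms` are the names from the quoted code; the `demo_pub` table and the `open_changed_rows` function are hypothetical, constructed for illustration, and the script assumes Oracle with SQL*Plus or SQLcl.

```sql
-- Added example (Oracle PL/SQL). demo_pub and open_changed_rows are
-- hypothetical names constructed for illustration.
CREATE TABLE demo_pub (
    id                NUMBER PRIMARY KEY,
    record_update_tms DATE
);
INSERT INTO demo_pub VALUES (1, DATE '2024-01-01');
INSERT INTO demo_pub VALUES (2, DATE '2024-06-01');
COMMIT;

CREATE OR REPLACE FUNCTION open_changed_rows (
    vTblName    IN VARCHAR2,
    vLastPubTms IN DATE
) RETURN SYS_REFCURSOR
IS
    vStrSqlQuery VARCHAR2(4000);
    vCur         SYS_REFCURSOR;
BEGIN
    -- A table name cannot be a bind variable, so it is validated instead:
    -- SIMPLE_SQL_NAME raises ORA-44003 unless the value is a plain SQL name.
    vStrSqlQuery := 'SELECT * FROM '
                 || DBMS_ASSERT.SIMPLE_SQL_NAME(vTblName)
                 || ' WHERE record_update_tms <= :last_pub_tms';

    -- The date travels as a typed bind: no TO_CHAR/TO_DATE round trip,
    -- no dependence on format masks, and one shared cursor per table.
    OPEN vCur FOR vStrSqlQuery USING vLastPubTms;
    RETURN vCur;
END open_changed_rows;
/

SET SERVEROUTPUT ON
DECLARE
    vCur SYS_REFCURSOR;
    vRow demo_pub%ROWTYPE;
BEGIN
    -- Rows updated on or before the cut-off date
    vCur := open_changed_rows('demo_pub', DATE '2024-03-01');
    LOOP
        FETCH vCur INTO vRow;
        EXIT WHEN vCur%NOTFOUND;
        DBMS_OUTPUT.PUT_LINE('row id ' || vRow.id);
    END LOOP;
    CLOSE vCur;

    -- A value that is not a simple identifier never reaches the SQL text
    BEGIN
        vCur := open_changed_rows('demo_pub x', DATE '2024-03-01');
    EXCEPTION
        WHEN OTHERS THEN
            IF SQLCODE = -44003 THEN
                DBMS_OUTPUT.PUT_LINE('rejected: invalid SQL name');
            ELSE
                RAISE;
            END IF;
    END;
END;
/
```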

  • XML Validation in PI 7.1 - Restart and skip validation possible, but how?

    Hello all,
    I read about schema validation in PI 7.1 and did a few tests on my own, but could not restart and skip validation for invalid payloaded messages. The documents say it is possible.
    Anyone know how? Thanks.
    BTW, I really think putting the schemas in server file system will cause a lot of authorization trouble in enterprises. No one gives access to the server filesystem and I don't think they will also like to open the required subdirectories for share. Asking the basis team to create the folder structures and maintaining schemas would be another pain. Don't you also think that SAP could find a better approach, like automatically uploading the schemas to the filesystem, or validating them from repository directly if possible?
    Kind regards,
    Gökhan

    Hi Gökhan,
    I am facing the same issue.
    I set up outbound xml validation in receiver agreement and tested it with valid and invalid messages.
    The validation works fine.
    But in case of validation error I tried to restart with skipping the validation. But this wasn't possible.
    I am always facing the same validation error.
    I already tried all different tools I know (sxi_monitor, message monitoring in rwb and in nwa)
    I am working on PI 7.11 SP6
    Did you find a solution for skipping the validation for a single message out of the monitoring?
    I know that there is the possibility of deactivating the validation in the receiver agreement but this doesn't meet the requirement of skipping the validation only for a single message.
    Maybe anyone else faced and solved this issue already.
    Thanks in advance
    Jochen

  • Session state always invalid after login

    Hello community,
    I have a functional login process which uses my own login with username and password. After login I branch to the application start page, but this session now is different from the start login session, so every login is invalid and will branch to the authentication scheme invalid page.
    My login url is: f?p=100:100:123456
    After correct login (I have tested in the database with a lot of inserts into tmp_table)
    I want to branch with the standard login procedure wwv_flow_custom_auth_std.login() to page 1000.
    The correct url is shown in the browser, but the current page is the login page 100, because (I think) the session is invalid. In the authentication scheme the invalid session page is set to page 100.
    I have tested several pages and always this page is branched.
    So I'm sure that the session state is always invalid after login.
    But why ????
    Has anyone an idea ?
    Thank you for responding.
    Frank

    Hi Jari,
    problem was solved.
    The IE8 has cached an invalid site.
    I know now where it comes from.
    I have an after submit process which sets the cookie with following code:
    owa_util.mime_header('text/html; charset=UTF-8;', FALSE);
    owa_cookie.send(
    name=>'DHW_COOKIE',
    value=>utl_raw.cast_to_raw(dbms_obfuscation_toolkit.md5(input_string => ':P100_REGCODE' || :P100_USERNAME ))
    );
    owa_util.http_header_close;
    But this results in display on the screen like html text without tags, so it looks like text on the screen header.
    It shows "content-type=text/html charset=WINDOWS 1252 .......
    The cookie is not set to the disk and now the IE8 explorer is dead.
    The described problem of this thread is shown.
    If you close all sessions and restart IE8 then the error is fixed.
    Also i have disabled the after submit process with setting the cookie.
    So i live now without having a cookie set.
    Do you have any idea for this behaviour ?
    Frank

  • SSO issue in portal and BW report resources

    Hi
    I have BW reports displayed in portal. User mapping is configured in such a way that multiple users in portal are mapped with a single user of the BW system.
    When a BW report is displayed on portal, some of the resources (like images and js files as I see in http watch) are not fetched with reports and for those we need to login again as BW user.
    I checked SSO configuration between portal and BW, it seems to be correct as data is displayed in BW report.
    could you please suggest the solution of getting it fixed?
    Thanks in advance
    Pranav

    Hi,
    The problem is in the BEx Web configuration.
    Check whether the Mime repository has the images or not in BI 7 server.
    If Mime has the images then the BI and portal configuration is not done properly using the BI template installer.
    You need to set the BWMANDT in table RSADMINA to current used default client.
    Also try to set the BEx web,
    The problem might get resolved after setting BEx Web.
    Required Steps
    You can perform an initial check of the automatic configuration with the
    following steps:
    Note 917950 - SAP NetWeaver 2004s: Setting Up BEx Web
    1. Execute the report RSPOR_SETUP with transaction SE38 (or SA38; or you
    can execute the report from the SAP Reference IMG, see Documentation
    below)
    2. Use value help of entry field Program ID (or RFC Destination) to
    choose <BI_SID>_<J2EE_HOSTNAME>_<J2EE_SID> as RFC Destination (this
    destination is created by the Template Installer)
    3. Enter Portal SID (required to check step 10)
    4. Press button Execute
    Placeholder <BI_SID> correspond to the field BACKEND_SID of the Template
    Installer's Data Entry. <J2EE_HOSTNAME> correspond to the field J2EE HOST
    and <J2EE_SID> to J2EE SID.

  • May I use Exception Handling for validation ?

    Hello All,
    Can any one know about that may i use exception handling for validation in my report program.
    Please if its possible then give me some Example...
    Thanks.

    Hi Niraj,
    Exception is not at all raised or handled in the given example.
    There are so many document available in the SCN regarding OO ABAP you can read that.
    As far as validation of a field ( Selection screen ) of course we can do that but I don't see any advantage more over it will make your code unnecessarily complex.
    Regards
    Bikas

  • MAXL ERROR - 1013145 - Invalid agent login id

    All,
    We are trying to automate the process of data load and Calculations using Maxl. Unfortunately we see the below mentioned error while performing the calculation in MAXL.
    MaxL command:
    execute calculation app.dbname.test;
    ERROR - 1013145 - Invalid agent login id
    But while executing the same command in Maxl editor, it works fine.
    Regards,
    Nainitha.

    Are you doing a stop and/or start app command(or disconnect users) anywhere near while executing the mentioned calc scripts/data loads? I have seen on some occasions that these errors also come up due to stale ESSSVR processes in the background (rare, although possible)
    As an example, you might be logged in as admin ID but however, if anywhere there might be a MAXL command and or activity that is causing the app to disconnect users/sessions (idle of course) before running the calcs. This error might be the result of that?
    All this is assuming that the security set up for the admin ID is correct, right?
    Also, since you mentioned that this error is coming only on Data exports/calc scripts. I am assuming this error comes up only when Essbase is trying to output a file to the drive/path. Does the OS environment login/ID credentials have that authority?
    From whatever i could deduce of this, this might be happening because of either one of two reasons :
    1.) Security is not setup correctly for that operation to complete (export to that path might not be authorized?)
    2.) The user ID is being logged off/disconnected before that operation kicks off.
    Thanks and regards,
    Harsh Warikoo

  • Popup Portal Login / Authentication

    I am having problems finding good examples of how to enable a portal login authentication portlet in a popup window. The scenario is that I will programmatically change a web service to require portal role based security. When this occurs, the next time this web service is accessed, it should reject that access or block and pop up the portal login window. When I successfully log on, then it should return the results and I can close that login window at my leisure. I do not want to keep the login portlet displayed in the main page of the portlet, it should not appear until it is needed. This is a really urgent request if anyone can help me with this. I really appreciate the help!

    Anyone that is still looking at this, I have figured out how to do the popup in the pageflow. I have collected a username and password and placed it in my formbean. Now I need to get that username and password into the header of a web service using the OASIS ws-security standard spec. There is an example of placing the username and password token into the SOAP header in the weblogic examples, but it uses a java proxy class to call the web service itself. I am currently using a java control to call the web service. I would like to adapt the code in the example called WebServiceBClient.java under the /workshop/samplesApp/proxyClient/WSSE/token directory to be able to perform this action but call the web service from a control.

  • Invalid Portal Session

    While browsing through the forums, I got the message below :
    Invalid Portal Session*
    An error was encountered while processing your Portal request, because your portal session is no longer valid. You have been logged out and you will automatically be redirected to the OracleAS Portal home page in 30 seconds. Click OracleAS Portal home page to go directly to the OracleAS Portal home page, or if your browser does not automatically redirect you. If you continue to have problems while accessing OracleAS Portal, close all your browser instances and try again.
    Nicolas.

    user11945767 wrote:
    Hello,
    In our case, I have tried Opera, Safari, Chrome and Mozilla browsers and none of them show 'Invalid Portal Session' error. It only occurs with Microsoft Internet Explorer. And this happens consistently with IE. Not a single time it succeeds unless F5/Refresh is hit.
    What could be the reason for this and how can it be resolved. We are running Oracle 10.1.2 AS.
    Thanks.

    Nicolas asked the question about the Oracle Forums. Since this is a Forums Community issue, he correctly asked it in the "Community Feedback and Suggestions (Do Not Post Product-Related Questions Here)" Forums area.
    You seem to be asking the question about the Oracle Application Server Portal product. Even though it appears your question and Nicolas' may be related, you are probably asking the question in the wrong area.
    Your question is likely better asked
    1) of Support (by opening a service request) and/or
    2) asking in http://forums.oracle.com/forums/category.jspa?categoryID=193 and/or
    3) asking in http://forums.oracle.com/forums/category.jspa?categoryID=196
