HELP - AppIntegrator iView SSO to non-SAP J2EE

I've created some basic Application Integrator iViews that attempt to log in to our product via SSO using Login Tickets.
When I run our app "natively" on the SAP J2EE Engine (NetWeaver), it works fine... i get my MYSAPSSO2 cookie and I can parse it, etc.
If I try to point the same System to an instance of our app running elsewhere (on JBOSS in this instance), I am not getting the cookie, even though the configuration is exactly the same.
I'm a bit of a "newbie" so please let me know if I'm missing something obvious. There's so much documentation available, I'm not sure what applies to me.
Alternatively, I can discontinue the use of the tickets and simply put the username in a HTTP request header... but I'm unsuccessful in getting that to work as well.
Getting frustrated! Please help!

Can't anyone help me with this one?
I'm running myself around in circles.
I have now discovered (no small means), that my EP and target app server must be in the same domain... they are.
But when i fully qualify the domain name in my system definition, the iView no longer gets to the target system... i just get a blank page.
This is on NW SP16, if that's of any help.
This is getting urgent and I would appreciate any advice.

Similar Messages

SSO from non-SAP J2EE to NW04 ABAP WebService

Hello,
I currently have issues establishing SSO from a J2EE (which is NOT a NetWeaver system) server to a WebService that resides on a AS ABAP 6.40. When I look over the options I see no obvious SSO solution. I cannot be the only one in this situation. Which solution have you managed to implement.
I must stress that username/password is not a solution.
Withouth really understanding the different scenarios, I would prefer to make som sort of trust relation. And then just let the calling application supply the username in a header variable
Best regards,
Thomas Mouritsen

>
Thomas Mouritsen wrote:
> Hello,
>
> I currently have issues establishing SSO from a J2EE (which is NOT a NetWeaver system) server to a WebService that resides on a AS ABAP 6.40. When I look over the options I see no obvious SSO solution. I cannot be the only one in this situation. Which solution have you managed to implement.
>
> I must stress that username/password is not a solution.
>
> Withouth really understanding the different scenarios, I would prefer to make som sort of trust relation. And then just let the calling application supply the username in a header variable
>
> Best regards,
> Thomas Mouritsen
Well, the best solution would be using message-based authentication (WS-Security) - either "X.509 Token" (digitally signed message) or "SAML (1.1) Token". Unfortenately you are using an older ABAP system where this feature is not available.
Especially regarding Web Services it is definetly worth to consider upgrading to NWAS 7.0 Enhancement Pack 1 (or at least: NWAS 7.0 with SP14 or higher).
But it also depends on the capabilities of "your" J2EE server. Does it support WS-Security and SAML Tokens? Can it servce as SAML Source Site?
Transport-level security (e.g. SSL with X.509 client certificates) will not help in your scenario (system-to-system calls). It would only be an option if the WS Consumer is an User Agent (-> SSL client represents a single user); only then X.509 client certificates can be used for SSO.
Best regards, Wolfgang

SSO to non sap

We are trying configure SSO to non SAP system using the IIS web filter. We were able to configure the web filter to receive the header variable authentication but the non SAP system is not recognizing it. Could any one of you share the document or throw some ideas on this. Your help is much appreciated.

Dear Ramesh,
Check this note 735639.May be this note will give an idea to narrow down the problem.
Best Regards,
Shyam Dontamsetty

SSO from Non-SAP portal to EP

Hi.
We need SSO from Non-SAP portal to EP.
The Non-SAP Portal has publish Form-based authentification.
I mean userid&password set to URL.
Then the EP can generate SAP Logon ticket to backend system?
regards,

How to Enable Single Sign-on with Non-SAP Web Application
I have very good material coollected for the same implement this.
http://help.sap.com/saphelp_nw04/helpdata/en/12/9f244183bb8639e10000000a1550b0/content.htm
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a7b5ba90-0201-0010-4dbc-8f999dcd2798
Cheers!!
SJ.

SSO FOR NON SAP APPLICATIONS

SSO for non sap applications in EP on which siteminder sso is integrated
Posted: Aug 28, 2006 7:09 AM Reply E-mail this post
Hi ,
we have implemented Siteminder on SAP PORTAL 6 SP16 for authentication.I would like to integrate non sap application in Portal.I could not find any documentaion for setting up non sap application's in portal on which siteminder external authentication is implemented.
can anybody help for getting step by step document.
diff rewards to be given

Hi,
if you have access to service.sap.com via S-User, you can download "SAP Enterprise Portal Security Guide" in the portal section. It has dedicated descriptions about SSO-Settings, also about netegrity.
You can also search help.sap.com about "SSO" which gives you overview descriptions.
On SAP Service Net, there is also an pdf "Integrating Security functions" in the Netweaver 2004s Portal section, where the description of the Java API for the PDK is included. This is very helpfull for coding.

SSO to non SAP Application (ASP)

We have followed the sample steps for SSO to non SAP Applications in ASP, but we're receiving the following results:
Start SSO2TICKET main
Version: SAPSSOEXT 2
Ticket verifying failed. Return codes error=1 and ssf error=0
Does anyone know what the problem is and how to solve it?
Thanks!

hi ive,
u cn refer to this links.......these r some of the blogs that u cn go throu.its useful.
<b>User Mapping-based Single Sign On,
SAP Logon Ticket-based Single Sign-On>
regards
bhargava

Web Server Filter Based SSO to Non-SAP Apps

Hi,
I am following SAP Note 442401 for configuring the Non-SAP App for Web Server Filter based SSO using SAP Logon Ticket. Also, I have downloaded the 5_0_2_8.zip file.
The Readme doc of this zip file says:
"<b>Changes in Web server filter plugins
The Web server filter plug ins and the Ticket Toolkit now were separated.
See subdirectories for further information:
"C" the Ticket Toolkit
"filter" the Web server filter plug ins
This is the last released version (5.0.2.8) on SAPSERV.
Pleaser refer for newer versions to SAP Service Marketplace (http://service.sap.com/patches)
Technology Components-> SAP SSOEXT -> SAP SSOEXT</b>"
Zip file has two folders named "C" and "filter".
"C" folder has cpp code to varify the ticket.
"Filter" folder has DLLs for the different web servers.
So far so good . Now, what I want to know is that is placing the DLL from the Filter folder onto the respective web server and doing some configs, as per the PDF provided with ZIP file, enough?
Or do I need to do anything else, like writing any class to read and validate the Ticket?
Thanks,
Vivek

See Web Server Filter Based SSO to Non-SAP Apps

SSO from non-SAP to SAP apps

Hi All,
Currently We have SAP applications, non-SAP applications(java, .NET, PHP etc) in our landscape.
If the client tries to access any non-SAP application it should ask for authentication and thereby for any subsequent access to any URL's(SAP or NON-SAP apps) it should not ask for any authentication.
FYI:
The client logins into SAP Portal(SAP to NON-SAP) first and thereby able to achieve SSO for non-SAP applications as well.
Currently we are stuck for the scanerio of Non-SAP to SAP apps ?
Please suggest.......
Thanks,
Mano.

Hi samuli,
Using SPNEGO, we can incorporate windows authentication for SAP Portal ( after desktop authentication user can logon without userid/password). But for non-sap apps this would be challenge.
I have another option, using webdispatcher if we enable server redirect for all applications(SAP & NON-SAP) and get authenticated centrally by which SSO can be achieved across all the apps.
Would above solution work ?
Thanks,
Mano.

SSO to Non-SAP using login-tickets

Hi all,
I'd like to set up an SSO connection to a non-SAP HTTP system by using the SSO web filter (iis_sso.dll) on IIS 5.0.
I've created an iView (using the application integrator) with the URL template : http://<ip-address-host>:82/reqvars.asp?<Authentication> in which <Authentication> is MYSAPSSO2=<Request.SSO2Ticket>. The reqvar.asp page comes with the web filter as an example and displays all HTTP header fields. That way you can check whether the user-ID has been extracted successfully from the SAP logon ticket. However, I fail to get any value into the REMOTE_USER variable. The ISAPI filter (iss_sso) has been installed (global) successfully.
I'm using the following settings in the verify.properties files:
remote_user_alias = REMOTE_USER
pse_file = C:\SSOFilter\verify.pse
application = portal
log_file = C:\SSOFilter\filter.log
log_level = 3
Remark: in the original example the remote_user_alias is set to REMOTE-USER: However, I feel this is wrong since the actual variable is REMOTE_USER. Also I have seen this one in another forum post as being a working properties file. Or should I use original value?
No entries are being written to the log so I believe nothing is happening at all.
The SSOFilter folder contains the following files:
iis_sso.dll
sapsecu.dll
sapsecu.lib
verify.properties
verify.pse
mfc71.dll, mfc71u.dll, msvcp71.dll, msvcr71.dll and sapsecin.exe
This folder also has been added to the environmental PATH variable.
Any suggestions would be highly appreciated (and rewarded ,
Frodo

Hi,
I dont have much info related but i can giv u hint
refer OSS Notes 442401 and 723896.
When using SAP logon tickets for non-SAP applications, two different implementation options are available. The difference lies in where the ticket verification takes place.
In the first case, the SAP logon ticket is submitted to the web server filter located on the web server. The web server filter verifies the portal serveru2019s public key
certificate using its local Personal Security Environment (PSE) and then populates the HTTP header field with the user ID for SSO to the non-sap web application.
In the second case, the SAP logon ticket is sent to the non-SAP application, which then verifies it using the ticket verification DLL and submits the user ID to the application for SSO.
You can refer following link :-
http://help.sap.com/saphelp_nw70/helpdata/EN/89/6eb8deaf2f11d5993700508b6b8b11/frameset.htm
user authentication and SSO
http://help.sap.com/saphelp_nw70/helpdata/EN/8f/ae29411ab3db2be10000000a1550b0/frameset.htm
Authentication Using a Directory with SSO Integration Using Logon Tickets
http://help.sap.com/saphelp_nw70/helpdata/EN/f8/3b514ca29011d5bdeb006094191908/frameset.htm
SSO
SAP Logon Ticket-based Single Sign-On
http://help.sap.com/saphelp_nwce10/helpdata/en/45/b6af743753003ae10000000a11466f/frameset.htm

Configure sso to non sap

dear all,
i would like implement sso from ep to other web application ( non SAP )
the legacy system is using " PHP and Web Server APACHE "
there any want can help me how to configure the sso and how to create iview for my legacy system ( using URL iView or application integrator )
thanks for your help
echo

Hi Echo,
Single Sign On to non-SAP applications normally can't be done by configuration.
How SSO can be done depends on your application.
Maybe these few hints may help you:
You need the same usernames in portal and in your external application
You may integrate your app using an application integration iView
If your external application can be run in some kind of 'trusted' mode (this means, no password, just the username is required to log on as long as the request comes from certain IP adresses / your portal server) you can just pass the userid using the app integrator iView mechanism
SAP provides a library (currently written in C, but there is at least a java wrapper available) to decode the SAP SSO Ticket
You may extend your external applications logon mechanism to use the mentioned SSO ticket and do the login without password. Application Integrator is able to send the SSO ticket to your external app.
In less words: you need to do some coding on your external application
Hope this helps (or come back for more),
Carsten

SSO to non SAP Application using SAP Logon Ticket

Hi Experts,
I Have EP 7 SP 15 using SPNego Wizard to SSO with Active Directory and SSO between EP and ECC using SAP Certificates.
Now I have a demand to SSO some JAVA based applications (non SAP) to my portal using the SAP Logon Ticket.
I Have followed some blogs that directed me to use SAPSSOEXT (some libs) to read the MYSAPSSO2 cookie. The problem is that I didn't found this cookie, I even executed the command javascript:document to look for this cookie but the browser just show me the JSESSIONID info.
Does anybody knows where I can find this cookie or if there's a better way to set up this SSO? It´s necessary to say that I cannot SSO these application to the kerberos protocol because some security reasons on my company.
Thanks
Armando

Hi,
I dont have much info related but i can giv u hint
refer OSS Notes 442401 and 723896.
When using SAP logon tickets for non-SAP applications, two different implementation options are available. The difference lies in where the ticket verification takes place.
In the first case, the SAP logon ticket is submitted to the web server filter located on the web server. The web server filter verifies the portal serveru2019s public key
certificate using its local Personal Security Environment (PSE) and then populates the HTTP header field with the user ID for SSO to the non-sap web application.
In the second case, the SAP logon ticket is sent to the non-SAP application, which then verifies it using the ticket verification DLL and submits the user ID to the application for SSO.
You can refer following link :-
http://help.sap.com/saphelp_nw70/helpdata/EN/89/6eb8deaf2f11d5993700508b6b8b11/frameset.htm
user authentication and SSO
http://help.sap.com/saphelp_nw70/helpdata/EN/8f/ae29411ab3db2be10000000a1550b0/frameset.htm
Authentication Using a Directory with SSO Integration Using Logon Tickets
http://help.sap.com/saphelp_nw70/helpdata/EN/f8/3b514ca29011d5bdeb006094191908/frameset.htm
SSO
SAP Logon Ticket-based Single Sign-On
http://help.sap.com/saphelp_nwce10/helpdata/en/45/b6af743753003ae10000000a11466f/frameset.htm

SSO to non-SAP java running on Websphere

Hi,
I have an EP6 SP2 P5 and another java b2b app running on websphere app server and they are on different domains. I'm trying to figure out how to make sso to that app. There is a guide on SDN written by Tim Mullé, Stephan Boecker "Enabling Single Sign-On from SAP J2EE Engine/EP to Non-SAP Java Applications" . I'm wondering if can make it work if I follow that guide and also the cross domain integration guide for sending cookies across domains?
Regards
Ahmet

The process described in the cross-domain document will be necessary in order to get the MYSAPSSO2 cookies to your non-SAP application. You cannot get your browser to send domain1.com cookies to a domain2.com server. Therefro it is necessary to provide an alternate pathway - in this case using http POST. Then the target of the POST on domain2 can handle the data and return a cookie in its own domain. At that point you can either create your own cookie for websphere to use, or you can simply re-issue the cookie in domain2.com. SAP provides some libraries that will enable the other application to validate the cookie.
Nick

How to implement SSO to non-SAP systems using SAP logon ticket?

Hello,
We would like to implement Single Sign On between our SAP Netweaver system and a Siebel which is a non-SAP system using SAP logon tickets.
Can anyone please give me some leads on this, in particular:
1. Is there a JAVA API or an SAP plug-in that can be implemented on the Siebel machine to extract the SAP logon ticket?
2. As the other machine might seat on a complete different domain, is it possible to implement SAP logon ticket without using cookies (perhaps through the HTTP header?
3. In case you think using SAP logon tickets is not the best solution here I would be happy to hear any other suggestions you might have.
Roy

Hi,
I'm currently using SAML as well. Unfortunately the SAP J2EE cannot work as authority (identity provider) but what you can do is using an open implementation of SAML such as opensso which is an open version of SUNs Java System access manager.
There are a couple of other projects such as opensaml, apache's wss4j or shibboleth that might be interesting in this context.
I just installed opensso and got it working with SAP J2EE 7.0 using SAPs JAAS SAMLLoginModule to authenticate users within SAP J2EE.
In this scenario opensso serves as identity provider just as you need! There are a couple of Policy agents available on SUNs Download site you can use with Apache, Tomcat, JBOSS, WebSphere, Bea Web Logic etc. in order to authenticate! Otherwise you just directly authenticate against opensso. When installing opensso you can configure the type of user store you want to use! By default it uses LDAP but you can also use different types of user store using JDBC or other mechanisms. Since you have a Directory Service you could easily connect it to your existing directory.
There is also a way to map user ids directly in opensso by adding a uid mapping class. I created some documentation with lots of screenshots about using opensso with SAP J2EE. You can easily use opensso with any other system that supports SAML. In the case of SAP the usage is currently limited to SAML versions 1.0 and 1.1. Version 2.0 is not yet supported but should be in one of the following versions.
Here are some links you might want to check:
OpenSAML: https://spaces.internet2.edu/display/OpenSAML/Home
wss4j: http://ws.apache.org/wss4j/
shibboleth: http://shibboleth.internet2.edu/
opensso: https://opensso.dev.java.net/
On SDN you will find a documentation on how to connect SUN Java System Access Manager to SAP J2EE (see https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/906d9fc6-31b9-2910-1385-90edad7d7570). As I said opensso is based on the SUN Access Manager code and looks quite the same. So you can adapt this documentation in order to configure opensso or you can just ask me for the documentation.
Hope this is helpful...
Let me know if you need further assistance on this topic
Cheers

Sso to non sap systems

HI,
I am trying to setup SSO from our portal to plumtree portal. could some one please let me the steps for setting up the SSO.
Thanks

Hi Yogi,
Please check this link.
<a href="http://help.sap.com/saphelp_nw04s/helpdata/en/12/9f244183bb8639e10000000a1550b0/content.htm">Single Sign-On to Non-SAP Systems and Applications</a>
Regards,
Siva
P.S: Award points if you find this useful.

SSO to non SAP applications

Hi,
I am trying to implement SSO to SAP and JAVA applications in the process i need to verify the "PSE" file downloaded from the keystore administration and to decrypt the "SSO2 Cookie" in order to do this i hv downloaded the SAPSSOEXT.DLL file and placed it in "C:\Windows:\System32". and registed the DLL file using "REGSVR32 C:\Windows:\System32sapsso.dll"
But when i am executing the program i am getting the follwing error
java.lang.UnsatisfiedLinkError: no sapssoext in java.library.path
        at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1682)
        at java.lang.Runtime.loadLibrary0(Runtime.java:822)
        at java.lang.System.loadLibrary(System.java:993)
        at SSO2Ticket.<clinit>(SSO2Ticket.java:38)
at the line
System.loadLibrary("sapssoext");
Can some body please help me out how to add the downloaded dll file into java path.
Thanks in Advance

HIi check this Link
Hope it will be usefull.
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/d0c78148-12de-2a10-27bf-960acc753aab
Also use this link
Single Sign-On to Non-SAP Java Applictions with SAPSSOEXTthanks
Rewards r welcome
Edited by: Mayank Saxena on Sep 6, 2008 1:24 PM

HELP - AppIntegrator iView SSO to non-SAP J2EE

Similar Messages

Maybe you are looking for