Ignore MYSAPSSO2 Logon Ticket from Portal in BSP

Hi all,
We have a WAS which is configured to access MYSAPSSO2 logon tickets from our EP 6.0 Portal. However, we have BSPs connected to the portal, and others to be used independently from the portal. The problem is that if we launch the portal as a new window of the BSP application, a MYSAPSSO2 logon ticket is created, so the BSP application, when refreshed, now changes the logged-on user to the one on the logon ticket!
So the bottom line is: Is it possible to prevent accepting logon tickets for a specific BSP?
Thanks for your time and help.
Regards,
Nuno Vitorino

Hello Jain,
Thanks for your answer. Actually, it solved the problem the other way around. In the local hosts file, we set a different domain for the WAS (In productive, we'll add the new address in the DNS). Then launching the BSP with this new domain, we were able to launch the portal and the MYSAPSSO2 logon ticket generated is not accepted by the BSP. We couldn't change the portal server address, because that way, the SSO within the portal wouldn't work.
Anyway, you've set me in the right direction so I'm giving you 10 points.
Thanks and kind regards,
Nuno Vitorino
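
Why serving the standalone BSP under a separate domain keeps the portal's ticket away from it, as an added example that is not part of the original thread. It assumes the portal sets MYSAPSSO2 as a domain cookie; the host names, the cookie domain and the application list are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    set_by: str        # host that issued the cookie
    domain: str = ""   # Domain attribute; empty means a host-only cookie


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def browser_sends(cookie, request_host):
    """RFC 6265 domain matching: does the browser attach this cookie to a request?"""
    host = request_host.lower().rstrip(".")
    if not cookie.domain:
        # Host-only cookie: returned to the issuing host and nobody else.
        return host == cookie.set_by.lower()
    dom = cookie.domain.lower().strip(".")
    if host == dom:
        return True
    # Suffix match on a label boundary; IP addresses never suffix-match.
    return host.endswith("." + dom) and not _is_ip(host)


def unwanted_ticket_exposure(cookie, apps):
    """Names of applications that must stay independent of portal SSO
    but would still receive the ticket cookie from the browser."""
    return [name for name, host, uses_portal_sso in apps
            if not uses_portal_sso and browser_sends(cookie, host)]


# Constructed sample: the portal relaxes the ticket cookie to its parent domain.
TICKET = Cookie("MYSAPSSO2", set_by="portal.corp.example", domain=".corp.example")

# (application, host the user opens it under, meant to accept portal SSO?)
APPS_BEFORE = [
    ("portal-bsp", "was.corp.example", True),
    ("standalone-bsp", "was.corp.example", False),
]
# Same WAS, but the standalone BSP is now reached through a name in another domain.
APPS_AFTER = [
    ("portal-bsp", "was.corp.example", True),
    ("standalone-bsp", "was.standalone.example", False),
]

if __name__ == "__main__":
    print("before:", unwanted_ticket_exposure(TICKET, APPS_BEFORE))
    print("after: ", unwanted_ticket_exposure(TICKET, APPS_AFTER))
```

The portal-integrated BSP keeps its host name inside the cookie domain, so SSO from the portal continues to work for it.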

Similar Messages

  • SSO-Logon from mobile device - create logon ticket from WebDynpro for Java

    Hi Experts,
    I'm developing a WebDynpro-JAVA application for some warehouse stuff (runs on a portal system, clients are mobile barcode scanners with Windows Mobile 5.0). JCOs from the portal system to the R/3 backend are configured for SSO with logon tickets and the portal uses LDAP for authentication against a Windows ADS.
    This works so far ... but my problem is the standard logon screen, which is nearly unusable on the mobile device (screen size, layout, etc.). Is there any solution to create logon tickets directly from the WebDynpro application (using something from com.sap.engine.interfaces.security.auth or similar?) or any chance to have a special logon screen for mobile devices (parameter sap-wd-client=Pie03Client is ignored for the logon screen)?
    Thanks in advance.
    regards,
    Hendrik

    Hi Henrik,
    Did you find the solution to your problem ?
    I'm facing the same issue, so I'd be pleased to know the solution!
    Regards
    Stekam

  • Getting value from portal or bsp application to selection screen parameter

    Dear SDNers,
    Is there any possibility of getting a value from a BSP application and passing that value to the selection parameter of a BW query variable?
    The concept is as follows.
    The report is based on vendor-related information. A particular vendor has a user ID in BSP or the portal for accessing reports. If he selects a BW query in the portal or BSP dashboard, that same vendor name or ID should be passed to the default vendor selection entry in BI, so only that particular vendor's details should display.
    Harikrishna

    Dear Arun,
    Thanks for the reply. Can I dynamically get the values for the selection parameters from BSP, or else do I need to maintain those user IDs (vendor name) in BW? Could you explain it? If possible, provide some sample code for it.
    Thanks
    Harikrishna N

  • Can´t Logon to SAP Portal --- USER_AUTH_FAILED

    Hi guys,
    I've got an issue: when I try to log on to the portal with the administrator user or any other user, the browser just acts like a refresh (F5) and does nothing, but I can access Visual Administrator, Config Tool and http://server:50000/sap/monitoring/SystemInfo
    Any clue?
    This is part of the trace
    #1.5 #001125C5C83E0016000000520000154C00045FC1442B82AD#1231183583871#com.sap.engine.services.security.authentication.loginmodule.ticket.CreateTicketLoginModule#sap.com/com.sap.security.core.admin#com.sap.engine.services.security.authentication.loginmodule.ticket.CreateTicketLoginModule#Guest#0####bd330870db5e11dd8d68001125c5c83e#SAPEngine_Application_Thread[impl:3]_106##0#0#Error##Java###Authentication
    stack: [].
    [EXCEPTION]
    #2#ticket#java.security.NoSuchAlgorithmException: ID21109: Remote
    call errored
           at com.sap.engine.services.keystore.spi.EBSDKSKeyStoreSpiImpl.engineGetKey(EBSDKSKeyStoreSpiImpl.java:162)
           at java.security.KeyStore.getKey(KeyStore.java:320)
           at com.sap.security.core.server.jaas.CreateTicketLoginModule.commit(CreateTicketLoginModule.java:386)
           at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.commit(LoginModuleLoggingWrapperImpl.java:211)
           at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:96)
           at java.security.AccessController.doPrivileged(AccessController.java:246)
           at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:178)
           at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
           at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
           at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:85)
           at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:58)
           at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
           at java.lang.reflect.Method.invoke(Method.java:391)
           at javax.security.auth.login.LoginContext.invoke(LoginContext.java:699)
           at javax.security.auth.login.LoginContext.access$000(LoginContext.java:151)
           at javax.security.auth.login.LoginContext$4.run(LoginContext.java:634)
           at java.security.AccessController.doPrivileged(AccessController.java:246)
           at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:631)
           at javax.security.auth.login.LoginContext.login(LoginContext.java:557)
           at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.logon(SAPJ2EEAuthenticator.java:864)
           at com.sap.security.core.logonadmin.ServletAccessToLogic.logon(ServletAccessToLogic.java:208)
           at com.sap.security.core.sapmimp.logon.SAPMLogonLogic.doLogon(SAPMLogonLogic.java:914)
           at com.sap.security.core.sapmimp.logon.SAPMLogonLogic.uidPasswordLogon(SAPMLogonLogic.java:568)
           at com.sap.security.core.sapmimp.logon.SAPMLogonLogic.executeRequest(SAPMLogonLogic.java:148)
           at com.sap.security.core.sapmimp.logon.SAPMLogonServlet.doPost(SAPMLogonServlet.java:60)
           at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
           at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
           at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
           at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
           at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:387)
           at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:365)
           at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:944)
           at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:266)
           at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
           at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
           at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
           at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
           at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
           at java.security.AccessController.doPrivileged(AccessController.java:219)
           at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
           at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
    #1.5 #001125C5C83E0024000000010000154C00045FC144972956#1231183590926#com.sap.engine.services.security.authentication.logonapplication#sap.com/com.sap.security.core.admin#com.sap.engine.services.security.authentication.logonapplication.doLogon#Guest#0####c168c2e0db5e11dda8fb001125c5c83e#SAPEngine_Application_Thread[impl:3]_107##0#0#Error##Java###doLogon
    failed
    [EXCEPTION]
    #1#com.sap.security.core.logon.imp.UMELoginException: USER_AUTH_FAILED
           at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.logon(SAPJ2EEAuthenticator.java:948)
           at com.sap.security.core.logonadmin.ServletAccessToLogic.logon(ServletAccessToLogic.java:208)
           at com.sap.security.core.sapmimp.logon.SAPMLogonLogic.doLogon(SAPMLogonLogic.java:914)
           at com.sap.security.core.sapmimp.logon.SAPMLogonLogic.uidPasswordLogon(SAPMLogonLogic.java:568)
           at com.sap.security.core.sapmimp.logon.SAPMLogonLogic.executeRequest(SAPMLogonLogic.java:148)
           at com.sap.security.core.sapmimp.logon.SAPMLogonServlet.doPost(SAPMLogonServlet.java:60)
           at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
           at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
           at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
           at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
           at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:387)
           at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:365)
           at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:944)
           at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:266)
           at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
           at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
           at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
           at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
           at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
           at java.security.AccessController.doPrivileged(AccessController.java:219)
           at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
           at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)

    Hi
    Just a wild guess but...
    Is your backend set up to accept logon tickets? I assume the logon ticket is being created from the portal end, so you will have to configure R/3 to accept logon tickets from the portal.
    Check the parameter settings for single sign on in R/3
    login/accept_sso2_ticket = 1
    Regards
    Charmaine

  • WDA app not launched with SSO when called from portal

    Hi,
    we have configured our systems so that our portal (NW Portal 7.0) is issuing logon tickets and ERP6.0 is receiving them in the backend for single sign-on.
    When launching a SAP GUI for Windows transaction (System admin->Support->SAP Application) to test if the SSO is set up correctly, all goes well and I'm able to call e.g. SU01 with logon tickets from the portal.
    My problem is that when calling a Web Dynpro for ABAP application in the same backend system from the same portal, I get an error "SSO logon not possible; logon tickets not activated on the server" and need to login manually when starting the application.
    When looking at the WDA app URL, I see http://<backend server>.<domain1>.com/... and the portal is sitting on http://<portal server>.<domain2>.com. Could it be a problem if the backend system is in another domain? And if yes, how come the SAP GUI for Windows launch then works (related to an http connection and domain relaxing?)? How to go forward and make it work all right?
    Best regards,
    Mikko

    Hi Navarro,
    Merry Xmas:)
    >>We did the same test with the demo app from you (MS) http://msdn.microsoft.com/en-us/library/windows/apps/hh202967(v=vs.105).aspx and it still don't work. (remember to setup fast app resume)
    Yes, I can reproduce your issue using the official sample.
    I think this issue is caused by the mechanism of Fast app resume, please refer to the following reference:
    #Fast app resume for Windows Phone 8
    http://msdn.microsoft.com/en-us/library/windows/apps/jj735579(v=vs.105).aspx
    Quote:
    With Fast Resume, when an app is resumed, the system creates a new page instance for the target of the launch point and this page is placed on top of the app’s existing backstack.
    This official sample can also help us to understand how it works:
    https://code.msdn.microsoft.com/windowsapps/Fast-app-resume-backstack-f16baaa6
    We could find that the Application.Launching event will not be triggered if we used Fast app resume, this will affect responding Toast's parameter(Deep Link).

  • Deleting Logon Ticket

    Hi all,
    I am using EP6 here and ECC5. I am using SSO with logon tickets.
    My logon ticket has expired, so I have to make a new one in Visual Administrator.
    But it is not letting me delete it or even rename it.
    It gives an error message. I can't copy the error message that comes up, and I can't find the same error in any file. Maybe I missed some file. Tell me where I can find that error so that I can paste the error message here.
    Please tell me how to delete the logon ticket.
    Thanks
    Tajinder

    hi tajiinder,
    Configuring the J2EE Engine to Accept Logon Tickets
    Use
    The J2EE Engine uses EvaluateTicketLoginModule to accept logon tickets for SSO. After receiving the logon ticket from the user’s Web browser, the J2EE Engine verifies the ticket signature based on the established trust relationship with the issuing system. Based on the ticket validity, the J2EE Engine authenticates the user.
    For the case when you use authentication assertion tickets for SSO between the AS ABAP and the J2EE Engine, the corresponding module is EvaluateAssertionTicketLoginModule.
    Prerequisites
    To check the validity of a user’s logon ticket, the J2EE Engine must be able to verify the issuing server’s digital signature.
    ● If the J2EE Engine is both the ticket-issuing server as well as the accepting server, then it can automatically verify its own digital signature.
    ● If the ticket-issuing server is a different one, then this server’s public-key certificate must be available in the keystore view that the J2EE Engine uses for verifying logon tickets.
    Procedure
    The Trusted Systems → SSO Wizard configuration functions of the SAP NetWeaver Administrator enable you to use wizard-based management of trust relationships for SSO with logon and assertion tickets. The configuration changes made with the wizard have a global effect for ticket-based SSO to the J2EE Engine.
    1. Open the SSO Wizard.
       Note the following:
       ○ If the ticket-accepting system is SAP NetWeaver 7.0 SP14 or higher, you can access the SSO Wizard by following the path System Management → Configuration → Trusted Systems.
       ○ If the ticket-accepting system is SAP NetWeaver 7.0 SP 13 or lower, first you must deploy the SSO Wizard. More information: SAP note 1083421.
       The system which you configure is displayed in the Selected Accepting System section.
       There are two ways to add a trusted system:
       ○ By connecting to the system and requesting its certificate.
         If the ticket-issuing system is SAP NetWeaver 2004 SP20 or lower, or SAP NetWeaver 7.0 SP13 or lower, you must configure it so it can send a response to the certificate request. More information: SAP note 1083421.
       ○ By manually uploading the certificate of the system.
       Adding a Trusted System by Connecting to It
       a. In the Trusted Systems section, choose Add Trusted System → By Querying Trusted System.
       b. The System Landscape Directory (SLD) opens automatically and lets you select the system you want to add. Select the system and choose OK. The connection details for the selected system are displayed automatically.
          If you cannot find the system you want to add, choose Cancel and provide the connection details:
          i. Select the type of the system from the System Type dropdown list.
          ii. Enter the necessary connection details.
          If you want to add an AS ABAP system, the field System Number appears. You can get the system number of an ABAP system by its license key which you received from SAP.
       c. Enter your user name and password in the provided fields and choose Next.
       d. The details about the selected system’s certificate appear. To add the system, choose Finish. If you want to make changes, choose Back.
       Adding a Trusted System by Manually Uploading its Certificate
       Before you start the following procedure, you must export the trusted system’s certificate. More information: Exporting the Ticket-Issuing Server's Public-key Certificate.
       a. In the Trusted Systems section choose Add Trusted System → By Uploading Certificate Manually.
       b. Enter the System ID and Client in the provided fields.
       c. Browse to the location of the system’s certificate. Select the certificate and choose Open.
       d. Choose Next. The information about the system and the certificate is displayed. To add the system as trusted, choose Finish. If you want to make changes, choose Back.
    2. Add the login module EvaluateTicketLoginModule (or EvaluateAssertionTicketLoginModule) to the login module stacks for the J2EE Engine policy configurations of the application components that accept login tickets for SSO. To do this, use the Security Provider Service of the Visual Administrator.
       a. In the Security Provider Service choose Runtime → Policy Configurations → Authentication tab.
       b. Select the policy configuration for the application component to accept logon tickets from the Components list.
       c. Choose the Switch to edit mode button.
       d. Choose Add New. The list of available login modules for the component appears.
       e. Choose the EvaluateTicketLoginModule (or EvaluateAssertionTicketLoginModule) from the list and choose OK.
    If you change the options of a login module in the user store, the changes will be inherited by all policy configurations that use this login module.
    If you change the options of a login module in a single policy configuration, the change applies only to that policy configuration. In this case the login module will no longer inherit its options from the user store. To restore the inheritance change the options in the policy configuration or in the user store so that they are identical.
    Result
    After you complete the wizard, the ticket-issuing system is shown in the Trusted Systems list. The J2EE Engine accepts logon tickets that have been issued by the corresponding server.
    If you have doubts, please go through the following URLs:
    help.sap.com/saphelp_nw04/helpdata/en/71/c3d53a60ad204ce10000000a114084/content.htm
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/69d95112-0d01-0010-8297-fa31feea26e0
    Thanks, Karthikeya
    Don't forget to reward me if it helps you.

  • Problems with SAP Logon ticket

    Hi.
    I am trying to send SAP Logon ticket from ECC 6.0  to the backend legacy using Soap adapter in receiver side. I get the following error in SXMB_MONI, so it looks like AF is not accepting the ticket. Can anybody tell me please, how I can identify that the ticket has been received in PI's side?
    <Trace level="1" type="T">Principal Propagation connection attributes</Trace>
      <Trace level="1" type="T">Host = hostname</Trace>
      <Trace level="1" type="T">Port = 12345</Trace>
      <Trace level="1" type="T">Transport protocol = HTTP</Trace>
      <Trace level="1" type="T">Transport protocol vers = 1.0</Trace>
      <Trace level="1" type="T">Message protocol = 003000</Trace>
      <Trace level="1" type="T">Path = /MessagingSystem/receive/AFW/XI</Trace>
      <Trace level="1" type="T">Security: Logon Ticket</Trace>
      <Trace level="1" type="System_Error">Error while sending by HTTP (error code: 403, error text: Forbidden)</Trace>
      </Trace>
    Thanks, Jukka

    Hi.
    I have had some progress. Actually Principal Propagation works well now, thanks to instructions in http://help.sap.com/saphelp_nwpi711/helpdata/en/48/a9bbb97e28674be10000000a421937/frameset.htm
    But I think I have now found out that principal propagation might not be a direct answer to my problem. At the end of the day I should be able to deliver a UsernameToken in my SOAP message header. Something like this:
    <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
       <wsu:Timestamp wsu:Id="Timestamp-12134742" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
          <wsu:Created>2007-10-14T12:45:34.656Z</wsu:Created>
          <wsu:Expires>2007-10-14T12:46:34.656Z</wsu:Expires>
       </wsu:Timestamp>
       <wsse:UsernameToken wsu:Id="UsernameToken-33259721" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
          <wsse:Username>test</wsse:Username>
          <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">test</wsse:Password>
       </wsse:UsernameToken>
    </wsse:Security>
    I just have not found any documentation which I could utilize in Abap Proxy - PI 7.1 - Soap Receiver scenario. Just wondering should I create my own customized soap envelope and disable the Pi envelope in SOAP communication channel...
    Do you know if there's any "standard way" to configure this kind of configuration?
    Br. Jukka

  • Logon Failed when running BSP from Portal

    Hello,
    We are getting the following error for users when running BSP Application from Portal :
    Logon Failed
    What has happened ?
    Call of URL http://<hostname>:<Portnumber>/sap/bc/bsp/sap/<BSP Application name> terminated
    Note:
    -Logon performed in system
    What can I do ?
    Check the validity of your SSO ticket for this system.
    HTTP 401 : Unauthorized
    Any help would be highly appreciated.
    Thanks

    Actually when I run the BSP Application in SICF Tcode I get the following error:
    BSP Error :
    Calling the BSP Page was terminated due to an error.
    Which is different from the one I already posted.
    And as mentioned in the earlier error , I checked the Validity of the SSO Ticket on the Portal which is till 2038.
    Thanks
    Edited by: PortalPerson on Aug 24, 2011 10:22 PM

  • SSO Help - Portal to ABAP via logon tickets

    Hi All,
    I've done this configuration in the past but it seems that the process has changed a bit and I'm in need of some advice.
    I have a portal system which I've setup SSO. The SSO is done through Kerberos and the users are pulled from LDAP. Users login to their windows account, they hit the portal without having to login again, perfect. I used the new SPNego setup wizard to do this.
    Now the issue I'm having. Portal user ID's are not the same as ABAP ID's. I have used a blank attribute in Active Directory (specifically "extensionAttribute7") to fill in the ABAP user ID's. I have modified the data source XML file in the portal to look like this:
    <nameSpace name="$usermapping$">
    <attributes>
    <attribute name="REFERENCE_SYSTEM_USER">
    <physicalAttribute name="extensionAttribute7" />
    </attribute>
    </attributes>
    </nameSpace>
    I have changed the UME property to look like this:
    ume.usermapping.refsys.mapping.type = attribute
    When I try to access an SAP report through the portal I get the error:
    The initial exception that caused the request to fail was:
    Ticket contains no / an empty ABAP user ID (see note 1159962)
    My ABAP system is setup to create and accept logon tickets. Certificates have been exchanged on both systems (checked through NWA). It looks like the saplogonticket isn't picking up the ABAP user ID that I've stored in AD and mapped to in the XML file.
    In the Java system, my logon ticket stack looks like this:
    EvaluateTicketLoginModule SUFFICENT
    SPNegoLoginModule OPTIONAL
    CreateTicketLoginModule SUFFICENT
    BasicPasswordLoginModule REQUIRED
    CreateTicketLoginModule REQUIRED
    Can anyone see an obvious step that I'm missing? Any tips would be appreciated.
    Portal system is running 7.01 sp8
    ABAP is running 7.01 sp8
    Cheers,
    Richard

    Hi Arjun,
    No I'm not using user mapping. I want to pass my ABAP user ID from an attribute I'm using in Active Directory. For some reason the sap logon ticket isn't picking up my username from the attribute when I try to go from portal to ABAP.
    Hi Samarth,
    Not sure I understand the request. The user is coming from the portal and is attempting to run an ABAP report from the portal. The user names are not the same. I am attempting to map the ABAP user ID to an Active Directory attribute that I can pass to the SAP logon ticket.
    Hi Siva Kumar,
    Yes I checked the VA as well, the entries are there.
    Thanks all for the suggestions. Keep them coming if you have more, they are greatly appreciated.
    I basically followed this from SAP to set it up
    http://help.sap.com/saphelp_nw70ehp1/helpdata/en/0b/d82c4142aef623e10000000a155106/frameset.htm
    You are using an LDAP directory as a data source for the User Management Engine (UME). The user IDs for ABAP systems are already available in the LDAP directory. You no longer need to define a user mapping for each user, as the data is already available in the LDAP directory.
    Cheers,
    Richard

  • User from Logon Ticket

    Hi,
    Can anyone please let me know the process of getting the issuer name and portal user from the logon ticket using java program
    Thanks in advance
    Rgds
    Satya

    Well, of course you are - SAP logon tickets are not encrypted but digitally signed. However, you cannot be sure that the syntax is stable - it could be changed at any time. But there's an API for "ticket verifiers" (keyword "sapssoext"). That's why Patrick was asking you whether you want to analyse SAP logon tickets outside a NetWeaver Application Server.
    I'm not sure whether you are aware of all the checks which need to be performed to validate SAP logon tickets:
    1. parse ticket to retrieve digital signature (attached) and information on issuer (systemID and client, required for step 3)
    2. verify digital signature (using SSF, sapseculib / sapcryptolib); determine subject name and issuer of the certificate (used by the ticket issuer to digitally sign the SAP logon ticket)
    3. lookup ACL (for issuer systemID, client, certificate subject name and issuer); that ACL (access control list) needs to be implemented by you (unless using a NetWeaver Application Server)
    4. check ticket validity
    5. retrieve username
    6. potentially: perform user mapping
    7. check validity of user account (account validity, account lock, ...)
    Just to parse the username out of a SAP logon ticket is not sufficient.
    Regards, Wolfgang
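
The checks from the ACL lookup onward (steps 3 to 7 in the list above), as an added example that is not part of the original reply. It assumes steps 1 and 2 (parsing and signature verification) were already done by a ticket verifier library; the `VerifiedTicket` and `Account` types, their field names, the clock-skew tolerance and all sample data are hypothetical and constructed.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone

CLOCK_SKEW = timedelta(minutes=2)  # assumed tolerance between issuer and acceptor


@dataclass(frozen=True)
class VerifiedTicket:
    """Output of steps 1-2: fields of a ticket whose signature already verified."""
    issuer_sysid: str
    issuer_client: str
    cert_subject: str   # subject of the certificate that signed the ticket
    cert_issuer: str    # issuer of that certificate
    created: datetime   # creation time, timezone-aware UTC
    validity: timedelta
    username: str


@dataclass(frozen=True)
class Account:
    locked: bool
    valid_from: date
    valid_to: date


class TicketRejected(Exception):
    pass


def accept_ticket(t, acl, accounts, now, user_map=None):
    """Return the local user name to log on, or raise TicketRejected."""
    # Step 3: the ACL binds system ID and client to the signing certificate.
    if (t.issuer_sysid, t.issuer_client, t.cert_subject, t.cert_issuer) not in acl:
        raise TicketRejected("issuer not in ACL")
    # Step 4: ticket validity window.
    if now + CLOCK_SKEW < t.created:
        raise TicketRejected("ticket not yet valid")
    if now >= t.created + t.validity:
        raise TicketRejected("ticket expired")
    # Step 5: user name from the ticket; an empty one is never a logon.
    user = t.username.strip()
    if not user:
        raise TicketRejected("empty user name")
    # Step 6: optional mapping; when a mapping table is in use, fail closed.
    if user_map is not None:
        key = (t.issuer_sysid, t.issuer_client, user)
        if key not in user_map:
            raise TicketRejected("no user mapping")
        user = user_map[key]
    # Step 7: state of the local account.
    acct = accounts.get(user)
    if acct is None:
        raise TicketRejected("unknown account")
    if acct.locked:
        raise TicketRejected("account locked")
    if not acct.valid_from <= now.date() <= acct.valid_to:
        raise TicketRejected("account outside validity period")
    return user


def decide(t, acl, accounts, now, user_map=None):
    """Same checks, returned as a string suitable for an audit log line."""
    try:
        return "accept:" + accept_ticket(t, acl, accounts, now, user_map)
    except TicketRejected as exc:
        return "reject:" + str(exc)


# Constructed sample data.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
ACL = {("EP6", "000", "CN=EP6", "CN=EP6")}
USER_MAP = {("EP6", "000", "jdoe"): "JDOE"}
ACCOUNTS = {
    "JDOE": Account(locked=False, valid_from=date(2023, 1, 1), valid_to=date(2024, 12, 31)),
    "LOCKED1": Account(locked=True, valid_from=date(2023, 1, 1), valid_to=date(2024, 12, 31)),
}
TICKET = VerifiedTicket("EP6", "000", "CN=EP6", "CN=EP6",
                        created=NOW - timedelta(minutes=30),
                        validity=timedelta(hours=8), username="jdoe")

if __name__ == "__main__":
    print(decide(TICKET, ACL, ACCOUNTS, NOW, USER_MAP))
```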

  • Link to SAP R/3 Logon from Portal IView

    Hi,
    How is the Link to SAP R/3 Logon from Portal IView?
    Thanks
    Raissa

    Hi Raissa,
    Check these links
    Configuring EP for connecting to SAP R/3
    Creating system object
    http://help.sap.com/bp_epv260/EP_EN/documentation/EP/N03_BB_InstallGuide_EN_US.doc
    Regards
    Arun

  • Portal Session Timeout and Logon Ticket Timeout

    Hi All,
    Can anyone give me answers to the following:
    - If my Portal session times out, but my logon ticket is still valid, will I lose my session data?
    - Is there any way of determining the size of a users session information in memory (or the size of all user sessions in memory). I can see in the Monitoring service in Visual Admin the number of sessions but not their individual or total size.
    I'm using EP7.
    Cheers,
    Steve

    Hi,
    the Logon Ticket is only used for SSO between the portal and the integrated system. Your session data is stored in the session. If the session times out or gets closed, the session data is lost.
    br,
    Tobias

  • Evaluate Authentication Scheme from Logon Ticket in WAS ABAP

    Hello,
    we've got the following problem: we have a corporate intranet portal. The portal is connected to several backend systems. Between the portal and the backend systems is a trust relationship to enable single sign-on. On Web-AS-Java-based systems we can configure the logon stacks so that the authentication scheme in the logon ticket is evaluated (authschemes.xml).
    We want to use this function of the sso2-Logon-Ticket in the business warehouse system as well. It is very important that only users authenticated with a specific authentication scheme on the portal (strong) are given access to the business warehouse.
    Does anybody know if it's possible to evaluate the authentication scheme in Web AS ABAP?
    Thx,
    Norbert

    Hi Nobert
    The easy solution is to only create the userid in the BW system that needs access to it , and only assign your BW portal Role to the users who need access to the BW system
    Theo

  • How can I process an SSO Logon Ticket in ColdFusion 9?

    Hi,
    We want to integrate some ColdFusion templates on the SAP portal and I am trying to process the SSO Logon Ticket using the following code:
    <cfif IsDefined("Cookie.MYSAPSSO2") AND Cookie.MYSAPSSO2 neq "">
    <cfscript>
        ticket = Cookie.MYSAPSSO2;
        sso = createObject("java", "SSO2Ticket");
        version = sso.getVersion();
        Application.CertPath = "/opt/coldfusion9/lib/verify.pse";
    </cfscript>
    <h2>Ticket cookie:</h2>
    <cfdump var="#ticket#">
    <h2>Version:</h2>
    <cfdump var="#version#">
    <h2>Certification path:</h2>
    <cfdump var="#Application.CertPath#">
    <cfscript>
        result = sso.evalLogonTicket (ticket, Application.CertPath,"");
        sapUser   = result[1]; //First element is the SAP system user
        sysID  = result[2]; //Second element is the id of the issuing system
        client = result[3]; //Third element is the client of the issuing system
        portalUser = result[5]; //Portal user
        validityInSeconds = result[7]; //Validity in seconds
    </cfscript>
    <h2>Ticket content:</h2>
    <cfdump var="#result#">
    <cfelse>
        SAP Logon Ticket not found - Extranet content can only be accessed through SAP Portal.   
    </cfif>
    The certificate verify.pse and the current version of the libraries libsapcrypto.so, libsapssoext.so and libslcryptokernel.so are stored at the same location.
    After logging in to a SAP portal I get the following error when executing the script:
    Ticket cookie:
    Version:
    SAPSSOEXT 4 
    Certification path:
    /opt/coldfusion9/lib/verify.pse 
    The web site you are accessing has experienced an unexpected error.
    Please contact the website administrator. 
    The following information is meant for the website developer for debugging purposes.
    Error Occurred While Processing Request
    MySapEvalLogonTicketEx failed: standard error= 9, ssf error= 0
      The error occurred in /opt/coldfusion9/wwwroot/ExtranetMod/authTest.cfm: line 20
    18 :
    19 : <cfscript>
    20 : result = sso.evalLogonTicket (ticket, Application.CertPath,"");
    21 :     sapUser   = result[1]; //First element is the SAP system user
    22 :     sysID  = result[2]; //Second element is the id of the issuing system
    Resources:
    Check the ColdFusion documentation to verify that you are using the correct syntax.
    Search the Knowledge Base to find a solution to your problem.
    Browser 
    Mozilla/5.0 (Windows NT 5.1; rv:30.0) Gecko/20100101 Firefox/30.0
    Remote Address 
    172.20.231.111
    Referrer 
    Date/Time 
    25-Jun-14 04:23 PM
    Stack Trace
    at cfauthTest2ecfm1658987646.runPage(/opt/coldfusion9/wwwroot/ExtranetMod/authTest.cfm:20)
    I would be most thankful for any hints that could bring me further...
    Many thanks
    Lajos
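
Added example (not part of the original post and not SAP's library code): a MYSAPSSO2 cookie is signed, not encrypted, so its readable fields can be listed for troubleshooting before evalLogonTicket is involved at all. The byte layout and the field IDs are assumptions and the sample ticket is constructed; nothing here checks the signature, so the output must never drive an access decision.

```python
import base64
import struct

# Field IDs are assumptions, named after the values the posts mention
# (SAP user, client, system ID, portal user, auth scheme, validity).
FIELD_NAMES = {0x01: "user", 0x02: "client", 0x03: "system_id",
               0x04: "created", 0x05: "validity_hours",
               0x20: "portal_user", 0x88: "auth_scheme", 0xFF: "signature"}

def build_sample_ticket():
    """Constructed sample: fake values, dummy bytes in place of a signature."""
    fields = [(0x20, b"portal:JDoe"), (0x88, b"basicauthentication"),
              (0x01, b"JDOE"), (0x02, b"000"), (0x03, b"XYZ"),
              (0x04, b"202401011200"), (0x05, struct.pack(">I", 8)),
              (0xFF, b"\xef\xbe\xfb" * 4)]
    raw = b"\x02" + b"1100"  # version byte, then 4-character codepage
    for fid, value in fields:
        raw += struct.pack(">BH", fid, len(value)) + value
    # SAP's cookie encoding writes '!' where standard base64 has '+'.
    return base64.b64encode(raw).decode("ascii").replace("+", "!")

def parse_ticket_unverified(cookie_value):
    """Decode the readable fields. The signature is NOT checked here."""
    text = cookie_value.strip().replace("!", "+")
    raw = base64.b64decode(text + "=" * (-len(text) % 4), validate=True)
    if len(raw) < 5:
        raise ValueError("too short for version and codepage header")
    out = {"version": raw[0], "codepage": raw[1:5].decode("ascii")}
    pos = 5
    while pos < len(raw):
        if pos + 3 > len(raw):
            raise ValueError("truncated field header at offset %d" % pos)
        fid, length = struct.unpack_from(">BH", raw, pos)
        if pos + 3 + length > len(raw):
            raise ValueError("field 0x%02X runs past end of ticket" % fid)
        value = raw[pos + 3:pos + 3 + length]
        pos += 3 + length
        name = FIELD_NAMES.get(fid, "unknown_0x%02X" % fid)
        if fid == 0xFF:
            out[name] = "<%d bytes, unverified>" % length
        elif fid == 0x05:
            out[name] = int.from_bytes(value, "big")
        else:
            out[name] = value.decode("utf-8", "replace")
    return out

if __name__ == "__main__":
    for key, val in parse_ticket_unverified(build_sample_ticket()).items():
        print("%-15s %s" % (key, val))
```

Because these fields are readable by anyone who holds the cookie, treat a pasted ticket like a credential until it has expired.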

    Thank you for your assistance in this matter.
    This has been frustrating the crap out of me for the last week (not that the photo is important, it is just that I like to conquer and solve these types of issues).
    I was shooting with an aperture of 7.1.
    I changed the exposure on the photos as you had done previously but this only blew out the watch and I couldn't recover it afterwards and the alignment was no better anyway.  So then I started experimenting as you suggested, and I don't know if what I am about to write is acceptable in an Adobe forum, but here goes.
    I tried Helicon Focus and it was terrible, but I must admit I didn't know how to really use it, it doesn't seem to have any alignment function and is very difficult to try to use and understand.
    Then I tried Hugin and I am not even sure if this is image stacking software or just alignment software, anyway that didn't work either and kept saying the output was a very bad match.
    THEN I downloaded and tried zerestacker (free 30 day trial)  (after reading about it in a Google search) and WOW, it worked amazing, see below photo, it was so easy to use and the interface is easy as well and it does the alignment and stacking in the same process and you can see the image output show up on the left of the screen.  Sorry PS but I will be using ZS for photostacking from now on. Adobe need to buy this company and incorporate it into PS CC6.
    This is just so much better than anything I got out of PS, there is no ghosting or blurring and the alignment is perfect and it is so simple to use.

  • Can I add extra information into logon ticket

    Hi everyone:
    When I log on to the SAP portal, the CreateTicketLogon Module will generate logon tickets. There are several pieces of information in the logon ticket MYSAPSSO2 cookie, including SID, UserId and Login timestamp.
    My question is how can I add extra information into logon tickets. For example, I want to add more of the user's information, like email address, into the logon ticket and pass it to the SSO system.
    Thanks
    Elliott

    Hi,
    As far as I know there is no way of adding extra attributes to the SAP logon ticket. The logon ticket allows you to have two user names in it, so maybe if you set up a reference system and store the email address as the username you can use this as a workaround.
    If you need to get the logon ticket from EP you can either:
    1. Read the cookie MYSAPSSO2 from the IPortalComponentRequest
    2. Get the user from IPortalComponentRequest and call getTransientAttribute("MYSAPSSO2_STRING") (not 100% certain of the last one, will have to look it up. Of course not a public API)
    Dagfinn
