Lotus Inotes SSO with Portal
Hi all,
We have implemented SSO for one Lotus Notes server with Portal. In our landscape, there are several Lotus Notes servers physically located in different locations. Instead of doing a web mail redirect, our client is redirecting to the respective server databases through the SMTP server. I mean, if the Lotus user types http://inotes, it is redirected to different servers using the SMTP server. We have configured SSO (ticket verifier) for the LotusA1 server, and there are several servers which are not configured: LotusB1, LotusC1, etc.
My question here is: in order to do SSO for all servers, can we do it directly to the SMTP redirect server through Portal?
Please note: our portal is sitting on an Apache reverse proxy.
How do we rewrite rules for these servers? Which port needs to be open?
If we do SSO for SMTP, will it redirect to all servers automatically?
Please suggest
Thanks a lot
PRadeep
Hi,
You need to integrate the Lotus Notes repository manager. Below are the help links:
http://help.sap.com/saphelp_nw04s/helpdata/en/bd/726174591f994fbf52df157c5f3600/frameset.htm
http://help.sap.com/saphelp_nw04s/helpdata/en/28/b7341c0f3e7a4494227dfaa130e520/frameset.htm
Also check the below docs.
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/f389db90-0201-0010-d1aa-df95592ebdec
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/9727ea90-0201-0010-be8e-b649280fe6ff
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/d5d4a6e3-0601-0010-6aa9-ac3a1f747ea5
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/asug-tech-forum-04/sap%20enterprise%20portal%20-%20lotus%20notes%20domino%20integration.pdf
/thread/78824 [original link is broken]
Raghu
-
Hi Guys,
I'm a security guy, with CUA, Portal and SSO - but when it comes to installation of CUA and SSO with Portal, I have some gaps in my knowledge, so I could use a little help. Thanks in advance.
My client is implementing a non SAP SSO solution. As I've seen it before, it would be best to have that solution authenticate to the EP, and have EP issue tickets to the various SAP systems, and set up the SSO in that fashion. Would I be correct in my line of thought and do you have any more information on this?
Second, in my experience, CUA and SSO are quite separate, and so you don't need to implement one prior to the other. Would I be correct on this line of thought as well?
Third, on the Portal, is there a note number or a document from SAP that illustrates how to go about integrating Portal into CUA? I know that the portal roles are Java based and assigned via the UME, whereas CUA would have regular SAP roles.
Thanks,
Santosh Krishnan
Damn. You were faster than me, but I still want to add a comment.
Santosh et al. are not migrating a CUA to an IdM - this migration is easily done by adding the IdM as the "front-end" to the CUA and then switching the managed systems over to direct provisioning one at a time, without stress. That is standard procedure and works.
What is being done here is to implement a CUA for the business logic of the ABAP systems and use "catching screens" as the front-end to be able to distribute the password to non-ABAP systems as well as simulate a "real" IdM with a crow's nest of overhead in the background for the basis folks to take care of and maintain.
Not a good idea, and I can already see all the "catching IDocs" involved, or even the dependency on being able to do so.
Clear design error (in the year 2010) and bad investment in available technology (in the year 2010 as well).
I would go for an IdM (regardless of the vendor) with all the agents supported for current and planned systems' APIs being used (regardless of the vendor) and a standards based SSO technology compatible with the various worlds on site (as regardless as possible of the legacy vendor support).
Whether that is PSE's, Kerberos or SAML does not really matter much when decentral password synchronization is still considered as an option for human owners of system identities.
Hopefully Santosh will keep us updated, but I would also understand if this for what-ever reasons was not allowed.
My customers also don't permit me to post everything while they are still using the odd FM or two...
Cheers,
Julius -
Oracle9iAS R2 - Virtual Hosts with Portal and SSO with OIDDAS application
Hi!
I have installed a machine with the name minsk.discover.local. The machine has Infrastructure and Portal installed. The installation was successful and it works fine. But I have published Portal to the web with the name intranet.discover.com.br. Oracle describes:
1 - Create the virtual hosts in SSO and PORTAL - OK
2 - Run ptlasst to create SSO Partner Applications - OK
After these steps Portal and SSO work fine, but when I click on the portlet to create a user to access the OIDDAS application, the Portal redirects to the SSO login page at the address mct.com.br, the internal name, and that name does not respond on the internet.
I need a help!!!!
Marcio Mesti
I just spoke to the Oracle App server admins, the two servers in question are clustered.
So my question changes slightly to:
What is the best way to install and configure a webgate for clustered Oracle App servers with multiple virtual hosts, that are residing behind a load balancer (Traffic Manager)?
Thanks,
Andy -
SSO with KRB/ADS on Enterprise Portal 7
Dear All
While I am trying to configure SSO with KRB/ADS on Enterprise Portal 7, I am getting this in the trace file. I completed the configuration through SPNego, and when I try to log in it is prompting for user name and password.
I have attached the trace file extract for your advice.
Regards
Buddhike
#1.5 #001CC45E6DA0008000000004000054FC00044F76844D9013#1213270351029#com.sap.engine.services.security.authentication.logincontext#
sap.com/com.sap.security.core.admin
#com.sap.engine.services.security.authentication.logincontext#Guest#0####3e642d50387311ddc2a0001cc45e6da0#Thread[Thread-110,5,SAPEngine_Application_Thread[impl:3]_Group]#
#0#0#Error#1#/System/Security/Authentication#Plain###
LOGIN.FAILED User:N/A Authentication Stack:com.sun.security.jgss.accept
*Login Module Flag Initialize Login Commit Abort Details*1. com.sun.security.auth.module.Krb5LoginModule OPTIONAL ok exception false null#
#1.5 #001CC45E6DA0006E00000029000054FC00044F76844D95C5#1213270351029#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#sap.com/com.sap.security.core.admin#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#Guest#0####3e669e50387311dda053001cc45e6da0#SAPEngine_Application_Thread[impl:3]_2##0#0#Error##Java###Acquiring credentials for realm KEELLS.INT failed
[EXCEPTION]
#1#GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!) at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)
at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:236)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:29)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:337)
Caused by: com.sap.engine.services.security.exceptions.BaseLoginException: Access Denied. at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:297)
at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
at sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
... 9 more
Caused by: com.sap.engine.services.security.exceptions.BaseSecurityException: Internal server error. An error log with ID [001CC45E6DA0008000000001000054FC00044F76844D8A3F] is created. For more information contact your system administrator.
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:156)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
... 23 more
Hi,
Please check if the options defined in the Krb5LoginModule are correct.
First of all, check the option principal. Did you provide this option, and did you provide the correct value?
This error often occurs if you provided a wrong value for the option principal.
Cheers -
BOBJ SAP Integration with Active Directory SSO via Portal
Hi all,
We are only integrating BOBJ with BW/BI and the user experience is as follows:
Users log in to the SAP Portal using their Windows Active Directory user ID and password to gain access to the portal.
From my understanding at the moment, the way the integration kit works is that the BOBJ system is configured as per the manual, importing the SAP roles and SAP users who will access the Crystal reports via either GUI or Portal.
My question is: when a Crystal report is created, the connection details use SAP login credentials, and in the CMC the SSO option can be set so that the SAP user who has logged on to GUI or Portal can launch the report. This is fine and works as intended, given that the user logged on with his/her SAP login. As per the user experience above, users log in to Portal using their AD login and never use GUI, which in theory is SSO into Portal. So how does one get past the login screens (BOBJ and database) while preserving AD SSO to SAP and BOBJ?
Any guidance, documents or comments will be much appreciated.
Thanks
Jacques
Hi,
yes it is possible:
take a look at the blogs I did on the install and configuration (specially the SAP Authentication):
BusinessObjects and SAP - Installation and Configuration Part 1 of 4
Install Part #1
BusinessObjects and SAP - Installation and Configuration Part 2 of 4
Install Part #2
BusinessObjects and SAP - Installation and Configuration Part 3 of 4
Install Part #3
BusinessObjects and SAP - Installation and Configuration Part 4 of 4
Install Part #4
BusinessObjects and SAP - Configure SAP Authentication
SAP Authentication
Important here is that:
- the BI System is configured to accept tickets
- the portal and BI system are configured as trusted system
- the SAP authentication is configured
Ingo -
Hi SDNers and Nakisa technical experts,
We have a Portal environment 7.02, a Nakisa environment 3.0 (CE) and an HR backend environment 701 (604).
We are busy setting up SSO between Portal and Nakisa via the URL iView for the Org chart (http://<host>:<port>OrgChart/default.jsp).
We have done as indicated in wiki:
http://wiki.sdn.sap.com/wiki/display/ERPHCM/SAPSSOAuthenticationwithverify.pseusingSAPSSOEXT
We are however still having issues with the SSO, and in the cds.log the following is being displayed:
01 Aug 2011 13:11:42 ERROR com.nakisa.Logger - com.mysap.sso.SSO2Ticket : Could not load library: sapsecu.dll - java.lang.Exception: MySapInitialize failed: rc= 14null
01 Aug 2011 13:11:42 ERROR com.nakisa.Logger - com.nakisa.framework.login.Credentials_SapSso : java.lang.Exception: MySapEvalLogonTicketEx failed: standard error= 9, ssf error= 0
01 Aug 2011 13:11:42 ERROR com.nakisa.Logger - com.nakisa.framework.login.Credentials_SapSso : Internal error (9) - No SSF error (0)
Can someone indicate what I am doing wrong?
Regards Dries
Hi Luke,
thanks a lot for your help so far.
I have created a root/XML folder under the directory, and the path is now as follows:
K:\usr\sap\NKP\J14\j2ee\cluster\apps\Nakisa\OrgChart\servlet_jsp\OrgChart\root\.system\Admin_Config\__000__Sasol_DEV_LIVE\.delta\root\XML
It seems like it finds the verify.pse, but not the library, sapsecu.dll.
My credentials.xml file is as follows:
<credentials>
<assembly name="SapSso"/>
<info>
<item name="PseFilePath">XML\verify.pse</item>
<item name="SsfLibFilePath">XML\sapsecu.dll</item>
<item name="PsePassword"></item>
<item name="WindowsPlatform">64</item>
<item name="TicketFile"></item>
<item name="Base64decode">true</item>
</info>
</credentials>
I however still get the following in the cds.log:
15 Aug 2011 13:59:53 INFO com.nakisa.Logger - Tenant ID: 000
15 Aug 2011 13:59:55 INFO com.nakisa.Logger - LoginSettingsObject Load: 1719
15 Aug 2011 13:59:55 INFO com.nakisa.Logger - com.nakisa.framework.login.Main : LogIn : Credential provider SapSso
15 Aug 2011 13:59:55 INFO com.nakisa.Logger - com.nakisa.framework.login.Credentials_SapSso : Using cert: K:\usr\sap\NKP\J14\j2ee\cluster\apps\Nakisa\OrgChart\servlet_jsp\OrgChart\root\XML\verify.pse
15 Aug 2011 13:59:55 INFO com.nakisa.Logger - com.nakisa.framework.login.Credentials_SapSso : Ticket is: AjExMDAgAA9wb3J0YWw6eXNzZWxhZ2OIABNiYXNpY2F1dGhlbnRpY2F0aW9uAQAIWVNTRUxBR0MCAAMwMDADAANEUDkEAAwyMDExMDgxNTExNDcFAAQAAAAICgAIWVNTRUxBR0P%2FAQQwggEABgkqhkiG9w0BBwKggfIwge8CAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHATGBzzCBzAIBATAiMB0xDDAKBgNVBAMTA0RQOTENMAsGA1UECxMESjJFRQIBADAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTEwODE1MTE0NzIwWjAjBgkqhkiG9w0BCQQxFgQUK13ubzFiQrY4H%2FLRk2ysyvPSvccwCQYHKoZIzjgEAwQuMCwCFF1W9d!tAjLvP8dnb1bs4XghaHSBAhQ9kd9N!bJubUWITtkzU!za96lxNg%3D%3D
15 Aug 2011 13:59:55 INFO com.nakisa.Logger - com.nakisa.framework.login.Credentials_SapSso : Version of SAPSSOEXT: SAPSSOEXT 4
15 Aug 2011 13:59:55 INFO com.nakisa.Logger - com.nakisa.framework.login.Credentials_SapSso : SCUE LIB base path is:
15 Aug 2011 13:59:55 ERROR com.nakisa.Logger - com.mysap.sso.SSO2Ticket : Could not load library: sapsecu.dll - java.lang.Exception: MySapInitialize failed: rc= 14null
15 Aug 2011 13:59:55 ERROR com.nakisa.Logger - com.nakisa.framework.login.Credentials_SapSso : java.lang.Exception: MySapEvalLogonTicketEx failed: standard error= 9, ssf error= 0
15 Aug 2011 13:59:55 ERROR com.nakisa.Logger - com.nakisa.framework.login.Credentials_SapSso : Internal error (9) - No SSF error (0)
15 Aug 2011 13:59:55 INFO com.nakisa.Logger - com.nakisa.framework.login.Main : LogIn : User to authenticate null
15 Aug 2011 13:59:55 INFO com.nakisa.Logger - com.nakisa.framework.login.Main : LogIn : Authentication provider SapSso
15 Aug 2011 14:00:00 INFO com.nakisa.Logger - com.nakisa.framework.login.Main : LogIn : User authenticated null
15 Aug 2011 14:00:00 INFO com.nakisa.Logger - com.nakisa.framework.login.Main : LogIn : Authentication row is {SapSsoTicket=AjExMDAgAA9wb3J0YWw6eXNzZWxhZ2OIABNiYXNpY2F1dGhlbnRpY2F0aW9uAQAIWVNTRUxBR0MCAAMwMDADAANEUDkEAAwyMDExMDgxNTExNDcFAAQAAAAICgAIWVNTRUxBR0P%2FAQQwggEABgkqhkiG9w0BBwKggfIwge8CAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHATGBzzCBzAIBATAiMB0xDDAKBgNVBAMTA0RQOTENMAsGA1UECxMESjJFRQIBADAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTEwODE1MTE0NzIwWjAjBgkqhkiG9w0BCQQxFgQUK13ubzFiQrY4H%2FLRk2ysyvPSvccwCQYHKoZIzjgEAwQuMCwCFF1W9d!tAjLvP8dnb1bs4XghaHSBAhQ9kd9N!bJubUWITtkzU!za96lxNg%3D%3D}
15 Aug 2011 14:00:00 INFO com.nakisa.Logger - com.nakisa.framework.login.Main : LogIn : User population provider is Database
15 Aug 2011 14:00:00 INFO com.nakisa.Logger - FunctionRunner : ensurePool : Current pool size:0
15 Aug 2011 14:00:00 INFO com.nakisa.Logger - FunctionRunner : ensurePool : Current pool size:0
15 Aug 2011 14:00:00 INFO com.nakisa.Logger - FunctionRunner.executeFunctionDirect: /NAKISA/RFC_REPORT took: 266ms
15 Aug 2011 14:00:00 INFO com.nakisa.Logger - BAPI_SAP_OTFProcessor_Report : WhereClause : ( (Userid is null) or (Userid='') ); Table : (SAP_UserPopulation); Dataelement : (UserPopulationInfo)
15 Aug 2011 14:00:00 INFO com.nakisa.Logger - com.nakisa.framework.login.Main : LogIn : User populated
15 Aug 2011 14:00:00 INFO com.nakisa.Logger - com.nakisa.framework.login.Main : LogIn : Role mapping provider is: SAP
15 Aug 2011 14:00:00 ERROR com.nakisa.Logger - SAPRoleMapping_SAP.MapRoles() : while trying to invoke the method java.lang.String.toUpperCase() of an object loaded from local variable 'value'
15 Aug 2011 14:00:00 INFO com.nakisa.Logger - com.nakisa.framework.login.Main : LogIn : Login process finished with errors
Any ideas? Should I maybe hardcode the location in the credentials.xml?
Kind regards
Dries Yssel -
Urgent: Portal access using SSO with Windows NT
Dear all,
I'm planning to implement SSO for Portal with Windows NT authentication.
Can anybody explain the steps to me?
If an internal user logs in to the NT domain, say "ABC", he/she should be authenticated to Portal without giving logon credentials; they need to enter the portal automatically.
I'm using NW'04 SR1 (EP6.0 SP9) with AIX 5.2/Oracle
Microsoft ADS (LDAP)
Please explain this to me.
Appreciated with reward points...
regards
PRadeep
Hi,
In order to apply Windows SSO you will need to install the IIS proxy module in front of your portal; this module knows how to handle user authentication using the NTLM/Kerberos features MS ADS supports.
The specific procedure for implementing it can be found in the documentation/help. I have managed to find it in the EP6 SP2 security guide, but I think it is the same for EP6 SP9 as well, so just go to this link:
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/ep/d-f/ep 6.0 sp2 security guide.pdf
Keep in mind that you will need to be logged on to SDN. -
Submitform as pdf mailto with cc and IBM Lotus inotes blank address
I have a form with a standard button to send the entire pdf by mail. My mail client is IBM Lotus iNotes. When I include a cc variable or two address in the address field, both address and cc field is left blank in inotes when it opens. I have adobe professional 9.0 and IBM Lotus iNotes 8.5.2. This is my button javascript code on its click event:
var address1 = "[email protected];[email protected]" ;
var subject1 = "My Subject";
var body1 = "My Body";
var cc1 = "[email protected]" ;
event.target.submitForm({cURL:"mailto:" + address1 +"?subject=" + subject1 +"&body=" + body1 + "&cc=" + cc1 + "",cSubmitAs:"PDF",cCharset:"utf-8"});
If I try with outlook as mail client, it works perfectly. It seems a inotes bug. Doesn't it?
Thank you in advance.
I think it's an iNotes problem. I've compared both URLs created while launching iNotes: when cTo has one single address, the URL presents the SendTo field filled in, but when cTo has two addresses, there is no SendTo field in the URL.
Url single address:
http://mailserver/mail/box0592.nsf/($Drafts)/$new/?EditDocument&Form=h_PageUI&PresetFields =h_EditAction;h_New,s_NotesForm;Memo,s_FromCtrl;1,Subject;Asunto%20de%20prueba%20,SendTo;d ir1%40cajarural.com,Body;Cuerpo%20de%20prueba,h_AttachmentNamesAlt;%22formulario%2520prueb a%2520ver%2520si%2520funcionan%2520direcciones%2520correo%2520notes%2520grabable.pdf%22%3B %22C%3A%5CDOCUME~1%5CU970592%5CCONFIG~1%5CTemp%5CDomino%20Web%20Access%5Cupload%5C35%5Cfor mulario%2520prueba%2520ver%2520si%2520funcionan%2520direcciones%2520correo%2520notes%2520g rabable.pdf%22,h_AttachmentLengthsAlt;45930,s_AttachmentTimesAlt;20120906T071041Z
Url with two address
http://mailserver/mail/box0592.nsf/($Drafts)/$new/?EditDocument&Form=h_PageUI&PresetFields =h_EditAction;h_New,s_NotesForm;Memo,s_FromCtrl;1,Subject;Asunto%20de%20prueba%20,Body;Cue rpo%20de%20prueba,h_AttachmentNamesAlt;%22formulario%2520prueba%2520ver%2520si%2520funcion an%2520direcciones%2520correo%2520notes%2520grabable.pdf%22%3B%22C%3A%5CDOCUME~1%5CU970592 %5CCONFIG~1%5CTemp%5CDomino%20Web%20Access%5Cupload%5C12%5Cformulario%2520prueba%2520ver%2 520si%2520funcionan%2520direcciones%2520correo%2520notes%2520grabable.pdf%22,h_AttachmentL engthsAlt;45972,s_AttachmentTimesAlt;20120906T071217Z
These URLs are built by iNotes, I suppose, and iNotes doesn't work properly in this matter. -
when accessing my teacher email through firefox I can receive and open email but can't send any (the teacher email uses IBM Lotus Inotes
I am running Lotus iNotes version 8.5.2 on Firefox version 6.02. I am not seeing any errors in a red bar. I click "send" and nothing happens.
-
I recently downloaded and installed Firefox 4.0 on my MacBookPro. My employer uses IBM Lotus iNotes 8.5.1 for email. Since I have installed 4.0, some of the attachments come through, others do not. I am also having issues forwarding emails as certain buttons do not appear such as "Send". The previous version of Firefox had no issues of this kind.
Did you read this?
https://www-304.ibm.com/support/docview.wss?rs=0&uid=swg21473999
That article says to install this extension for remote XUL support.
https://addons.mozilla.org/en-US/firefox/addon/remote-xul-manager/ -
SSO with Logon Ticket to non-SAP Unix based application
Hi all,
Anyone has implemented SSO with Logon Ticket to a Unix box ?
We need to achieve Single Sign On between our EP5.0 SP5 Portal and a third-party web application with a front-end on a Unix AIX machine with Apache.
We achieved SSO with non-SAP applications with Logon Tickets, but one was to an IIS system in another domain (we therefore used the standard Web Filter for IIS and declared it in usermanagement for cross-domain support) and another one running on Windows platform (we used the C libraries provided in the "Logon Ticket Toolkit": NT or Linux only).
From what we understand and found on the web sites, we cannot reuse any standard web filter (none for Unix, am I correct ???) and want to implement custom code using SAP libraries, if possible using Java
-> Are there any Java libraries that are available to both:
. verify the logon ticket with the deployed Portal public key
. decrypt/extract the authenticated username from this ticket ??
I've seen a mention of Java libraries, and Unix, in a SAP EP 6.0 document but I'm not sure where to find them...
Is the SAP Logon Ticket issued the same way in EP 5.0 and EP 6.0 ?
I managed to find something called SAPSSOEXT, for AIX, which contains some partial library and a sample, but it is dated 2000 !! Anyone has more information about this ?
Any hint is very much appreciated.
Thanks a lot
Olivier
Check these links for reference regarding AIX and Apache using X.509 certificates:
http://publib16.boulder.ibm.com/pseries/en_US/aixbman/security/cas_pki.htm
And just using cookies -
http://forums.devshed.com/archive/t-105611 (perl based)
You can also use mod_ssl built into your Apache to facilitate both certificate based authentication as well as encryption.
The mod_ssl route is most secure (because of the encryption), the IBM link is comprehensive but requires extra infrastructure (LDAP).
Nick -
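The question above separates two steps: verifying the logon ticket and extracting the user from it. As an added example (not SAP's code and not from the original posts), this Python sketch covers only the extraction step, decoding a ticket cookie value and walking its id/length/content units. The unit IDs and their meanings, the UTC creation time and the sample ticket are assumptions or constructed values; the layout matches the ticket value logged in the Nakisa thread above.

```python
import base64
import struct
from datetime import datetime, timedelta, timezone
from urllib.parse import quote, unquote

# Info-unit IDs and meanings are assumptions of this example; they match the
# layout of the ticket value logged in the Nakisa thread on this page.
TEXT_UNITS = {0x01: "user", 0x02: "client", 0x03: "system_id",
              0x04: "created", 0x20: "portal_user", 0x88: "auth_scheme"}
VALIDITY_UNIT = 0x05   # 4-byte big-endian validity in hours (assumed)
SIGNATURE_UNIT = 0xFF  # signature blob, last unit in the ticket (assumed)


def decode_cookie(value):
    """Undo URL-encoding and the '!'-for-'+' substitution, then base64-decode."""
    b64 = unquote(value).replace("!", "+")
    return base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True)


def parse_ticket(value):
    """Split a ticket into header, info units and signature. No verification."""
    raw = decode_cookie(value)
    if len(raw) < 5:
        raise ValueError("ticket shorter than its fixed header")
    ticket = {"version": raw[0], "codepage": raw[1:5].decode("ascii"),
              "signature": None, "signed_bytes": None}
    pos = 5
    while pos < len(raw):
        if pos + 3 > len(raw):
            raise ValueError("truncated info-unit header")
        unit_id, length = struct.unpack_from(">BH", raw, pos)
        body = raw[pos + 3:pos + 3 + length]
        if len(body) != length:
            raise ValueError("info unit 0x%02x overruns the ticket" % unit_id)
        if unit_id == SIGNATURE_UNIT:
            # Everything before the signature unit is what the issuer signed.
            ticket["signed_bytes"] = raw[:pos]
            ticket["signature"] = body
        elif unit_id == VALIDITY_UNIT:
            ticket["valid_hours"] = int.from_bytes(body, "big")
        elif unit_id in TEXT_UNITS:
            ticket[TEXT_UNITS[unit_id]] = body.decode("latin-1").strip()
        pos += 3 + length
    return ticket


def is_expired(ticket, now):
    """True if the validity window has passed or cannot be determined."""
    try:
        created = datetime.strptime(ticket["created"], "%Y%m%d%H%M")
        lifetime = timedelta(hours=ticket["valid_hours"])
    except (KeyError, ValueError):
        return True
    return now > created.replace(tzinfo=timezone.utc) + lifetime


def build_sample_ticket():
    """Constructed ticket for the demo; the signature bytes are filler."""
    def unit(unit_id, body):
        return struct.pack(">BH", unit_id, len(body)) + body
    raw = (b"\x02" + b"1100"
           + unit(0x20, b"portal:jdoe") + unit(0x88, b"basicauthentication")
           + unit(0x01, b"JDOE    ") + unit(0x02, b"000") + unit(0x03, b"EP1")
           + unit(0x04, b"202401151200") + unit(0x05, (8).to_bytes(4, "big"))
           + unit(0xFF, b"\xfb\xef\xbe constructed filler, not a signature"))
    b64 = base64.b64encode(raw).decode("ascii").replace("+", "!")
    return quote(b64, safe="!")


if __name__ == "__main__":
    t = parse_ticket(build_sample_ticket())
    print({k: v for k, v in t.items() if k not in ("signature", "signed_bytes")})
    print("expired:", is_expired(t, datetime.now(timezone.utc)))
```

The parsed user name is only a claim until the signature over `signed_bytes` has been checked against the issuing portal's certificate, which is the job verify.pse and SAPSSOEXT perform in the Nakisa thread.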
SSO with ITS & Webenabling WEBGui
Hello,
We have configured SSO with R/3 system. It works fine.
The requirement is, we have to webenable R/3 system thru SAP GUI For Windows and SAP GUI For HTML.
We are able to do both in the development environment, where both R/3 and portal have the same host names.
But in the qa environment, we are able to webenable R/3 with SAP GUI For Windows and the SSO also works fine. But when we try to using SAP GUI For Html, it asks for the username and pwd again. Here the portal and R/3 has different host names.
Otherwise the settings in dev and test are exactly the same. Has anybody got a clue why is it not working?
Regards,
Rukmani
Hi all,
it is always good to start with a good checklist. Here is probably the best one: https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/documents/a1-8-4/sso checklist.html
My suggestion is: do not skip even simple steps; sometimes the problem appears there.
Regards,
Pavol -
SSO with SAP logon tickets to non-SAP web app
I am trying to implement SSO to an oracle portal based web application using SAP logon tickets, but can't seem to find a way for it to work. I thought maybe it would be a web server filter, but am unsure if this would work for oracle portal. Anyone tried similar?
Cindy
Hi Cindy,
If it is EP6 SP2 probably you can checkout the following document.
http://service.sap.com/ep60
Go to Documentation Help>How-To-Guides>Current How To Guides section.
checkout the following how to guide.
Perform Cross Domain SSO with SAP Logon tickets zip file.
If you want the zip file please send an e-mail to
[email protected]
Regards
-Venkat Malempati -
SSO from Portal to a ITS (standalone) to the R/3 backend
Dear all,
I have the following situation:
1. I have successfully installed SSO between Portal and the Backend system. That works fine.
PORTAL -> D98 (R/3 System with 4.7)
2. The backend system has no ITS because it's SAP R/3 4.7 without ITS.
PORTAL -> ITS (Standalone) -> D98 (R/3 4.7)
Question:
I have to create now a connection from the SAP Portal to the ITS and so on in the backend system with SSO.
Which settings are necessary to create SSO over a ITS system like this:
PORTAL -> ITS (Standalone) -> D98 (R/3 4.7)
Who could help me?
Thanks for your effort.
Kind regards,
Thomas
Dear Ansar,
Sorry, but I don't find this note.
Note 56691
Could you please give me the right note?
Thanks a lot for your help and your effort.
Kind regards,
Thomas -
SSO and portal timeout -- other bug?
...this is very probably related to the other post talking about SSO and portal timeout...
I am having another weird issue with dotnet portlets that uses inline refresh (done automatically by dotnet accelerator) and SSO.
When you let the portal session expire, and then click on a button/link within a portlet (hence generate an inline refresh gatewayed request), the full portal window (header/footer etc...) appears within the portlet, instead of the portlet content alone.
I did some http traces (see below) and it seems the problem is due to the windows SSOLogin.aspx (we are using windows auth SSO) not taking the requested portlet gatewayed request url as a post login redirect info... but taking instead the current page url (which is wrong)
Thus, after the gatewayed portlet request is successfully authenticated by the SSOLogin.aspx component, it is automatically redirected to the wrong URL, making the full portal page refresh into the portlet.
So my question is: has anyone already seen such behavior? And has anything been done to fix this?
It really seems like a bug with the SSO servlet, but maybe I am doing something wrong. Just want to have your thoughts on this.
Thanks,
Fabien
============================================================================================
HTTP Trace:
POST 302 Redirect to /portal/sso/SSOLogin.aspx?in_hi_userid=15046&space=CommunityPage&parentid=1&cached=false&control=SetCommunity&PageID=0&CommunityID=205&parentname=Login http://your.portal.com/portal/server.pt/gateway/PTARGS_0_15046_362_205_0_43/http%3B/your.portletserver.com/yourapp/youraspx.aspx
GET 401 text/html http://your.portal.com/portal/sso/SSOLogin.aspx?in_hi_userid=15046&space=CommunityPage&parentid=1&cached=false&control=SetCommunity&PageID=0&CommunityID=205&parentname=Login
GET 401 text/html http://your.portal.com/portal/sso/SSOLogin.aspx?in_hi_userid=15046&space=CommunityPage&parentid=1&cached=false&control=SetCommunity&PageID=0&CommunityID=205&parentname=Login
GET 302 Redirect to http://your.portal.com/portal/server.pt?in_hi_userid=15046&space=CommunityPage&parentid=1&cached=false&control=SetCommunity&PageID=0&CommunityID=205&parentname=Login http://your.portal.com/portal/sso/SSOLogin.aspx?in_hi_userid=15046&space=CommunityPage&parentid=1&cached=false&control=SetCommunity&PageID=0&CommunityID=205&parentname=Login
GET 200 text/html; charset=utf-8 http://your.portal.com/portal/server.pt?in_hi_userid=15046&space=CommunityPage&parentid=1&cached=false&control=SetCommunity&PageID=0&CommunityID=205&parentname=Login
I have this happen in v6.0 sp1. We have worked around the problem with a bit of work and synchronization of settings. Below, I've outlined how we've worked around the problem (which is indeed a problem that should be fixed). Also, if you have a load balancer, you'll need to set your session timeout on the load balancer to a bit more than the refresh rate that you set for your communities and My Pages.
Resolving the Portlet Timeout / Refresh Problem in ALUI Portal
Problem: Users occasionally receive the portal page within a portlet error
Cause: The root cause has not been determined; however it appears that the primary event that exhibits the behavior is when a teammember’s session has expired on the portal server and they then utilize a .NET form-based portlet which refreshes in place. Because we are using WIA SSO to enable automatic logins to the portal, it makes the error seem to occur randomly.
Resolution:
The workaround solution is to – 1) increase the portal session timeout on the portal web servers from the default 20min to 4 hours, and 2) set the MyPage refresh interval setting for all portal users to 3 hours. The setting name is a bit of a misnomer, as it will actually refresh the entire portal page automatically if the user is idle on either a My Page or a Community Page, as these are the only two places that portlets reside.
Increasing the portal session timeout:
The portal session timeout is controlled in two places, and both settings should match. On the portal virtual directory in IIS, edit the configuration and increase the timeout setting to 240 (minutes). Then, edit the portal application’s web.config file (d:\portal\ptportal\6.0\webapp\portal\web\) and increase the sessionState Timeout variable to 240. Editing the config file will require you to restart the services before you see the change.
Initial setting of the MyPage refresh interval:
The initial setting will need to be done by a SQL script in order to apply it to all existing users. The Default Profile should also be updated so that all new user synched from AD will have this setting applied automatically.
/* Delete refresh interval settings for all users first so that there are no conflicts on the inserts */
DELETE FROM portaldbuser.ptprefs WHERE prefname = 'intMyPageRefreshRate'
/* Insert desired page refresh setting for all users */
INSERT INTO portaldbuser.ptprefs (userid,gadgetid,prefclassid,prefobjectid,prefname,prefvaluetype,prefvalue,pagenumber) SELECT objectid,0,0,0,'intMyPageRefreshRate',3,180,0 FROM portaldbuser.ptusers
From Administration, access the Default Profiles utility. Check the Default Profile entry and click on the Edit Profile Layout link. Click on the My Account link in the Portal Settings portlet and then on the Display Options link on the next page. In the Page and Portlet Settings, update the Your My Page will be updated: setting to 4 hours. Click Finish twice to return to Administration.
Updating the MyPage refresh interval:
To update the setting just modify the insert portion of the SQL script. Change the prefvalue number (180) to the desired timeout in minutes and rerun both statements of the script.
The Default Profile should also be modified per the instructions above.
I hope this helps...
-tom