Lotus Inotes SSO with Portal

Similar Messages

• CUA, SSO and Portal

  Hi Guys,
  I'm a security guy, with CUA, Portal and SSO - but when it comes to installation of CUA and SSO with Portal, I have some gaps in my knowledge, so I could use a little help.  Thanks in advance.
  My client is implementing a non SAP SSO solution.  As I've seen it before, it would be best to have that solution authenticate to the EP, and have EP issue tickets to the various SAP systems, and set up the SSO in that fashion.  Would I be correct in my line of thought and do you have any more information on this?
  Second, in my experience, CUA and SSO are quite separate, and so you don't need to implement one prior to the other.  Would I be correct on this line of thought as well?
  Third, on the Portal, is there a note number or a document from SAP that illustrates how to go about integrating Portal into CUA?  I know that the portal roles are Java based and assigned via the UME, whereas CUA would have regular SAP roles. 
  Thanks,
  Santosh Krishnan

  Damn. You were faster than me, but I still want to add a comment.
  Santosh et. al. are not migrating a CUA to an IdM - this migration is easily done by adding the IdM as the "front-end" to the CUA and then switching the managed systems over to direct provisioning one at a time, without stress. That is standard procedure and works.
  What is being done here is to implement a CUA for the business logic of the ABAP systems and use "catching screens" as the front-end to be able to distribute the password to non-ABAP systems as well simulate a "real" IdM with a crow's nest of overhead in the background for the basis folks to take care of and maintain.
  Not a good idea, and I can already see all the "catching IDocs" involved, or even the dependency on being able to do so.
  Clear design error (in the year 2010) and bad investment in available technology (in the year 2010 as well).
  I would go for an IdM (regardless of the vendor) with all the agents supported for current and planned systems' APIs being used (regardless of the vendor) and a standards based SSO technology compatible with the various worlds on site (as regardless as possible of the legacy vendor support).
  Whether that is PSE's, Kerberos or SAML does not really matter much when decentral password synchronization is still considered as an option for human owners of system identities.
  Hopefully Santosh will keep us updated, but I would also understand if this for what-ever reasons was not allowed.
  My customers also dont permit me to post everything while they are still using the odd FM or two...
  Cheers,
  Julius

• Oracle9iAS R2 - Virtual Hosts with Portal and SSO with OIDDAS application

  Hi!
  I have installed a the machine with name minsk.discover.local. The machine have installed Infrastructure and Portal. The instalation is sucessfull and i work fine. But i have publish Portal to WEB with name intranet.discover.com.br. The Oracle describe:
  1 - Create the virtual hosts in SSO and PORTAL - OK
  2 - run ptlasst to create SSO Partners Applications - OK
  After this steps iwork fine with Portal and SSO, but when i click in portlet to create user to access the application OIDDAS, the Portal redirect to login page of SSO in address mct.com.br, the internal name, when then name not responde in the internet.
  I need a help!!!!
  Marcio Mesti

  I just spoke to the Oracle App server admins, the two servers in question are clustered.
  So my question changes slightly to:
  What is the best way to install and configure a webgate for clustered Oracle App servers with mulitple virtual hosts, that are residing behind a load balancer (Traffic Manager)?
  Thanks,
  Andy

• SSO with KRB/ADS on Enterprise Portal 7

  Dear All
  while i am trying to configure SSO with KRB/ADS on Enterprise Portal 7 i am getting this on the trace file..completed the configuration through SpNego and when i try to log in its promting for user name password..
  i have attched the trace file extract for  your advice..
  Regards
  Buddhike
  #1.5 #001CC45E6DA0008000000004000054FC00044F76844D9013#1213270351029#com.sap.engine.services.security.authentication.logincontext#
  sap.com/com.sap.security.core.admin
  #com.sap.engine.services.security.authentication.logincontext#Guest#0####3e642d50387311ddc2a0001cc45e6da0#Thread[Thread-110,5,SAPEngine_Application_Thread[impl:3]_Group]#
  #0#0#Error#1#/System/Security/Authentication#Plain###
  LOGIN.FAILED User:N/A Authentication Stack:com.sun.security.jgss.accept
  *Login Module                                                               Flag        Initialize  Login      Commit     Abort      Details*1. com.sun.security.auth.module.Krb5LoginModule                            OPTIONAL    ok          exception             false      null#
  #1.5 #001CC45E6DA0006E00000029000054FC00044F76844D95C5#1213270351029#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#sap.com/com.sap.security.core.admin#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#Guest#0####3e669e50387311dda053001cc45e6da0#SAPEngine_Application_Thread[impl:3]_2##0#0#Error##Java###Acquiring credentials for realm KEELLS.INT failed
  [EXCEPTION]
  #1#GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)     at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)
       at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
       at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
       at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
       at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
       at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
       at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
       at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:236)
       at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:29)
       at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:337)
  Caused by: com.sap.engine.services.security.exceptions.BaseLoginException: Access Denied.     at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:297)
       at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:324)
       at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
       at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
       at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
       at sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
       at java.security.AccessController.doPrivileged(Native Method)
       at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
       ... 9 more
  Caused by: com.sap.engine.services.security.exceptions.BaseSecurityException: Internal server error. An error log with ID [001CC45E6DA0008000000001000054FC00044F76844D8A3F] is created. For more information contact your system administrator.
       at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:156)
       at java.security.AccessController.doPrivileged(Native Method)
       at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
       ... 23 more

  Hi,
  please check if the options defined in the KRB5LoginModule are correct.
  First of all check for the option prinicpal. Did you provide this option and also provided the correct value?
  This error often occurs if you provided a wrong value for option prinicpal
  Cheers

• BOBJ SAP Integration with Active Directory SSO via Portal

  Hi all,
  We are only interating BOBJ with BW/BI and the user experience is as follows:
  Users login to the SAP Portal using their Windows Active Directory user id and password to gain access to the portal.
  From my understanding at the moment, the way the interation kit works is that the BOBJ system is configured as per the manual importing the SAP roles and SAP users who will access the Crystal reports via either GUI or Portal.
  My question is: When creating a Crystal report is created, the connection details use SAP login credentials and in the CMC the SSO option can be set so that the SAP user who has logged onto GUI or Portal can launch the report... this is fine and works as intended taken that the user logged on with his/her SAP login. As per the user experience above, users log in using their AD Login into Portal, and never use GUI, where this in theory is SSO into Portal. So how does one get past the login screens (BOBJ and database) while preserving AD SSO to SAP and BOBJ?
  Any guidance, documents or comments will be much appreciated.
  Thanks
  Jacques

  HI,
  yes it is possible:
  take a look at the blogs I did on the install and configuration (specially the SAP Authentication):
  BusinessObjects and SAP - Installation and Configuration Part 1 of 4
  Install Part #1
  BusinessObjects and SAP - Installation and Configuration Part 2 of 4
  Install Part #2
  BusinessObjects and SAP - Installation and Configuration Part 3 of 4
  Install Part #3
  BusinessObjects and SAP - Installation and Configuration Part 4 of 4
  Install Part #4
  BusinessObjects and SAP - Configure SAP Authentication
  SAP Authentication
  Important here is that:
  - the BI System is configured to accept tickets
  - the portal and BI system are configured as trusted system
  - the SAP authentication is configured
  Ingo

• SSO between Portal and Nakia.....problem with SSO... library not found..

  Hi Sdn's  and Nakisa tehnical experts,
  We have a Portal environment 7.02 , a Nakisa environment 3.0  (CE) and and HR backend environment 701 (604).
  We are busy setting up SSO between Portal and Nakisa via the, URL iview for the Org chart (http://<host>:<port>OrgChart/default.jsp).
  We have done as indicated in wiki:
  http://wiki.sdn.sap.com/wiki/display/ERPHCM/SAPSSOAuthenticationwithverify.pseusingSAPSSOEXT
  We are however stil having issues with the SSO and in the cds.log the following is being displayed:
  ++01 Aug 2011 13:11:42 ERROR com.nakisa.Logger  - com.mysap.sso.SSO2Ticket : Could not load library: sapsecu.dll - java.lang.Exception: MySapInitialize failed: rc= 14null++
  ++01 Aug 2011 13:11:42 ERROR com.nakisa.Logger  - com.nakisa.framework.login.Credentials_SapSso : java.lang.Exception: MySapEvalLogonTicketEx failed: standard error= 9, ssf error= 0++
  ++01 Aug 2011 13:11:42 ERROR com.nakisa.Logger  - com.nakisa.framework.login.Credentials_SapSso : Internal error (9) - No SSF error (0)++
  Can someone indicate what I am doing wrong?
  Regards Dries

  Hi Luke,
  thanks a lot for your help so far.
  I have created a root/XML folder under the diretory, and the path is now as follows:
  K:\usr\sap\NKP\J14\j2ee\cluster\apps\Nakisa\OrgChart\servlet_jsp\OrgChart\root\.system\Admin_Config\__000__Sasol_DEV_LIVE\.delta\root\XML
  It seems like it finds the verify.pse, but not the library, sapsecu.dll.
  My credentials.xml file is as follows:
  <credentials>
  <assembly name="SapSso"/>
    <info>
      <item name="PseFilePath">XML\verify.pse</item>
      <item name="SsfLibFilePath">XML\sapsecu.dll</item>
      <item name="PsePassword"></item>
      <item name="WindowsPlatform">64</item>
      <item name="TicketFile"></item>
      <item name="Base64decode">true</item>
     </info>
  </credentials>
  I however stilll get the following in the cds.log
  15 Aug 2011 13:59:53 INFO  com.nakisa.Logger  - Tenant ID: 000
  15 Aug 2011 13:59:55 INFO  com.nakisa.Logger  - LoginSettingsObject Load: 1719
  15 Aug 2011 13:59:55 INFO  com.nakisa.Logger  - com.nakisa.framework.login.Main : LogIn : Credential provider SapSso
  15 Aug 2011 13:59:55 INFO  com.nakisa.Logger  - com.nakisa.framework.login.Credentials_SapSso : Using cert: K:\usr\sap\NKP\J14\j2ee\cluster\apps\Nakisa\OrgChart\servlet_jsp\OrgChart\root\XML\verify.pse
  15 Aug 2011 13:59:55 INFO  com.nakisa.Logger  - com.nakisa.framework.login.Credentials_SapSso : Ticket is: AjExMDAgAA9wb3J0YWw6eXNzZWxhZ2OIABNiYXNpY2F1dGhlbnRpY2F0aW9uAQAIWVNTRUxBR0MCAAMwMDADAANEUDkEAAwyMDExMDgxNTExNDcFAAQAAAAICgAIWVNTRUxBR0P%2FAQQwggEABgkqhkiG9w0BBwKggfIwge8CAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHATGBzzCBzAIBATAiMB0xDDAKBgNVBAMTA0RQOTENMAsGA1UECxMESjJFRQIBADAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTEwODE1MTE0NzIwWjAjBgkqhkiG9w0BCQQxFgQUK13ubzFiQrY4H%2FLRk2ysyvPSvccwCQYHKoZIzjgEAwQuMCwCFF1W9d!tAjLvP8dnb1bs4XghaHSBAhQ9kd9N!bJubUWITtkzU!za96lxNg%3D%3D
  15 Aug 2011 13:59:55 INFO  com.nakisa.Logger  - com.nakisa.framework.login.Credentials_SapSso : Version of SAPSSOEXT: SAPSSOEXT 4
  15 Aug 2011 13:59:55 INFO  com.nakisa.Logger  - com.nakisa.framework.login.Credentials_SapSso : SCUE LIB base path is:
  15 Aug 2011 13:59:55 ERROR com.nakisa.Logger  - com.mysap.sso.SSO2Ticket : Could not load library: sapsecu.dll - java.lang.Exception: MySapInitialize failed: rc= 14null
  15 Aug 2011 13:59:55 ERROR com.nakisa.Logger  - com.nakisa.framework.login.Credentials_SapSso : java.lang.Exception: MySapEvalLogonTicketEx failed: standard error= 9, ssf error= 0
  15 Aug 2011 13:59:55 ERROR com.nakisa.Logger  - com.nakisa.framework.login.Credentials_SapSso : Internal error (9) - No SSF error (0)
  15 Aug 2011 13:59:55 INFO  com.nakisa.Logger  - com.nakisa.framework.login.Main : LogIn : User to authenticate null
  15 Aug 2011 13:59:55 INFO  com.nakisa.Logger  - com.nakisa.framework.login.Main : LogIn : Authentication provider SapSso
  15 Aug 2011 14:00:00 INFO  com.nakisa.Logger  - com.nakisa.framework.login.Main : LogIn : User authenticated null
  15 Aug 2011 14:00:00 INFO  com.nakisa.Logger  - com.nakisa.framework.login.Main : LogIn : Authentication row is {SapSsoTicket=AjExMDAgAA9wb3J0YWw6eXNzZWxhZ2OIABNiYXNpY2F1dGhlbnRpY2F0aW9uAQAIWVNTRUxBR0MCAAMwMDADAANEUDkEAAwyMDExMDgxNTExNDcFAAQAAAAICgAIWVNTRUxBR0P%2FAQQwggEABgkqhkiG9w0BBwKggfIwge8CAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHATGBzzCBzAIBATAiMB0xDDAKBgNVBAMTA0RQOTENMAsGA1UECxMESjJFRQIBADAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTEwODE1MTE0NzIwWjAjBgkqhkiG9w0BCQQxFgQUK13ubzFiQrY4H%2FLRk2ysyvPSvccwCQYHKoZIzjgEAwQuMCwCFF1W9d!tAjLvP8dnb1bs4XghaHSBAhQ9kd9N!bJubUWITtkzU!za96lxNg%3D%3D}
  15 Aug 2011 14:00:00 INFO  com.nakisa.Logger  - com.nakisa.framework.login.Main : LogIn : User population provider is Database
  15 Aug 2011 14:00:00 INFO  com.nakisa.Logger  - FunctionRunner : ensurePool : Current pool size:0
  15 Aug 2011 14:00:00 INFO  com.nakisa.Logger  - FunctionRunner : ensurePool : Current pool size:0
  15 Aug 2011 14:00:00 INFO  com.nakisa.Logger  - FunctionRunner.executeFunctionDirect: /NAKISA/RFC_REPORT took: 266ms
  15 Aug 2011 14:00:00 INFO  com.nakisa.Logger  - BAPI_SAP_OTFProcessor_Report :  WhereClause : ( (Userid is null) or (Userid='') ); Table : (SAP_UserPopulation); Dataelement : (UserPopulationInfo)
  15 Aug 2011 14:00:00 INFO  com.nakisa.Logger  - com.nakisa.framework.login.Main : LogIn : User populated
  15 Aug 2011 14:00:00 INFO  com.nakisa.Logger  - com.nakisa.framework.login.Main : LogIn : Role mapping provider is: SAP
  15 Aug 2011 14:00:00 ERROR com.nakisa.Logger  - SAPRoleMapping_SAP.MapRoles() : while trying to invoke the method java.lang.String.toUpperCase() of an object loaded from local variable 'value'
  15 Aug 2011 14:00:00 INFO  com.nakisa.Logger  - com.nakisa.framework.login.Main : LogIn : Login process finished with errors
  Any ideas? Should I maybe hardcode the location in the credentials.xml?
  Kind regards
  Dries Yssel

• Urgent: Portal access using SSO with Windows NT

  Dear all,
  I'm planning to implement SSO for Portal with Window NT authentication.
  Can anybody explain me the steps to do...
  If the internal users logs in NT domain say..("ABC"). he/she should be authenticated to Portal without giving logon credentials.. automatically they needs to enter into portal.
  I'm using NW'04 SR1(EP6.0 SP9) with AIX 5.2/oracle
  Microsoft ADS(LDAP)
  Pl explain me...
  Appreciated with reward points...
  regards
  PRadeep

  Hi,
  in order to apply windows SSO you will need to install the IIS proxy module in front of your portal, this module knows how to handle users authentication using the NTLM/kerberos features MS ADS supports.
  the specific procedure for implementing it can be found in the documentation/help. i have managed to find it in the EP6 sp2 security guide but i think it is the same for the EP6 SP9 as well. so just go to this link:
  <u><b>https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/ep/d-f/ep 6.0 sp2 security guide.pdf</b></u>
  keep in mind that you will need to be logged on to SDN.

• Submitform as pdf mailto with cc and IBM Lotus inotes blank address

  I have a form with a standard button to send the entire pdf by mail. My mail client is IBM Lotus iNotes. When I include a cc variable or two address in the address field, both address and cc field is left blank in inotes when it opens. I have adobe professional 9.0 and IBM Lotus iNotes 8.5.2. This is my button javascript code on its click event:
       var address1 = "[email protected];[email protected]" ;
       var subject1 = "My Subject";
       var body1 = "My Body";
       var cc1 = "[email protected]" ;
      event.target.submitForm({cURL:"mailto:" + address1 +"?subject=" + subject1 +"&body=" + body1 + "&cc=" + cc1 + "",cSubmitAs:"PDF",cCharset:"utf-8"});
  If I try with outlook as mail client, it works perfectly. It seems a inotes bug. Doesn't it?
  Thank you in advance.

  I think it's an iNotes problem. I've compared both urls created while is launching iNotes and when cTo: has one single address, the url presents the SendTo field filled, but when cTo has two address, there is no SendTo field in the url.
  Url single address:
  http://mailserver/mail/box0592.nsf/($Drafts)/$new/?EditDocument&Form=h_PageUI&PresetFields =h_EditAction;h_New,s_NotesForm;Memo,s_FromCtrl;1,Subject;Asunto%20de%20prueba%20,SendTo;d ir1%40cajarural.com,Body;Cuerpo%20de%20prueba,h_AttachmentNamesAlt;%22formulario%2520prueb a%2520ver%2520si%2520funcionan%2520direcciones%2520correo%2520notes%2520grabable.pdf%22%3B %22C%3A%5CDOCUME~1%5CU970592%5CCONFIG~1%5CTemp%5CDomino%20Web%20Access%5Cupload%5C35%5Cfor mulario%2520prueba%2520ver%2520si%2520funcionan%2520direcciones%2520correo%2520notes%2520g rabable.pdf%22,h_AttachmentLengthsAlt;45930,s_AttachmentTimesAlt;20120906T071041Z
  Url with two address
  http://mailserver/mail/box0592.nsf/($Drafts)/$new/?EditDocument&Form=h_PageUI&PresetFields =h_EditAction;h_New,s_NotesForm;Memo,s_FromCtrl;1,Subject;Asunto%20de%20prueba%20,Body;Cue rpo%20de%20prueba,h_AttachmentNamesAlt;%22formulario%2520prueba%2520ver%2520si%2520funcion an%2520direcciones%2520correo%2520notes%2520grabable.pdf%22%3B%22C%3A%5CDOCUME~1%5CU970592 %5CCONFIG~1%5CTemp%5CDomino%20Web%20Access%5Cupload%5C12%5Cformulario%2520prueba%2520ver%2 520si%2520funcionan%2520direcciones%2520correo%2520notes%2520grabable.pdf%22,h_AttachmentL engthsAlt;45972,s_AttachmentTimesAlt;20120906T071217Z
  These urls are built by iNotes I suppose and iNotes doesn`t work properly in this matter.

• Can't send email with lotus inotes through forefox server but can through yahoo - what do I need to do to correct this?

  when accessing my teacher email through firefox I can receive and open email but can't send any (the teacher email uses IBM Lotus Inotes

  I am running Lotus iNotes version 8.5.2 on Firefox version 6.02. I am not seeing any errors in a red bar. I click "send" and nothing happens.

• I am having issues with attachments using IBM Lotus iNotes 8.5.1. Sometime they re there, others not. Any know issues?

  I recently downloaded and installed Firefox 4.0 on my MacBookPro. My employer uses IBM Lotus iNotes 8.5.1 for email. Since I have installed 4.0, some of the attachments come through, others do not. I am also having issues forwarding emails as certain buttons do not appear such as "Send". The previous version of Firefox had no issues of this kind.

  Did you read this? <br />
  https://www-304.ibm.com/support/docview.wss?rs=0&uid=swg21473999
  That articles says to install this extension for remote XUL support. <br />
  https://addons.mozilla.org/en-US/firefox/addon/remote-xul-manager/

• SSO with Logon Ticket to non-SAP Unix based application

  Hi all,
  Anyone has implemented SSO with Logon Ticket to a Unix box ?
  We need to achieve Single Sign On between our EP5.0 SP5 Portal and a third-party web application with a front-end on a Unix AIX machine with Apache.
  We achieved SSO with non-SAP applications with Logon Tickets, but one was to an IIS system in another domain (we therefore used the standard Web Filter for IIS and declared it in usermanagement for cross-domain support) and another one running on Windows platform (we used the C libraries provided in the "Logon Ticket Toolkit": NT or Linux only).
  From what we understand and found on the web sites, we cannot reuse any standard web filter (none for Unix, am I correct ???) and want to implement custom code using SAP libraries, if possible using Java
  -> Are there any Java libraries that are available to both:
  . verify the logon ticket with the deployed Portal public key
  . decrypt/extract the authenticated username from this ticket ??
  I've seen a mention of Java libraries, and Unix, in a SAP EP 6.0 document but I'm not sure where to find them...
  Is the SAP Logon Ticket issued the same way in EP 5.0 and EP 6.0 ?
  I managed to find something called SAPSSOEXT, for AIX, which contains some partial library and a sample, but it is dated 2000 !! Anyone has more information about this ?
  Any hint is very much appreciated.
  Thanks a lot
  Olivier

  Check these links for reference regarding AIX and Apache using X.509 certificates:
  http://publib16.boulder.ibm.com/pseries/en_US/aixbman/security/cas_pki.htm
  And just using cookies -
  http://forums.devshed.com/archive/t-105611 (perl based)
  You can also use mod_ssl built into your Apache to facilitate both certificate based authentication as well as encryption.
  The mod_ssl route is most secure (because of the encryption), the IBM link is comprehensive but requires extra infrastructure (LDAP).
  Nick
  Nick

• SSO with ITS & Webenabling WEBGui

  Hello,
  We have configured SSO with R/3 system. It works fine.
  The requirement is, we have to webenable R/3 system thru SAP GUI For Windows and SAP GUI For HTML.
  We are able to do both on developement environment where both R/3 and portal has got the same host names.
  But in the qa environment, we are able to webenable R/3 with SAP GUI For Windows and the SSO also works fine. But when we try to using SAP GUI For Html, it asks for the username and pwd again. Here the portal and R/3 has different host names.
  Otherwise the settings in dev and test are exactly the same. Has anybody got a clue why is it not working?
  Regards,
  Rukmani

  Hi all,
  it is always good to start with a good checklist. Here is probably the best one: https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/documents/a1-8-4/sso checklist.html
  My suggestion is: do not skip even simple steps, sometimes problem appears there
  Regards,
  Pavol

• SSO with SAP logon tickets to non-SAP web app

  I am trying to implement SSO to an oracle portal based web application using SAP logon tickets, but can't seem to find a way for it to work.  I thought maybe it would be a web server filter, but am unsure if this would work for oracle portal.  Anyone tried similar?
  Cindy

  Hi Cindy,
  If it is EP6 SP2 probably you can checkout the following document.
  http://service.sap.com/ep60
  Go to Documentation Help>How-To-Guides>Current How To Guides section.
  checkout the following how to guide.
  Perform Cross Domain SSO with SAP Logon tickets zip file.
  If you want the zip file please send an e-mail to
  [email protected]
  Regards
  -Venkat Malempati

• SSO from Portal to a ITS (standalone) to the R/3 backend

  Dear all,
  I have the following situation:
  1. I have successfully installed SSO between Portal and the Backend system. That works fine.
  PORTAL -> D98 (R/3 System with 4.7)
  2. The backend system has no ITS because it's SAP R/3 4.7 without ITS.
  PORTAL -> ITS (Standalone) -> D98 (R/3 4.7)
  Question:
  I have to create now a connection from the SAP Portal to the ITS and so on in the backend system with SSO.
  Which settings are necessary to create SSO over a ITS system like this:
  PORTAL -> ITS (Standalone) -> D98 (R/3 4.7)
  Who could help me?
  Thanks for your effort.
  Kind regards,
  Thomas

  Dear Ansar,
  Sorry, but I don't find this note.
  Note 56691
  Could you please give me the right note?
  Thanks a lot for your help and your effort.
  Kind regards,
  Thomas

• SSO and portal timeout  -- other bug?

  ...this is very probably related to the other post talking about SSO and portal timeout...
  I am having another weird issue with dotnet portlets that uses inline refresh (done automatically by dotnet accelerator) and SSO.
  When you let the portal session expire, and then click on a button/link within a portlet (hence generate an inline refresh gatewayed request), the full portal window (header/footer etc...) appears within the portlet, instead of the portlet content alone.
  I did some http traces (see below) and it seems the problem is due to the windows SSOLogin.aspx (we are using windows auth SSO) not taking the requested portlet gatewayed request url as a post login redirect info... but taking instead the current page url (which is wrong)
  Thus, after the gatewayed portlet request is successfully authenticated by the SSOLogin.aspx component, it is automatically redirected to the wrong urll...making the full portal page refresh into the portlet.
  So my question is: have anyone already seen such behavior? And has anything been done to fix this?
  It really seems like a bug with the SSO servlet...but maybe i am doing something wrong...Just want to have your thoughts on this.
  Thanks,
  Fabien
  ============================================================================================
  HTTP Trace:
  POST     302     Redirect to /portal/sso/SSOLogin.aspx?in_hi_userid=15046&space=CommunityPage&parentid=1&cached=false&control=SetCommunity&PageID=0&CommunityID=205&parentname=Login     http://your.portal.com/portal/server.pt/gateway/PTARGS_0_15046_362_205_0_43/http%3B/your.portletserver.com/yourapp/youraspx.aspx
  GET     401     text/html     http://your.portal.com/portal/sso/SSOLogin.aspx?in_hi_userid=15046&space=CommunityPage&parentid=1&cached=false&control=SetCommunity&PageID=0&CommunityID=205&parentname=Login
  GET     401     text/html     http://your.portal.com/portal/sso/SSOLogin.aspx?in_hi_userid=15046&space=CommunityPage&parentid=1&cached=false&control=SetCommunity&PageID=0&CommunityID=205&parentname=Login
  GET     302     Redirect to http://your.portal.com/portal/server.pt?in_hi_userid=15046&space=CommunityPage&parentid=1&cached=false&control=SetCommunity&PageID=0&CommunityID=205&parentname=Login     http://your.portal.com/portal/sso/SSOLogin.aspx?in_hi_userid=15046&space=CommunityPage&parentid=1&cached=false&control=SetCommunity&PageID=0&CommunityID=205&parentname=Login
  GET     200     text/html; charset=utf-8     http://your.portal.com/portal/server.pt?in_hi_userid=15046&space=CommunityPage&parentid=1&cached=false&control=SetCommunity&PageID=0&CommunityID=205&parentname=Login

  I have this happen in v6.0 sp1. We have worked around the problem with a bit of work and synchronization of settings. Below, I've outlined how we've worked around the problem (which is indeed a problem that should be fixed). Also, if you have a load balancer, you'll need to set your session timeout on the load balancer to a bit more than the refresh rate that you set for your communities and My Pages.
  Resolving the Portlet Timeout / Refresh Problem in ALUI Portal_
  Problem: Users occasionally receive the portal page within a portlet error
  Cause: The root cause has not been determined; however it appears that the primary event that exhibits the behavior is when a teammember’s session has expired on the portal server and they then utilize a .NET form-based portlet which refreshes in place. Because we are using WIA SSO to enable automatic logins to the portal, it makes the error seem to occur randomly.
  Resolution:
  The workaround solution is to – 1) increase the portal session timeout on the portal web servers from the default 20min to 4 hours, and 2) set the MyPage refresh interval setting for all portal users to 3 hours. The setting name is a bit of a misnomer, as it will actually refresh the entire portal page automatically if the user is idle on either a My Page or a Community Page, as these are the only two places that portlets reside.
  Increasing the portal session timeout:
  The portal session timeout is controlled in two places, and both settings should match. On the portal virtual directory in IIS, edit the configuration and increase the timeout setting to 240 (minutes). Then, edit the portal application’s web.config file (d:\portal\ptportal\6.0\webapp\portal\web\) and increase the sessionState Timeout variable to 240. Editting the config file will require you to restart the services before you see the change.
  Initial setting of the MyPage refresh interval:
  The initial setting will need to be done by a SQL script in order to apply it to all existing users. The Default Profile should also be updated so that all new user synched from AD will have this setting applied automatically.
  /* Delete refresh interval settings for all users first so that there are no conflicts on the inserts */
  DELETE FROM portaldbuser.ptprefs WHERE prefname = 'intMyPageRefreshRate'
  /* Insert desired page refresh setting for all users */
  INSERT INTO portaldbuser.ptprefs (userid,gadgetid,prefclassid,prefobjectid,prefname,prefvaluetype,prefvalue,pagenumber) SELECT objectid,0,0,0,'intMyPageRefreshRate',3,180,0 FROM portaldbuser.ptusers
  From Administration, access the Default Profiles utility. Check the Default Profile entry and click on the Edit Profile Layout link. Click on the My Account link in the Portal Settings portlet and then on the Display Options link on the next page. In the Page and Portlet Settings, update the Your My Page will be updated: setting to 4 hours. Click Finish twice to return to Administration.
  Updating the MyPage refresh interval:
  To update the setting just modify the insert portion of the SQL script. Change the prefvalue number (180) to the desired timeout in minutes and rerun both statements of the script.
  The Default Profile should be also be modified per the instructions above.
  I hope this helps...
  -tom