PHP & SSO

Is there any way to use SSO to authenticate someone straight into a database? I used the information here:
http://www.oracle.com/technology/oramag/webcolumns/2003/techarticles/bennett_php.html
to authenticate the person, but what if I need to access a database as that person? Is there any way to use that person's username and password to log in to a database to query without making custom SSO pages and storing the username/password in sessions (which is generally frowned on, from what I hear)?
Thanks.

Did you already take a look at the OTN PHP Developer Center?
http://www.oracle.com/technology/tech/php/index.html

Similar Messages

  • SSO to PHP Web App

    Hi,
    I am trying to do SSO to a PHP web application running on a Linux Apache web server. I have downloaded the SAPSSOEXT_0-10002920 and SECULIB54_0-10002909.SAR files from the Service Marketplace. I went through the code samples in C and Java in the downloaded zip file, but I think I have to implement them in PHP, and I am a complete newbie to PHP. Has anyone done SSO to PHP-based web apps? Please advise.
    Thanks and regards,
    Hassan

    What you could do is to set up a web service which uses the Java API to validate the SAP logon ticket.
    Then you call this web service from PHP (perhaps you need to install php-soap, http://phpsoaptoolkit.sourceforge.net/phpsoap/) in order to validate the ticket.
    Perhaps the UME already has a web service for validating tickets, so that the first step is not needed.

  • UWC/CE 6.3 and Access Manager 7.1 SSO sometimes fails (seems like a bug)

    PREAMBLE: I started writing this post thinking that our AM SSO setup was at fault in some step. As I was gathering data, checking the doc links and config files and finally sniffed the servers for HTTP dialogs, I grew pretty sure there's a bug in UWC/CE, AM SDK or Web Server Policy Agent, whatever implements the AM SSO session checking.
    In short, as written below, our "sunmail" server can POST a broken cookie to AM server, if the cookie originally contained a "plus" character. The "plus" is replaced by a "space", invalidating the session check. As we know, "+" is often used in URLs to "escape" the space character. Perhaps some URL cleanup routine backfired here. I have double-checked, it is not the reverse proxy on "psam" breaking things. It is "sunmail" (UWC/CE or Policy Agent, don't know for certain) supplying the broken request. On the few occasions when the AM cookie contains no "plus" characters, the SSO works like a charm (also checked by a sniffer). Whenever there is a "plus", it breaks.
    Is there some known bug or workaround that matches this description?
    Nevertheless, for completeness' sake I kept the description of our setup. Maybe it's at fault after all :)
    We have an installation of JCS5 with the latest patches as of early July 2008. And as the subject implies, we have problems with AM SSO in the UWC/CE web interface. I have reported them before; then they seemed fixed (not occurring for several tests in a row), but as time has shown, something wrong is still there.
    So I'll try to go into deeper detail now, as we may have overlooked some nuance... Then again, as my sniffer research below shows, this may be an engine bug and these setup details are irrelevant.
    Our setup is split into several Solaris 10 full-root zones hosted on several servers; some of the components are en route to HA (perhaps we made some mistakes on this part of the way?)
    So, we have the following software stack:
    1) two MMR Directory Servers (DSEE 6.3 = DSEE 6.2 from JCS5 + 125278-07__DSEE_6.3__x86x64 + 125277-07__DSEE_6.3__x86_sol9 patches) working in zones on two different servers. Except for one time when a manually forced ZFS rollback corrupted one of the server instances, no problems here.
    2) two zones with Directory Proxy Servers (6.3, exact versions as above) running at port 389 provide the clients with an illusion that they have a stable Directory Server, even if one of the actual servers is currently rebooting ;)
    These DPS zones are hosted on two different servers as well and are primarily used by LDAP clients (JCS components) running in other zones on the same respective servers.
    3) A zone with Sun Web Server 7.0U1 and Access Manager 7.1 (+ 126357-01__AM71_x86 patch) and Delegated Admin 6.4-4.01 (from JCS5 + 121582-18__COMMCLI64__x86 patch).
    At the moment there is one such zone (named "cos-psam-01.domain.ru" in the logs below), but we expect(-ed) it to become two similar zones as per AM HA setup.
    Zones listed in (1-3) use private IP numbers, they belong in our internal DMZ.
    Zones listed in (4-5) below use public (routed) IP numbers, they belong in our external DMZ.
    4) A zone with Sun Web Server 7.0U1 used primarily as a reverse-proxy server (optionally with a load-balancer libpassthrough.so plugin) successfully used for other hosted projects. One of its configurations now passes connections from an externally routed IP address published as "psam.domain.ru" to "cos-psam-01.domain.ru", per AM HA setup, so HTTP clients believe they work with an Access Manager instance. This zone has a backend interface with a private IP address to communicate with the actual AM instance.
    In AM configuration (both LDAP and file-based) we have configured a site ID with the publicly known name and mentioned both names (psam and cos-psam-01) in organization's realm/dns aliases.
    5) A zone with the rest of the Sun Java Communications Suite 5, as in Messaging Server 6.3 (6.3-6.03 64-bit: ci-5.0-1.03_solx86_x64__Messaging_Server_6.3-2 + patch 126480-09__MSG63__x86-64), UWC/CE 6.3 (from JCS5 + 122794-17__UWC63-4.01_core__x86), Instant Messaging 7.2 (from JCS5 + 118790-29__IM72__x86-1 + 118787-28__IM72__x86-2), Calendar Server 6.3 (from JCS5 + 121658-28__iCS63__x86). The web-components (UWC/CE, IM, /httpbind) are deployed in a Sun Web Server 7.0U1 as well.
    This zone is named "sunmail.domain.ru" and has a routed IP address for direct external access to its services.
    The AM SDK part is also patched (126357-01__AM71_x86); it points to the load-balancer name ("psam.domain.ru") as an actual AM server.
    # imsimta version
    Sun Java(tm) System Messaging Server 6.3-6.03 (built Mar 14 2008; 64bit)
    libimta.so 6.3-6.03 (built 17:15:08, Mar 14 2008; 64bit)
    SunOS sunmail 5.10 Generic_127112-07 i86pc i386 i86pc
    While setting up this server set we tried to use AM SSO as the user login method, but it works unreliably.
    "Unreliably" means that while most of the time entering a correct uid and password in Access Manager login page ("http://psam.domain.ru/amserver/UI/Login") does redirect a user back to "http://sunmail.domain.ru/uwc/auth" along with a new cookie, and the user is redirected again to his or her mailbox, sometimes the user receives the UWC/CE login page. Entering the same uid and password here does log him in, but it breaks the whole point of SSO and only increases the end-user routine required to log in :\
    We have also seen the "missing mail tab" problem - if the users point the browser to any hostname different from "sunmail.domain.ru" (e.g. www.mail.domain.ru, which is equivalent in DNS), they have only the Address Book, Calendar and Options tabs; no webmail. So far this is resolved by the Policy Agent forcing The One name of the server.
    Here's the configuration we did specifically for AM SSO:
    1) in AMConfig.properties of "sunmail" and "cos-psam-01" we set up
    com.iplanet.am.cookie.encode=false
    am.encryption.pwd=<the same value>
    all hostname-related parameters point to "psam.domain.ru"
    2) in AMConfig.properties of "cos-psam-01" a number of FQDN equivalence entries are added (so it does not redirect to a server hostname unknown to visitors):
    com.sun.identity.server.fqdnMap[publicname-or-ip]=psam.domain.ru
    com.sun.identity.server.fqdnMap[cos-psam-01.domain.ru]=cos-psam-01.domain.ru
    3) in "msg.conf" on "sunmail" (entries added via configutil):
    local.webmail.sso.amcookiename = iPlanetDirectoryPro
    local.webmail.sso.amnamingurl = http://psam.domain.ru:80/amserver/namingservice
    local.webmail.sso.singlesignoff = yes
    local.webmail.sso.uwcenabled = 1
    service.http.ipsecurity = no
    (perhaps some more options are required? Looking for confirmation about: local.webmail.sso.uwclogouturl local.webmail.sso.uwccontexturi local.webmail.sso.uwchome service.http.allowadminproxy )
    4) Configured Web Policy Agent for Sun Web Server, so that users without an AM session are required to get one. Set up per [http://msg.wikidoc.info/index.php/AM_redirection_using_Policy_Agent], except that com.sun.am.policy.agents.config.notenforced_list points to the many names our server can go known by.
    5) Updated the logout URL in /opt/SUNWuwc/webmail/main.js:
    --- main.js.orig        Sat Jan 26 07:52:09 2008
    +++ main.js     Mon Jul 21 01:06:29 2008
    @@ -667,7 +667,8 @@
    function cleanup() {
       if(laurel)
    -      top.window.location =  getUWCHost() + "/base/UWCMain?op=logout"
    +//      top.window.location =  getUWCHost() + "/base/UWCMain?op=logout"
    +      top.window.location =  "http://sunmail.domain.ru:80/base/UWCMain?op=logout"
       else
           exec('logout', '', 'exit()')
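    Review bot: the new `top.window.location = "http://sunmail.domain.ru:80/base/UWCMain?op=logout"` line in the `if(laurel)` branch hardcodes one hostname and the plain `http://` scheme into main.js, so the logout target no longer follows the host the page was served from and will break (or downgrade to HTTP) if the service is later reached under another name or over HTTPS. Prefer keeping `getUWCHost() + "/base/UWCMain?op=logout"` and making `getUWCHost()` return the canonical name, or reading the canonical host from one configured value; and remove the commented-out `+//` copy of the old line rather than leaving dead code behind.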
    @@ -1707,7 +1708,8 @@
       if(lg) {
             url = document.location.href
             url = url.substr(0,url.indexOf('webmail'))
    -        uwcurl = url + 'base/UWCMain?op=logout'        
    +//      uwcurl = url + 'base/UWCMain?op=logout'        
    +        uwcurl = "http://sunmail.domain.ru:80/base/UWCMain?op=logout"
       exit()
    }
    6) Calendar SSO - per docs...
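    Review bot: same hardcoded host and `http://` scheme for `uwcurl` as in the first hunk, and with the original `uwcurl = url + 'base/UWCMain?op=logout'` gone, the two preceding lines `url = document.location.href` / `url = url.substr(0,url.indexOf('webmail'))` are computed but never used, so they should go with it; the removed and commented-out lines also carry trailing whitespace. Derive the logout URL in one place (a single helper or constant) so the two cleanup paths cannot drift apart.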
    According to ngrep sniffing,
    1) the browser goes to "http://sunmail.domain.ru/uwc/auth" without any cookies
    2) receives a redirect and goes to "http://psam.domain.ru/amserver/UI/Login?gotoOnFail=http://sunmail.domain.ru:80/uwc&goto=http%3A%2F%2Fsunmail.domain.ru%3A80%2Fuwc%2Fauth"; sends no cookies either.
    3) The first response from the "psam" server (as redirected from "cos-psam-01") sets a few cookies while rendering the login page:
    Set-cookie: JSESSIONID=7EF8F2810D2071CA03CFEAE9972735B2; Path=/
    Set-cookie: AMAuthCookie=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#; Domain=.domain.ru; Path=/
    Set-cookie: amlbcookie=02; Domain=.domain.ru; Path=/
    4) The browser requests the login page resources (javascripts, images, etc) using these cookies, as in this header line:
    Cookie: JSESSIONID=7EF8F2810D2071CA03CFEAE9972735B2; AMAuthCookie=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#; amlbcookie=02
    5) The browser POSTs the login request to "/amserver/UI/Login" and receives a redirection to http://sunmail.domain.ru:80/uwc/auth
    Set-cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#; Domain=.domain.ru; Path=/
    Set-cookie: AMAuthCookie=LOGOUT; Domain=.domain.ru; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
    6) The browser requests "http://sunmail.domain.ru/uwc/auth" using the newly set cookie (looks like the old one to me though):
    Cookie: amlbcookie=02; iPlanetDirectoryPro=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#
    7) The "sunmail" web-server checks the AM session validity with the same "psam.domain.ru". It sends a series of POSTs to /amserver/namingservice:
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <RequestSet vers="1.0" svcid="com.iplanet.am.naming" reqid="685">
    <Request><![CDATA[
    <NamingRequest vers="1.0" reqid="324" sessid="AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#">
    <GetNamingProfile>
    </GetNamingProfile>
    </NamingRequest>]]>
    </Request>
    </RequestSet>
    (receives a large XML list of different Access Manager configuration parameters and URLs)
    ...then a double-request to /amserver/sessionservice:
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <RequestSet vers="1.0" svcid="Session" reqid="686">
    <Request><![CDATA[
    <SessionRequest vers="1.0" reqid="678">
    <GetSession reset="true">
    <SessionID>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#</SessionID>
    </GetSession>
    </SessionRequest>]]>
    </Request>
    <Request><![CDATA[
    <SessionRequest vers="1.0" reqid="679">
    <AddSessionListener>
    <URL>http://sunmail.domain.ru:80/UpdateAgentCacheServlet?shortcircuit=false</URL>
    <SessionID>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#</SessionID>
    </AddSessionListener>
    </SessionRequest>]]>
    </Request>
    </RequestSet>
    As a result it receives an XML with a lot of user-specific information (the username, LDAP DN, preferred locale, auth module used, etc.)
    !!!*** Now, the problem part ***!!!
    8) And then "sunmail" POSTs a broken cookie to "psam" (note the space in mid-text, where the "plus" sign was previously). As we know, "+" is often used in URLs to "escape" the space character. Perhaps some URL cleanup routine backfired here.
    I have double-checked, it is not the reverse proxy on "psam" breaking things. It is "sunmail" (UWC/CE or Policy Agent, don't know for certain) supplying the broken request. I looked over the large XML responses to the two previous requests, whenever they mention the session cookie value, the "plus" is there.
    For the most detail I can provide, I'll even paste the whole HTTP packet:
    POST /amserver/sessionservice HTTP/1.1
    Proxy-agent: Sun-Java-System-Web-Server/7.0
    Cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=#;amlbcookie=null
    Content-type: text/xml;charset=UTF-8
    Content-length: 336
    Cache-control: no-cache
    Pragma: no-cache
    User-agent: Java/1.5.0_09
    Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
    Host: cos-psam-01.domain.ru
    Client-ip: 194.xxx.xxx.xxx
    Via: 1.1 https-weblb.domain.ru
    Connection: keep-alive
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <RequestSet vers="1.0" svcid="session" reqid="258">
    <Request><![CDATA[<SessionRequest vers="1.0" reqid="254">
    <GetSession reset="true">
    <SessionID>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=#</SessionID>
    </GetSession>
    </SessionRequest>]]></Request>
    </RequestSet>
    The server's error response is apparent:
    HTTP/1.1 200 OK
    Server: Sun-Java-System-Web-Server/7.0
    Date: Thu, 31 Jul 2008 05:49:50 GMT
    Content-type: text/html
    Transfer-encoding: chunked
    19b
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <ResponseSet vers="1.0" svcid="session" reqid="258">
    <Response><![CDATA[<SessionResponse vers="1.0" reqid="254">
    <GetSession>
    <Exception>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=# Invalid session ID
    AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=#</Exception>
    </GetSession>
    </SessionResponse>]]></Response>
    </ResponseSet>
    On the few occasions when the AM cookie contains no "plus" characters, the SSO works like a charm (also checked by a sniffer). Whenever there is a "plus", it breaks.
    For reference, here's a working final request-response (one with a good cookie, as received by the load-balancer web-server). Request looks a bit different:
    POST /amserver/sessionservice HTTP/1.1
    Cookie: iPlanetDirectoryPro=AQIC5wM2LY4Sfcy/5sEzVmuq9z1ggdHOkBDgVFAwfhqvn4U=@AAJTSQACMDI=#;amlbcookie=null
    Content-Type: text/xml;charset=UTF-8
    Content-Length: 379
    Cache-Control: no-cache
    Pragma: no-cache
    User-Agent: Java/1.5.0_09
    Host: psam.domain.ru
    Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
    Connection: keep-alive
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <RequestSet vers="1.0" svcid="session" reqid="281">
    <Request><![CDATA[<SessionRequest vers="1.0" reqid="277">
    <SetProperty>
    <SessionID>AQIC5wM2LY4Sfcy/5sEzVmuq9z1ggdHOkBDgVFAwfhqvn4U=@AAJTSQACMDI=#</SessionID>
    <Property name="uwcstatus" value="active"></Property>
    </SetProperty>
    </SessionRequest>]]></Request>
    </RequestSet>
    ...and the response is OK:
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <ResponseSet vers="1.0" svcid="session" reqid="281">
    <Response><![CDATA[<SessionResponse vers="1.0" reqid="277">
    <SetProperty>
    <OK></OK>
    </SetProperty>
    </SessionResponse>]]></Response>
    </ResponseSet>

    There have been a few reports of the same behaviour from other customers, specifically with the handling of the encoding of "+" characters to " ". It relates to how cookie encoding/decoding is performed (as you have already observed).
    The solution for these customers was the following:
    => AM server/client side:
    Ensure that com.iplanet.am.cookie.encode=false in AMConfig.properties and AMAgent.properties on all systems.
    => AM client (UWC) side:
    - Set <property name="encodeCookies" value="false"/> in /var/opt/SUNWuwc/WEB-INF/sun-web.xml. This will prevent UWC from trying to URL-decode the cookie it receives and therefore stops it turning the + into a space, e.g.
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE sun-web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Sun ONE Application Server 7.0 Servlet 2.3//EN' 'file:///net/wajra.india.sun.com/export/share/dtd/sun-web-app_2_3-1.dtd'>
    <sun-web-app>
       <property name="encodeCookies" value="false"/>
       <session-config>
          <session-manager/>
       </session-config>
       <jsp-config/>
    <property name="allowLinking" value="true" />
    </sun-web-app>
    Regards,
    Shane.
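    Added example (Python; not code from the thread, from Sun or from either poster) that simulates the encode/decode mismatch Shane describes. A constructed session token in the iPlanetDirectoryPro format containing a "+" is put on the wire with cookie encoding on or off and read back with URL-decoding on or off; only the matched pairs return the original token, and the "server encode=false, client decode=true" pair produces exactly the "+"-to-space corruption seen in the sniffed request. A second helper scans a Cookie: line (the two sample lines are the ones pasted in the post) for a token value containing a space, which is a quick check to run over a capture before touching any configuration. The token, the session table and the helper names are assumptions made for the example.

```python
import re
from urllib.parse import quote, unquote_plus

# Constructed sample token in the format the thread shows for iPlanetDirectoryPro:
# base64 (so it may contain '+', '/' and '=') followed by '@', a base64 suffix and '#'.
# The value is opaque to the client; only exact-string equality matters to the server.
SESSION_TOKEN = "AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#"
COOKIE_NAME = "iPlanetDirectoryPro"

# Stand-in for the AM session table; constructed for the example.
SESSIONS = {SESSION_TOKEN: {"uid": "user1", "uwcstatus": "active"}}


def server_set_cookie(value: str, encode: bool) -> str:
    """Value placed in Set-Cookie. With com.iplanet.am.cookie.encode=true the token is
    URL-encoded ('+' -> '%2B', '=' -> '%3D', '@' -> '%40', '#' -> '%23'); with
    encode=false the raw token is sent as-is, '+' included."""
    return quote(value, safe="") if encode else value


def client_read_cookie(raw: str, decode: bool) -> str:
    """Value the web app sees. A container with encodeCookies=true URL-decodes the
    cookie on the way in, and that decoder is what maps '+' to a space."""
    return unquote_plus(raw) if decode else raw


def lookup_session(session_id: str) -> str:
    """Mimics the sessionservice reply: an unknown ID yields 'Invalid session ID'."""
    return "OK" if session_id in SESSIONS else f"{session_id} Invalid session ID"


def simulate(server_encode: bool, client_decode: bool) -> dict:
    """One round trip for a given (server encode, client decode) setting pair."""
    wire = server_set_cookie(SESSION_TOKEN, server_encode)
    seen = client_read_cookie(wire, client_decode)
    return {"wire": wire, "seen": seen, "result": lookup_session(seen)}


def mismatch_table() -> dict:
    """All four combinations; True means the token survived the round trip."""
    return {(enc, dec): simulate(enc, dec)["result"] == "OK"
            for enc in (False, True) for dec in (False, True)}


_COOKIE_RE = re.compile(r"(?:^|;\s*)" + re.escape(COOKIE_NAME) + r"=([^;]*)")


def find_corrupted_token(cookie_header: str):
    """Return the iPlanetDirectoryPro value if it contains a space (a '+' that was
    URL-decoded), otherwise None. Meant to be run over Cookie: lines from a capture."""
    if cookie_header.startswith("Cookie:"):
        cookie_header = cookie_header[len("Cookie:"):].lstrip()
    match = _COOKIE_RE.search(cookie_header)
    if not match:
        return None
    value = match.group(1)
    return value if " " in value else None


# The two Cookie header lines as pasted in the post (broken request, then working request).
BROKEN_HEADER = "Cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=#;amlbcookie=null"
GOOD_HEADER = "Cookie: iPlanetDirectoryPro=AQIC5wM2LY4Sfcy/5sEzVmuq9z1ggdHOkBDgVFAwfhqvn4U=@AAJTSQACMDI=#;amlbcookie=null"

if __name__ == "__main__":
    for (enc, dec), ok in mismatch_table().items():
        print(f"cookie.encode={enc!s:5} encodeCookies={dec!s:5} -> "
              f"{'OK' if ok else 'Invalid session ID'}")
    print("broken header:", find_corrupted_token(BROKEN_HEADER))
    print("good header:  ", find_corrupted_token(GOOD_HEADER))
```

    The table is the point: the setting has to agree on both sides. Setting com.iplanet.am.cookie.encode=false on the server while the web app still URL-decodes (encodeCookies=true) is the broken pair; fixing only one side by flipping it to the other mismatched pair (encode on, decode off) also fails, because the app then looks up the percent-encoded string.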

  • Configure sso to non sap

    Dear all,
    I would like to implement SSO from EP to another web application (non-SAP).
    The legacy system is using PHP and the Apache web server.
    Can anyone help me with how to configure the SSO and how to create an iView for my legacy system (using a URL iView or the Application Integrator)?
    Thanks for your help,
    Echo

    Hi Echo,
    Single Sign On to non-SAP applications normally can't be done by configuration.
    How SSO can be done depends on your application.
    Maybe these few hints may help you:
    You need the same usernames in portal and in your external application
    You may integrate your app using an application integration iView
    If your external application can be run in some kind of 'trusted' mode (this means no password, just the username is required to log on as long as the request comes from certain IP addresses / your portal server), you can just pass the user ID using the app integrator iView mechanism.
    SAP provides a library (currently written in C, but there is at least a java wrapper available) to decode the SAP SSO Ticket
    You may extend your external applications logon mechanism to use the mentioned SSO ticket and do the login without password. Application Integrator is able to send the SSO ticket to your external app.
    In fewer words: you need to do some coding on your external application.
    Hope this helps (or come back for more),
    Carsten

  • SSO from non-SAP to SAP apps

    Hi All,
    Currently We have SAP applications, non-SAP applications(java, .NET, PHP etc) in our landscape.
    If the client tries to access any non-SAP application it should ask for authentication, and thereby for any subsequent access to any URLs (SAP or non-SAP apps) it should not ask for any authentication.
    FYI:
    The client logs into the SAP Portal (SAP to non-SAP) first and is thereby able to achieve SSO for non-SAP applications as well.
    Currently we are stuck for the scenario of non-SAP to SAP apps?
    Please suggest.
    Thanks,
    Mano.

    Hi Samuli,
    Using SPNEGO, we can incorporate windows authentication for SAP Portal ( after desktop authentication user can logon without userid/password). But for non-sap apps this would be challenge.
    I have another option, using webdispatcher if we enable server redirect for all applications(SAP & NON-SAP) and get authenticated centrally by which SSO can be achieved across all the apps.
    Would above solution work ?
    Thanks,
    Mano.

  • SSO for 'external' partner apps

    Is it possible to use Oracle's SSO product with applications written in various languages (PHP/Perl/ColdFusion/.NET, etc.) on non-Oracle servers?
    I.e., if I have a PHP application that sits on a server entirely separate from the Oracle app server or SSO server, is there documentation that allows me to write code that hands off authentication responsibilities to the SSO? So the PHP application would verify that a user is presenting a login cookie, and speak to the SSO server in the backend to verify that the login cookie is valid, etc.
    Thanks very much for any help you can provide!

    I have a similar kind of requirement for single sign-on to external web applications.
    But in my applications I have to auto-generate random user IDs and passwords for the different external web applications.
    These UIDs and passwords are exported to the external applications, which upon receiving them create the user in their applications.
    So the actual user will never have access to these credentials (UID and password).
    So, how can I customize the portlets to do the first-time SSO when the user is created and their credentials for the external apps are stored in OID?
    Any idea, Barry?
    Bye

  • Using APEX as SSO redirect for existing web application

    Hi,
    I have an existing PHP-based web application hosted on an Apache server. I want to protect these web pages by authenticating users via Oracle SSO.
    I tested this by creating a simple APEX web page with a redirect <meta> tag to route traffic to my application upon successful SSO login. This works fine if the request comes directly to the APEX page....
    So my question is: how do I protect the PHP pages from being directly accessed and still be able to get the SSO user login information (like the username) coming from the APEX page?
    Do I still need to set up mod_sso.so in osso.conf for my Apache server, or should I just register my PHP web application as a partner application with the SSO server without going through APEX?
    Any advice on this is greatly appreciated.
    Thanks,
    james

    Tony,
    Sorry for taking so long to respond, as I got sidetracked with other tasks.
    Thank you so much for the link. The provided link is very helpful.
    One difference in my situation is that I am using a generic Apache installation (version 2.2.11) and not the Oracle Apache server from OAS.
    So I copied mod_osso.so from the OAS 10.1.3.1.0 installation to my generic Apache location. As I tried to start up the Apache instance I got the following error while loading mod_osso.so.
    ... Cannot load /apache-2.2.11/modules/mod_osso.so into server: /apache-2.2.11/modules/mod_osso.so: undefined symbol: ap_configtestonly
    I did some searching and found that other folks are reporting success using mod_osso.so on generic Apache (without saying which version of Apache). I wonder if mod_osso.so can only work with an older version of Apache?
    Do you have insights on this by any chance?
    Thanks again,
    James

  • How to make WinTPC a direct VDI w/2012 Server from login(SSO) Pooled VM Collection SOLVED !

    Pre-Reqs:
    WinTPC machines must be domain joined
    All VDI infrastructure is 2012 (RD Web, CB, VH, GW); you might be able to use 2008R2, but I did not use any, so I don't know..
    All certificates must be in place for SSO
    1. Setup 2012 VDI infrastructure to use SSO
    2. Set group policy applied to the WinTPC machines OU to allow Credential Delegation, see:
    http://blogs.msdn.com/b/rds/archive/2007/04/19/how-to-enable-single-sign-on-for-my-terminal-server-connections.aspx
    3. Steal the RDP file from RDWeb (do a view source to get the path to the RDP file then download it) place in a network location, we use a folder in netlogon. Alternatively you could create your own RDP file and include the loadbalanceinfo:s:tsv://VMResource.1.MYPOOLEDCOLLECTION_Name
    4. Use a GPO to set a Custom Interface on the WinTPC machines; it should execute a PowerShell or VBScript that runs the .rdp file. In our case we use a logon script to copy a PowerShell script to the local machine, then use that
    as the custom interface; it loops watching for the mstsc process to end, and when it does it logs the user off. (sample)
    # VDI-RDP.ps1
    # Launch the pooled-collection RDP file, wait for the mstsc window to close, then log the user off the WinTPC machine
    & 'c:\windows\system32\mstsc.exe' c:\start\myrdpfile.rdp
    Start-Sleep -Seconds 10
    # Get-Process writes an error once no mstsc process exists; suppress it so the loop simply ends
    while (Get-Process mstsc -ErrorAction SilentlyContinue) { Start-Sleep -Seconds 10 }
    logoff.exe
    Custom Interface GPO is here:
    User\Administrative Templates\System\Custom User Interface\
    "powershell.exe" -windowstyle hidden c:\start\vdirdp.ps1
    Voila !
    When domain users login to the WinTPC they get a VDI session only... once they close the session either by logging off or closing the RDP session.. they are logged off of the WinTPC machine
    MS really should document this somewhere.. not everyone wants to access VDI from  RDweb.... :(   nor do they wish to have to authenticate multiple times...
    Good luck with it !

    Thank you dear Steve for the detailed steps,
    I have an issue to set the RD Web Access for SSO.
    I followed below article without success and I saw your comment.
    http://www.anilerduran.com/index.php/2012/sso-single-sign-on-thoughts-on-rds-remote-desktop-services-2012/
    I am using RDS 2012 R2 environment.
    Could you please provide more steps on how to run SSO for the RD Web?:
    Point Number 2 is not clear.
     To turn on Windows Authentication:
                  - uncomment <authentication mode="Windows"/> section
                  - and comment out:
                  1) <authentication mode="Forms"> section.
                  2) <modules> and <security> sections in <system.webServer> section at the end of the file.
                  3) Optional: Windows Authentication will work in https.  However, to turn off https, disable 'Require SSL' for both RDWeb and RDWeb/Pages VDIR.
                     Launch IIS Manager UI, click on RDWeb VDIR, double click on SSL Settings in the middle pane, uncheck 'Require SSL' and
                     click Apply in the top right in the right pane.  Repeat the steps for RDWeb/Pages VDIR.
    Kind regards,

  • Error in SSO between Portal and IDM

    Hi All,
    In my scenario i need to configure the IDM workflow in portal and do SSO between them. I followed the steps given in IDM-Workflow installation document and did following things.
    1. Uploaded the par file available in IDM installation kit in to portal.
    2. Imported the Portal Content package (epa file) in to portal.I got the role Identity Center in my masthead.
    3. Created System as said in the document.
    4. Completed the necessary steps for transporting certificate between them.
    But when I click on the role 'Identity Center' or preview any iViews of IDM I am getting the following error.
    Portal runtime error.
    An exception occurred while processing your request. Send the exception ID to your portal administrator.
    Exception ID: 05:58_06/12/08_0860_1657450
    Refer to the log file for details about this exception.
    Here is my default trace log for that exception id.
    #1.5 #0019BBDC2B650079000000440000161C00045D5E6D4D111F#1228560048914#com.sap.portal.portal#sap.com/irj#com.sap.portal.portal#tventhan#24261##n/a##e764b200c37c11ddca800019bbdc2b65#SAPEngine_Application_Thread[impl:3]_16##0#0#Error#1#/System/Server#Java###Exception ID: 05:58_06/12/08_0860_1657450
    [EXCEPTION]
    #1#com.sapportals.portal.prt.component.PortalComponentException: Error in service call of Portal Component
    Component : pcd:portal_content/com.sap.idm/iviews/workflow/com.sap.idm.workflow.home_overview
    Component class : com.sapportals.portal.sapapplication.SAPApplicationIntegratorComponent
    User : xxxxx
         at com.sapportals.portal.prt.core.PortalRequestManager.handlePortalComponentException(PortalRequestManager.java:973)
         at com.sapportals.portal.prt.core.PortalRequestManager.callPortalComponent(PortalRequestManager.java:343)
         at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:136)
         at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:189)
         at com.sapportals.portal.prt.component.PortalComponentResponse.include(PortalComponentResponse.java:215)
         at com.sapportals.portal.prt.pom.PortalNode.service(PortalNode.java:645)
         at com.sapportals.portal.prt.core.PortalRequestManager.callPortalComponent(PortalRequestManager.java:328)
         at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:136)
         at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:189)
         at com.sapportals.portal.prt.core.PortalRequestManager.runRequestCycle(PortalRequestManager.java:753)
         at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:240)
         at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:524)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:407)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:387)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:365)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:944)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:266)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
    Caused by: com.sapportals.portal.prt.runtime.PortalRuntimeException: Exception in SAP Application Integrator occured: Unable to parse template '<System.protocol>://<System.hostname>/<System.appcontext>/welcome.php?SAPIDStore=<System.idstore>&wf_portal=1'; the problem occured at position 38. Cannot process expression <System.appcontext> because Invalid System Attribute:
    System:    'SAP_LocalSystem',
    Attribute: 'appcontext'.
         at com.sapportals.portal.appintegrator.AbstractIntegratorComponent.doContentPass(AbstractIntegratorComponent.java:123)
         at com.sapportals.portal.appintegrator.AbstractIntegratorComponent.doContent(AbstractIntegratorComponent.java:98)
         at com.sapportals.portal.prt.component.AbstractPortalComponent.doPreview(AbstractPortalComponent.java:240)
         at com.sapportals.portal.prt.component.AbstractPortalComponent.serviceDeprecated(AbstractPortalComponent.java:168)
         at com.sapportals.portal.prt.component.AbstractPortalComponent.service(AbstractPortalComponent.java:114)
         at com.sapportals.portal.prt.core.PortalRequestManager.callPortalComponent(PortalRequestManager.java:328)
         ... 29 more
    Please help me to get rid of this issue.
    Thanks & Regards,
    Tamil K

    Hi Tamil,
    Please have a look in your log
    Exception in SAP Application Integrator occured: Unable to parse template '<System.protocol>://<System.hostname>/<System.appcontext>/welcome.php?SAPIDStore=<System.idstore>&wf_portal=1'; the problem occured at position 38. Cannot process expression <System.appcontext> because Invalid System
    Please check the above values in system properties which are in bold
    regards
    Anand.M

  • How to Set UserId in Http Header for SSO?

    Hello All,
    I have a requirement to set the userid into the HTTP Header so that I can use the "Header Variables for User Authentication" module provided by SAP to achieve the SSO.
    Could someone let me know how I can achieve this? I know about the HTTPServlet.setheader() method, but I need to set it using my JAVA application. Is there any way to set the HTTP Header using Java? I have already done a lot of googling, but haven't got any results.
    I am sure that there must definitely be a way in which we can add the user id into the HTTP header; in all the results, they tell about adding it using the HTTP Servlet or PHP and so on, but I need to add it from JAVA (setting REMOTE_USER as "mysapuserid").
    I have already added the "HeaderVariableLoginModule" in my login stack in the 2nd position, as per
    http://help.sap.com/saphelp_nw04/helpdata/en/8f/ae29411ab3db2be10000000a1550b0/frameset.htm
    Any pointers will be helpful,
    Meghana
    Edited by: Meghana Phadke on Apr 14, 2008 2:49 PM

    Hi
    As I understand, your java application is an EP client, check framework HttpClient :
    http://hc.apache.org/httpclient-3.x/
    http://hc.apache.org/httpclient-3.x/tutorial.html
    Hope this helps
    Jakub Krecicki

  • Problem in configuring SSO using SAML for applications hosted on diff m/c

    Hi Techies,
    I am stuck in a weird problem for the past month or so without any resolution. Not much help by googling. So I hope I get the answer from the mouth of the horses -
    I am trying to use SSO using the sample application appA and appB as stated in the tutorial of SSO by BEA.
    I am summarizing the problem below -
    Steps followed for Configuring SSO using SAML
    1. Created 2 domains on 2 separate machines namely domainA and domainB
    2. Source application is deployed on domainA and the target application is deployed on domainB
    The steps mentioned in the following tutorial have been followed-
    http://dev2dev.bea.com/pub/a/2006/12/sso-with-saml.html
    3. As mentioned in the tutorial the certificate is generated using keytool utility. The same certificate is copied
    to WEBLOGIC_HOME/server/lib of destination machine.
    4. The certificate was successfully registered on destination or host 2 but while activating the configuration
    changes(SSL client Identity Alias and SSL Client Identity Pass Phrase) for Federation services the following error
    is thrown -
    " SAMLBeanUpdateListener: SAMLKeyManager.prepareUpdate() failed with exception:
    weblogic.descriptor.BeanUpdateRejectedException: SAML key Manage failed to validate key (SSL Client) configuration
    in the FederationServicesMBean, key alias: testalias "
    The interesting bit of the problem is that the same configuration works on 2 domains created on same machine. The
    problem only occurs when domains are created on separate machines.
    Alternative to the problem: when the certificate is generated separately for domainB and copied to
    WEBLOGIC_HOME/server/lib, it works. However, the certificate generated in domainA should have been copied.
    Note: I am using Weblogic portal 9.2.1
    Any quick replies will be much appreciated. Thanks.
    Edited by saurabh.agrawal at 02/06/2008 2:01 PM

    Hi François,
    You are right about the use of the NameID format. But the issue here is/was that OIF at SP is integrated with OAM, and the authenticated user at OIF-SP and OAM will be the Anonymous user rather than the user who was identified at the IdP even though the remaining attributes sent are for the IdP user. I think these attributes can be used with OAM for authorization using custom authorization plug-ins but haven't tried that one out.
    As for the attribute sharing profile, it's this one - http://www.oasis-open.org/committees/download.php/18058/sstc-saml-x509-authn-attrib-profile-cd-02.pdf, although for the life of me, I cannot remember why I suggested this in the first place!
    -Vinod

  • Communications Express doesn't create access Manager SSO session

    Hi all,
    I'm running Communications Express, Sun Access Manager and Sun messaging server, each on separate hosts.
    Single Sign On works i.e. when users have a valid session and point their browser at the Communications Express URL they can access their mail, calendar and addressbooks without further ado.
    When they don't have a valid session though and the users go to the Communications Express URL they get a username and password prompt. If they enter valid credentials they will be logged in, but the session created is only a local session, not an Access Manager SSO session. This behaviour has changed from the previous versions of Comm Exp which wouldn't work at all without SSO.
    Is it possible to configure communications express to either redirect users to the Access Manager's authentication page or have Comm Exp create the SSO session on the users' behalf?
    TIA
    Herman
    Versions:
    - Communications Express 6.3 update 1
    - Sun Java(tm) System Messaging Server 6.3-4.01 (built Aug 3 2007; 32bit)
    libimta.so 6.3-4.01 (built 17:13:29, Aug 3 2007; 32bit)

    Hi Shane,
    as always your answer is better than I could have expected. A more or less complete manual
    just hours after asking my question. Thanks!
    shane_hjorth wrote:
    The cleanest solution I could develop to address the behavioural change was to
    leverage a web-server policy agent to perform the redirections.
    I wrote up a guide but never received any feedback unfortunately so results-may-vary.
    I have republished this guide externally - feedback is welcome:
    http://msg.wikidoc.info/index.php/AM_redirection_using_Policy_Agent
    Took me some time to implement, test and write feedback:
    The setup we have is a little more complex than the single box scenario you
    have tested on:
    From the internet working inwards we have load balanced
    SSL accelerators (apache+SSL doing reverse proxy) in front of
    dedicated application servers running communications express.
    Mail is retrieved from separate mail-store clusters.
    Access manager is configured similarly: load balanced SSL accelerators
    in front of application servers running the login page (distributed
    authentication UI). Those then talk to the access manager cluster.
    Firewalls and access lists between each of those layers. None of the
    applications can be accessed directly from the internet and they are
    limited in what they can access in the DMZ as well.
    I followed your recipe to the letter. After a bit of tweaking everything
    worked like a charm. Policy agent installed and configured on the
    SUN webserver where communications express is deployed.
    Instructions were very good on detail and easy to follow.
    We deploy uwc in the root of the server not in /uwc. Something I didn't notice right away.
    It would seem that the policy agent expects the values com.sun.am.naming.url
    (The URL for the Access Manager Naming service) and
    com.sun.am.policy.am.login.url (The URL of the login page on the Access Manager
    where users should enter their credentials) to be the same host.
    In our setup the URL/host users have to use to log in can't be accessed by the policy agent.
    The policy agent should verify sessions directly against the access manager cluster.
    I played with some of the override settings in the policy agent configuration file but
    without much success. Eventually I used the hostname our users have to use to log
    in and abused the /etc/hosts file to map the external hostname to the internal address
    of the access manager cluster. Users end up on the correct login page, and the policy
    agent can verify the sessions. Ugly, but it works.
    The other issue is that the policy agent redirects to:
    com.sun.am.policy.am.login.url?goto=URL_Protected_by_Policy_Agent
    When a user enters incorrect credentials they get the default login url, without the
    goto parameter. (May be bug in access manager or by design...) After entering their
    credentials correctly on their second or third try users won't be redirected back to UWC,
    but will end up on the default page defined by their iplanet-am-user-success-url LDAP attribute.
    I solved that in the policy agent's configuration file by adding the gotoOnFail=URL in the
    definition of com.sun.am.policy.am.login.url:
    com.sun.am.policy.am.login.url = https://login.domain.com:443/amserver/UI/Login?gotoOnFail=https://uwc.domain.com:443
    When you enter incorrect credentials you'll be redirected back to uwc (where the policy agent
    will again intercept you and send you on to the login page for your next try). May be more of
    an issue in the policy agent than your manual.
    Regards,
    Herman
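The redirect chain Herman describes (agent sends the unauthenticated user to the login URL with `goto`, a failed login comes back via `gotoOnFail`) depends on the protected URL surviving as a query parameter. The following is an added example, not code from the thread or from the Policy Agent; it builds the login redirect the way the agent has to, merging `goto` into a login URL that already carries `gotoOnFail`, and adds a host check the thread does not discuss, so the `goto` value can only point back at the protected site. Hostnames (`login.domain.com`, `uwc.domain.com`) are the placeholders from Herman's post.

```php
<?php
// Added example: model the Policy Agent -> Access Manager login redirect.
// Hostnames are placeholders taken from the thread; ALLOWED_GOTO_HOSTS is an
// added safeguard, not a Policy Agent setting.

const ALLOWED_GOTO_HOSTS = ['uwc.domain.com'];

function build_login_redirect(string $loginUrl, string $goto): string
{
    // Only forward users back to the site the agent actually protects.
    $target = parse_url($goto);
    if ($target === false
        || ($target['scheme'] ?? '') !== 'https'
        || !in_array($target['host'] ?? '', ALLOWED_GOTO_HOSTS, true)) {
        throw new InvalidArgumentException("goto target not allowed: $goto");
    }

    // The configured login URL may already carry a query string (gotoOnFail=...),
    // so merge the parameters instead of appending a second "?goto=".
    $parts = parse_url($loginUrl);
    $query = [];
    if (isset($parts['query'])) {
        parse_str($parts['query'], $query);
    }
    $query['goto'] = $goto; // http_build_query percent-encodes ':' '/' '?' '&' in the value

    $rebuilt = $parts['scheme'] . '://' . $parts['host'];
    if (isset($parts['port'])) {
        $rebuilt .= ':' . $parts['port'];
    }
    return $rebuilt . ($parts['path'] ?? '/') . '?' . http_build_query($query);
}

// The value Herman put in com.sun.am.policy.am.login.url.
$loginUrl  = 'https://login.domain.com:443/amserver/UI/Login?gotoOnFail=https://uwc.domain.com:443';
// A protected UWC page with its own query string (constructed sample).
$protected = 'https://uwc.domain.com:443/?calendar=1&view=week';

echo build_login_redirect($loginUrl, $protected), PHP_EOL;

// A goto pointing at some other host is refused instead of forwarded.
try {
    build_login_redirect($loginUrl, 'https://other.example.net/');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Encoding the `goto` value is what keeps the protected page's own `?` and `&` from being split by the login page; the same reasoning applies to the `gotoOnFail` value, which Herman's configuration leaves unencoded because it has no query string of its own.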

  • PHP and Forms

    I'm just getting started using PHP and I was wondering if anyone is using PHP to control access to Forms?
    I found a good article at http://www.oracle.com/technology/pub/notes/technote_as_signoff.html that discusses using PHP to create a custom SSO login & sign off page but I'd like to extend this to a menu of forms & reports that a user has access to once they login using SSO.

    Douglas,
    in this case all you need to do is to generate the page based on a user ACL list, which can be values stored in the database.
    Frank

  • How can I get sso login info ''urlc'' in a portlet?

    For partner-app, when the user tries to access the app through a direct url, the user will be directed to the portal's sso login page. After the portal's sso authenticates the user, it will redirect the user back to the app with the authentication information (urlc to be more specific) appended to the url. The app then can use this urlc information to call the sso-sdk api to get user info and to set cookie etc.
    Instead of having the user access the app directly by typing the url in the browser, I create a "gateway" portlet to display a link to the app and import the portlet in a portal page. When the user gets to this portal page, the user has already logged in, therefore when the user clicks on the link, the user should not be redirected to portal's sso login page. In order to do that, I have to insert the urlc information in the link. My question is, how can I get the urlc information, so that when I create the link dynamically in the gateway portlet, I can insert it? FYI - I am writing the gateway portlet in java. Is there any java api in the jpdk that I can use to get the urlc information?
    Thanks
    Vince

    The easiest way would be to set a SESSION of the username, and then insert the contents of that SESSION into the classified table's username field. You need to register a SESSION on every page of your site by placing <?php session_start(); ?> at the top of every page (in code view). This must be the very first line of code. Using SESSIONS is very handy because it stores any information that you want in a cookie - except that this is stored on the server (not the user's hard drive) and is destroyed when the user quits the browser.
    Here's a couple of different ways to get you started

    <?php session_start(); ?>
    <?php require_once('Connections/conn.php'); ?>
    <?php
     // grab the username from the $_POST of the login form
     $username = trim($_POST['username']);

     // check to see if the username session is set
     if (!isset($_SESSION['username'])) {
      // it's not, register the username session
      $_SESSION['username'] = $username;
     }

     // insert into classifieds table; escape the value so quotes in it cannot alter the query
     $sql = mysql_query("INSERT INTO classifieds (username) VALUES('" . mysql_real_escape_string($_SESSION['username']) . "')") or die(mysql_error());
    ?>
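The snippet above builds its INSERT by concatenating a request value into the SQL text, which is what makes string escaping mandatory there. As an added example (not the poster's code), the same flow is written below with a bound parameter so the username can never change the statement, and with a fresh session id issued at login. The DSN, credentials and the `classifieds(username)` table are placeholders.

```php
<?php
// Added example: the posted login/insert flow with a prepared statement and a
// regenerated session id. Connection details and table layout are placeholders.

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=classifieds_db;charset=utf8mb4', // placeholder DSN
        'dbuser',                                                      // placeholder credentials
        'dbpass',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly instead of continuing
            PDO::ATTR_EMULATE_PREPARES => false,                  // let the server bind the values
        ]
    );
}

function register_login(PDO $pdo, array $post): string
{
    $username = trim($post['username'] ?? '');
    if ($username === '' || strlen($username) > 64) {
        throw new InvalidArgumentException('username missing or too long');
    }

    // A new session id at login means a session id handed out before
    // authentication cannot become the authenticated session (fixation).
    session_regenerate_id(true);
    $_SESSION['username'] = $username;

    // The username travels to the server separately from the SQL text, so
    // quotes or comment markers inside it cannot alter the statement.
    $stmt = $pdo->prepare('INSERT INTO classifieds (username) VALUES (:username)');
    $stmt->execute([':username' => $_SESSION['username']]);

    return $username;
}

// Usage, on the page the login form POSTs to:
// session_start();
// $who = register_login(connect(), $_POST);
```

`session_start()` still has to be the first thing on the page, as the post says; `register_login()` only assumes a session is already open.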

  • Cherokee problem with php after upgrade

    Hello!
    Some weeks ago I upgraded cherokee to version 1.0.2.....!
    Now php files in user directories http://localhost/~user/foo.php are processed correctly, but php files in the main server directory /srv/http give the
    following error message: No input file specified.
    I have no idea, is anyone able to give advice?
    Thanks Johannes

    Hi,
    "Caused by: SOAP Fault Error (n.a) : The User Authentification is not correct to access to the Portal Service com.sap.portal.prt.soap.Bridge or the service was not found.
    " Usually means one of two things.
    1. You do not have SSO set up correctly between the portals.
    2. The user (LogonID) you are using does not exist on both portals.
    3. You have not used a fully qualified domain name to access the servers
    Easiest way to check would be to logon to your consumer portal with a fresh browser. Then replace the URL with the producer's URL (be sure to use the domain name that will enable the mySAPSSO2 cookie to be transferred by the browser to the producer). If you get a logon screen then you probably have one of the three problems mentioned above.
    Be sure to check SAP note#1083421 which describes a new tool (As of SP14!) to be used to setup SSO/trust between servers. Perhaps you need to set up the SSO again with this tool.
    Hope this helps,
    Oren
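Oren's third cause (not using a fully qualified domain name) comes down to the browser's cookie domain-matching rule: the logon ticket cookie is only attached to requests whose host falls inside the cookie's domain. The following is an added example, not code from the thread or from SAP; it implements the domain-match test from RFC 6265 section 5.1.3 and runs it over a constructed set of consumer/producer host names to show which ones receive the cookie. The `corp.example.com` domain and host names are placeholders.

```php
<?php
// Added example: the browser's cookie domain-match rule (RFC 6265 section 5.1.3),
// which decides whether a cookie such as MYSAPSSO2 is sent to a given host.
// Domain and host names below are constructed placeholders.

function cookie_domain_matches(string $requestHost, string $cookieDomain): bool
{
    $host   = strtolower(rtrim($requestHost, '.'));
    $domain = strtolower(trim($cookieDomain, '.'));

    // Exact match: the cookie was set for this very host.
    if ($host === $domain) {
        return true;
    }

    // Otherwise the host must end in ".<domain>" and must be a name, not an IP address.
    $suffix = '.' . $domain;
    return substr($host, -strlen($suffix)) === $suffix
        && filter_var($host, FILTER_VALIDATE_IP) === false;
}

// Domain attribute of the ticket cookie issued by the consumer portal (placeholder).
$cookieDomain = 'corp.example.com';

// Constructed sample of ways the producer and consumer might be addressed.
$checks = [
    'consumer.corp.example.com' => true,  // FQDN inside the cookie domain: cookie is sent
    'producer.corp.example.com' => true,  // producer reached by FQDN also receives it
    'producer'                  => false, // short name: no domain match, logon screen appears
    'producer.corp.example.net' => false, // a different domain never receives it
];

foreach ($checks as $host => $expected) {
    $sent = cookie_domain_matches($host, $cookieDomain);
    printf("%-28s %s%s\n",
        $host,
        $sent ? 'cookie sent' : 'cookie NOT sent',
        $sent === $expected ? '' : '  (unexpected)');
}
```

The test with a fresh browser that Oren suggests is exactly this rule observed from the outside: if the producer is opened by a name that does not domain-match the cookie, the browser withholds the ticket and the producer has nothing to authenticate with.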
