Question about Logon ticket with user mapping at BI-JAVA environment

Similar Messages

• Problem about SSO using logon ticket  with user mapping

  Hi everyone ,
  I had done SSO with Portal , BW and R/3 system.
  I use logon ticket with user mapping .
  When user name is same in Portal as in R/3 system, or user name is same in Portal as in BW , user can access R/3 transactions and BW report without logon.
  There are some Portal users name which are different with R/3 user and  BW user. And I done the user mapping for these  user.
  But some user mapping works fine,but most of them can't work,means that most of them need to enter mapped user ID and password.
  What's the reason?
  When SSO using logon ticket with user mapping, the Portal user which is different with R/3 user and BW user,  can they access R/3 transaction iview and BW report iview without logon?

  Hi Chen,
  What you have done is correct. But the problem lies here.
  Since you are using the same system object for accessing the iview, where the ticket method is set to SAPLOGONTICKET in the user Management property of the system object.
  To avoid this create another system object like the previous one but set the logon method to UIDPW and select admin, user from the drop down box. Also create a system alias for this system.
  Now create another iview like the previous one but link this iview to the new system. Now do the user mapping for the users which are different in portal compared with R/3. Now you should be able to login without any problems.
  Another important point is login to portal with Fully qualified domain name. In the ITS property of the system object also give the FQDN.
  Hope this helps
  Regards
  Arun

• Questions about Logon Ticket

  hi.
  As we know, SAP Logon Ticket contains:
  Highest Authentication Scheme
  Validity
  Issuing System
  Digital Signature
  One Mapped ABAP User ID
  User ID
  When ABAP has the same user ID with Portal, then ABAP use "User ID" to logon, when different and admin defined user mapping for ABAP, then use "One Mapped ABAP User ID" to logon.
  My question is, how do SAP backend system decide which uerid to use for different situation?

  Hi,
  check the logon ticket possibilities
  1)When you use SAP logon tickets for Single Sign-On to SAP Systems, users must have the same user IDs in all SAP Systems that are configured to use SAP logon tickets.
  2) If the SAP user IDs are different to the portal user IDs, you must define an SAP reference system. Users then map their portal user ID to the user ID in the SAP reference system.
  http://help.sap.com/saphelp_nw04/helpdata/en/ed/845896b89711d5993900508b6b8b11/content.htm
  check the result section in the link for logon ticket with user mapping.
  When users start the user mapping function, one of the component systems that they can select is the SAP reference system. They can map their portal user ID to their user ID in this reference system. The user mapping function connects to the SAP reference system using the user ID and password to verify that the password entered by the user is correct.
  The next time the user logs on to the portal, the portal generates an SAP logon ticket for the user that contains both his or her portal user ID and mapped user ID.
  Regards,
  Koti Reddy

• Issue with user mapping and SAP reference system

  Hello Gurus,
  I have this strange system behaviour when preparing my system for single sign-on using user mapping.
  Case 1.
  In the user management property category, I have the following defined.
  Authentication Ticket Type - SAP Logon Ticket
  Logon Method - UIDPW
  User Mapping Fields  -
  User Mapping Type - admin, user
  In the alias editor, I defined the default alias as SAP_PRD
  Result= when I go to identity management to assign the reference system (the default alias - SAP_PRD)...I do not see the system alias there.
  Case 2:
  In the user management property category, I have the following defined
  Authentication Ticket Type - SAP Logon Ticket
  Logon Method - SAPLOGONTICKET
  User Mapping Fields  -
  User Mapping Type - admin, user 
  In the alias editor, I defined the default alias as SAP_DEV
  Result, when I go to the identity management to assign the refernce system (the default alias - SAP_DEV), I see it there.
  What might be my issue? Does it mean I can't assign SAP reference if I am using UIDPW as logon method?
  Please help me.

  Hi Mahesh,
  Thanks for the feedback. I am relatively new to EP...so please I won't mind if you can guide me on how to go about this.
  This is what I did...
  I chose System Administration > Permissions
  In the PCD, I located my system with the alias, SAP_PRD
  It opened up the permission assignment area.
  Now I have these permissions set
  Administrator - Full Control
  Administrators - Full control
  com.sap.caf.eu.gp.roles.superuser - Full control
  Everyone (built in group) - Full control
  Everyone (Everyone role)- Full control
  super_admin_role - Owner
  For all the above End User box is checked.
  I can't find anyone end user group .
  Once I pick UIDPW, the alias disapperars from the reference system list.
  Please help.

• Sample PeopleSoft url with user mapping

  Hi all,
  For a demo I want to use a PeopleSoft connection Via a url. Can someone give me a url sample with user mapping.
  Kind Regards,
  Richard

  Hi Sarabjeet,
  just a guess: Is it possible that
  - the target HTTP system is a SAP system?
  - both the portal and the target system are located in the same DNS domain?
  - the target system generally accepts SAP logon tickets issued by the portal?
  - the target system does not know a user with the portal user's (portal) logon ID?
  You could also check whether user mapping works fine by raising the severity level of (trace) location "com.sap.security.core.umap" to "Info" (in Visual Admin's "Log Configuration").
  Best regards
  Heiko

• Problem about  logon ticket cookie

  Hi all,
      We have just set up  trust between two portals.And we want to archive this:
      One user log on a portal(consumer) and he can logon another(producer) with logon ticket.
      But one problem is:
      One user log on consumer and access the producer.Then he log off consumer without closing the browser.another user log on consumer,and when he enter the producer.The cookie in producer is the former user's information.
      When somebody logoff the portal. The logon ticket doesn't expire.Then another user log on. The cookie never updates?
      OK..One can close the browser to kill the cookie.But this is such a potential security problem.
      Is there something to explain this?
      Is there any idea to solve this?
      best regards,
  delma
  Message was edited by:
          delma ma

  Producer portal always knows the consumer as trusted one. 
  Well the SLT is actually a HTTP Cookie issued by the portal system to client browser after a successful logon. It contains portal user name, expiry time and target system identification signed by portal secure certificate.
  The logon procedure looks like so:
  User (XXX) calls the portal1(Consumer)
  Portal1 responds with logon page
  User sends the creditentials to the portal1
  Portal sends back some cookies to the user in 3-4 HTTP roundtrips.
  One of this cookies is the SAP Logon Ticket.
  User (XXX) contacting portal2 (Producer) sends the SAP Logon Ticket along the HTTP to that system.
  This cookie is then send by the browser in all subsequent HTTP calls done by the browser in this session.
  Here it explains the SLT is on the client's browser.
  The recievier system (portal2) - called on the HTTP port, when properly configured  checks the portal certificate with the one stored and then authorizes the user.
  The SLT does not verify the user machine, only it's name anyone fetching the SLT can use it to access other systems in landscape.
  Means of protection
  1.Using HTTPS so the SLT is not available to third party
  2.Additional authorization - for example NTLM
  Cheers
  biroj...........

• Problem with user mapping

  Hello,
  We got a problem with user-mapping to a SAP system.
  We create a SAp system, and an alias to this system.
  We add a user mapping for the administrator (user, not group). Check for connector is OK.
  Now, we make the same user-mapping for a group.
  if the user also belongs to the group "administrator" this mapping works, otherwise this fail with a message <b>"com.sapportals.portal.ivs.cg.SystemNotFoundException: Got null system object for alias R3HR".
  </b>After checking, there is no user-mapping for the "administrator" group, nor for the roles that belong to that group, nor for the user.
  So, it seem that the alias is only visible for an admin.
  does any one got an idea ? we are on SP14, Linux.
  regards
  Guillaume PATRY

  HI Guillaume,
  The user mapping is available for both Admin as well as end users.
  Open your system from System Administration>System Configuration>System Landscape.
  In the property editor,in dropdown for property category,
  select the logon method as UID?password and User Mapping type to admin/user.
  Then you can create a Group,map the system alias for this group and add users to this group.
  Also,in the property editor for the system,from dropdown for display,select permissions , and add the group to asssigned permissions as READ ONLY and select the checkbox for ENDUSER.
  Hope,this resolves your problem.
  Regards,
  Siddhartha

• Export userdata along with user mapping

  Hi,
      Can any body explain how to export user data along with user mapping.
  Thanks in advance.
  Regards,
  Ashok.

  hi,
      Any input  or suggestion of the above request.
      My request is,i want to export user data along with  user mapping and i am using EP 6.0.
      can any body give the details of  exporting data with user mapping.
      Thanks in Advance.
  Regards,
  Ravi.M

• A question about logon users

  Dear all:
  we want to intergrate R/3 and ESS system on Portal.The ITS address is the same.
  Everything is ok but one problem:
  Our client wants us to use logon ticket to logon the R/3 and ESS system through Portal.The EP users are not the same as R/3 users,but not absolutely different.R/3 users have some prefix.(for example,EP user:delma   R/3 system:psdelma).ESS users are the same as EP.
  okay,we can change R/3 users. But this is the worst solution. besides this, we don't know how to figure out this problem.
  anyone has idea about this,thank you!
  Best regards
  delma

  Duplicate post - also in the forum post I referred to in the previous reply...
  According to <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/7d/49ae0771924cf4a1fc7e2af7b2e18c/frameset.htm">this help link</a> you can upload usermapping through the use of a specially formatted text file.
  From the help itself:
  The following example shows how you can change the user mapping data of an existing user, user2. When you import the data, choose the option Overwrite Existing Data in the import tool.
  The user user2 is mapped to the user ID ext_user2 in the system BCE, where BCE is the system alias of the system defined in the portal system landscape.
  [User]
  uid=user2
  $usermapping$:BCE:user=ext_user2
  $usermapping$:BCE:mappedpassword=password

• Logon methods in user mapping

  Hi friends,
     In user mapping we use any of the three logon methods which are nothing but authentication methods.can anybody please explain what are these methods?
  with regards
  sireesha

  Hi sireesha,
  SAPLOGONTICKET method - used if the portal user and R/3 user ( any system ) are the same. If they are different also using user mapping the connection can be estableshed. But no need to specify the password.
  UIDPWD method - Here we specify the userid and password. used if the portal user and R/3 user are different.
  Regards
  Arun

• EP + BW: Problems with user mapping in the portal

  Hi,
  I'm trying to connect the portal with the BW by using the report RSPOR_SETUP which is a step-by-step guide. The steps #1 - #11 seems to be ok but my problem is the 12th step, the user mapping/allocation maintenance in the portal.
  There is an error emerging (in BW): System failure during call of function module RSWR_RFC_SERVICE_TEST (System failure indicates normally an authentication problem between ABAP and Java)
  Another error is emerging by testing the connection in the portal. (System administration u2013 system configuration u2013 system landscape u2013 connection test: the first connection, the SAP Web-AS connection is ok but the second, connection test for connector, is not working.
  Especially the connection to the backend system with the defined connector is not working. The output is: u201CConnection failure. Check that single sign on is correct configured.
  On step 12 of the step-by-step guide I have to select a user in the portal, relate him to a system alias und maintain his technical username and password for the BW. I think here is the problem. Iu2019m able to select and save a system alias for the user, but Iu2019m not able to save his technical username and password. There is another error emerging (in the portal): u201CVerification of user mapping data for system SAP_BW failed, check credentials for errorsu201D, so Iu2019m not able to save the username and password.
  I think thats the my problem. the log file confirms that: "Did not find any existing logon data for principal...." & "No user mapping data available for principal...."
  I hope my problem description is understandable.
  Any ideas how I can solve the credentials problem to save the username and the password?
  Thanks in advance.
  Tan
  Edited by: Tan Yildiz on Jul 22, 2009 1:26 PM

  I could deploy some of the usage types, but there is an error regarding the BI-REPPLAN package. I think it's one of the very last errors that stands between me and a working EP - BI connection. There is a problem with the version. Could you check the log details, to find out more?
  Thank you.
  <!LOGHEADER[START]/>
  <!HELP[Manual modification of the header may cause parsing problem!]/>
  <!LOGGINGVERSION[1.5.3.7185 - 630]/>
  <!NAME[D:\usr\sap\BIP\JC02\SDM\program\log\sdmcl20090806164716.log]/>
  <!PATTERN[sdmcl20090806164716.log]/>
  <!FORMATTER[com.sap.tc.logging.TraceFormatter(%24d %s: %m)]/>
  <!ENCODING[UTF8]/>
  <!LOGHEADER[END]/>
  Aug 6, 2009 6:47:16 PM   Info: -
  Starting validation -
  Aug 6, 2009 6:47:16 PM   Info: Prerequisite error handling strategy: OnPrerequisiteErrorSkipDepending
  Aug 6, 2009 6:47:16 PM   Info: Update strategy: UpdateLowerOrChangedVersions
  Aug 6, 2009 6:47:16 PM   Info: Starting deployment prerequisites:
  Aug 6, 2009 6:47:18 PM   Info: Loading selected archives...
  Aug 6, 2009 6:47:18 PM   Info: Loading archive 'D:\usr\sap\BIP\JC02\SDM\program\temp\BIREPPLAN04_0-10005889.SCA'
  Aug 6, 2009 6:47:21 PM   Info: Selected archives successfully loaded.
  Aug 6, 2009 6:47:21 PM   Error: Unresolved dependencies found for the following SDAs:
  1.: development component 'bi/plan/helpers/table2'/'sap.com'/'MAIN_NW701P03_C'/'2846642'/'0'
  dependency:
         name:     'bi/alv/common'
       vendor:     'sap.com'
  There is no component either in SDM repository or in Deployment batch that resolves the dependency.
  dependency:
         name:     'bi/alv/ui'
       vendor:     'sap.com'
  There is no component either in SDM repository or in Deployment batch that resolves the dependency.
  Deployment will be aborted.
  Aug 6, 2009 6:47:21 PM   Error: No Software Component Archive (SCA) or Software Delivery Archive (SDA) selected. Select at least one.
  Deployment will be aborted.
  Aug 6, 2009 6:47:21 PM   Error: Prerequisites were aborted.
  Aug 6, 2009 6:47:22 PM   Error: Error while creating deployment actions. No Software Component Archive (SCA) or Software Delivery Archive (SDA) selected. Select at least one.
  Deployment will be aborted.
  Aug 6, 2009 6:47:23 PM   Info: -
  Ending validation -

• Problems with user mapping to download ESS Business Package for EP 6.0

  Hi,
  I am trying to download ESS Business Package for EP 6.0 but facing problems inspite of reading the SAP document on downloading Business Package. Here is my problem:
  I start to download the package and to map the user ids. I am mapping the SDN user id to a SAP Service Marketplace user id as mentioned in the SDN website. But the download option is not working and gave an error when I clicked on the 'Download' link after user mapping.
  It would help me a lot if anyone else who tried to download BPs after user mapping gave their feedback.
  Can someone please clarify about the user ids and describe how can I download the ESS Business Package?
  Thanks and Regards

  Hi,
  from the description you provide I can't tell what the problem might be, so to determine the cause we need more information on this. Screenshots of the error message would be ideal.
  In general, the following needs to be done:
  - you need to be signed in  at SDN with your Service Marektplace s user id
  - the user mapping for the data source 'Service Marketplace' needs to be maintained
  Please send the error information to: [email protected]
  and we will try to solve it.
  Thanks, Anke

• A question about creating READ ONLY users.

  Dear all,
  I have a question about read only user accounts and I would appreciate if you could kindly give me a hand. I have a schema named SCHEMA1. Whenever I want to connect by using sqlplus I run the following:
  sqlplus user1/[email protected] SCHEMA1.WORLD is the entry in the tnsnames.ora referring to the schema SCHEMA1.
  I need to create a read only user who is able to SELECT all tables and views created by user1 on SCHEMA1 (this user will not modifiy anything at all. The user is used only for a person using SQL queries to read data). for several tables I write the grants explicitly, for example:
  CREATE USER user2 IDENTIFIED BY user2;
  GRANT CREATE SESSION to user2;
  GRANT SELECT ON S001_COR_ECLASS TO user2;
  GRANT SELECT ON REF_ECLASS511 TO user2;Is there anyway to do the same thing but for all the tables (because there are a lot of tables and views)? Besides, even with these granted permissions when the user connects with SQL Developer to the database, he is not able to view the list of tables/views in SQL Developer GUI. What causes this problem?
  Thanks in advance,
  Dariyoosh

  Hello Dariyoosh,
  he is not able to view the list of tables/views in SQL Developer GUIyou can either go to "Other Users" - user1 - tables. There you see every table you have permission to select.
  Or you can create a synonym in schema2 for each table in schema1 and set a filter on the tables node of user2 "Include synonyms".
  Regards
  Marcus

• A question about a method with generic bounded type parameter

  Hello everybody,
  Sorry, if I ask a question which seems basic, but
  I'm new to generic types. My problem is about a method
  with a bounded type parameter. Consider the following
  situation:
  abstract class A{     }
  class B extends A{     }
  abstract class C
       public abstract <T extends A>  T  someMethod();
  public class Test extends C
       public <T extends A>  T  someMethod()
            return new B();
  }What I want to do inside the method someMethod in the class Test, is to
  return an instance of the class B.
  Normally, I'm supposed to be able to do that, because an instance of
  B is also an instance of A (because B extends A).
  However I cannot compile this program, and here is the error message:
  Test.java:16: incompatible types
  found   : B
  required: T
                  return new B();
                         ^
  1 errorany idea?
  many thanks,

  Hello again,
  First of all, thank you very much for all the answers. After I posted the comment, I worked on the program
  and I understood that in fact, as spoon_ says the only returned value can be null.
  I'm agree that I asked you a very strange (and a bit stupid) question. Actually, during recent months,
  I have been working with cryptography API Core in Java. I understood that there are classes and
  interfaces for defining keys and key factories specification, such as KeySpec (interface) and
  KeyFactorySpi (abstract class). I wanted to have some experience with these classes in order to
  understand them better. So I created a class implementing the interface KeySpec, following by a
  corresponding Key subclass (with some XOR algorithm that I defined myself) and everything was
  compiled (JDK 1.6) and worked perfectly. Except that, when I wanted to implement a factory spi
  for my classes, I saw for the first time this strange method header:
  protected abstract <T extends KeySpec> T engineGetKeySpec
  (Key key, Class<T> keySpec) throws InvalidKeySpecExceptionThat's why yesterday, I gave you a similar example with the classes A, B, ...
  in order to not to open a complicated security discussion but just to explain the ambiguous
  part for me, that is, the use of T generic parameter.
  The abstract class KeyFactorySpi was defined by Sun Microsystem, in order to give to security
  providers, the possibility to implement cryptography services and algorithms according to a given
  RFC (or whatever technical document). The methods in this class are invoked inside the
  KeyFactory class (If you have installed the JDK sources provided by Sun, You can
  verify this, by looking the source code of the KeyFactory class.) So here the T parameter is a
  key specification, that is, a class that implements the interface KeySpec and this class is often
  defined by the provider and not Sun.
  stefan.schulz wrote:
  >
  If you define the method to return some bound T that extends A, you cannot
  return a B, because T would be declared externally at invocation time.
  The definition of T as is does not make sense at all.>
  He is absolutely right about that, but the problem is, as I said, here we are
  talking about the implementation and not the invocation. The implementation is done
  by the provider whereas the invocation is done by Sun in the class KeyFactory.
  So there are completely separated.
  Therefore I wonder, how a provider can finally impelment this method??
  Besides, dannyyates wrote
  >
  Find whoever wrote the signature and shoot them. Then rewrite their code.
  Actually, before you shoot them, ask them what they were trying to achieve that
  is different from my first suggestion!
  >
  As I said, I didn't choose this method header and I'm completely agree
  with your suggestion, the following method header will do the job very well
  protected abstract KeySpec engineGetKeySpec (Key key, KeySpec key_spec)
  throws InvalidKeySpecException and personally I don't see any interest in using a generic bounded parameter T
  in this method header definition.
  Once agin, thanks a lot for the answers.

• Questions about PDF exporting with InDe CS5.5

  Hey all,
  A couple questions about exporting to PDF from the latest version of InDe.
  First, I have noticed that it seems to take a lot longer to get to a PDF. Any suggestions for how to speed up the process? It took 8 minutes or so to generate a low-res PDF (for print) of a 24pp document with a few placed images and vector graphics. Wow, that's a long time to wait, especially for a proof.
  Second, the background task... if I get it going on making that 8-minute PDF and then work some more on the document, what exactly is in the PDF? Usually I save before making a PDF or printing. So, is the last version saved what will be in the PDF?
  (As an aside, this ability to work on the doc while generating a PDF seems kind of weird. Generally one makes a PDF for proofing, or even for printing, when all the changes have been made and everything is "final". So, I see no benefit to being able to work on my document while it's making a PDF, as I'm probably finished making revisions for the time being. I have to say that I kind of like the progress bar you get when you make an interactive PDF, as you know you can't work on the document when that's on the screen... )
  Thanks as always.

  First, I have noticed that it seems to take a lot longer to get to a PDF. Any suggestions for how to speed up the process? It took 8 minutes or so to generate a low-res PDF (for print) of a 24pp document with a few placed images and vector graphics. Wow, that's a long time to wait, especially for a proof.
  Yes, this is abnormally long (and too long), something is wrong. What's the full version of InDesign you are running, as reported by holding down Cmd or Control and selecting About InDesign?
  Second, the background task... if I get it going on making that 8-minute PDF and then work some more on the document, what exactly is in the PDF? Usually I save before making a PDF or printing. So, is the last version saved what will be in the PDF?
  Saving is not related. InDesign makes a database snapshot of your document the moment you begin the PDF export, and makes the export relative to that snapshot, regardless of edits you continue to make during the export process, and regardless of saving. Of course saving first is a good idea, for several reasons, not the least of which it sounds like something's fairly seriously wrong with your document or your InDesign installation.
  We recommend you trash your preferences and export your document to IDML and see if either of those things changes this 8-minute behavior...err, assuming you're running 7.5.2.318.
  (As an aside, this ability to work on the doc while generating a PDF seems kind of weird. Generally one makes a PDF for proofing, or even for printing, when all the changes have been made and everything is "final". So, I see no benefit to being able to work on my document while it's making a PDF, as I'm probably finished making revisions for the time being. I have to say that I kind of like the progress bar you get when you make an interactive PDF, as you know you can't work on the document when that's on the screen... )
  Yeah, I think the primary benefit is if you are likely to work on 2 or more files in parallel, so you can finish A and export A and then switch to B. If you'd like a dialog box to pop up when export is done, check out my exportPop script from this post: ANN: automatic dialog after background export (exportPop.jsx.