Questions about Logon Ticket

hi.
As we know, SAP Logon Ticket contains:
Highest Authentication Scheme
Validity
Issuing System
Digital Signature
One Mapped ABAP User ID
User ID
When the ABAP system has the same user ID as the Portal, ABAP uses "User ID" to log on; when they differ and the admin has defined a user mapping for ABAP, it uses "One Mapped ABAP User ID" to log on.
My question is, how does the SAP backend system decide which user ID to use in each situation?

Hi,
Check the logon ticket possibilities:
1) When you use SAP logon tickets for Single Sign-On to SAP Systems, users must have the same user IDs in all SAP Systems that are configured to use SAP logon tickets.
2) If the SAP user IDs are different to the portal user IDs, you must define an SAP reference system. Users then map their portal user ID to the user ID in the SAP reference system.
http://help.sap.com/saphelp_nw04/helpdata/en/ed/845896b89711d5993900508b6b8b11/content.htm
check the result section in the link for logon ticket with user mapping.
When users start the user mapping function, one of the component systems that they can select is the SAP reference system. They can map their portal user ID to their user ID in this reference system. The user mapping function connects to the SAP reference system using the user ID and password to verify that the password entered by the user is correct.
The next time the user logs on to the portal, the portal generates an SAP logon ticket for the user that contains both his or her portal user ID and mapped user ID.
Regards,
Koti Reddy

Similar Messages

  • Question about Logon ticket with user mapping at BI-JAVA environment

    We're implementing BI 7.0 including BI Java and SAP EP for end user
    access.
    I have two questions about the SSO method when we're using BI Java.
    I know we can simply configure SSO logon ticket with BI-Java(EP
    included) and BI-ABAP through BI template installer and we already
    succeeded in that case.
    But the problem is we want to change it to the user mapping SSO method for
    some internal reason of ours.
    After we configured user mapping SSO, we got an SSO failed error when we
    called BI-Java content like a BEx Web Application iView.
    After much testing, we found SSO logon ticket with user
    mapping (using an SAP reference system). It seems to be working now.
    But our question is "Is it no problem when we use SSO logon ticket with
    user mapping?" Is there any restriction or issue?
    One more question is we can ONLY use user base mapping when reference
    system used. How can we assign BI-ABAP users to EP Group?

    Using an SAP Reference system is all right. But if the reason you are going for this is because of different usernames in EP and BI, why don't you go for user mapping?
    Anyway, one restriction of reference systems is that you can have ONLY ONE reference system defined in the portal. In your case you can only have the BI system defined.
    Hope this helps!!

  • A question about logon users

    Dear all:
    We want to integrate the R/3 and ESS systems on the Portal. The ITS address is the same.
    Everything is OK except for one problem:
    Our client wants us to use logon tickets to log on to the R/3 and ESS systems through the Portal. The EP users are not the same as the R/3 users, but not absolutely different. R/3 users have some prefix (for example, EP user: delma, R/3 system: psdelma). ESS users are the same as EP.
    Okay, we can change the R/3 users, but this is the worst solution. Besides this, we don't know how to solve this problem.
    Does anyone have an idea about this? Thank you!
    Best regards
    delma

    Duplicate post - also in the forum post I referred to in the previous reply...
    According to this help link (http://help.sap.com/saphelp_nw2004s/helpdata/en/7d/49ae0771924cf4a1fc7e2af7b2e18c/frameset.htm) you can upload user mapping through the use of a specially formatted text file.
    From the help itself:
    The following example shows how you can change the user mapping data of an existing user, user2. When you import the data, choose the option Overwrite Existing Data in the import tool.
    The user user2 is mapped to the user ID ext_user2 in the system BCE, where BCE is the system alias of the system defined in the portal system landscape.
    [User]
    uid=user2
    $usermapping$:BCE:user=ext_user2
    $usermapping$:BCE:mappedpassword=password

  • Problem about  logon ticket cookie

    Hi all,
        We have just set up trust between two portals, and we want to achieve this:
        A user logs on to one portal (consumer) and can log on to another (producer) with the logon ticket.
        But there is one problem:
        A user logs on to the consumer and accesses the producer. Then he logs off the consumer without closing the browser. Another user logs on to the consumer, and when he enters the producer, the cookie in the producer holds the former user's information.
        When somebody logs off the portal, the logon ticket doesn't expire. Then another user logs on. The cookie never updates?
        OK, one can close the browser to kill the cookie. But this is such a potential security problem.
        Is there something to explain this?
        Is there any idea to solve this?
        best regards,
    delma

    The producer portal always knows the consumer as a trusted one.
    Well, the SLT is actually an HTTP cookie issued by the portal system to the client browser after a successful logon. It contains the portal user name, expiry time and target system identification, signed by the portal secure certificate.
    The logon procedure looks like this:
    User (XXX) calls portal1 (consumer).
    Portal1 responds with the logon page.
    User sends the credentials to portal1.
    Portal sends back some cookies to the user in 3-4 HTTP roundtrips.
    One of these cookies is the SAP Logon Ticket.
    User (XXX), contacting portal2 (producer), sends the SAP Logon Ticket along with the HTTP request to that system.
    This cookie is then sent by the browser in all subsequent HTTP calls done by the browser in this session.
    This explains that the SLT is on the client's browser.
    The receiver system (portal2), called on the HTTP port, when properly configured, checks the portal certificate against the one stored and then authorizes the user.
    The SLT does not verify the user machine, only its name; anyone fetching the SLT can use it to access other systems in the landscape.
    Means of protection:
    1. Using HTTPS so the SLT is not available to a third party
    2. Additional authorization - for example NTLM
    Cheers
    biroj...........
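
A check for the two points raised in this thread (the ticket is a bearer cookie, and logging off did not remove it), added here as an example and not code from either poster or from SAP. It assumes the ticket cookie is named MYSAPSSO2, which the thread does not state; the host names and header values are constructed.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Assumption: MYSAPSSO2 is the usual cookie name for the SAP logon ticket;
# the thread itself never names the cookie.
TICKET_COOKIE = "MYSAPSSO2"

def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    first, *rest = [p.strip() for p in header_value.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def scope(attrs):
    """(domain, path) the cookie is stored under; empty string = not given."""
    return attrs.get("domain", "").lstrip(".").lower(), attrs.get("path", "")

def is_expired(attrs, now):
    """True if the attributes tell the browser to delete the cookie."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) <= 0
        except ValueError:
            return False
    if attrs.get("expires"):
        try:
            when = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return False
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        return when <= now
    return False

def audit_logon_response(set_cookie_headers, issuing_host):
    """Findings about how the ticket cookie is exposed after logon."""
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name != TICKET_COOKIE:
            continue
        if "secure" not in attrs:
            findings.append("no Secure flag: ticket is also sent over plain HTTP")
        if "httponly" not in attrs:
            findings.append("no HttpOnly flag: ticket is readable by page scripts")
        domain = scope(attrs)[0]
        if domain and domain != issuing_host.lower():
            findings.append(f"domain-wide: every host under {domain} receives the ticket")
    return findings

def logoff_clears_ticket(logon_headers, logoff_headers, now=None):
    """True only if logoff expires the ticket under every scope it was set for.

    An expiring Set-Cookie with a different Domain/Path leaves the original
    ticket in the browser (simplified: browser default-path rules are ignored).
    """
    now = now or datetime.now(timezone.utc)
    issued = {scope(a) for n, _, a in map(parse_set_cookie, logon_headers)
              if n == TICKET_COOKIE}
    cleared = {scope(a) for n, _, a in map(parse_set_cookie, logoff_headers)
               if n == TICKET_COOKIE and is_expired(a, now)}
    return bool(issued) and issued <= cleared

# Constructed sample headers (not captured from a real portal).
LOGON = ["MYSAPSSO2=CONSTRUCTED-TICKET; Domain=.example.com; Path=/",
         "JSESSIONID=constructed; Path=/; HttpOnly"]
LOGOFF_HOST_ONLY = ["MYSAPSSO2=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT"]
LOGOFF_MATCHING = ["MYSAPSSO2=; Domain=.example.com; Path=/; Max-Age=0"]

if __name__ == "__main__":
    print(audit_logon_response(LOGON, "consumer.example.com"))
    print(logoff_clears_ticket(LOGON, LOGOFF_HOST_ONLY))
    print(logoff_clears_ticket(LOGON, LOGOFF_MATCHING))
```

Feed it the Set-Cookie values recorded from the consumer portal's logon and logoff responses; a logoff that expires the cookie under a different domain or path than it was issued for reports False.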

  • Two questions about Logon Group

    About logon group, it describes as below in the help.sap.com.
    1. Each SAP application has different resource requirements. Certain applications may therefore require more servers and logon groups. For example, you should assign separate servers for the application component PP.
    Q1: How does a certain application use more than one server via a logon group, and how does it use SAP memory which resides in different servers?
    2. If it is not practical for you to assign separate servers to integrated applications, such as the application components SD-MM and FI-CO, you should assign common logon groups to these applications.
    Q2: I don't understand this sentence exactly.
    Thanks so much.
    James

    Not sure if I exactly understood what your problem is, but let me give it a try:
    A1: One logon group may have several servers attached to it. If users user1, user2, user3, ... are going to connect to the logon group, they will be sent to different servers. None of those users will be able to use memory from more than one server. But, let's say user1 and user2 will use resources from server1, whereas user3 will use resources from server2. The goal is that all servers will have the same (or similar) load, just by distributing users.
    A2: If it is not possible to have four logon groups for the four applications SD, MM, FI, CO, but you still want different logon groups, then, at least, you should create two logon groups, one for SD and MM, the other one for FI and CO. That's because resource requirements are similar for SD and MM, and for FI and CO.
    hope this helps

  • Question about logon screen customization

    Hi,
    I have to customize the web logon screen of the BEx.
    In SICF, on the BEx service, on the Error Pages tab, System logon is checked. If i click on the Setting button I have :
    Define Service-Specific Settings
    System ID
    Language
    System Messages
    Logon and SI
    etc ... and in "Logon Layout and Procedure", Sap Impl, Netweaver and SAP Tradeshow.
    I have defined a header image in "Adjust Links and Images" and it works !
    But ... on my logon screen I have 4 fields, 3 of which are inactive (system, users and password), and the log on button. Only the language drop-down menu is active. The content of the users and password fields is "Via popup".
    In order to log on, I have to select my language and enter my login and my password in a system popup (not a web form). How can I change this boring sequence? Isn't it possible to enter one's logon and password directly in the first screen?
    Thanks for your help,
    GC.

    Hello CG,
    I think you can pre-define your language, using the parameter 'BspLanguage', in the URL defined at 'Error Pages' of the BEx service.
    An example:
    /sap/public/bsp/sap/system/login.htm?sap-url=<%=PATHTRANS%>&BspLanguage=EN
    You can also do other things, such as pre-defining the client, or showing the option to change the password.
    An example:
    Run default.htm of BSP system_public, to know the parameters available.
    /sap/public/bsp/sap/system/login.htm?sap-url=<%=PATHTRANS%>&BspClient=010&BspChangePasswordVisible=X
    Kind regards.

  • Question about logon screen

    i have this weird problem - i searched the forums but couldn't find any answer - i'm on 10.7 Lion - sometimes my mac goes into a state where it goes back to the logon screen and i have to enter my password to unlock the mac - this interferes with some remote access software i have which doesn't work if the mac is locked
    i don't have Require Password for sleep and screen saver checked in the Security and Privacy preferences - and i've looked at other preferences for a setting that controls this - but couldn't find any
    does anyone know what causes this and how to turn it off?

  • Question about logon.do & opendocument

    Hi All,
    We are currently using BO XIR2 FP5.6.
    We are trying to do an opendocument.jsp call directly from the Infoview login such that the URL both authenticates the user and does the opendocument.jsp call simultaneously.
    Is this possible with logon.do? Or, can this be done with OpenDocument.jsp directly by specifying the username/password or token as a parameter of the OpenDocument.jsp call?
    Also, can you provide a list of parameters that logon.do supports?
    Thanks

    Better is using opendoc.
    // Method-body fragment; needs java.net.URLEncoder and the BusinessObjects Enterprise SDK.
    try {
        initBOSession();
    } catch (Exception e) {
        this.addError("", "09002");
        logger.error(e.getMessage(), e);
        form.setEnableGenerateReportButton(false);
        Forward forward = new Forward("error");
        return forward;
    }
    // Create a logon token that is valid for 1 minute and for 1 logon.
    ILogonTokenMgr logonTokenMgr = enterpriseSession.getLogonTokenMgr();
    String sBOEToken = logonTokenMgr.createLogonToken("", 1, 1);
    // Build the openDocument.jsp URL that carries the token.
    StringBuffer sb = new StringBuffer();
    sb.append(appConfig.getReportsProtocol());
    sb.append("://");
    sb.append(appConfig.getReportsHostName());
    sb.append(":");
    sb.append(appConfig.getReportsPort());
    sb.append("/businessobjects/enterprise115/desktoplaunch/opendoc/openDocument.jsp?");
    sb.append("token=");
    sb.append(sBOEToken);
    sb.append("&sPath=");
    sb.append(URLEncoder.encode(appConfig.getReportsPath()));
    sb.append(",");
    sb.append(URLEncoder.encode("["));
    sb.append(context.getEntityName());
    sb.append(URLEncoder.encode("]"));
    sb.append("&sDocName=");
    sb.append(form.getReportId());
    sb.append(buildParametersForReport(form));
    getRequest().setAttribute("reportURL", sb.toString());
    Forward forward = new Forward("success");
    if (logger.isDebugEnabled()) {
        // Note: this writes the full URL, including the logon token, to the debug log.
        logger.debug("Exiting generate Report::" + sb.toString());
    }
    return forward;

  • Problem about SSO using logon ticket  with user mapping

    Hi everyone ,
    I have set up SSO with the Portal, BW and R/3 systems.
    I use logon tickets with user mapping.
    When the user name is the same in the Portal as in the R/3 system, or the same in the Portal as in BW, the user can access R/3 transactions and BW reports without logging on.
    There are some Portal user names which are different from the R/3 user and BW user, and I did the user mapping for these users.
    Some user mappings work fine, but most of them don't work, meaning that most of them need to enter the mapped user ID and password.
    What's the reason?
    When using SSO with logon tickets and user mapping, can a Portal user which is different from the R/3 user and BW user access R/3 transaction iViews and BW report iViews without logging on?

    Hi Chen,
    What you have done is correct. But the problem lies here.
    Since you are using the same system object for accessing the iview, where the ticket method is set to SAPLOGONTICKET in the user Management property of the system object.
    To avoid this create another system object like the previous one but set the logon method to UIDPW and select admin, user from the drop down box. Also create a system alias for this system.
    Now create another iview like the previous one but link this iview to the new system. Now do the user mapping for the users which are different in portal compared with R/3. Now you should be able to login without any problems.
    Another important point is login to portal with Fully qualified domain name. In the ITS property of the system object also give the FQDN.
    Hope this helps
    Regards
    Arun

  • Java client application + SAP Logon Tickets (SSO)

    Hello
    I have the following question, it is about connection between SAP Enterprise Portal and Java Application.
    After registration in Enterprise Portal (with the Internet Explorer browser), the request is passed on to the SAP backend system - cFolders (SSO method).
    With the internet browser everything worked.
    How can one, however, get this logon ticket with a Java application and then use it later for a SOAP connection
    (everything with a client Java application)?
    Thanks for quick help
    Edo

    Hi Edo,
    look at this https://media.sdn.sap.com/javadocs/NW04/SPS15/um/com/sap/security/api/ticket/TicketVerifier.html
    Best Regards
    Oliver

  • Question about Single Sign On

    Hi Gurus!
    I have a question about the following scenario:
    The login in EP6 is with the NT User (adriano.oliveira), but to access the SAP applications I need to use another User (aoliveira - the size of the NT User is bigger than SAP User length).
    I know this works with user mapping, but the problem is that each user will need to configure his mapping (5000 users). Then I think the option is to use the SAP Logon tickets.
    My doubt is: Is it possible to validate a user id at login (in the EP6 SP10) and generate the client certificate with another user id???
    Important: In the AD (Active Directory), for each NT User id, there is a field with the SAP User id. I could use this field...
    Thanks for any help.
    Regards,
    Adriano

    Adriano,
    You can maintain a reference SAP server.
    http://help.sap.com/saphelp_nw04/helpdata/en/ed/845896b89711d5993900508b6b8b11/content.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/0b/d82c4142aef623e10000000a155106/content.htm
    Hope this helps,
    thanks,
    Praveen

  • SSO using Kerberos with SAP Logon Tickets

    Hi,
    I am creating a Repository Manager for the Portal Knowledge Management System and I want to use SSO to a backend IIS application and I have a few questions here. 
    I have a three tiered architecture. 
    A.  The presentation tier (SAP Portal which has my Repository Manager implementation)
    B.  ASP.NET web service data layer.
    C.  Backend document management system which runs on IIS. 
    I have installed the ISAPI filter on my ASP.NET application server and have enabled this HOST account for delegation in MSAD 2003.   Server B will use Kerberos constrained delegation to access Server C, which is an IIS backend server. 
    My question is how do I pass an SAP Logon Ticket to an ASP.NET web service request from my Repository Manager implementation?  Basically how do I just make an HTTP request to an ASP.NET application from some portal iView or WebDynPro code and pass along the SAP Logon Ticket in the request so it can be interpreted by the ISAPI filter on the IIS server.  Does anyone have any sample code or an application here that does this?
    Thanks,
    Scott

    Hi Scott
    Did you manage to find out anything regarding how to pass the SAP Logon ticket to an ASP.NET web service? Can you share it with me?
    regards
    ram

  • SSO with Logon Ticket to non-SAP Unix based application

    Hi all,
    Anyone has implemented SSO with Logon Ticket to a Unix box ?
    We need to achieve Single Sign On between our EP5.0 SP5 Portal and a third-party web application with a front-end on a Unix AIX machine with Apache.
    We achieved SSO with non-SAP applications with Logon Tickets, but one was to an IIS system in another domain (we therefore used the standard Web Filter for IIS and declared it in usermanagement for cross-domain support) and another one running on Windows platform (we used the C libraries provided in the "Logon Ticket Toolkit": NT or Linux only).
    From what we understand and found on the web sites, we cannot reuse any standard web filter (none for Unix, am I correct ???) and want to implement custom code using SAP libraries, if possible using Java
    -> Are there any Java libraries that are available to both:
    . verify the logon ticket with the deployed Portal public key
    . decrypt/extract the authenticated username from this ticket ??
    I've seen a mention of Java libraries, and Unix, in a SAP EP 6.0 document but I'm not sure where to find them...
    Is the SAP Logon Ticket issued the same way in EP 5.0 and EP 6.0 ?
    I managed to find something called SAPSSOEXT, for AIX, which contains some partial library and a sample, but it is dated 2000 !! Anyone has more information about this ?
    Any hint is very much appreciated.
    Thanks a lot
    Olivier

    Check these links for reference regarding AIX and Apache using X.509 certificates:
    http://publib16.boulder.ibm.com/pseries/en_US/aixbman/security/cas_pki.htm
    And just using cookies -
    http://forums.devshed.com/archive/t-105611 (perl based)
    You can also use mod_ssl built into your Apache to facilitate both certificate based authentication as well as encryption.
    The mod_ssl route is most secure (because of the encryption), the IBM link is comprehensive but requires extra infrastructure (LDAP).
    Nick

  • How to implement SSO to non-SAP systems using SAP logon ticket?

    Hello,
    We would like to implement Single Sign On between our SAP Netweaver system and a Siebel which is a non-SAP system using SAP logon tickets.
    Can anyone please give me some leads on this, in particular:
    1. Is there a JAVA API or an SAP plug-in that can be implemented on the Siebel machine to extract the SAP logon ticket?
    2. As the other machine might sit on a completely different domain, is it possible to implement SAP logon tickets without using cookies (perhaps through the HTTP header)?
    3. In case you think using SAP logon tickets is not the best solution here I would be happy to hear any other suggestions you might have.
    Roy

    Hi,
    I'm currently using SAML as well. Unfortunately the SAP J2EE cannot work as authority (identity provider) but what you can do is using an open implementation of SAML such as opensso which is an open version of SUNs Java System access manager.
    There are a couple of other projects such as opensaml, apache's wss4j or shibboleth that might be interesting in this context.
    I just installed opensso and got it working with SAP J2EE 7.0 using SAPs JAAS SAMLLoginModule to authenticate users within SAP J2EE.
    In this scenario opensso serves as identity provider just as you need! There are a couple of Policy agents available on SUNs Download site you can use with Apache, Tomcat, JBOSS, WebSphere, Bea Web Logic etc. in order to authenticate! Otherwise you just directly authenticate against opensso. When installing opensso you can configure the type of user store you want  to use! By default it uses LDAP but you can also use different types of user store using JDBC or other mechanisms. Since you have a Directory Service you could easily connect it to your existing directory.
    There is also a way to map user ids directly in opensso by adding a uid mapping class. I created some documentation with lots of screenshots about using opensso with SAP J2EE. You can easily use opensso with any other system that supports SAML. In the case of SAP the usage is currently limited to SAML versions 1.0 and 1.1. Version 2.0 is not yet supported but should be in one of the following versions.
    Here are some links you might want to check:
    OpenSAML: https://spaces.internet2.edu/display/OpenSAML/Home
    wss4j: http://ws.apache.org/wss4j/
    shibboleth: http://shibboleth.internet2.edu/
    opensso: https://opensso.dev.java.net/
    On SDN you will find a documentation on how to connect SUN Java System Access Manager to SAP J2EE (see https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/906d9fc6-31b9-2910-1385-90edad7d7570). As I said opensso is based on the SUN Access Manager code and looks quite the same. So you can adapt this documentation in order to configure opensso or you can just ask me for the documentation.
    Hope this is helpful...
    Let me know if you need further assistance on this topic
    Cheers

  • SSO to Web Service using SAP Logon Ticket

    Hi,
    I have to do SSO using SAP Logon Ticket between my portal and a Java Web Service that is accessible over internet. I do have the WSDL file of this Web Service.
    I want to know:
    1. What changes are required in Web Service to configure it to read and accept Logon Ticket?
    2. What am I supposed to do at portal end to enable this process?
    Thanks,
    Vivek

    Hi Vivek & Raja,
    > is it that if the WS is a third party WS and running on a Non-SAP J2EE Server,
    > we can't implement SSO from Portal to it using SAP Logon Ticket?
    Right, if you cannot extend its functionality, how should it do the ticket verification...
    @Raja:
    > SAP Logon Ticket is for authenticating to a SAP system, since yours in a
    > thirdparty ws, there is not need of SAP logonticket.
    On the other hand, that's not true. It is possible as well as often done to verify the SSO ticket on some third party system. This is also supported, for Java as well as for other systems, different articles about such scenarios have been published, also here on SDN.
    Hope it helps
    Detlev
    PS: Vivek, please consider rewarding points for helpful answers on SDN. Thanks in advance!
