Re: SSO Configuration in ep 7.3

Similar Messages

• Unable to view BI Publisher report with SSO configuration enabled

  Hi All,
  Can anybody let us know the configuration of the BI publisher with SSO enabled. We are unable to see any of the BI Publisher reports. without SSO configuration we have integration working perfectly fine with the OBIEE and Publisher.
  We followed the configuration steps to integrate BI Publisher with Oracle SSO. The following are the steps:
  1. deploy analytics.ear as a new application 'analyticsSOAP' in OAS
  2. protect analyticsSOAP in mod_osso.conf file under OAS
  3. change OBIEE Presentation services configuration to use analyticsSOAP/saw.dll
  4. run credstore utility to encrypt password
  5.restart xmlp server
  6.restart http server
  7.restart obiee server
  8. restart obiee presentation service
  Still we have issues when we try to accesses BI Publisher reports by clicking more Products -> BI Publisher or view reports directly on the OBIEE Dashboard
  Thanks in advance.

  configure one more virtual path which is unprotected from site minder. we had similar issue for Marketing and resolved by this virtual path.
  ref:
  http://vaandun-analytics.blogspot.com/2009/11/obi-publisher-with-empty-obi-catalog.html
  Thanks
  Sarathi

• SSO Configuration in UNIX Environment

  Hi,
  We are planning to impliment SSO between 2004s Portal with R/3, BW, and host of other non SAP application which supports SSO. All the applications are hosted in UNIX environment.
  Could anyone help us in understanding the pros and cons of having SSO in unix envrionment. Also you could give us any document (other than help.sap.com) which guides us in configuring will be of great help.
  Thanks
  Vivek Raj.

  Hi,
  There are no pros and cons for <b>SSO on Unix</b>. Needless to mention, the pros and cons of different operating systems supported by SAP.
  The steps involved to configure SSO remains the same for any of the SAP backend systems:
  1) Create a system on Portal and give a system alias to it.
  2) Download the verify.der file from Portal (System Administration -> System Configuration -> Keystore Administration)
  3) Log on to the backend SAP system.
  4) Use transaction STRUSTSSO2 and import the Portal certifcate (verify.der) to the SAP R3 or SAP BW or SAP CRM or for that matter any SAP system with ABAP stack.
  5) Give the values for EP system ID, client and language. Refer to this link : http://help.sap.com/saphelp_nw2004s/helpdata/en/78/f1a8490e7011d6999500508b6b8a93/content.htm
  6) Configure the backend SAP systems to accept and verify the logon ticket. Use RZ10 and set the parameters : login/accept_sso2_ticket=1 and login/create_sso2_ticket=1
  7) Restart your R3 or BW system.
  For non-SAP systems, can you just let me know which systems are you referring to ?
  Incase you need a document for SSO configuration, do send me your email address. You can also find documents in SDN Library.
  Regards,
  Sunil

• SAP CRM to ECC - SSO Configuration - Logon Language Setup

  Hi All,
  I am a BASIS consultant currently handling one CRM project. I need a help in configuring SSO between CRM and ECC. Now SSO is not configured, so When I click on the External Link created in CRM calling an ECC transaction, it requests for Client/UserID/Password/LogonLang for the ECC system. Here it takes Logon Language as same as what I have logged in CRM. Hope once SSO configured it will check only for the userID and log into ECC without requesting any further details. But the issue here is we are planning to have additional languages in CRM but not in ECC. So whenenver user logs in CRM with language other than EN - english (eg. FR), and when tried to login to ECC with the external link from CRM, by default ECC login needs to be logged in with language EN, as FR will not be available in ECC. I do not find any logon language configuration in SSO, how can we achieve this, logging into language FR in CRM, logging in EN when clicking External ECC link? Configuring Logon Data defaults (in SU01) in ECC, restricting to logon language EN, will not help I hope. Please advise.
  Thanks in advance.
  Regards,
  Shahul

  Hi Srikishan,
  Thanks for the response. When user from CRM logged in another language than EN for eg. FR, clicks on external link in CRM, takes to EN, only if that language FR is not installed in ECC, else it will take to the same language in which CRM user logged in. This cannot be controlled in SSO configuration. Is this correct?
  In case if FR is installed in both the systems, ie CRM and ECC, but user wants to log only to EN when clicked the external link(to ECC) from CRM, how we can configure this, Is any parameter can control or SSO setup configuration available? Please advice.
  Regards,
  Shahul Hameed

• SSO Configuration in biztalk

  Hi
  I referred the below url to store config info to SSO DB , from biztalk i am reading those values.
  http://www.codeproject.com/Tips/559597/How-to-store-BizTalk-configuration-in-the-SSO-data
  its working fine. i have used the MMC snap in tool to create configurable values.
  but now i have a situation to store one more key/value in the same application via programatically.
  i tried to use the below code snippet for storing values 
  SSOConfigStore ssoStore = new SSOConfigStore();
                  ConfigurationPropertyBag appMgmtBag = new ConfigurationPropertyBag();
                  object value = "Sample";
                  appMgmtBag.Write(propName, ref value);
                  ((ISSOConfigStore)ssoStore).SetConfigInfo(appName, idenifierGUID, appMgmtBag);
  but when i try to update , it is not updating the new key/value pair in the same application store. also, when i open the MMC snap in tool, i am not able to see the existing key/value pairs.
  can any one please help me how to store the sso configurable values dynamically?
  Thanks
  Vinoth

  Hi Vinoth,
  Please have a look at this thread
  http://social.msdn.microsoft.com/Forums/en-US/5b914e0c-50ea-4226-8f0e-7e15e2f482ae/biztalk-2013-sso-mmc-snapin-does-not-show-key-pairs?forum=biztalkgeneral
  Probably, this will solve the issue of existing key/value pairs missing in MMC
  Thanks,
  Deepthi
  DeepthiAdith

• SAP Best Practices for SSO Configuration

  Hello There,
  Are there any SAP Best Practices available for SSO Configuration. If so, Kindly help me with those..
  And also any Third party tools available in the market for SSO Configuration..
  Appriciate your Help on this.. Thanks in advance.
  Regards,
  Pranay S
  Edited by: Pranay Subedari on Apr 29, 2011 9:12 AM

  Hello,
  Types on the SSO are classified with the systems involved in configuration (i.e.) SSO between ABAP Stack and Java stack or LDAP, OS
  Refer the link for more details [Document Deleted]
  Regards,
  Anand
  Message was edited by: Jason Lax

• SSO Configuration Assistant failed during installation of OCS 10G on linux

  I am trying to install OCS 10g infrastructure on CentOS 4.2
  the linux version which the installer displays is redhat-4
  The installation works fine but the SSO CA fails and gives this message
  NLS_LANG param = AMERICAN_AMERICA.AL32UTF8ERROR : Exception while configing SSO DAD :oracle.ons.SubscriptionException: Subscription request timed out after 120000 millseconds. Possible causes: OPMN may not be running, you may have an OPMN running in an alternate ORACLE_HOME using duplicate port values, or OPMN may be misconfigured.
       at oracle.ons.SubscriptionNotification.waitForReply(SubscriptionNotification.java:82)
       at oracle.ons.ONS.addSubscriber(ONS.java:336)
       at oracle.ons.Subscriber.realStartup(Subscriber.java:92)
       at oracle.ons.Subscriber.<init>(Subscriber.java:80)
       at oracle.ons.ONS.createNewSubscriber(ONS.java:690)
       at oracle.ias.sysmgmt.task.TaskMaster.sysInit(Unknown Source)
       at oracle.ias.sysmgmt.task.TaskMaster.sysInit(Unknown Source)
       at oracle.ias.sysmgmt.task.InstanceManager.sysInit(Unknown Source)
       at oracle.ias.sysmgmt.task.InstanceManager.init(Unknown Source)
       at oracle.ias.sysmgmt.EntryPoint.init(Unknown Source)
       at oracle.webdb.config.smi.GeneralConfig.<init>(Unknown Source)
       at oracle.webdb.config.smi.GeneralDADConfig.<init>(Unknown Source)
       at oracle.webdb.config.smi.DADConfig904Imp.<init>(Unknown Source)
       at oracle.webdb.config.smi.ConfigFactory.getGeneralDADConfig(Unknown Source)
       at oracle.webdb.config.smi.ConfigFactory.getDADConfig904(Unknown Source)
       at oracle.webdb.config.smi.ConfigFactory.getDADConfigLatest(Unknown Source)
       at oracle.webdb.config.smi.ConfigFactory.getDADConfigLatest(Unknown Source)
       at oracle.security.sso.SSOConfigAssistant.configDAD(SSOConfigAssistant.java:1493)
       at oracle.security.sso.SSOConfigAssistant.ssoConfig(SSOConfigAssistant.java:1270)
       at oracle.security.sso.SSOConfigAssistant.main(SSOConfigAssistant.java:217)
  Please fix the error reported in the stack trace above and re-run SSO Config Tool.
  /home/oracle/product/10.1.2/ocs_1/jdk/bin/java
  -cp
  /home/oracle/product/10.1.2/ocs_1/lib/xmlparserv2.jar:/home/oracle/product/10.1.2/ocs_1/sysman/webapps/emd/WEB-INF/lib/emd.jar:/home/oracle/product/10.1.2/ocs_1/sysman/webapps/emd/WEB-INF/lib/log4j-core.jar:/home/oracle/product/10.1.2/ocs_1/lib/emSDK.jar
  -DORACLE_HOME=/home/oracle/product/10.1.2/ocs_1
  oracle.sysman.emSDK.conf.TargetInstaller
  deletetarget
  oracle_sso_server
  infra_inst.nufastserver.local.nu_Single Sign-On:orassogetASTargetInfo: oracleHome = "/home/oracle/product/10.1.2/ocs_1".
  getASTargetInfo: iasName = "infra_inst.nufastserver.local.nu".
  getASTargetInfo: iAS Target Type = "oracle_ias".
  Setting the AS product version value in targets.xml to be "10.1.2.0.2".
  Calling method getASTargetInfo.getASTargetInfo: StatusURL value = "http://nufastserver.local.nu:7777".
  Retrieved SSO protocol, host, and port info from targets.xml.
  The values are: "http://nufastserver.local.nu:7777".The following values will be used to configure the sso_server target entry in targets.xml.
  Protocol: "http".
  Hostname: "nufastserver.local.nu".
  Port: "7777"./home/oracle/product/10.1.2/ocs_1/jdk/bin/java
  -cp
  /home/oracle/product/10.1.2/ocs_1/lib/xmlparserv2.jar:/home/oracle/product/10.1.2/ocs_1/sysman/webapps/emd/WEB-INF/lib/emd.jar:/home/oracle/product/10.1.2/ocs_1/sysman/webapps/emd/WEB-INF/lib/log4j-core.jar:/home/oracle/product/10.1.2/ocs_1/lib/emSDK.jar
  -DORACLE_HOME=/home/oracle/product/10.1.2/ocs_1
  oracle.sysman.emSDK.conf.TargetInstaller
  addtarget
  /home/oracle/product/10.1.2/ocs_1/sso/sso_server_target2add.xmlConfiguring SSO languages with the following language code:
  us Language us is already installed.
  About to execute java call using emConfigInstall.jar.
  Here are the arguments:
  /home/oracle/product/10.1.2/ocs_1/jdk/bin/java
  -DORACLE_HOME=/home/oracle/product/10.1.2/ocs_1
  -jar
  /home/oracle/product/10.1.2/ocs_1/jlib/emConfigInstall.jar
  consolesn
  /home/oracle/product/10.1.2/ocs_1/sso/conf/consoleConfigSNSegment.xml
  Finished executing the call.Child Process has exited.
  SSO Configuration Assistant failed.
  I have checked thelog files but there is nothing in that.
  in the hosts file I have given fully qualiifed name as "nufastserver.local.nu"
  Can any bosy help me in this problem. I have tried reinstalling the OS also but the problem is still there at the same place

  I had exactly the same poblem on a red hat 64bit OS on the infrastructure install.
  But while trying to start opmn manually (that is definitely not to do to solve the problem). I had the error telling me that the shared library libdb.so.2 was not accessible.
  I did add the compat-db-4xxxxx.i386.rpm and then retry the check. Then all passed threw.
  To note that the .log file from the install says definitely nothing about this and that just trying to start the opmn did create another .log that gave me the file problem.
  Hope it can help for 64bit linux OS installation.

• ESH 7.2 SSO Configuration failes

  Hi,
  I tried SSO Configuration for ESH 7.2 as described in document
  http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/00007511-5c0e-2d10-26bd-f30b7f433b9a?quicklink=index&overridelayout=true.
  It was not able to me to call the custom service created
  under /default_host/zes/... Therefore I had to copy this node
  to /default_host/sap/zes/...
  After calling
  http://nwbs1db.intra.net.blanco:50100/sap/zes/opensearch/search the
  redirect application will be called. SSO Ticket is issued but internal
  service of ESH abap stack calls redirect application again. Due to this
  fact I get an infinite loop.
  Has anybody an idea where I should check my configuration again to solve this problem?
  Thanks and best regards,
  Matthias

  Hi Matthias,
  I will notify the responsible colleagues about your post.
  But can you log this as a support message to SAP as well, please?
  After all, that is still the only way to get guaranteed atention by SAP (as opposed to community here) and also it is the way to get this into our official list of things to check and, if necessary, fix.
  Best,
  Karsten

• Windows AD SSO Configuration using Vintela

  Hi All
  We are doing a BOE XIR3.1 deployment with 4 machines, Weblogic 9.2 as the Application server, and oracle DB as the CMS and Audit Database, we plan to do the CMS clustering too.
  BO1 used as CMS1 machine
  BO2 used as CMS2 machine
  BO3 used as BO clustering
  WL used as the Weblogic machine for the Web-tier part.
  We also plan to have the Windows AD SSO configuration done, as discussed we will be having 3 SIA node, SIA1 on the BO1 machine SIA2 on the BO2 (CMS cluster machine) and SIA3 on the BO3 machine (here all server components will be installed except the CMS and the u2018Web Appl container serveru2019).
  During the SSO configuration, should the SIA1, SIA2 and the SIA3 be run under the server account?
  Ie. In the properties of SIA, under the u2018Log on asu2019 section, will be using the DOMAIN\<service account>. Does this need to be done for all 3 SIAu2019s u2026. SIA1, SIA2 and SIA3 ?
  - Thanks
  Ranjit

  It only needs to be done where there is a CMS (per your scenario SIA1 & 2).
  [Section 1|https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d0f6ac3c-b3ac-2b10-1b95-c9bd46194977] of my doc details planning your service account(s)
  Regards,
  Tim

• Sso configuration assistant failed

  my envirament is redhat AS4 + oracle 10.1.0.4.2
  MR and OID are installed in different PC. There is no problem when I install the MR,but the "sso configuration assistant failed " alway appear when I install OID.
  the installation log is as fllow:
  Configuration assistant "Single Sign-On Configuration Assistant" failed
  ================================================================================================================
  Output generated from configuration assistant "Single Sign-On Configuration Assistant" (attempt 4):
  CLASSPATH=/home/oracle/OraHome_1/jlib/repository.jar:/home/oracle/OraHome_1/sso/lib/ossoca.jar:/home/oracle/OraHome_1/lib/xmlparserv2.jar:/home/oracle/OraHome_1/jdbc/lib/classes12.jar:/home/oracle/OraHome_1/jdbc/lib/nls_charset12.jar:/home/oracle/OraHome_1/jlib/jndi.jar:/home/oracle/OraHome_1/jlib/ojmisc.jar:/home/oracle/OraHome_1/j2ee/home/jazn.jar:/home/oracle/OraHome_1/j2ee/home/jaas.jar:/home/oracle/OraHome_1/jdk/lib/rt.jar:/home/oracle/OraHome_1/jdk/lib/i18n.jar:.:/home/oracle/OraHome_1/sysman/webapps/emd/WEB-INF/lib/emd.jar:/home/oracle/OraHome_1/dcm/lib/dcm.jar:/home/oracle/OraHome_1/sysman/webapps/emd/WEB-INF/lib/portalSMI.jar:/home/oracle/OraHome_1/jlib/emConfigInstall.jar:/home/oracle/OraHome_1/lib/dms.jar:/home/oracle/OraHome_1/opmn/lib/ons.jar:/home/oracle/OraHome_1/j2ee/home/oc4j.jar:/home/oracle/OraHome_1/jlib/ojmisc.jar:/home/oracle/OraHome_1/j2ee/home/jaznplugin.jar:/home/oracle/OraHome_1/sysman/webapps/emd/WEB-INF/lib/click-agent.jar:/home/oracle/OraHome_1/sso/conf:/home/oracle/OraHome_1/sysman/webapps/emd/WEB-INF/lib/disco_dsc_smi.jar:/home/oracle/OraHome_1/sysman/webapps/emd/WEB-INF/lib/f90em.jarParameters passed to ssoca : param0:config param1:/home/oracle/OraHome_1 param2:cn=orcladmin param3:***** param4:"AMERICAN_AMERICA.WE8ISO8859P1" param5:http param6:localhost.localdomain param7:7777 param8:en
  Wed Aug 11 19:50:56 PDT 2010
  Parameters received by ssoca : param0:config param1:/home/oracle/OraHome_1 param2:cn=orcladmin param3:***** param4:"AMERICAN_AMERICA.WE8ISO8859P1" param5:http param6:localhost.localdomain param7:7777 param8:en Content of ssoca config file is :
  -- listing properties --
  config_sso_oid=true
  config_lang=true
  config_sso_seed=true
  config_targets_xml=true
  config_ssoupg=true
  config_dad=true
  config_em_integ=trueSSO seed is already configured in the database.ACTION by SSOConfigAssistant :
  /home/oracle/OraHome_1/bin/sqlplus [email=orasso/*****@]orasso/*****@"cn=wmz,cn=oraclecontext[email]"
  @/home/oracle/OraHome_1/sso/admin/plsql/sso/ssooidd.sql localhost.localdomain 636 "cn=orcladmin" ***** Y
  SQL*Plus: Release 10.1.0.4.2 - Production on Wed Aug 11 19:50:58 2010
  Copyright (c) 1982, 2005, Oracle. All rights reserved.
  SQL> Connected.
  SQL> Creating OID entries for SSO
  Error code : 1
  Error message: User-Defined Exception
  LDAP error : ORA-31203: DBMS_LDAP: PL/SQL - Init Failed.
  ERROR: deleting application entry
  Error code: 1
  Error message: User-Defined Exception
  ERROR: creating SSO users and groups in OID
  PL/SQL procedure successfully completed.
  *** Refreshing WWC OID cache....***
  declare
  ERROR at line 1:
  ORA-06510: PL/SQL: unhandled user-defined exception
  ORA-06512: at "ORASSO.WWSEC_OID", line 1199
  ORA-06512: at "ORASSO.WWSEC_OID", line 1328
  ORA-06512: at "ORASSO.WWSEC_OID", line 2498
  ORA-06512: at "ORASSO.WWSEC_OID", line 2528
  ORA-06512: at "ORASSO.WWSEC_OID", line 1606
  ORA-06512: at "ORASSO.WWSEC_OID", line 1755
  ORA-06512: at "ORASSO.WWSEC_OID", line 2133
  ORA-06512: at line 8
  No errors.
  Disconnected from Oracle Database 10g Enterprise Edition Release 10.1.0.4.2 - Production
  With the Partitioning, OLAP and Data Mining options
  NLS_LANG character set = AL32UTF8
  NLS_LANG param = AMERICAN_AMERICA.AL32UTF8/home/oracle/OraHome_1/jdk/bin/java
  -cp
  /home/oracle/OraHome_1/lib/xmlparserv2.jar:/home/oracle/OraHome_1/sysman/webapps/emd/WEB-INF/lib/emd.jar:/home/oracle/OraHome_1/sysman/webapps/emd/WEB-INF/lib/log4j-core.jar:/home/oracle/OraHome_1/lib/emSDK.jar
  -DORACLE_HOME=/home/oracle/OraHome_1
  oracle.sysman.emSDK.conf.TargetInstaller
  deletetarget
  oracle_sso_server
  wmz_oid.localhost.localdomain_Single Sign-OnrassoSetting the AS product version value in targets.xml to be "10.1.2.0.2".
  Calling method getASTargetInfo.
  getASTargetInfo: oracleHome = "/home/oracle/OraHome_1".
  getASTargetInfo: iasName = "wmz_oid.localhost.localdomain".
  getASTargetInfo: iAS Target Type = "oracle_ias".getASTargetInfo: StatusURL value = "http://localhost.localdomain:7777".
  Retrieved SSO protocol, host, and port info from targets.xml.
  The values are: "http://localhost.localdomain:7777".
  The following values will be used to configure the sso_server target entry in targets.xml.
  Protocol: "http".
  Hostname: "localhost.localdomain".
  Port: "7777".
  /home/oracle/OraHome_1/jdk/bin/java
  -cp
  /home/oracle/OraHome_1/lib/xmlparserv2.jar:/home/oracle/OraHome_1/sysman/webapps/emd/WEB-INF/lib/emd.jar:/home/oracle/OraHome_1/sysman/webapps/emd/WEB-INF/lib/log4j-core.jar:/home/oracle/OraHome_1/lib/emSDK.jar
  -DORACLE_HOME=/home/oracle/OraHome_1
  oracle.sysman.emSDK.conf.TargetInstaller
  addtarget
  /home/oracle/OraHome_1/sso/sso_server_target2add.xmlConfiguring SSO languages with the following language code:
  us Language us is already installed.About to execute java call using emConfigInstall.jar.
  Here are the arguments:
  /home/oracle/OraHome_1/jdk/bin/java
  -DORACLE_HOME=/home/oracle/OraHome_1
  -jar
  /home/oracle/OraHome_1/jlib/emConfigInstall.jar
  consolesn
  /home/oracle/OraHome_1/sso/conf/consoleConfigSNSegment.xml
  Finished executing the call.Child Process has exited.
  SSO Configuration Assistant failed.
  Configuration assistant "Single Sign-On Configuration Assistant" failed
  =============================
  Can someone help me?

  I had the similar issue and same error mesaage.
  One of the possible reason is the DNS and/or host file configuration.
  If the OID/SSO and metadata repository are on two different servers, make sure for both servers, the entries IP <fully qualified hostname> <Alias> reflects in host file of each of them.
  Simply click retry and the install should run to completion.
  Good Luck!

• Error occuring during import of certificate for SSO configuring in BI

  Hi,
  I am configuring the SSO with logon ticket for BI system.
  I downloaded the certificate from portal server.
  But while importing this certificate on R/3 server it shows error
  "Error occurred during import"
  Message no. TRUST008
  Please suggest me any solution on it.
  Thanks & Regards,
  Vishal.

  Hi Vishal,
  Probably the certificate already exists - see https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/0077873d-0b01-0010-1abb-cfbf21d1aa43 page 4.
  Hope it helps
  Detlev

• SSO Configuration from Windows to ITS

  Hi SAP Gurus,
  WE have our BI 7.0 system in our landscape, where SSO from windows has been configured for the
  BI portal and BI queries to be run and which is running fine.
  Now, we have a requirement where in we need to configure SSO from windows to the web services which are running on ITS.
  Like , we have certain web services , which have the URL as:
  http://lv-cphsapbi1.cph.dk:8016/irj/servlet/prt/portal/prtroot/pcd!3aportal_content!2fcom.sap.pct!2fplatform_add_ons!2fcom.sap.ip.bi!2fiViews!2fcom.sap.ip.bi.bex?INITIAL_STATE=VIEW&INITIAL_STATE-VIEW=XV_PCA_FIN_RVW_MTH_YTD_V2
  Where 8016 is the ITS port.
  Has anybody worked on such a configuration before. IF yes, then sharing of some documentation and some guidance would be really helpful.
  Thanks in advance,
  Santosh Bhat

  Dear Santosh Bhat
  Regarding the application on ITS, i.e
  http://lv-cphsapbi1.cph.dk:8016/irj/servlet/prt/portal/prtroot/pcd!3aportal_content!2fcom.sap.pct!2fplatform_add_ons!2fcom.sap.ip.bi!2fiViews!2fcom.sap.ip.bi.bex?INITIAL_STATE=VIEW&INITIAL_STATE-VIEW=XV_PCA_FIN_RVW_MTH_YTD_V2
  Normally, how do you launch it?
  - open a browser and type the URL directly?
  or
    - login the backend ABAP, and then jump to a browser from a certain transaction?
  or
    - login the portal firstly and open the ITS application as a kind of iView? if yes, what kind of iView it is?
  I hope to be able to provide you some hints after you clarify the scenario.
  Thanks
  Thunder

• Single-Sign-On (SSO) configuration on JAVA Stack through HTTP Header method

  Hello SDN community,
  in the context of a Proof of Concept, we are testing the integration of Microsoft Sharepoint Portal with SAP Backend (addin) systems.
  As the architecture impose use an external scenario (access from the internet), we couldn't use the Kerberos (SPNego) solution and thus we chosed the http header solution which in short uses an intermediary web server (in this case the IIS of the MOSS solution) which will act as authority.
  I miss information on how the workflow works for this http header authentication method. Through the visual administrator of the addin JAVA stack, it is possible to configure each application with a customized authentication (a choice of security modules). But this all that I know.
  My task is to configure SSO. From a sharepoint portal, the user should be able to access Web Dynpros and BSPs. I imagine that the very first call to a webdynpro or bsp (or maybe when we log on the sharepoint portal), the request to the WDP or BSP will first be forwareded by the intermediary server to the JAVA stack (or is it the SAP dispatcher that has to be configured).
  Is there an application to be built on the java stack to deal with the authentication, modify http header?
  What will the Java stack return? a sap long ticket? a token?
  How will the redirect work (to by example a BSP which is in the ABAP stack)?
  SAP preconise to secure with SSL the link between the intermediary web server and the JAVA stack, is IP restriction also a solution?
  A lot of questions about how this SSO http header should work,
  I would be very greatful for any help, or info,
  Kind regards,
  Tanguy Mezzano

  Hi Tanguy,
  to tell you the truth I'm really unsure about what you are trying to achieve. When I started posting to your thread I thought all you wanted was trying to access your J2EE engine via Browser and authenticate against the engine using HTTP Header Variables. Nevermind:
  Here are some answers to your question:
  in fact I did succeed, the problem was that even after domain-relaxation done by the J2EE, I had to change the domain of th SAP cookie to the bbbb.domain.com to be understood (I would have thought that all hosts in/under domain .domain would have accepted such a cookie but it seems that no...).
  The server does not care about the domain because Cookies in an HTTP Request do not contain any domain information. The domain is just important when the Cookie is set by the server so your Client (Browser) will know in which cases the Cookie may be sent or not. So if your domain is xxx.yyy.domain.com and your cookie is issued to .domain.com then your Browser will definitely sent it to all hosts under .domain.com (This includes xxx.yyy.domain.com etc.)
  My current scenario is: in a first request get a SAP Logon Ticket from the Java Stack, then change its domain and then directly call the backend with it.
  You can do that but there is no Client involved in this scenario. So this is useful if you just want to test the functionality (e.g. authentication to J2EE using Header Variables (This works finally!!!) and then use the fetched Logon Ticket to test SSO against any trusted Backend!!)
  So everything's is in a Java Client application without using any redirection.
  If I understand you, you're solution is from the Browser call a servlet (which is deployed on the Java Stack and has no authentication schema) by passing to it our http header.
  No, you should initially authenticate somewhere! I thought that maybe you had some resource you access before accessing the Java Stack. This could be any application (e.g. deployed on a Tomcat or JBOSS or other server or if you like even SAP J2EE). After authenticating there you are aware of the username and could use it to  procceed (e.g. Authenticate against the J2EE using the same user and HTTP Header authentication for that particular user!)
  That servlet will transfer the http header (with the HttpClient app) in order to get from the Java Stack a SAP Logon ticket, and then to redirect to the resource and by sending back the cookie in client browser. Am I correct?
  This was just a suggestion because I realized that there was no Client ever involved in any of your testing (looked strange to me!). I was just thinking that it would be easier for you to just get the Cookie into your Browser so your Browser would do the rest for you (in your case finally send the Logon Ticket Cookie to your Backend to test SSO using Logon Tickets!).
  The AuthenticatorServlet somehow serves as a Proxy to your client because your client is not able to set the Header Variable. That's why I initially suggested to use a Proxy (e.g. Apache) for that purpose. The problem is just that if you use a Proxy you will have to tell it somehow which username it should set in the Header Variable (e.g. using a URL Parameter or using a personalized client certificate and fetch the username (e.g. cn=<username> from the certificate!)
  This way of doing would simplify the calls for sso for each new application needing authentication, instead of having all code each time in it...
  I'm stuck again! Do you want to authenticate an End User or do you want to authenticate an application that needs to call any resources in your Backend that requires authentication?
  So my problem now, is how to call the servlet from the client browser:
  I'm trying to call my servlet from the browser but I don't succeed. I am able to understand how to reach a jsp from the Java Stack, but not to reach a servlet. I don't find the path to my servlet:
  <FORM method="POST" action="SSORedirect2" >
  A JSP is a servlet too. There is just no JAVA Class involved!
  You do not need any POST Request to invoke a Servlet.
  I see that my servlet is deployed, but I don't how what path to give to my form to invoke the servlet, here follows my web.xml
    <?xml version="1.0" encoding="UTF-8" ?>
    <!DOCTYPE web-app (View Source for full doctype...)>
  - <web-app>
    <display-name>WEB APP</display-name>
    <description>WEB APP description</description>
  - <servlet>
    <servlet-name>SSOredirect2</servlet-name>
    <servlet-class>com.atosorigin.examples.AuthenticatorServlet</servlet-class>
    </servlet>
  - <servlet>
    <servlet-name>SSORedirect2.jsp</servlet-name>
    <jsp-file>/SSORedirect2.jsp</jsp-file>
    </servlet>
  - <security-constraint>
    <display-name>SecurityConstraint</display-name>
  - <web-resource-collection>
    <web-resource-name>WebResource</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    </web-resource-collection>
  - <auth-constraint>
    <role-name>DefaultSecurityRole</role-name>
    </auth-constraint>
    </security-constraint>
  - <security-role>
    <role-name>DefaultSecurityRole</role-name>
    </security-role>
    </web-app>
  If you have an AuthenticatorServlet Class all you need is to add the Servlet Mapping in your web.xml file
  e.g.
  <servlet>
    <description>
    </description>
    <display-name>AuthenticatorServlet</display-name>
    <servlet-name>AuthenticatorServlet</servlet-name>
    <servlet-class>com.atosorigin.examples.AuthenticatorServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>AuthenticatorServlet</servlet-name>
    <url-pattern>/AuthenticatorServlet</url-pattern>
  </servlet-mapping>
  You can directly call the Servlet in your Browser by calling the URL provided in the url-pattern of your Servlet mapping ( in this case /AuthenticatorServlet). The engine will invoke the Class "com.atosorigin.examples.AuthenticatorServlet" in the background and do whatever you defined there!
  I have also to pass my http header and the redirectUrl in the GET request.
  If you like! I just suggested this for testing purposes. As I stated before you need a way to tell your proxy (or in your case AuthenticatorServlet) which user should be set when calling the Engine in order to authenticate using HTTP Header. You could use the URL Paramater to define the user you actually want to use when you set the Header Variable.
  I just introduced the redirectURL because you were talking about redirects all the time. So if you finally want to call the Backend you could define the Backend URL in the redirectURL Parameter and the Servlet will make sure that you are redirected to this location after the whole process!
  Thx for your input very helpful,
  But again 0 points
  Cheers

• SSO Configuration for HWC applications

  How to Configure SSO for HWC applications? we are configuring HTTP Authentication in SCC for Single SignOn but not been successful. Debugging the issue we found that  MYSAPSSO2 cookie is not being returned.and SSO is not configured in SAP .
  How to enable SSO in HWC apps.
  What are the Other options to ask password in HWC apps( adding additional Security Layers)

  Kunal raman
  You/BASIS admin can check in that particular SAP system.
  Go to Transacation RZ10
  Select Instance Profile as shown in the below diagram
            3
  3 .Click on Display
  4. Then you can see parameter name and its value as below
  Rgrds,
  Jitendra

• SSO Configuration not working - Still asking for Userid and password

  Hi Guys,
  I have configured Portal to use with backend server. Configured WAS & ITS and created System Alias.
  For Testing SSO I did following steps on portal:
  System Administration > Support > SAP Appliction > SAP Transaction
  Selected system Alias and tcode se12. Selected SAPGUI for HTML. Pressed Go.
  Instead of SE12 screen, I get Logon Screen asking for USERID and password.
  I should be getting SE12 screen directly without entering USERID and PASSWORD.
  I tested with Transaction iView (SE12)  and getting the same logon screen. After entering userid/password  it displays SAP Easy Access menu instead of displaying SE12
  Please help.
  Thanks a lot.
  mini

  Hi Sandeep.
  Thanks for your reply. Here are the answers to your questions:
  1. Is the username same in the portal and the backend that you are trying to connect, ensure that there is the same username that exists in the system you want to connect to. YES
  2. The ticket is imported properly- check the ACL and Certificate list in Tcode STRUSTSSO2.
  Ticket is valid from 01 Jan 2009 to 14 Mar 2012.
  3. Check for the parameters in place login_accept_ticket = 1 and login_create_ticket = 2 and icm_hostname_full is set to FQDN. 
  In RZ10 it has 3 parameters:
  login/accept_sso2_ticket = 1
  login/create_sso2_ticket = 2
  icm/host_name_full = sapecc6.tri.com 
  4. What is the result when you test the system connection?
  WAS & ITS Connections are successful.
  Connection test for Connectors is giving following results:
  Results
  Retrieval of default alias successful
  Connection failed. Make sure user mapping is set correctly and all connection properties are correct.
  My Connectors Details:
  Application Host : sapecc6
  Gateway Host : sapecc6.tri.com
  Gateway Host : 3301
  SAP Client : 800
  SAP Client : EC7
  SAP System Number : 01
  Server Port: 3201
  System Type: SAP_R3
  I am using same userid for Portal and backend.
  5. Are the 2 systems that you want to configure SSO in the same domain?
  I am trying to connect R3 to Portal.
  Please give me directions to fix the problem.

• 11.1.2.1 SSO configuration

  We are trying to setup SSO integration between Hyperion and EBS 12.1.3 for seamless drill down.
  EBS SSO integration is working fine, but Hyperion integration fails. After OAM authentication the workspace screen is not shown but EPM login screen is shown.
  Steps performed:
  1. Registered Partner application on OAM.
  2. Added mod_osso.conf in http.conf(EPM_ORACLE_INSTANCE/httpConfig/ohs/config/OHS/
  ohs_component/httpd.conf)
  3. Configure the OID that the OSSO solution uses as an external user directory.
  4. Enable SSO in the EPM System - OSSO as the identity management solution (Proxy-
  Remote-User as the name of the custom HTTP header)
  5. Restart services.
  http://<Server>:<port>/interop/index.jsp redirects to OAM screen and after authentication, the EPM application login is shown.
  Please help if somebody has any detailed guide(other than EPM security Guide - standard documentation) for SSO setup.

  Hello,
  Actually the config of SSO, it is not for EAS, but rather for the addin 'in excel, but I have to create my cubes in eas of sudden I pass by adding essbase server, so when I add my I leave server essbase Use Single Sign On, but I checked the error message.
  So I thought it was due to provisioning, I added in my file css_config.xml lines above but
  <msad name="msad1">
  <trusted> false </ trusted>
  <url> ldap :/ / w2k8-6: 389/DC = local, DC = lan </ url>
  <userDN> cn = ssouser </ userDN>
  <password> password123% </ password>
  <authtype> simple </ authType>
  <authProtocol> </ authProtocol>
  <identityAttribute> dn </ identityAttribute>
  <user>
  <url> CN = Users </ url>
  <loginAttribute> sAMAccountName </ loginAttribute>
  <fnAttribute> givenName </ fnAttribute>
  <snAttribute> </ snAttribute>
  <emailAttribute> </ emailAttribute>
  <objectclass>
  <entry> person </ entry>
  <entry> organizationalPerson </ entry>
  <entry> user </ entry>
  </ objectclass>
  </ user>
  <group>
  <url> CN = Builtin </ url>
  <nameAttribute> cn </ nameAttribute>
  <objectclass>
  <entry> group? member </ entry>
  </ objectclass>
  </ group>
  <property>
  <key> com.hyperion.css.followReferral </ key>
  <value> true </ value>
  </ property>
  </ MSAD>
  But nothing.
  In summary I have a essbase standalone, and I want to configure SSO for add'in essbase and connected with my past without MSAD by shared services.
  Thank you in advance for your sharing!