Single Sign-On (Portal to R/3 Backend)

Hi all,
I'm trying to implement Single Sign On (SSO) between our SAP portal (front end) and SAP R/3 ECC 6.0 Backend.  Keep in mind this has nothing to do with Active Directory.
I read posting after posting from this site and I can't tell you how much documentation and can't seem to get to the root cause of the problem.
To sum it up, the Test connections in the Portal, which there are 3 (SAP Web AS Connection, ITS Connection, and Connection Test for Connectors)
The connection tests work for the first 2.  The one that fails is the Connector.
The errors are not much help.  Here is what I get.
Test Details:
The test consists of the following steps:
1.     Retrieve the default alias of the system
2.     Check the connection to the backend application using the connector defined in this object.
Results:
1.     Retrieval of default alias successful.
2.     Connection failed.  Make sure the Single Sign-On is configured correctly. 
Details:       Portal Host name = lansapdep01
     Backend Host name = lansapdev01
Property Category:  Connector
Application Host = lansapdev01
Gateway Host = lansapdev01
Logical System Name = devcln150
Remote Host type = 3
SAP Client = 150
SAP System ID <SID> = DEV
System Number = 01
Server Port 3600
System Type =  SAP R/3

You use Server Port 3600, message server.
It means, while creating a system you used wrong template and picked "SAP system using dedicated application server".
You should use "SAP system with load balancing", since message server is doing load balancing.
Once you selected correct template you will see "Message Server" instead of App and GW servers.
Make sure to fill in
Group  - Logon group to use. If not defined in R3, use SPACE
Message Server - ansapdev01
SAP Client = 150
SAP System ID <SID> = DEV
Server Port 3600
System Type = SAP R/3
It should work.
Regards,
Slava

Similar Messages

  • SSO (single sign on) on NetWeaver 7.0 Enterprise Portal based on spnego with Microsoft Active Directory

    Hi,
    we are using SAP Netweaver Enterprise Portal 7.0 (SP25) based on Windows 2008 R2/Oracle 11g.
    When we setup the Portal, we used the UME of the ECC - ABAP.
    The portal is used internally only.
    Now we want to provide SSO.
    User authenticate against Windows Active Directory (Windows 2003).
    We thought SSO via spnego would be the best solution.
    Any better alternates, we should use?
    We are following the SAP documentation:
    SAP-Bibliothek - Benutzerauthentifizierung und Single Sign-On
    We still want to create users in ABAP and assign them the portal roles. LDAP access should only have read access, to verify the security token from Active Directory.
    When we setup the portal from scratch using ABAP as its UME, in the system configuration, LDAP can't be selected/add as data source.
    In case we understand the documentation correctly, we would now need to add LDAP via the configtool for read access.
    What is not clear to us is whether we would lose the ABAP connection when we now activate LDAP via the config tool.
    Is there a tutorial for SSO Netweaver 7.0 EP, like for EP 7.3, available?
    In 7.3 SSO is pretty simple to get it running, thanks to the many tutorials here and on the internet.
    Thanks for your help.
    Best regards
    Carlos Behlau

    Hi,
    I was able to generate the key via ktab program.
    But when I enable SSO, nothing happens when I try to log on via SSO to the portal.
    I installed WebDiag tool on the portal server and ran trace.
    The users are located in domain: company.com of Active Directory.
    The Java AS are located in domain: sap.company.com of Active Directory.
    The sap.company.com domain acts as child of company.com.
    When I check the WebDiag trace, I see for the SPNegoLoginModule - the entry "... no key (etype: 23) for realm sap.company.com available ..."
    I would expect company.com as realm key, as the keytabs have been generated on the domain controller of company.com.
    Is it possible to get SSO with child domain running?
    Based on the statement of the network folks, child and father domain having a trust.
    Thanks for your help.
    Best regards
    Carlos

  • Single Sign-On Netweaver Portal with Cornerstone On Demand

    Hi
    Does anyone have experience with Single Sign-On between SAP Netweaver Portal and the Learning Management System of Cornerstone On Demand?
    The options are:
    - SAML: but at this moment we don't have SAML provider. Is it easy to use this with Netweaver 7.01 SP6 ?
    - standard SSO : encrypted string between SAP portal and LMS: client sends encrypted string with userid...based on encryption algorithm.: Has someone developed this (java code) for SSO to an other system?
    But can they use Sap Login Tickets?
    Best regards
    Luc

    Hi,
    I just recently implemented SSO between SAP system and on demand solution from 3rd party provider. We didn't have any guy with Java skills so we implemented HTTP handler in SICF that generates web page with redirection to the 3rd party system. ABAP does not have a good support for various encryption algorithms so we used javascript interpreter available in ABAP AS. Portal just points to ICF service on ECC system that redirects to on demand solution. Implementation took one day. Obviously, in this case all users had to have account in ECC system.
    Cheers

  • Single Sign On -- Enterprise portal and BI JAVA

    Hi,
    I need to watch reports BI J2ee from an EP 7.00. I have configured the single sign On but it works just for ABAP BI Stack.
    This is what I have done for SSO JAVA:
    Importing the BI JAVA Certificate to the SAP NetWeaver 2004s Portal (SAP EP 7.0)
           1.      Start the SAP J2EE Engine Administrator with %INSTALLATION_ROOT%admingo.bat.
           2.      Connect to the portal server.
           3.      Choose  are the values of and of certificate SAPLogonTicketKeypair-cert (see above).
    You also have to add these values under evaluate_assertion_ticket:
       13.      Start the SAP J2EE Engine Administrator with %INSTALLATION_ROOT%admingo.
       14.      Connect to the portal server.
       15.      Choose  (for example, CN=J2E)
    Any clue?
    Regards

    Hi Jorge,
    if the UME is used with an ABAP based system as the back-end user storage, do the following:
    Generate and export the Portal Certificate:
    Go to Visual Administrator
    Choose <SID> - Server - Services - Key Storage - from the tree Select the view TicketKeystore under Views
    If the SAPLogonTicketKeypair exist, delete it.
    If the SAPLogonTicketKeypair-cert exist, delete it.
    Generate a portal certificate using the following steps:
    Under Entry choose Create.
    Enter the following values in "Key and Certificate Generation"
    Organization Unit Name (OU) = J2EE
    Common Name (CN) = <SID>
    Entry Name = SAPLogonTicketKeypair
    Store Certificate: X
    Algorithm: DSA
    Click "Generate"
    Import the Portal Java Certificate into ABAP
    STRUSTSSO2
    System PSE:
    "Import Certificate" - Choose your exported .crt file - File format = Binary
    Click "Add to Certificate List"
    Click "Add to ACL" - System ID = <SID>, Client = 000
    save it.
    Export PSE ABAP Certificate and import into J2EE Portal:
    STRUST
    Choose PSE, export it and save as <SID>.pse
    sapgenpse export_p12 -p <SID>.pse <SID>.p12
    copy the generated p12 file <SID>.p12 to J2EE Portal
    Go to Visual Administrator
    Choose <SID> - Server - Services - Key Storage - from the tree Select the view TicketKeystore under Views
    export the .p12 ABAP certificate with "Load"
    adjust com.sap.security.core.server.jaas.EvaluateAssertionTicketLoginModule:
    Choose <SID> - Server - Services - Security Provider - from the components tree select evaluate_assertion_ticket
    ensure that trustediss<n>, trusteddn<n>, trustedsys<n> are correctly set.
    ume.configuration.active = true.
    restart the ICM in SMICM
    If you also want to use SSL, there are some further steps to be done.
    Regards,
    Gerd

  • Single Sign-On integration with 3rd party website portal

    A client of ours for whom we have developed a Business Catalyst (BC) website wants their website's users simultaneously authenticated on their own site and also on a MemberSuite member management website portal, which essentially amounts to a Single Sign-On (SSO) solution. Is there any capability within BC to allow a process like this? Any examples of others who have accomplished similar SSO integrations?

    There is no out of the box solution but it could be done in a few ways; it would all depend on what the "membersuite member management website portal" could do. The BC database would have to be the master database in terms of username and password, as there is no way to log someone in via an API, depending on how the other software is set up, what sort of output it could give and how its authentication system worked. Can you provide more info?

  • Use single sign on for multiple portal domains

    Is it possible for a user to sign on once to a domain, and then be able to access other domains. What I'm trying to do is have one user registration page/login page, but use different portal server domains to present different sites, while at the same time having a type of single sign on, once a user has entered his credentials. Thus my registration process will create a new ldap user in an external directory, and i can then just point all the different domains to that External Ldap directory.

    I wouldn't recommend this because it would affect performance plus there are potential other issues like conflict that you would run into ..
    Every time a user logs in, a new session is created for him, and this means a user might have multiple sessions on the server. The cookie that is also set is per portal domain, so it might not work.
    An alternative approach might be to have multiple roles and then customize the role for different views. You can modify the membership code in such a way that based on certain criteria you can assign him to a particular role, equivalent to your domain. However the problem could be if you want to provide delegated admin, currently the delegated admin is only at a domain level.

  • SAP Netweaver Portal Single Sign On.

    Ok, I need some help!
    We have a dashboard that is accessed through a SAP Netweaver Portal.  The Dashboard gets its data from a LiveOffice Crystal Reports object which, when refreshed, asks the user for the BOE logon credentials. The users do not want to have to log in to the BOE for the Crystal Report to refresh, so the question is: has anyone successfully managed to use some method of Single Sign On from SAP Netweaver to BOE (v3.1) for a dashboard SWF refresh?
    Many thanks
    [Charles|http://www.reportex.co.uk]

    Hi Charles,
    can you share with us the configuration steps needed in the SAP Portal in order to use SSO?
    Thank you.
    Best regards
    Victor

  • Single  Sign on Issue for new Portal Users

    We are implementing ESS on EP 6.0. the architecture is like EP 6.0 - ITS - R/3.
    and we want to implement the single sign-on. so that when the users login the portal, the Portal Authenticates the user and then portal uses just the Portal UserID and logs in ITS/R3 without verifying the SAP PWD. Portal ID and SAP ID are same.
    The single sign on is working fine for those users who already have an SAP ID.
    we need to create new R/3 ID's for the new employees. and we don't wanna let the employees login in directly to R/3.
    When we create a new ID in R/3 and login for the first time in R/3, it asks to change the password.
    since the new employees won't be using R/3 and they login through portal and b'cos we implemented single signon, the portal tries to login in r/3 using the Portal ID/R3 ID, but the SAP R/3 ID is not actived since the user did not change the password, the SSO is failing.
    We didn't wanna assign the R/3 ID a password. since it will be an audit issue.
    Can anybody give any suggestions, so that the administrator need not assign a password and the users need not login in r/3 and change the pwd for the first time.
    Hope you understand my problem, if u need any clarification, let me know..
    Thanks.

    Hi Gopi-
    You can override the password check when a valid logon ticket is presented by setting the profile parameter:
    login/password_change_for_SSO   0
    using RZ10 in the instance profiles.  (Requires a restart of R/3)
    This overrides the password prompt/check when the user presents a valid logon ticket. 
    Hope this helps you out.
    Thanks,
    Marty

  • Using the Portal Single Sign-On for java applet clients

    Hi
    We have a task to build a java applet working within a portlet and communicating to some session EJB(wrapped BC4J) running on the OC4J. The applet is presumably connecting to server via RMI. This connection should be restricted to some groups of portal users.
    When a user is entering the applet he is supposed to be already logged into the Portal.
    There is a lot of information on building custom secure portlets using only a pure HTML(same as JSP) client with the help of the Portal Single Sign-On.
    But, is it possible to use the Single Sign-On for establishing a secure RMI connection from applet to OC4J without entering a password in the applet once more?
    Yuriy

    Perhaps you can write a small JSP page or PLSQL
    web procedure that will grab user name from
    the SSO Server (via SSOSDK/mod_osso)
    and invoke the applet with encrypted user name.
    The applet will receive the encrypted username
    and decrypt it to get the clear user name.
    This helps to get Single Sign-On.
    To make sure that environment is secure, encrypted
    user name parameter should have random salt,
    user name, and time stamp to prevent replay attack.
    Applet must make sure that the encrypted users name
    time stamp set by the JSP/PLSQL page has value
    within a reasonable time limit like 5 minutes
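
The token scheme suggested in the reply above, as an added Java example that is not part of the original post: a user name and issue time encrypted under a fresh random nonce with AES-GCM, then checked against the 5-minute limit and a set of already-seen nonces. AES-GCM, the class and method names and the sample user are assumptions of this example; it also assumes the check runs on the side that can keep the key secret, since a key shipped inside an applet is readable by the client.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

public class SsoTokenDemo {
    static final long MAX_AGE_MS = 5 * 60 * 1000L;  // the 5-minute limit suggested in the post
    static final int NONCE_LEN = 12, TAG_BITS = 128;
    static final SecureRandom RNG = new SecureRandom();
    // Nonces already accepted, so a captured token cannot be reused inside the window.
    // (A real service would also expire entries older than MAX_AGE_MS.)
    static final Set<String> SEEN = ConcurrentHashMap.newKeySet();

    // Issuer (the JSP page): encrypt [8-byte issue time || user name] under a fresh random nonce.
    static String issue(SecretKey key, String user, long nowMs) throws GeneralSecurityException {
        byte[] nonce = new byte[NONCE_LEN];
        RNG.nextBytes(nonce);
        byte[] name = user.getBytes(StandardCharsets.UTF_8);
        byte[] plain = ByteBuffer.allocate(Long.BYTES + name.length).putLong(nowMs).put(name).array();
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = c.doFinal(plain);
        byte[] token = ByteBuffer.allocate(NONCE_LEN + ct.length).put(nonce).put(ct).array();
        return Base64.getUrlEncoder().withoutPadding().encodeToString(token);
    }

    // Verifier: returns the user name; throws if the token is malformed, modified, stale or replayed.
    static String verify(SecretKey key, String token, long nowMs) throws GeneralSecurityException {
        byte[] raw = Base64.getUrlDecoder().decode(token);  // IllegalArgumentException if not base64url
        if (raw.length < NONCE_LEN + Long.BYTES + TAG_BITS / 8)
            throw new GeneralSecurityException("token too short");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, raw, 0, NONCE_LEN));
        // The GCM tag check fails here (AEADBadTagException) if any byte was changed.
        ByteBuffer plain = ByteBuffer.wrap(c.doFinal(raw, NONCE_LEN, raw.length - NONCE_LEN));
        long age = nowMs - plain.getLong();
        if (age < 0 || age > MAX_AGE_MS)
            throw new GeneralSecurityException("outside the 5-minute window");
        if (!SEEN.add(Base64.getEncoder().encodeToString(Arrays.copyOf(raw, NONCE_LEN))))
            throw new GeneralSecurityException("token already used");
        byte[] name = new byte[plain.remaining()];
        plain.get(name);
        return new String(name, StandardCharsets.UTF_8);
    }

    static String outcome(SecretKey key, String token, long nowMs) {
        try { return "accepted for " + verify(key, token, nowMs); }
        catch (GeneralSecurityException | IllegalArgumentException e) { return "rejected: " + e.getMessage(); }
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();   // demo key; shared by issuer and verifier in practice
        long t0 = System.currentTimeMillis();
        String token = issue(key, "jdoe", t0);   // "jdoe" is a constructed sample user
        System.out.println("fresh    -> " + outcome(key, token, t0 + 1_000));
        System.out.println("replayed -> " + outcome(key, token, t0 + 2_000));
        System.out.println("stale    -> " + outcome(key, issue(key, "jdoe", t0), t0 + MAX_AGE_MS + 1));
        byte[] raw = Base64.getUrlDecoder().decode(issue(key, "jdoe", t0));
        raw[raw.length - 1] ^= 1;           // flip one bit of the ciphertext/tag
        String tampered = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        System.out.println("tampered -> " + outcome(key, tampered, t0 + 1_000));
    }
}
```

The time window alone still lets a captured token be reused for up to five minutes, which is why the example also records each accepted nonce.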

  • Single Sign-On Error while uploading file via WEBADI

    Hello,
    I am getting error while uploading the file via WEBADI. Below is the error message.
    Error Message:
    The Single Sign-On server registration is invalid. Please contact the System Administrator.
    I noticed that this template is uploading data when I connect to Oracle applications and go to WEB ADI responsibility and create a new template.
    In order to make this WEBADI work do I have to create a new template each time I upload the file?
    Our goal is to use the same template, change the numbers and re load it.
    Also, Is there any way I can go to login screen when I click on UPLOAD under ORACLE in excel. That way connection is established.
    Thanks for the help.

    Hi, Actually NW Portal and SQL server has been installed on the same machine.
    Now I am trying to add my SQL server as a JDBC system and checking the connections and I do not see a property under User Management.
    When I try to connect to R/3 backend system "...Dedicated Application server" then I can see the property but not for the JDBC system.
    any clue how to get rid of the error and to check the connection.
    Thanks in advance.
    Gopi m.

  • Test Connector error; Single Sign On configuration

    Hi,
    I did a test on my SAP BI query system created in the portal. When I perform the "Test Connector with Connector" results are as follows;
    Test Connection with Connector
      Test Details:
    The test consists of the following steps:
    1. Retrieve the default alias of the system
    2. Check the connection to the backend application using the connector defined in this system object
      Results
    Retrieval of default alias successful
    Connection failed. Make sure that Single Sign-On is configured correctly
    So my SSO is not configured correctly. Does anyone know where in the portal I can check my SSO configuration and what to look for?

    Hai,
    Check the below link.....
    http://help.sap.com/saphelp_nw04s/helpdata/en/a3/e5a0404dd52b54e10000000a1550b0/frameset.htm
    Regards,
    Yoganand.V
    Edited by: Yoganand Vedagiri on Jan 28, 2009 11:23 AM

  • Proxy Server and single sign on (SSO)

    We are currently running Portal 7.  I've enabled single sign on via logon tickets from portal to our backend ECC 6.0 and CRM 5.0 systems and it's working fine.  For demoing to clients we've employed the Apache webserver for reverse proxy.  This reverse proxy server is located in the DMZ, on a domain of its own.  I can access the portal fine through the reverse proxy but now the single sign on to our backend ECC and CRM systems doesn't work.  I know the issue lies with the difference in the domain.
    Has anyone come across an issue such as this and can lend me some help?

    Hi,
    Domain relaxing will not work in this setting, ref. RFC 2109 http://www.ietf.org/rfc/rfc2109.txt
    What you need to do is to create a DNS alias for the portal on domain [something].[company].com. Then create a portal component which returns the MYSAPSSO2 cookie and create an URL iView for it with the DNS alias hostname and add it to the default framework page. In this way, persons logging in will get the MYSAPSSO2 cookie for both domains [sap subdomain].[network domain].local and [network domain].[company].com
    Regards
    Dagfinn

  • Single Sign Issue in Ess

    Dear All,
    EP7.0 SP9, ECC5
    We have a major issue in ESS. The problem is with single sign on.
    Here are the scenarios we are using :-
    1. We are using "training1" as EP login id and in PA30 in R/3 InfoType 105 and Sub Infotype 0001 The same ID "training1" (Same as EP log in), the portal is picking the data properly and working fine.
    2. If we use training1 as EP loginID and in PA30 in R/3 InfoType 105 and Sub Infotype 0001 if we use exeibckk (R/3 ID created for each individual user as communication user),
    we are getting error "User TRAINING1 does not exist in this period"
    we need to go ahead with the Step2, since all the EP login users are LDAP configured and,it has more than 15 characters, we cannot use EP login ID in InfoType 105 and Sub Infotype 0001
    since it is restricted to 12 Characters.
    e.g:
    EP user ID is - shivakumar_ks ( taken from LDAP)
    where as his R/3 or ESS user ID is - P000000002
    since the login ID and R/3 ID are different,The system is throwing the error mentioned above.
    We map the Shivakumar_ks with P000000002 in the EP Personalize option. But it is
    not picking up the mapping. It tried to find the Shivakumar_ks in R/3 and fails.
    Even though we are giving the UIDPWD in the system Logon Method.
    Can anyone please give me the solution on the above.
    Thanks in advance
    Ponnusamy P

    Hi,
    As correctly mentioned here by debasish, most of the iviews in ESS and MSS use JCo Connections but there are some iviews which are IACs.
    In this case, you need to configure both JCo connections as well as user mapping. In case of PA30, which could be an IAC or a transaction iview, you may just focus on User Mapping. But for the webdynpro applications, you would need JCo Connections.
    The link provided by Antonio clearly explains the steps. In brief, these are the steps involved:
    1) Create System and an alias. Make sure that you use the logon method UIDPW.
    2) Using the Personalization link, select a system and give the backend username and password. Save it.
    Log off and test if it works.
    Hope this helps.
    Regards,
    Sunil
    PS: Reward points for helpful answers.

  • Single Sign On after Systemcopy doesn't work

    Hello,
    I have a problem with single sign on.
    What we did. We installed a new testportal (EP 6.0 SP 15) with a Systemcopy from our old testportal.
    Everything works fine; only single sign on doesn't work.
    We deleted the old SSO Ticket in the SAP-Backend-System and imported the new SSO Ticket (from the new testportal) into the SAP-System.
    The result is: From the old portal Single Sign on works. But from the new portal I get the SAP-Login-Screen.
    What can i do?
    Thank you
    Martin

    Hi Martin,
    After the system copy I would suggest creating a new SAPLogonTicket keypair on the new portal, and add the public certificate to the certificate list and ACL of the backend:
    http://help.sap.com/saphelp_nw04s/helpdata/en/75/c80b424c6cc717e10000000a155106/content.htm
    As the SSO tickets are generated using this keypair it appears that your ticket is not 'recognized' as coming from the new portal. Note that if your new portal has a different SID you need it to add it to the ACL with this new SID. If you exchange the certificate you need to add the ACL entry again as well.
    Best regards,
    Walter

  • Partner application single sign-on and Oc4j

    hello,
    I'm trying to test portal's partner application single sign-on, following the examples inside the "Oracle9 iAS Single Sign-On Application Developers Guide":
    With Tomcat as jsp engine everything works fine, but with Oc4j when I try to enter the protected jsp page i have this exception:
    oracle.security.sso.enabler.SSOEnablerException: java.lang.IllegalStateException: OutputStream already retrieved
         at SSOEnablerBean.getSSOUserInfo(SSOEnablerBean.java:153)
         at SSOEnablerJspBean.getSSOUserInfo(SSOEnablerJspBean.java:57)
         at /protetta.jsp._jspService(/protetta.jsp.java:37) (JSP page line 4)
    Any suggestion?
    Thanks in advance.

    I get the same problem with my partner application. It runs fine on JServer but I get the following problem on oc4j:
    oracle.security.sso.enabler.SSOEnablerException: java.lang.IllegalStateException: OutputStream already retrieved     
    at oracle.br.aerochain.sso.SSOEnablerBean.getSSOUserInfo(SSOEnablerBean.java, Compiled Code)     
    at oracle.br.aerochain.sso.SSOEnablerJspBean.getSSOUserInfo(SSOEnablerJspBean.java, Compiled Code)     
    at /jsp/papp.jsp._jspService(/jsp/papp.jsp.java, Compiled Code)     
    at com.orionserver[Oracle9iAS (9.0.2.0.0) Containers for J2EE].http.OrionHttpJspPage.service(OrionHttpJspPage.java, Compiled Code)     
    at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.HttpApplication.serviceJSP(HttpApplication.java, Compiled Code)     
    at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.JSPServlet.service(JSPServlet.java, Compiled Code)     
    at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java, Compiled Code)     
    at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java, Compiled Code)     
    at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java, Compiled Code)
    at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.HttpRequestHandler.run(HttpRequestHandler.java, Compiled Code)
    at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].util.ThreadPoolThread.run(ThreadPoolThread.java, Compiled Code)
    Did anyone get a solution for this?
    TIA
