Single-Sign-On (SSO) configuration on JAVA Stack through HTTP Header method

Hello SDN community,
in the context of a Proof of Concept, we are testing the integration of Microsoft Sharepoint Portal with SAP Backend (addin) systems.
As the architecture imposes an external scenario (access from the internet), we couldn't use the Kerberos (SPNego) solution and thus we chose the HTTP header solution, which in short uses an intermediary web server (in this case the IIS of the MOSS solution) that will act as the authority.
I am missing information on how the workflow works for this HTTP header authentication method. Through the Visual Administrator of the addin Java stack, it is possible to configure each application with a customized authentication (a choice of security modules). But this is all that I know.
My task is to configure SSO. From a SharePoint portal, the user should be able to access Web Dynpros and BSPs. I imagine that on the very first call to a Web Dynpro or BSP (or maybe when we log on to the SharePoint portal), the request to the WDP or BSP will first be forwarded by the intermediary server to the Java stack (or is it the SAP dispatcher that has to be configured?).
Is there an application to be built on the java stack to deal with the authentication, modify http header?
What will the Java stack return? a sap long ticket? a token?
How will the redirect work (to, for example, a BSP which is in the ABAP stack)?
SAP recommends securing the link between the intermediary web server and the Java stack with SSL; is IP restriction also a solution?
A lot of questions about how this SSO HTTP header should work,
I would be very grateful for any help or info,
Kind regards,
Tanguy Mezzano

Hi Tanguy,
to tell you the truth I'm really unsure about what you are trying to achieve. When I started posting to your thread I thought all you wanted was trying to access your J2EE engine via Browser and authenticate against the engine using HTTP Header Variables. Nevermind:
Here are some answers to your question:
in fact I did succeed, the problem was that even after domain-relaxation done by the J2EE, I had to change the domain of the SAP cookie to the bbbb.domain.com to be understood (I would have thought that all hosts in/under domain .domain would have accepted such a cookie but it seems that no...).
The server does not care about the domain because Cookies in an HTTP Request do not contain any domain information. The domain is just important when the Cookie is set by the server so your Client (Browser) will know in which cases the Cookie may be sent or not. So if your domain is xxx.yyy.domain.com and your cookie is issued to .domain.com then your Browser will definitely send it to all hosts under .domain.com (this includes xxx.yyy.domain.com etc.).
My current scenario is: in a first request get a SAP Logon Ticket from the Java Stack, then change its domain and then directly call the backend with it.
You can do that but there is no Client involved in this scenario. So this is useful if you just want to test the functionality (e.g. authentication to J2EE using Header Variables (This works finally!!!) and then use the fetched Logon Ticket to test SSO against any trusted Backend!!)
So everything is in a Java Client application without using any redirection.
If I understand you, your solution is to call, from the Browser, a servlet (which is deployed on the Java Stack and has no authentication schema), passing our HTTP header to it.
No, you should initially authenticate somewhere! I thought that maybe you had some resource you access before accessing the Java Stack. This could be any application (e.g. deployed on a Tomcat or JBOSS or other server or if you like even SAP J2EE). After authenticating there you are aware of the username and could use it to proceed (e.g. authenticate against the J2EE using the same user and HTTP Header authentication for that particular user!)
That servlet will transfer the http header (with the HttpClient app) in order to get from the Java Stack a SAP Logon ticket, and then to redirect to the resource and by sending back the cookie in client browser. Am I correct?
This was just a suggestion because I realized that there was no Client ever involved in any of your testing (looked strange to me!). I was just thinking that it would be easier for you to just get the Cookie into your Browser so your Browser would do the rest for you (in your case finally send the Logon Ticket Cookie to your Backend to test SSO using Logon Tickets!).
The AuthenticatorServlet somehow serves as a Proxy to your client because your client is not able to set the Header Variable. That's why I initially suggested to use a Proxy (e.g. Apache) for that purpose. The problem is just that if you use a Proxy you will have to tell it somehow which username it should set in the Header Variable (e.g. using a URL Parameter or using a personalized client certificate and fetch the username (e.g. cn=<username>) from the certificate!)
This way of doing would simplify the calls for sso for each new application needing authentication, instead of having all code each time in it...
I'm stuck again! Do you want to authenticate an End User or do you want to authenticate an application that needs to call any resources in your Backend that requires authentication?
So my problem now, is how to call the servlet from the client browser:
I'm trying to call my servlet from the browser but I don't succeed. I am able to understand how to reach a jsp from the Java Stack, but not to reach a servlet. I don't find the path to my servlet:
<FORM method="POST" action="SSORedirect2" >
A JSP is a servlet too. There is just no JAVA Class involved!
You do not need any POST Request to invoke a Servlet.
I see that my servlet is deployed, but I don't know what path to give to my form to invoke the servlet. Here follows my web.xml:
  <?xml version="1.0" encoding="UTF-8" ?>
  <!DOCTYPE web-app (View Source for full doctype...)>
  <web-app>
    <display-name>WEB APP</display-name>
    <description>WEB APP description</description>
    <servlet>
      <servlet-name>SSOredirect2</servlet-name>
      <servlet-class>com.atosorigin.examples.AuthenticatorServlet</servlet-class>
    </servlet>
    <servlet>
      <servlet-name>SSORedirect2.jsp</servlet-name>
      <jsp-file>/SSORedirect2.jsp</jsp-file>
    </servlet>
    <security-constraint>
      <display-name>SecurityConstraint</display-name>
      <web-resource-collection>
        <web-resource-name>WebResource</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>DefaultSecurityRole</role-name>
      </auth-constraint>
    </security-constraint>
    <security-role>
      <role-name>DefaultSecurityRole</role-name>
    </security-role>
  </web-app>
If you have an AuthenticatorServlet Class all you need is to add the Servlet Mapping in your web.xml file
e.g.
<servlet>
  <description>
  </description>
  <display-name>AuthenticatorServlet</display-name>
  <servlet-name>AuthenticatorServlet</servlet-name>
  <servlet-class>com.atosorigin.examples.AuthenticatorServlet</servlet-class>
</servlet>
<servlet-mapping>
  <servlet-name>AuthenticatorServlet</servlet-name>
  <url-pattern>/AuthenticatorServlet</url-pattern>
</servlet-mapping>
You can directly call the Servlet in your Browser by calling the URL provided in the url-pattern of your Servlet mapping ( in this case /AuthenticatorServlet). The engine will invoke the Class "com.atosorigin.examples.AuthenticatorServlet" in the background and do whatever you defined there!
I have also to pass my http header and the redirectUrl in the GET request.
If you like! I just suggested this for testing purposes. As I stated before you need a way to tell your proxy (or in your case AuthenticatorServlet) which user should be set when calling the Engine in order to authenticate using HTTP Header. You could use the URL Parameter to define the user you actually want to use when you set the Header Variable.
I just introduced the redirectURL because you were talking about redirects all the time. So if you finally want to call the Backend you could define the Backend URL in the redirectURL Parameter and the Servlet will make sure that you are redirected to this location after the whole process!
Thx for your input very helpful,
But again 0 points
Cheers
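
The thread asks whether SSL or IP restriction should protect the link between the intermediary and the Java stack, and the reply proposes an AuthenticatorServlet that takes a user and a redirectURL. The checks such a setup depends on, as an added Java example (not code from the thread or from SAP; the header name, hosts, addresses, paths and user are assumptions):

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/** Added illustration only; every name and value in this class is hypothetical. */
public class HeaderSsoGuard {

    // Hypothetical header name; use whatever the engine's login module is configured to read.
    static final String USER_HEADER = "X-Remote-User";

    /**
     * Engine side: honour the user header only on connections from the intermediary.
     * remoteAddr must be the TCP peer address, not a value copied from another header.
     * An address check gives no confidentiality or integrity on the wire, so it
     * complements TLS on this link rather than replacing it.
     */
    static boolean isFromTrustedProxy(String remoteAddr, Set<String> trustedProxies) {
        return remoteAddr != null && trustedProxies.contains(remoteAddr);
    }

    /**
     * Intermediary side: build the headers forwarded to the engine. Any copy of the
     * user header sent by the browser is dropped (header names are case-insensitive),
     * then the header is set from the identity the intermediary authenticated itself,
     * never from a URL parameter.
     */
    static Map<String, String> buildUpstreamHeaders(Map<String, String> clientHeaders,
                                                    String authenticatedUser) {
        // Restricting the character set also keeps CR/LF out of the header value.
        if (authenticatedUser == null || !authenticatedUser.matches("[A-Za-z0-9._-]{1,64}")) {
            throw new IllegalArgumentException("no authenticated user, refusing to forward");
        }
        Map<String, String> out = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : clientHeaders.entrySet()) {
            if (!e.getKey().equalsIgnoreCase(USER_HEADER)) {
                out.put(e.getKey(), e.getValue());
            }
        }
        out.put(USER_HEADER, authenticatedUser);
        return out;
    }

    /** Follow redirectURL only to https URLs on an allowlisted backend host. */
    static String safeRedirect(String redirectUrl, Set<String> allowedHosts, String fallback) {
        if (redirectUrl == null) {
            return fallback;
        }
        try {
            URI uri = new URI(redirectUrl);
            String host = uri.getHost();
            if (!"https".equalsIgnoreCase(uri.getScheme()) || host == null
                    || uri.getRawUserInfo() != null) {
                return fallback;
            }
            return allowedHosts.contains(host.toLowerCase(Locale.ROOT)) ? uri.toString() : fallback;
        } catch (URISyntaxException ex) {
            return fallback;
        }
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the thread.
        Set<String> proxies = Set.of("10.0.0.5");
        Set<String> backends = Set.of("abap.example.com");
        Map<String, String> fromBrowser =
                Map.of("Accept", "text/html", "x-remote-user", "admin");

        System.out.println(isFromTrustedProxy("10.0.0.5", proxies));
        System.out.println(isFromTrustedProxy("203.0.113.7", proxies));
        System.out.println(buildUpstreamHeaders(fromBrowser, "jdoe"));
        System.out.println(safeRedirect("https://abap.example.com/sap/bc/bsp/demo", backends, "/"));
        System.out.println(safeRedirect("https://other.example.net/", backends, "/"));
    }
}
```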

Similar Messages

  • WCI single sign on(SSO) configurations with Oracle Access Manager(OAM)

    I have to integrate the Oracle Access Manager with the WCI (ALUI) for the SSO implementation. What are the configurations required to implement SSO with Oracle Access Manager in WCI/ALUI?

    Any answer to the last question on..?
    No, better explain my query with 2 scenarios:
    Scenario 1:
    Usual scenario authentication of a user to a web application without the single web functionality on the access single manager:
    Login screen of the web application ====> Access to the web application home
    Scenario 2:
    Scenario authentication of a user to a single web application with web functionality on the access single manager:
    Login screen oracle access manager ====> Display login web application ====> Access to the web application home
    My query is:
    You can configure the functionality of single sign on to access manager with a web application that does not have its login screen of the web application. For example:
    Login screen oracle access manager ====> Access to the web application home

  • Single Sign-On (SSO) in Web Server 7.0u5

    Hello,
    I am in the process of trying to configure single sign-on (SSO) between several apps in the same SJWS 7.0u5 virtual server, and I'm not having much luck. This appears to be very similar to the problem reported in another thread (http://forums.sun.com/thread.jspa?forumID=759&threadID=5281564) that applied to 7.0u2.
    I found one interesting detail that the previous post did not mention, however, and I think it is key to resolving this issue.
    I've been using the SSO feature of WS7 since day one, and up to this point it has worked flawlessly. However, I am in the process of adding a new webapp that differs from the prior webapps in one significant way: it uses form-based login, and all the previous webapps used basic authentication.
    Using the "Live HTTP Headers" Firefox add-on I captured the cookie exchanges between the client and server, and this is what I see:
    1. Logging in to any of the apps that use basic authentication results in both the JSESSIONID for the current webapp and the JSESSIONIDSSO for the entire server to be returned in the response.
    2. If I then go to a secured URI in the new (form login) webapp the JSESSIONIDSSO cookie is sent, but I still land on the login page.
    3. When completing the login form and submitting it, no JSESSIONIDSSO is returned.
    In both types of apps, my web.xml includes the appropriate configuration. FORM authentication:
      <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>ldap</realm-name>
        <form-login-config>
          <form-login-page>/login.jsf</form-login-page>
          <form-error-page>/error.jsf</form-error-page>
        </form-login-config>
      </login-config>
    ...and BASIC authentication:
      <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>ldap</realm-name>
      </login-config>
    From this, it appears as though the SSO functionality is not working when using FORM authentication, only when using BASIC authentication.
    The web apps developer's guide specifically says that SSO works for all webapps in the same virtual server with the same realm-name, which is certainly the case for me. It doesn't say that SSO is not supported in FORM-authenticated webapps, but that would appear to be the case.
    Or is this a bug?
    Or am I simply doing something obviously wrong?
    Thanks!
    Bill

    In addition, I set the logging level to "fine", and I see these entries for the FORM authentication:
    [06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports: Process request for '/testSso/'
    [06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports:  Checking for SSO cookie
    [06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports:  SSO cookie is not present
    [06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports: Security checking request GET /testSso/
    [06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports:   Matched constraint 'SecurityConstraint[secureURIs]' against GET /index.jsp
    [06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports:   Matched constraint 'SecurityConstraint[secureURIs]' against GET /index.jsp
    [06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports:  Calling hasUserDataPermission()
    [06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports:   User data constraint has no restrictions
    [06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports:  Calling authenticate()
    [06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports: Restore request from session '19FFE2F63CF4E8756C19B60AC6F7A65E'
    [06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports: Authenticated 'testUser' with type 'FORM'
    [06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports: Registering sso id '2698AFCE8889EF9877778386855517BC' for user 'testUser in realm ldap' with auth type 'FORM'
    [06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports: Associate sso id 2698AFCE8889EF9877778386855517BC with session StandardSession[19FFE2F63CF4E8756C19B60AC6F7A65E]
    [06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports: Proceed to restored request
    [06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports:  Calling accessControl()
    [06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports:   Checking roles testUser
    [06/Sep/2009:22:52:57] fine (20013): for host 127.0.1.1 trying to GET /testSso/index.jsp while trying to GET /testSso/, service-j2ee reports:  Successfully passed all security constraints
    That seems to indicate that an SSO ID is created and a cookie should be sent with the response, but as shown in the Live HTTP Headers output, that is not the case.
    The log entries for the BASIC authentication are as follows:
    [06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports: Process request for '/ppc/'
    [06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports:  Checking for SSO cookie
    [06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports: Security checking request GET /ppc/
    [06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports:   Matched constraint 'SecurityConstraint[ppc]' against GET /index.jsp
    [06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports:   Matched constraint 'SecurityConstraint[ppc]' against GET /index.jsp
    [06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports:  Calling hasUserDataPermission()
    [06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports:   User data constraint has no restrictions
    [06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports:  Calling authenticate()
    [06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports: Logging in user [testUser] into realm: ldap using JAAS module: ldapRealm
    [06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports: Password login succeeded for : testUser
    [06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports: Authenticated 'testUser' with type 'BASIC'
    [06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports: Registering sso id 'A58B93F0A00C619AF18F53C2F7C00D16' for user 'testUser in realm ldap' with auth type 'BASIC'
    [06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports: Associate sso id A58B93F0A00C619AF18F53C2F7C00D16 with session StandardSession[EF2E1F7E8B3FB7E3FDD4607E4A62D99E]
    [06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports:  Calling accessControl()
    [06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports:   Checking roles testUser
    [06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports: No role found:  administrator
    [06/Sep/2009:22:57:29] fine (20013): for host 127.0.1.1 trying to GET /ppc/index.jsp while trying to GET /ppc/, service-j2ee reports:  Successfully passed all security constraints
    In this case, you can see that the SSO ID that is generated matches the value set in the response.
    Bill

  • Can Captivate pull a user's login information from a Single Sign On (SSO) page?

    Looking to start pushing out quizzes and trainings via Captivate.  We currently do not have a LMS, so I started testing using Acrobat.com.  We have a Single Sign On (SSO) page that passes our users' credentials on to all the sites and apps.  Is there a way for Captivate to get those credentials, when submitting quiz results?  Do they have to submit their quiz answers via an Acrobat sign in?  Can Captivate auto submit answers or does the end user have to hit the Submit/Submit All button?

    Hi there,
    There is no native feature for getting SSO information in Captivate course.
    If you don't have an LMS, and if you would like to use Acrobat.com reporting, then learner will have to click on the post results button, and enter their Adobe.com or Acrobat.com credentials, then hit submit. (Learners must have an Account on Acrobat.com or Adobe.com to submit the results.)
    If the course will be accessed within the organization's network, then you can also use Internal server reporting, that works exactly same except learners do not need an account on Adobe.com
    They will have to enter their Name and E-mail address to uniquely identify them while fetching result reports.
    Thanks.

  • CRM single sign on (SSO) to R/3 system via ITS 6.20

    Hi all
    I try to configure CRM2007 single sign on (SSO) to R/3 system via ITS 6.20.
    my configuration process
    1. on CRM2007
    -profile : login/accept_sso2_ticket = 1
                  login/create_sso2_ticket = 2
    - t-code : strustsso2 --> export system PSE
    2. on R/3 system
    - profile : login/accept_sso2_ticket = 1
                   login/create_sso2_ticket = 0
    - t-code : strust --> import certification --> add certification list --> save
    - t-code : oss2 --> execute with crm rfcdestination --> all green.
    3. ITS
    ~appserver      r/3.domain
    ~client     
    ~clientcert      1
    ~cookies      1
    ~exiturl     
    ~hostsecure      itshost.domain
    ~hostunsecure      itshost.domain
    ~language     
    ~login     
    ~logingroup     
    ~messageserver     
    ~multiinstanceservices      1
    ~password     
    ~portsecure      443
    ~portunsecure      80
    ~routestring     
    ~runtimemode      pm
    ~systemname      R/3 SID
    ~systemnumber      R/3 system no
    ~theme      99
    ~timeout      600
    ~urlimage      /sap/its/graphics
    ~urlmime      /sap/its/mimes
    ~usertimeout      240
    ~xgateway      sapdiag
    ~xgateways      sapdiag,sapxgwfc,sapxginet,sapextauth
    ~mysapcomgetsso2cookie 
    ~mysapcomusesso2cookie  1
    ~mysapcomssonoits  1
    for SSO check, execute web ui and then log on web ui
    I go to the Interaction Center and then go to the ERP information.
    but ITS log on screen appear.
    crm user and r/3 user is same.
    how can I do ??

    You use Server Port 3600, message server.
    It means, while creating a system you used wrong template and picked "SAP system using dedicated application server".
    You should use "SAP system with load balancing", since message server is doing load balancing.
    Once you selected correct template you will see "Message Server" instead of App and GW servers.
    Make sure to fill in
    Group  - Logon group to use. If not defined in R3, use SPACE
    Message Server - ansapdev01
    SAP Client = 150
    SAP System ID <SID> = DEV
    Server Port 3600
    System Type = SAP R/3
    It should work.
    Regards,
    Slava

  • Configuring JCo3 Connection Pool with single sign on on non SAP Java server

    Hi Everyone,
    I have configured a connection pool on JBoss as per JCo3 Documentation and it is working great.
    Now I need help to configure this connection pool with single sign on so that RFCs on SAP ECC systems are executed using end users' credentials rather than using the single user name and password used to configure the JCo connection pool.
    On SAP Java stack I am sure it's possible within Java WebDynpro and I assume using JCA resource adapter. But what if we don't want to use SAP Java App server?
    Any help will be appreciated.
    Thanks,
    Divyakumar Jain

    Eason, hello!
    I have exactly the same problem.  Did you find a solution to this problem?  If so, please let me know!

  • How to configure SSO for WAS Java stack

    Hi all,
    I want to configure our WAS server with java stack as a SAP ticket issuing system. This system does not have Portal installed on it.
    I want to know whether it is possible or not. If possible, how can it be done?
    Actually, on the ABAP stack there are transactions like SSO2, SSO to do the task. But what about WAS with Java stack?
    Thank all.

    HI Kumar
    Follow this link.
    http://help.sap.com/saphelp_nw04/helpdata/en/53/695b3ebd564644e10000000a114084/frameset.htm
    Hope this helped you
    Regards,
    RK

  • Single Sign On (SSO) Issue

    We are running Business Objects Enterprise XI 3.1, SP2 (BOBJ) in a Windows environment and have implemented single sign on for Windows AD.  Randomly single sign on does not work for some of our users when either accessing InfoView or when executing a WebI report via an OpenDocument call.  These users can log into InfoView using the Windows ID and Password manually.  The users also have the “Enable Integrated Windows Authentication” option checked in IE.
    We have checked the InfoViewApp web.xml and OpenDocument web.xml settings and everything appears to be setup correctly for using sso and vintela (per SAP Note 1251945).  Required SPN entries appear to have been made.  The maxHttpHeaderSize setting in the Tomcat server.xml is set to 16384.  We do tend to make substantial use of Windows AD Groups within our security model.
    When the users are unable to login via sso, here is the error stack that appears in the Tomcat stdout.log:
    SEVERE: Servlet.service() for servlet action threw exception
    java.lang.IllegalStateException
         at org.apache.catalina.connector.ResponseFacade.sendError(ResponseFacade.java:418)
         at javax.servlet.http.HttpServletResponseWrapper.sendError(HttpServletResponseWrapper.java:117)
         at com.businessobjects.sdk.credential.WrappedServletResponse.sendError(WrappedServletResponse.java:30)
         at com.wedgetail.idm.sso.AbstractAuthenticator.setUnauthorizedResponse(AbstractAuthenticator.java:1328)
         at com.wedgetail.idm.sso.MechChecker.authenticate(MechChecker.java:144)
         at com.wedgetail.idm.sso.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:1060)
         at com.wedgetail.idm.sso.AbstractAuthenticator.authenticateServiceTicket(AbstractAuthenticator.java:998)
         at com.wedgetail.idm.sso.AbstractAuthenticator.checkAuthentication(AbstractAuthenticator.java:953)
         at com.wedgetail.idm.sso.AuthFilter.doFilter(AuthFilter.java:122)
         at com.businessobjects.sdk.credential.WrappedResponseAuthFilter.doFilter(WrappedResponseAuthFilter.java:66)
         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
         at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
         at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
         at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
         at java.lang.Thread.run(Thread.java:595)
    Before we go about installing SP3 in an effort to resolve the problem, can anyone look at the above error stack and tell us what might be going on here?  Would the above error stack be consistent with an Httpheader getting truncated?
    Thanks in advance for your help.
    Wendell Giedeman

    That error is part of a logging bug and not related to your issue. If SSO is working consistently from infoview then it probably is not a web.xml setting either. The most common problems with opendoc have been related to sessions. Are the users using a new IE window or possibly one that had previous documents open? If it is the session issue then SP3 may help as some work has been done in that area. If you are sure the users are using new IE windows for the opendoc calls then more troubleshooting may be required to identify the problem.
    Regards,
    Tim

  • iRecruitment: Resume Parsing with Single Sign on (SSO)

    Application Version:11.5.9
    RDBMS Version:9.2.0.7
    Patch Level:IRC.D, HR_PF.G
    Problem Description/Question:
    Anyone successfully parsed resumes with Single Sign On enabled. We are unable to parse resume with SSO. If I disable the SSO the parsing is working fine. With the SSO enabled resume parsing giving the following error:
    javax.net.ssl.SSLException: SSL handshake failed: X509CertChainIncompleteErr
    Pl. let me know if you have any suggestions/work around to resolve the issue. Client is going to live in 3 weeks. Any help is appreciated.
    Thanks,
    V

    Hi Rainer,
    you can find this setting in your Internet Explorer. Use Tools -> Internet Options -> Advanced. In the section "Security", check "Enable Integrated Windows Authentication (requires restart)" and restart your browser.
    If the error still persists Note 934138 might be useful.
    Hope this will help out.
    Regards,
    André

  • Proxy Server and single sign on (SSO)

    We are currently running Portal 7.  I've enabled single sign on via logon tickets from portal to our backend ECC 6.0 and CRM 5.0 systems and it's working fine.  For demoing to clients we've employed the Apache webserver for reverse proxy.  This reverse proxy server is located in the DMZ, on a domain of its own.  I can access the portal fine through the reverse proxy but now the single sign on to our backend ECC and CRM systems doesn't work.  I know the issue lies with the difference in the domain.
    Has anyone come across an issue such as this and can lend me some help?

    Hi,
    Domain relaxing will not work in this setting, ref. RFC 2109 http://www.ietf.org/rfc/rfc2109.txt
    What you need to do is to create a DNS alias for the portal on domain [something].[company].com. Then create a portal component which returns the MYSAPSSO2 cookie and create an URL iView for it with the DNS alias hostname and add it to the default framework page. In this way, persons logging in will get the MYSAPSSO2 cookie for both domains [sap subdomain].[network domain].local and [network domain].[company].com
    Regards
    Dagfinn

  • Configuring Single Sign On (SSO) in JAAS

    Hi All,
    I am trying to configure SSO in JBoss. I have my custom LoginModules, which I have configured in login-config.xml:
    <application-policy name="LoginModule1">
       <authentication>
           <login-module code="com.MyLoginModule" flag="required">
           </login-module>
       </authentication>
    </application-policy>
    <application-policy name="LoginModule2">
       <authentication>
           <login-module code="com.MyLoginModule" flag="required">
                <module-option name="useSharedState">true</module-option>
           </login-module>
       </authentication>
    </application-policy>
    The names of my web applications are sso1 and sso2. Both of them use the same instance of JBoss.
    I have also configured auth.conf:
    sso1 {
        com.MyLoginModule required;
    };
    sso2 {
        com.MyLoginModule required useSharedState=true;
    };
    I am logging in to sso1, and there I am checking whether the user is logged in; if not, the user is presented with the login page. The username and password are checked and then the user is forwarded to the next page.
    The MyLoginModule code is:
    if ("true".equalsIgnoreCase((String)this.options.get("useSharedState"))) {
         // read the credentials stored by an earlier login
         userName = (String)this.sharedState.get("javax.security.auth.login.name");
         password = (String)this.sharedState.get("javax.security.auth.login.password");
    } else {
         userName = request.getParameter("userName");
         password = request.getParameter("password");
         // save the username and password into the shared state
         this.sharedState.put("javax.security.auth.login.name",userName);
         this.sharedState.put("javax.security.auth.login.password",password);
    }
    When the user logs in for the first time, the username and password are put into the shared state. Now when I forward the user to the sso2 application, MyLoginModule again comes into action and the 'if' part of the code is executed, but this.sharedState.get("javax.security.auth.login.name") or this.sharedState.get("javax.security.auth.login.password") returns null.
    I have also configured jboss-web.xml in the respective webapps:
    <jboss-web>
    <security-domain>java:/jaas/LoginModule1</security-domain>
    <context-root>/sso1</context-root>
    </jboss-web>
    <jboss-web>
    <security-domain>java:/jaas/LoginModule2</security-domain>
    <context-root>/sso2</context-root>
    </jboss-web>
    Also, server.xml is configured properly:
    <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
    Any idea what's failing?
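
Added example, not part of the original post and not the poster's code: a JAAS sharedState map belongs to one LoginContext, so only the LoginModules stacked in the same configuration entry see each other's values, while a separate login (here the entry named "sso2") starts with an empty map. DemoModule, the entry names and the user "alice" are constructed for illustration.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
public class SharedStateScopeDemo {
    static final String NAME_KEY = "javax.security.auth.login.name";
    static final List<String> seen = new ArrayList<>(); // what each reading module found
    // Hypothetical module: stores a name, or reads it back when useSharedState=true.
    public static class DemoModule implements LoginModule {
        private Map<String, Object> shared;
        private Map<String, ?> options;
        @SuppressWarnings("unchecked")
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> sharedState, Map<String, ?> opts) {
            shared = (Map<String, Object>) sharedState;
            options = opts;
        }
        public boolean login() {
            if ("true".equalsIgnoreCase((String) options.get("useSharedState"))) {
                seen.add(String.valueOf(shared.get(NAME_KEY))); // record what this login can see
            } else {
                shared.put(NAME_KEY, "alice"); // constructed sample user
            }
            return true;
        }
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }

    // One configuration line: DemoModule, flag "required", one option.
    static AppConfigurationEntry entry(String useSharedState) {
        return new AppConfigurationEntry(DemoModule.class.getName(),
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
            Map.of("useSharedState", useSharedState));
    }

    public static void main(String[] args) throws LoginException {
        // "stacked" runs writer and reader in one login; "sso1"/"sso2" mirror the two separate entries.
        Map<String, AppConfigurationEntry[]> entries = Map.of(
            "stacked", new AppConfigurationEntry[] { entry("false"), entry("true") },
            "sso1", new AppConfigurationEntry[] { entry("false") },
            "sso2", new AppConfigurationEntry[] { entry("true") });
        Configuration cfg = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) { return entries.get(name); }
        };
        // Each LoginContext gets its own sharedState map; nothing carries over between them.
        for (String app : List.of("stacked", "sso1", "sso2")) new LoginContext(app, new Subject(), null, cfg).login();
        System.out.println(seen); // first element: stacked reader; second: the separate "sso2" login
    }
}
```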

  • ESS/MSS sso configure between java and abap instance

    Dear Gurus,
    I want to configure SSO between the Java and ABAP instances for ESS/MSS. I couldn't find any guide for it; could you please help me, gurus?
    My other question is: is there any specific role for ESS/MSS users in the Java instance? I want to create users and assign this role to them.
    Best Regards

    Hi Kemal,
    Hope you are doing good.
    There should be a / in the ITS path before SAP.
    Basically the entry that you have mentioned here should be accessible via browser as well. For eg in your case:
    http://<its hist name>/sap/bc/gui/sap/its/webgui should be accessible over browser.
    I also think you have put in an extra space in "w  ebgui". It should be "webgui".
    If the connector settings are working, then we can be sure that the system connection is fine. You do not need to configure ITS settings.
    Also, for SSO, refer to SAP note 1083421 and configure the SSO settings again.
    Please run the SSO2 wizard and then make the automatic connection to
    the abap server. This will solve any inconsistencies on the server
    due to manual interventions.
    Most likely reason for the error is that certificates were loaded
    manually rather than using SSO wizard.
    More help:
    <http://wiki.sdn.sap.com/wiki/display/EP/Troubleshooting+SSO+between+AS-ABAP+and+AS-JAVA>
    The SSO enabling parameters should be set on the R/3 server.
    SSO Logon Ticket-> login/accept_sso2_ticket and login/create_sso2_ticket
    More info:
    <http://help.sap.com/saphelp_nw04/Helpdata/EN/22/41c43ac23cef2fe10000000a114084/frameset.htm>
    Thank you and have a nice day :).
    Kind Regards,
    Hemanth
    SAP AGS

  • Single Sign On (SSO) Internet Access via ASA

    Good Afternoon,
    I'm looking for a way for users to authenticate through the ASA to determine whether or not they are granted access to the Internet. I would like to provide two separate Active Directory groups, for example, GRP-NO-INTERNET and GRP-INTERNET. When a user accesses the Internet I would like the firewall to obtain a SSO credential and query AD to see if they have access or not and respond accordingly.
    I'm currently working with TAC to investigate the possibility of using DAP but was curious if others have successfully tested this or what other options may be available. The end result would be to eliminate the credentials prompt by the firewall and have the authentication done in the background (somehow) without user interaction.
    Thanks in advance to anyone's suggestions.
    -Mike

    Actually, it should be possible starting ASA 8.4.2. You will have to configure an AD Agent on Windows. Please see the following link
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_idfw.html
    Please rate if it helps. Kind regards

  • Third party application forcing java stack to restart when logged in through SSO

    Hi
    We have the APW third-party application installed on Enterprise Portal 7.4.
    When we tried to log in to the APW portal through SSO, it forces the Java stack services to restart. If we use APW directly without SSO, it works fine.
    Can you help me to resolve the issue?

    Hi Manish,
    Please check the configuration of the third-party connection and the portal once again.
    Also provide the "dev_server0" file, which is in the directory /usr/sap/SID/J00/work, and the default trace, which is in "/usr/sap/SID/J00/j2ee/cluster/server0/log", to analyze the issue. There is another tool as well to check the issue, the "httpwatch" log tool. But mostly the issue can be identified in dev_server0 or the default trace.
    Thanks,
    Brindavan

  • Test Connector error; Single Sign On configuration

    Hi,
    I did a test on my SAP BI query system created in the portal. When I perform the "Test Connector with Connector" results are as follows;
    Test Connection with Connector
      Test Details:
    The test consists of the following steps:
    1. Retrieve the default alias of the system
    2. Check the connection to the backend application using the connector defined in this system object
      Results
    Retrieval of default alias successful
    Connection failed. Make sure that Single Sign-On is configured correctly
    So my SSO is not configured correctly. Does anyone know where in the portal I can check my SSO configuration and what to look for?

    Hi,
    Check the link below:
    http://help.sap.com/saphelp_nw04s/helpdata/en/a3/e5a0404dd52b54e10000000a1550b0/frameset.htm
    Regards,
    Yoganand.V
    Edited by: Yoganand Vedagiri on Jan 28, 2009 11:23 AM
