Single SignOn with SAP

Can anyone tell me if we can have single signon between SAP-xMII and SAP-ERP?

Same thing, same mechanism.  You can pass the SSO2 Ticket from the xMII login session (assuming you entered xMII through EP) through to the JCO action(s).
In version 12.0, xMII will be capable of generating SSO2 tickets natively, without needing Enterprise Portal.
You also need to export/import certs across all of the affected systems in order for the SSO2 ticket(s) to work properly.
That said, you lose a lot of performance benefits since you cannot do JCO caching or connection pooling with this mechanism.
- Rick

Similar Messages

  • Single Signon and Integration with Active Directory

    Hi,
    We have a requirement to integrate Active Directory with SAP and implement Single Signon solution. Our Active Directory is running on Windows 2003 and we are having systems 4.7 , ECC6.0 which run on Linux OS in our landscape.
    Can any of you help me by answering the following questions?
    1. Is there any need for a third-party solution (tool) to integrate Active Directory and SAP and activate single signon?
    2. Is there any difference in integration with Active Directory between SAP 4.7 and ECC6.0 on Linux OS?
    3. If possible please share any documents or links on above issue.
    Suitable answers will be rewarded with points. Thanks in advance for your help
    Regards
    Murali

    > Thank you very much for providing me the link. But the document at the link seems to be in German. Can you please let me know how to get the English version of this document?
    I'm sorry, you'd have to ask Realtech for that document in English.
    Basically you can follow
    http://osdir.com/ml/encryption.kerberos.general/2004-11/msg00007.html
    Markus

  • Issue with SAP Single Sign-On and Scheduling Reports

    Hello --
    We are on XI 3.1 with SAP BW and SSO.  Some users are getting failures with this error message when they schedule a report to run:
    "A database error occured. The database error text is: Unable to connect to SAP BW server System received an expired SSO ticket. (WIS 10901)." 
    It SEEMS as though the users are fine if they schedule the report to run immediately and have it run every hour (or less) after that.  If they schedule it to run several hours from the time they are in the system, however, it looks like they begin getting failures around 8 hours after they were in the system.  This would make sense from looking at the "InfoView and Central Management Console Session Management" document (https://www.sdn.sap.com/irj/boc/index?rid=/library/uuid/405547f9-b840-2b10-44b5-8e17ff9e48a9&overridelayout=true) since a logon token expires after 8 hours, but since it is a scheduled report, and the user is not logged in through a browser, how is a token being passed?  Is it captured and included when the report is scheduled?  Would disabling logon tokens fix this issue?  How is authentication handled here if they are disabled? 
    Thanks for any info
    Casey

    Hi Gurus
    I am facing the exact same error.
    However, we are not trying to schedule the WEBI report.
    The user gets this error even when he is running on demand from the portal.
    Here are the various steps that we have tried and still it doesn't work:
    1) Refreshed and created new Universe connection
    2) Bounced BOE server
    3) Synced up the SSO timeout ticket to 8 hrs on all systems including BOE
    4) Changed browsers
    5) Removed cache, cookies etc
    Please help.

  • CrystalReports XI RDC causes a dysfunction of Lotus Notes Single SignOn

    Our customer uses Lotus Notes. When he installed the CR RDC merge module (XI Rel. II, SP6), the single signon for Lotus Notes stopped working. That means the customer has to type in username and password once more if he wants to use Lotus Notes. It seems that the single signon service is running.
    The registry key "ProviderOrder"="RDPNP,LanmanWorkstation,WebClient,npnotes" is correctly sorted (I found that in another forum). Any suggestions? TIA, F. Bartsch

    Hi Frank,
    Well there may be an issue with the RDC, but it seems that yourself and one other have just seemed to report it. We don't have any other information than that. I want to add my two bits along the lines of what Don and Ludek were saying. Personally I would look at the runtime differences before and after the RDC stuff is installed. We have an application called modules, that takes a snapshot of the runtime in memory for all applications currently running on the system. By running Lotus before your RDC install, creating a modules snapshot, and again after the install, you will see what the differences are. Perhaps this is just a difference in the COM files on the system.
    As for creating a support case, there is only so much we can do on the forums. Support cases allow you to engage an engineer directly to try troubleshooting, and modules would probably be the first thing they would get you to do. If this does turn out to be an issue with our product then there is a process to get a refund on the case. However this is contingent on us determining that it is indeed our issue.
    You can find modules at https://smpdl.sap-ag.de/~sapidp/012002523100006252802008E/modules.zip
    Trevor

  • Single SignOn Configuration

    Hi Experts,
    I've to insert SAP User Interface inside a custom java portal.
    Users should not re-logon when from java portal they pass to CRM User Interface.
    I've found that I've to enable ticket logon, but I'm unable to find any documentation that explains how to configure the system to accept ticket logon and permit single sign on.
    Could you help me explaining how to solve this requirement?
    Thank you
    Alessandro

    Hi  Shikha ,
        this is kumar .... ? I too have the same problem.. I hope you might have found the solution for this problem.. If you have the solution for this problem please send your solutions to this
    Email Id: [email protected].
    Please help me shikha...
    I have this problem
    Hi
    We have completed configuration of XI.
    On the server machine we proceed as follows:
    1. We log on to the Integration Repository, it asks us for login (userid and password)
    2. We enter, say, id as xisuper, with password
    3. Now Java Web Start is started and all jar files are uploaded automatically
    4. Now we get the IR page and we can work on it (it is working perfectly)
    Now, we proceed on local desktops as follows:
    1. We log on to the Integration Repository, it asks us for login (userid and password)
    2. We enter, say, userid as xisuper, with password
    3. Now Java Web Start is started and all jar files are uploaded automatically
    4. Now an error pops up, saying “Single Signon failed”, and it asks for login and password
    Our question is, if it is working properly on the server machine, then why is it not working properly on local desktops?
    Please note that when we launch “System Landscape Directory”, this problem does not occur.
    Can someone please suggest a solution?
    Also we would like to know which user we should use to access the Integration Repository. Is it the same as the super user, i.e. xisuper, or some special user?
    Or is there some problem with the Single Signon configuration?
    Please guide us on this as we need help urgently.

  • Siebel Single SignOn

    Hi,
    I would like to know what options are available for providing Single Signon for Siebel? I know that Siebel can be integrated with OAM for SSO. Can Siebel be integrated with Oracle Application Server Single Signon? If so what version and any links to information would be very helpful.
    Thanks

    Hi Marcus,
    You can use IISProxy in order to obtain Single Sign-on between your Windows Network and the portal.
    http://help.sap.com/saphelp_nw04/helpdata/en/07/914e4f02a69f448aeee7263b2a9dc6/content.htm
    If you want more information about how to configure it, send me an email at [email protected]
    Regards.

  • How to bind a single Entity with Odata

    Hi experts,
    just playing around with UI5...short question:
    I have created a WebService in GW, reading user data (using  BAPI_USER_GET_DETAIL).
    Very easy, just for testing.
    Now I want to show my own user data on a SAPUI5 page.
    Have created a controller:
    onInit: function() {
        // Gateway service root and the test credentials used for the model
        var odataUrl = "/sap/opu/odata/sap/ZXYZ_SRV/";
        var odataUser = "user";
        var odataPass = "password";
        var oModel = new sap.ui.model.odata.ODataModel(odataUrl, false, odataUser, odataPass);
        this.getView().setModel(oModel);
    }
    Okay, this is working
    Now I want to read a single entity with my WebService (this would be the GetEntity one, NOT the GetEntitySet).
    I have created a very simple view, including a MatrixLayout with 2 columns; here I want to add a Label and the value of the WebService.
    What I have done:
    var oMatrixPers = new sap.ui.commons.layout.MatrixLayout({
        layoutFixed: false,
        width : "300px",
        columns: 2
    });
    var oLabel = new sap.ui.commons.Label({
        text : "Lastname"
    });
    var oTF = new sap.ui.commons.TextField({
        editable: false
    }).bindValue("value", "{/own_dataSet(TEST)}");
    oLabel.setLabelFor(oTF);
    oMatrixPers.createRow(oLabel, oTF);
    I'm sure it is an easy question - maybe someone can help?
    Thanks
    Michael

    All right, one more suggestion:
    var oTF = new sap.ui.commons.TextField({
        editable: false,
        value: "{THE PROPERTY NAME FROM THE ENTITY}"
    });
    // Bind the layout to the single entity; the key is quoted inside the path
    oMatrixPers.bindElement("/own_dataSet('TEST')");
    oMatrixPers.setModel(oModel);
    This will most probably get you the value, if you do not get any other error in the Console

  • SAP R/3 4.7e with SAP XI

    Dear Experts,
    I want to install SAP R/3 4.7e along with SAP XI 7.0 on a single system (WINDOWS 2003 + ORACLE).
    Is it possible to do is? If yes, please help me and provide links to related documents on SDN.
    Regards,
    Younus

    Even in a Sandbox landscape, having R/3 & XI on the same box is not recommended.
    Moreover SAP R/3E & XI 7.0 don't have the same WebAS version (R/3 WebAS 6.40 & XI WebAS 7.00). Hence they cannot be installed due to product compatibility. It should be at least ECC 6.0.
    -SM

  • Single-signon for multiple sites or sub sites

    Does anyone know of some good articles/publications or suggestions for
    implementing a single signon for multiple very secure internet sites in
    weblogic type environments?
    For example, bank1 has an internet site and bank2 has an internet site.
    Bank2 has some cool features they want to offer bank1's customers. They
    agree but bank1 wants to present bank2 as a tab or part of bank1's site.
    In order to do this there are lots of fun things, but the things I'm
    interested in are how to authenticate between them and handle timeouts.
    Timeouts seem particularly tricky in that if I don't hit a page on bank2
    for a while, it could time out its session for the guy on bank1. Also if
    I'm in the bank2 section of the site, then bank1 could time me out as
    well.
    Any ideas, let me know.
    thanks
    Joel

    I've been informed ;-) that a pure Java solution is also available from
    Entegrity. So here are a couple of URLs for you to research
    anagrammatically:
    http://www.netegrity.com
    http://www.entegrity.com
    Cameron Purdy
    Tangosol, Inc.
    http://www.tangosol.com
    Tangosol: How Weblogic applications are customized
    "Cameron Purdy" <[email protected]> wrote in message
    news:[email protected]...
    Netegrity?
    Cameron Purdy
    Tangosol, Inc.
    http://www.tangosol.com
    Tangosol: How Weblogic applications are customized
    "Tim Funk" <[email protected]> wrote in message
    news:[email protected]...
    This is long winded and I tried to have this make sense, if it doesn't
    just mark this as read ...
    I am running into the same issue. Out of need, different applications
    need to be hosted on different boxes/JVM's/web applications. I am
    experimenting with a customer single sign on process which is
    independent of Java but lends itself nicely to it. Here are my thoughts:
    1) All applications need to run under the same domain. For example:
    foo.redrose.net, www.redrose.net, bar.redrose.net, app1.redrose.net
    all reside under redrose.net.
    2) You have a database table (secure) that contains the following:
    user id, password, session id, last access time.
    3) This database table contains all of the valid sessions across the
    domain (in this example .redrose.net)
    4) There is a daemon running which runs every ?? seconds that deletes
    any records older than ?? seconds/(or minutes/hours) in the
    database.
    5) There exists a cookie which is set to the domain level that contains
    the session id.
    6) The session id provides a way to obtain the id and password for the
    user to authenticate to the container. For example in WL5.1SP8 there
    exists: weblogic.servlet.security.ServletAuthentication.weak(...) to
    authenticate to your container. By using this you will get the
    capability of setting up your roles and ACLs etc in your web.xml and
    weblogic.xml to handle authorization.
    7) All requests to any applications participating in this philosophy
    must do the following for EVERY request (or appropriate):
    Even if you are logged authenticated to the container and authorized,
    you may have timed out or logged out of another application. So the
    database table must be checked to see if the session id exists. At the
    same time, you must also update the last access time to prevent timeout.
    8) If the user tries to access a different application which he has not
    authenticated to yet - the user will be forwarded to a servlet which will:
    a) Look for the cookie at the domain level
    b) If the cookie is found - get the UID and PWD from database
    b2) Present login form if cookie is invalid/not exists
    c) Authenticate to container
    d) Forward back to original page and let the container handle
    authorization since you have already authenticated.
    I have encapsulated the database activity into 3 stored functions:
    1) isValidSession(session_id) - Returns null or the user id and pwd
    concatenated, which will need to be split apart if needed
    2) makeSession(user_id, password) - Returns a new unique session id and
    creates the appropriate record
    3) cleanUpSessions() - Arguments not yet determined. This will delete
    any records older than a certain time. I would like to have the proc
    know what to delete without being given a parameter but time to the
    second level can be tricky for some DBMS's.
    There is a concern of storing the user id and password in the database
    but this can be eliminated with a good design to restrict access to the
    database table and using encrypted connections.
    Hope this helps. Hopefully a similar philosophy will be adopted by an
    application container so I may not have to worry about this and I can go
    back to programming business functionality.
    -Tim
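
A sketch of the shared session table from Tim Funk's message above (makeSession, isValidSession, cleanUpSessions), added here as an example and not code from the thread. It assumes SQLite in place of the unnamed DBMS, a hypothetical cookie name `SSOSID` and a 30-minute idle timeout, and it stores only the user id and a SHA-256 hash of the session id rather than the password the post proposes to keep.

```python
import hashlib
import secrets
import sqlite3

IDLE_TIMEOUT = 1800  # seconds; assumed value (the post leaves the interval open)


def open_store(path=":memory:"):
    """Create the shared table that every participating application checks."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS sso_session ("
        " sid_hash TEXT PRIMARY KEY,"
        " user_id TEXT NOT NULL,"
        " last_access INTEGER NOT NULL)"
    )
    return db


def _sid_hash(session_id):
    # Only a hash is stored, so reading the table does not yield usable cookies.
    return hashlib.sha256(session_id.encode("utf-8")).hexdigest()


def make_session(db, user_id, now):
    """Call after the login form has verified the password; returns the cookie value."""
    session_id = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    db.execute(
        "INSERT INTO sso_session (sid_hash, user_id, last_access) VALUES (?, ?, ?)",
        (_sid_hash(session_id), user_id, now),
    )
    db.commit()
    return session_id


def is_valid_session(db, session_id, now, idle_timeout=IDLE_TIMEOUT):
    """Return the user id for a live session, else None.

    The expiry check and the last-access update are one UPDATE statement, so a
    session that idled out (or was ended by another application) cannot be
    revived by a request that races the cleanup job.
    """
    if not session_id:
        return None
    sid_hash = _sid_hash(session_id)
    cur = db.execute(
        "UPDATE sso_session SET last_access = ?"
        " WHERE sid_hash = ? AND last_access >= ?",
        (now, sid_hash, now - idle_timeout),
    )
    db.commit()
    if cur.rowcount != 1:
        return None
    row = db.execute(
        "SELECT user_id FROM sso_session WHERE sid_hash = ?", (sid_hash,)
    ).fetchone()
    return row[0] if row else None


def end_session(db, session_id):
    """Logout in one application removes the row, which logs the user out of all."""
    cur = db.execute(
        "DELETE FROM sso_session WHERE sid_hash = ?", (_sid_hash(session_id),)
    )
    db.commit()
    return cur.rowcount == 1


def cleanup_sessions(db, now, idle_timeout=IDLE_TIMEOUT):
    """Periodic job: delete idle rows and return how many were removed."""
    cur = db.execute(
        "DELETE FROM sso_session WHERE last_access < ?", (now - idle_timeout,)
    )
    db.commit()
    return cur.rowcount


def session_cookie(session_id, domain=".redrose.net"):
    """Set-Cookie value for the domain-level cookie (name SSOSID is hypothetical)."""
    return (f"SSOSID={session_id}; Domain={domain}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")
```

Each application calls `is_valid_session` on every request, as step 7 of the message describes; the caller passes `now` explicitly so all servers can use one clock source.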

  • Changing session language during Single Signon in PeopleSoft

    Hi All,
    I have a working PeopleSoft Single Signon environment. It is simple architecture where I have used the "Allow Public Access" feature in web profile configurations and a signon peoplecode program.
    Users on an external portal are given PeopleSoft component specific URL's with user ID as a query string in the URL (for testing only). However, I'm unable to allow non-English (or user's language preference feature) login as "SetLanguage" is not supported in signon peoplecode. By default the login is in English.
    Please let me know if there is any workaround for this problem.
    Many Thanks
    Srini

    Hello,
    Is there a way to hide the option to select your language on signin.html? I have removed the html code in signin.html and cleared the web server cache, but it still shows up on the signin.html page. Am I missing anything?
    Thanks
    Ram

  • Swift Net MT-103 Interface with SAP

    Hello all,
    I am having a hard time understanding the concept and reason to use the Swiftnet MT103 (Outgoing Payment).
    1) At what point will I consider the MT103 solution versus EDI820 (Outgoing Payment)?
    2) What considerations do I need to take into account when I am creating the Functional Design of this interface with SAP?
    3) What steps do I need to take on the config side?
    4) Do I need to set up an inbound interface as well for confirmation once I have sent the MT103 file?
    5) Will DME be the only solution that produces this format?
    6) Please provide me the file structure of MT103.
    I would appreciate your prompt response since I need to represent this to the client.
    Thanks

    Hi
    It is a good practice to know the status of payment file rather than waiting for the bank to call. Yes, if need be, you will need to create an inbound interface.
    Many things would depend on the method of communication with banks you choose (i.e. direct connection or value added network), which needs to be secure and encrypted. SWIFTnet is a product that SWIFT offers to allow companies to build a single connection to SWIFT net and connect to thousands of banks around the globe. I am not sure whether this is a valid scenario for your project. Obviously, there is a cost implication attached to it.
    If you are using the BCM module, you would need to use a format created in Payment Media Workbench for MT103, and PI to facilitate the file mapping, conversion, encryption and secure transmission to your bank. In this case, you would build an inbound interface for Status/Confirmation from the bank into BCM for Batch monitor.
    If you are not using the BCM module, you would map IDOC to MT103. In this case, you would build an inbound interface to manage the confirmation message from the bank. I have worked on this sort of interface development and developed a report output for users to run.
    Hope that this helps
    taro

  • Single SignOn in webdynpro ABAP

    Hi,
    I am pretty new to the Netweaver Portal side and recently got a requirement from a customer for Single Sign-On:
    Requirement -
    We already had an SSO set up between MS Windows and SAP Portal. Hence in order to open SAP Portal, the user has to use his Windows credentials (usually the company's own network credentials) instead of SAP credentials.
    Now customer also has another legacy portal where  client has similar SSO set up.
    Recently we had implemented SAP Learner Portal (SAP LSO Solution) and now user should directed to legacy portal only when he/she clicks a button in SAP portal's application (Webdynpro ABAP).
    Therefore, we need to implement same SSO inside Webdynpro Action. Please suggest me what should be our approach of doing so.
    Will APIs like IF_WD_PORTAL_MANAGER be handy ?

    Enable SSO between the portal and the AS ABAP system hosting the WDA. Using SAP Logon Tickets is the simplest way. Then access the WDA through the portal. That way you will have SSO since portal already has SSO using Windows Credentials. Another option is to enable SSO in the AS ABAP system hosting the WDA. Your options include at least SPNEGO for ABAP (part of the NWSSO suite), X.509 certificates and SAML.

  • Best practice identifying ERT modules with SAP / IS-Utilities

    Hi everybody,
    I'm looking for the best practice identifying ERT modules with SAP / IS-Utilities (electricity).
    Here's the physical device set up :
    The ERT modules are internal to the electricity meter. They're integrated into a multi-purpose electronic circuit, so they can't be removed physically as a separate device.
    The ERT modules are used to transmit data from the meter to a radio frequency receiver (handheld or drive-by). The main data that is transmitted is the consumption reading. So the receiver stores the ERT module number and the reading value.
    There may be one or more ERT modules in a single meter, and each ERT module transmits its own specific consumption reading (energy reading, demand reading, etc...).
    Each ERT module has its own manufacturer number.
    My issue is :
    To find a way to identify in IS-U the ERT module within the meter's register group (or somewhere else???) in order to relate each register to his ERT module number.
    The purpose of all this is to create reading orders with the ERT module number following for each register.
    This way we can match, using a unique key, each reading order and his corresponding reading value uploaded from the radio frequency receiver (handheld or drive-by).
    Thanks for your help and ideas on best practice.

    Hi,
    1) The system (application) environment of BI (what is integrated in it - e. g. within the portal, there is a storage for unstructured information like documents or virtual rooms for collaboration between departments - and what does it make)
    Document management from RSA1 transaction of BI helps to attach any unstructured documents at specific level in BI.
    2) How does development in BI works (development environment, coding, debugging, building, deployment and test) and what is used stronger (ABAP or ABAP OO)? Here, I don't mean how to write ABAP or ABAP OO programs, only the infrastructure from development to transport to a target system
    BI has got  a separate tool and GUI to perform all the Extract, Transform and load related activities. ABAP is part of BI but you don't need much extensive ABAP learning. Basic ABAP is sufficient to write routines and extractors.
    3) How is a BI system to configure as default after installation?
    May be a BASIS person can help you out here about the configuration but this is not the job of BI person.
    4) Good guides (e/books) to learn ABAP and ABAP OO (as far as possible oriented on the practive)
    You can search for SAM Series learn ABAP in 24 days book. This book is sufficient to learn the ABAP required for working in BI.
    But apart from ABAP you will have to completely learn the BI system to work efficiently.
    Regards,
    Durgesh.

  • Will there be a performance improvement with separate tables vs a single table with multiple partitions?

    Will there be a performance improvement with separate tables vs a single table with multiple partitions? Is it advisable to have separate tables rather than a single big table with partitions? Can we expect the same performance from a single big table with partitions? What is the recommended approach in HANA?

    Suren,
    first off a friendly reminder: SCN is a public forum and for you as an SAP employee there are multiple internal forums/communities/JAM groups available. You may want to consider this.
    Concerning your question:
    You didn't tell us what you want to do with your table or your set of tables.
    As tables are not only storage units but usually bear semantics - read: if data is stored in one table it means something else than the same data in a different table - partitioned tables cannot simply be substituted by multiple tables.
    Looked at it on a storage technology level, table partitions are practically the same as tables. Each partition has got its own delta store & can be loaded and displaced to/from memory independent from the others.
    Generally speaking there shouldn't be too many performance differences between a partitioned table and multiple tables.
    However, when dealing with partitioned tables, the additional step of determining the partition to work on is always required. If computing the result of the partitioning function takes a major share in your total runtime (which is unlikely) then partitioned tables could have a negative performance impact.
    Having said this: as with all performance related questions, to get a conclusive answer you need to measure the times required for both alternatives.
    - Lars

  • Single signon between JSP page and Net.Data page

    I am trying to set up a single signon between a JSP page hosted on a tomcat server, and a Net.Data page hosted on an IBM HTTP server. Both of these servers are running on an AS400. The JSP page (www.jsppage.com/menu) contains a link to the Net.Data page (www.netData.com/page2). In order to access www.jsppage.com/menu the user needs to log in. Once this happens I want them to be able to go back and forth between the two pages without having to log in when they switch servers. Page navigation is handled through myServlet.java so that when a user clicks on a link the request is forwarded on to myServlet.java where the servlet determines where to redirect the user to. The servlet uses
    RequestDispatcher requestDispatcher = getServletContext().getRequestDispatcher(url);
    requestDispatcher.forward(request, response);
    to forward the user to the correct page. This works fine for the JSP pages but when I forward to www.netData.com/page2 I get an error telling me the address doesn't start with a /. I also need to send the user name and password for the net.data pages to keep the second login window from popping up.
    I understand that the requestDispatcher.forward() method directs the browser to a page that is relative to the current root directory. If I try to use response.sendRedirect(url) I get sent to the right page but the signon window pops up. I would appreciate any help.

    You can't do that without passing username and password.
    The servers keep track of the user by storing a cookie on the clients computer. The cookie is only valid for the domain that created it.
    So, to make this work you need to send the username and password as part of the sendRedirect. the forward() method won't work.
    What you could do is create some code on the .net machine that accepts username, password and target URL as input. Once it receives those parameters it should perform the .net login procedure and redirect to the correct page.
    In your servlet you should pass those parameters on to the .net machine and the user should get the correct page without ever seeing any login windows.
    Make sure to use https if you decide to follow this scheme since http will transmit the username/password in cleartext.
    /Christopher
