SSO Between SAP EP 7.0u2013 BOXIR2 SP1 u2013 BW3.5 Is SNC required?
We are trying to enable SSO between SAP EP, BO and BI so that users will be able to access Crystal reports (which have got backend as BW) from Enterprise Portal which are scheduled in BO enterprise server
Below are the details on our landscape.
1) SAP EP 7.0 Integrated with AD and SP Nego configured(if it fails users will use AD user id and pwd)
2) BO u2013 AD authentication is available as well as SAP Authentication got enabled using SAP BO Integration Kit. In BO reports are there which got backend as BW and scheduled successfully.
3) BW 3.5 is using SAP authentication(Not AD authentication)
4) SSO has been established between SAP EP and BW (user ids will be same in AD and BW)
5) BO has two servers bo1.yy.comp.com and bo2.yy.comp.com
6) SAP EP and BW has domain names as EP.xx.yy.comp.com and BW.xx.yy.comp.com u2013 additional u201Cxxu201D is there in the domain trail. So we have created a dns entry bo.xx.yy.comp.com which will resolve to bo2.yy.comp.com (CMS is running in this server) so that we meet the prerequisite for SSO with EP u2013 BO - BW.
7) BW is not configured with SNC.
Question 1- As per point 3 u2013 SAP Authentication is available in BO u2013
So in that BO server can we use ASPX page to read MYSAPSSO2 cookie generated by SAP EP and use that cookie to access report which got BW as backend?
Question 2
Do we need any more configuration for the SSO from EP - BO u2013 BW? (do we need to go for SNC?)
Even after reading many threads I couldn't understand the flow of SSO. Any advice will really help us overcome the hurdles.
Thanks in Advance
JayCeeDee
Question 1- As per point 3 u2013 SAP Authentication is available in BO u2013
So in that BO server can we use ASPX page to read MYSAPSSO2 cookie generated by SAP EP and use that cookie to access report which got BW as backend?
>>> Assuming you are getting SSO tickets from the portal that happens automatically when the SAP authentication is configured.
Question 2
Do we need any more configuration for the SSO from EP - BO u2013 BW? (do we need to go for SNC?)
>> You mention on the one hand SSO tickets, on the other hand Windows AD. Which one is it ? What is the authentication that the user will leverage to connect to the BusinessObjects Server ?
Ingo
Similar Messages
-
SSO between SAP Portal 7.3 and Ruby on Rails
Hello Everyone,
We are planning to integrate SAP Portal 7.3 and a RoR application and I am wondering If someone can share some experience (If you have any of course) on how to establish SSO between SAP Portal and RoR.
The SAP Portal will act as service provided and RoR as a consumer, we don't have LDAP, so the Portal UME is in ABAP and RoR uses an own UME database. We have SSO between our Portal and SAP Backend systems.
In RoR customers will have access to their own information (Invoices, etc..) that will be provided by the backend system.
URL transaction and iFrames is not an option for us.
The second option is to call Web Services, directly or through the SAP Portal (we are using a central sr).
I am a NetWeaver consultant who heard about RoR but have no experience in this field.
All help and tips are greatly appreciated!.
Regards,
RidouanWe used Client certificates. Still working on the PoC.
-
SSO between SAP EP and JAVA app on WebSphere Application Server 5.1
Hi. I have 2 questions.
I am implementing SAP EP6 and need to display content from a WebSphere JAVA application inside the portal. The application is currently running on WAS 5.1.
1. Does anyone have any sample code or documentation regarding how to pass the SAP logon ticket to WebSphere JAVA application to accomplish SSO when inside the portal?
2. Does anyone have any sample code or documentation regarding how to pass the SAP logon ticket to WebSphere JAVA application to accomplish SSO when outside the SAP EP, but still within the same IE browser window where the SAP logon ticket exists?
Thanks for any feedback you could provide.Hello Kevin,
please look here: https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/nw/ibm/how to set up sso between sap enterprise portal and ibm websphere portal using tai.pdf
Regarding your second questions: as long as you did not log off from SAP EP your browser hosts the SAP Logon Ticket cookie (within its timeframe of validity which is typically a couple of hours). So if you access a non SAP application that accepts SAP logon ticket with your browser, you're authenticated.
Please note that the cookie based authentication only works withing the same DNS domain. So if your SAP EP is configured to issues the SAP logon ticket to "company.com" then your browser sends it only to servers in that domain.
Regards
Michael -
My experience of SSO between SAP Portal6.0 and non-Sap Application
Firstly I announce that I am not a Sap developer or a Sap Consultant. I am a Cognos Consultant. I need do SSO between Sap Portal and Cognos Portal in my project, So I have to make SSO between two portals.
I tested SSO between the two products on IIS5 of Windows XP and IIS6 of Windows 2003 and passed.
Step 1: Copy sapsecin.exe and sapsecu.dll on any directory where you want, such as C:PortalSecurity
Then add this directory to your Environment variable PATH. You can find the two files on sapserv<x> under general/misc/security/SAPSECU/<platform>;
Step 2: Copy your Filter ISAPI Files IIS_SSO.dll or IIS6_SSO.dll in any directory where you want, such as C:PortalFilter. You can find this two files on SAP note 442401.
Step 3: Get you verify.pse which is located in
<irj>
ootWEB-INFpluginsportalservicesusermanagementdata and put it on the same directory with your ISAPI Files ,such as C:PortalFilter
(According Sap Support articles , IIS_SSO.dll should be used on IIS 5 and IIS6_SSO should be used on IIS 6,but I can not load IIS_SSO.dll on IIS 5 of Windows XP, I use IIS6_SSO.dll );
Step 4: Create a new file named verify.properties , the content of this file see the appendix A;
Step 5: Load the IIS6_SSO.dll on your IIS. On IIS5, Select Website PropertiesISAPI FilterAdd IIS6_SSO.dll and name it wp . On IIS6,do as such and Create a Web Extensions named wp and allocate file IIS6_SSO.dll. Finally restart the www service.
I
If you can load the filter successfully, you will see the filter color is green.
On IIS6,Maybe you find that you cant load your ISAPI file IIS6_SSO.dll, Its state is unloaded and its color is red. I am confused by this question long time. I finally found you must install some R3 dll files on your system! The .dll files which I mentioned can be found in SAP note 684106, put it in a same directory with your security files, such as C:PortalSecurity and restart your web server.
(The steps above I reference Chris beck s topic)
Step 6: I write an ASP file named headerdumper.asp on my website and create a i-view to show my asp file in SAP Portal. If you succeed, you can see the http header variable<your logon name> in ASP page. If you application can receive http header variables, then Congratulations! You have apply SSO successfully.
If your log file show Can't find MYSAPSSO2 ticket cookie for URI "" on host "", dont worry about it. I am confused by this question long time though. I found the key cause the errors are cross domain or different DNS suffix.
I tested 3 scenarios :
1 if your Sap Portal URL is http://sap-server:50000/irj/protal ,and your asp file is located in http://sap-server:80/headerdumper.asp, You cant access this asp page from i-view . I am sorry that I have no idea about this.
2 if your Sap Portal URL is http://sap-server:50000/irj/protal ,and your asp file is located in http://your-server:80/headerdumper.asp, Your log will show Can't find MYSAPSSO2 ticket cookie for URI "" on host "". because they have no domain name, which is seemed that they meant different domain.
3 you must deploy your asp file and sap portal like below ,So you can apply SSO correctly:
you must access SAP Portal like : http://sap-server.domain.com:50000/irj/portal
you must access your asp file like http://yourserver.domain.com:80/headerdumper.asp
then add your asp file as i-view to your SAP Portal which URL is like above , you can get Http header variable correctly.
I am not an native English speaker, I hope you can understand what I said.
Appendix A The Content of Verfy.properties
remote_user_alias=REMOTE_USER
pse_file=C:PortalFilterverify.pse
application=portal
log_file=C:PortalFilterverfy.log
log_level=3
cache_size= 1000
Appendix B The Code of headerdumper.aspI'd recommend to cross-post your inquiry to the Security
-
Hi,
We have a situation where we want to establish SSO between SAP BW (3.5 with out java stack running on UNIX machine) and MS Sharepoint server.
Can you kindly let me know what could be the best solution and any documentation?
I've looked at various docs and mostly all are boiling down to have a Java Stack. I'm unable to figure out a correct solution for the above scenario.
Thanks and regards
AarthiHi Andre,
We have Windows NTLM (not kerberos) enabled for IWA to logon to Sharepoint portal.
Thanks and regards
Aarthi -
SSO Between EP and R/3 6.4
Hi,
I am trying to implement SSO between SAP EP 6.0 and SAP R/3 6.4 using logon tickets.
I've downloaded the .pse and .der files from Portal,uploaded the .pse in the backend system,added it to the ACL,but when i tried to test the connection in portal using system admin->system configuration->UM configuration->SAP system
i am getting an error----
(System ID): com.sap.mw.jco.JCO$Exception: (101) RFC_ERROR_PROGRAM: 'mshost' missing
(System ID & System Number): com.sap.mw.jco.JCO$Exception: (102) RFC_ERROR_COMMUNICATION: Connect to SAP gateway failed Connect_PM TYPE=A ASHOST=ctsgvcsap3 SYSNR=03 GWHOST=ctsgvcsap3 GWSERV=sapgw03 PCS=1 LOCATION CPIC (TCP/IP) on local host with Unicode ERROR service '?' unknown TIME Thu Feb 23 16:24:39 2006 RELEASE 640 COMPONENT NI (network interface) VERSION 37 RC -3 COUNTER 2
Where am i going wrong?Please help.
If anyone is having detailed documentation please forward the same.
Thanks in advance
SwarnaDeepika.
Message was edited by: SwarnaDeepikaHi Swarna
the procedure for importing portal certificate in r3 system i already mentioned
u have a authorization for strustsso2 on r3 system
ask for that to basis person or done with their id
after importing portal certificate into r3 system u have to restart the r3 system no need to restart the portal system
and make sure for SSO both portal and R3 system are in same domain.
i.e
sapr3.mydomain.com
portal.mydomain.com
if not u have to specify the DNS entry for that by creating alias.
regards,
kaushal -
Configure SSO between the SAPGUI and ECC 6
Hi,
I need a help to configure SSO between the SAPGUI and ECC 6. I configured the SNC using the parameters:
snc/accept_insecure_rfc = 1;
snc/accept_insecure_gui = 1;
snc/accept_insecure_cpic = 1;
snc/identity/as = p:Domain\SAPService;
snc/enable = 1;
snc/data_protection/use = 1;
snc/data_protection/min = 1;
snc/data_protection/max = 1;
snc/gssapi_lib = D:\usr\sap \ <SID>\SYS\exe\nuc\NTI386\gssntlm.dll.
I configured desktop with the DLL sncgss32.dll but is not functioning. Somebody has some idea the how solve this problem?
Thanks
AlexHi Alex
You have
snc/identity/as = p:Domain\SAPService;
Check the following (wrong user)
snc/identity/as = p:Domain\SAPService<SAPSID>
Where SAPService<SAPSID> is the user who runs the SAP System.
You have
snc/gssapi_lib = D:\usr\sap \ <SID>\SYS\exe\nuc\NTI386\gssntlm.dll
Check the following (nuc is a wrong directory, the correct is uc)
snc/gssapi_lib = D:\usr\sap \ <SID>\SYS\exe\uc\NTI386\gssntlm.dll
Please, reward points if helpful
Edited by: Eydar Del Angel on Apr 21, 2008 4:54 PM
Edited by: Eydar Del Angel on Apr 21, 2008 4:55 PM -
SAP SSO between Microsoft AD and SAP R/3 GUI&WebGui
Hello Everybody,
We are looking in to implementing SSO between Mircosoft AD and our SAP CRM ABAP 7.0.
We have users both logging in through SAP Gui and also the web gui.
Found there a multiple options for achieving SSO:
1) SNC
2) X.509 cerfificate
3) Kerberos
I would like to go with X.509 certificate , and have already implemented the SAPCRYPTOLIB 5.5.5. Now am trying to download the "SAP NW Single Sign on 2.0" for installing the Secure Login Library SSL. And when i looked at PAM the required product versions are only:
1. SAP EHP1 for SAP NW 7.3
2. SAP NW 7.3
3. SAP NW 7.4
4. SAP NW CE 7.2
So I went back and looked at PAM for SAP NW SINGLE SIGN ON 1.0 required product versions and I only see the below:
1. SAP EHP1 FOR SAP NETWEAVER 7.3
2. SAP NETWEAVER 7.3
3. SAP NETWEAVER CE 7.2
Our version of SAP is CRM ABAP 7.0, so I am not sure how/which version of Single Sign on I have to use.
Can someone please advise.
Thanks!Thank you Donka for the information!
Looks like NW SSO 2.0 is supported for AIX 7.1 SAP ABAP CRM 7.0.
But we also have users logging in to ABAP CRM 7.0 via HTTP Web dispatcher.
And the PAM does not mention if NWSSO 2.0 is supported for X.509 method for web gui users logging in via HTTP.
Also if we decide to go with SSO 2.0 and I manually Install the COMMONCRYPTOLIB 8 instead of the SAPCRYPTOLIB 5.5.5, I should be able to use the Secure Login Library files that come with the SSO 2.0 right?
Here's our current Kernel version:
kernel make variant 720_REL, 64 BIT AIX, UNICODE , Patch number 500
Thanks! -
How to Set Up SSO Between IBM WebSphere and SAP EP Using JAAS
Hi
I have read the article on SDN called "How to Set Up SSO Between IBM WebSphere and SAP EP Using JAAS", which is also the name of my posting.
The reason why I post this is that I've tried to follow the links in the PDF to get the file WebsphereEpSsoLib.zip but I get an error 403, which tells me that the file is not there.
Does anybody know where this file went or can somebody tell me an alternative place to get this file?
JacobPlease open the associated whitepaper, and you can find the download link to the .ZIP file on page 4.
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/ibm/how to set up single sign-on between an ibm websphere portal and the sap enterprise portal using jaas.pdf
Hope that works!
Elise -
Setting up SSO between EP and back-end SAP systems
Can anybody give me some insight about setting up SSO between EP and back-end SAP systems. If possible some links to write up would be great.
ThanuHi,
This link gives you a detailed information on setting up SSO : http://help.sap.com/saphelp_nw04/helpdata/en/89/6eb8deaf2f11d5993700508b6b8b11/frameset.htm
Some How-guides:
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/e676ec90-0201-0010-cfa3-90b7c1291903
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/77378b3d-0b01-0010-ffa5-c6941e286c43
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/80fbc690-0201-0010-1aba-93d5c8232b4a
Regards,
Sunil -
We are implementing ESS MSS on 4.7 , ITS 4.7 with EP 6.0
Can some one point me as to how to configure the SSO between these various landscapes. I Think we would require SSO between EP and ITS for ESS in MSS services.
regards
Sam
Message was edited by:
sameer chilamaHi Sameer,
All the information you are looking for is in the help.sap.com
http://help.sap.com/saphelp_nw04/helpdata/en/89/6eb8e1af2f11d5993700508b6b8b11/frameset.htm
This help guide is really very clear and thorough.
Regards
Daniel -
SSO between ITS 620 R/3 and EP
Hi,
I need to use ITS 620 for R/3 4.7 and EP 6.0 for ess/mss implementation
I have to configure SSO between R/3 and EP.
Do I also need to configure SSO between ITS and R/3 , ITS and EP also for this?
If yes can any one tell me the steps in configuring SSO between ITS and R/3, ITS and EP ?
advance thanks,
PKUPDATE:
I have installed a portal (SAp netweaver 7.0 Java stack) and have connected it to a ECC6.0 SR3 backend and I needed only to configure the SSO between portal and backend abap instance, and all worked fine. There was no need to configure the SSO between the integrated ITS and abap instance.
About the error message mentioned in my previous forum entry:
I did not only do the steps for SSO between portal and backend as described in the blog "Configuring the Business Package for Employee Self-Service (ESS)", but I also did all the additional steps as mentioned in "10 golden rules of SSO".
After that the error message "SSO logon not possible; logon tickets not activated on the server" did not appear anymore. (Instead a screen that asks for username and password always appears with the warning "No switch to HTTPS occurred, so it is not secure to send a password". But I think that's ok.) -
SSO to SAP works but no OLAP Connection per SSO Auth
Hi experts,
we have setup an SSO for the Authentication of SAP BW and SAP BO and used the portal integration. We are using SAP BO 4.1 SP4 and SAP BW 7.4.
We use the Login via Netweaver Portal go then to the SAP BO where the reports are stored.
The SSO login works fine, but the OLAP connection to the SAP BW system does not fly. I have tried to create a connection via IDT. This works.
After that I created a WebI report in the Applet and chose BEx Connection and retreived the error:
error.openSapBwBrowsingSessionFailed
Then i tried the WebI Rhich Client and recieved the message: Unknown Error in SL Service and Even do not recieve the list of possible Bex connections.
We are using SNC for the user authentication in SAP BW.
An now it is getting very unnormal:
When i go the IDT tool and create the connection again and republish this to the repository and try to connect again via WebI Applet, i do not get the error message again.
Can you please assist, as our Business user can not publish their OLAP connection.
Regards,
MarkusThe new Business Objects version (BI 4.0) comes with a new authentication
technology to create a trust relationship between a non-SAP user and the SAP
data source. How to determine the correct method to be used?
When using legacy .unv universes (XI 3.1 technology) = SNC
When using .unx environments (BI 4.0 new semantic layer) = STS
when you try to connet BICS connection or IDT it is important to use the STS methodology.
check the below link to have configurations.
Follows a Wiki link with a "How to setup SSO against SAP BW in SBO BI4.0 for LDAP users". and follow the raunak kumar suggestion when you configire SNC and STS.
http://wiki.sdn.sap.com/wiki/display/BOBJ/How+to+setup+SSO+against+SAP+BW+in+SBO+BI4.0+for+LDAP+users -
SSO to SAP EP6 (for Employee Self Service) using WebSEAL
Hi SDN friends,
We are about to embark on a SSO implementation using IBM WebSEAL for SAP EP6 ESS (Employee Self Service) connecting through to an SAP R/3 4.7 server. Since the ESS solution for 4.7 still uses ITS services, this means that we have ITS iViews in the EP6 portal.
We have managed to look through the whitepaper 'IBM Tivoli Access Manager - Single Sign On for SAP NetWeaver - September 2005' described at https://www.sdn.sap.com/irj/sdn/developerareas/ibm
We have the following queries, if anybody has a simple answer to these:
- Is it absolutely necessary to configure an SNC connection between ITS/EP6 and R/3 server to achieve SSO for the portal?
- Given that SAP EP6 references ITS IAC iviews, is it necessary for us to configure both ITS and EP6 for SSO, or can we simply configure EP6 for SSO? If so, is it also necessary to configure both for SSL?
- Otherwise, how easy is it to set up SSO in this scenario without SSL (for demo purposes)?
Any thoughts would be greatly appreciated.
Cheers
John MoyHello John,
regarding your questions:
ad 1) no. SNC is only mandatory if you use X.509-based SSO to R/3. You can also use SAP logon ticket-based SSO from EP to R/3 or usermapping that do both not require SNC.
ad 2) yes, you have to configure both EP and ITS at WebSeal.
ad 3) you can always omit SSL. However for production use, it is recommended.
Regards
Michael -
Configuring SSO Between Portal & Any Third Party Website.....
Hello All,
I have a requirement to configure the SSO between Porat & any Website, Does anybody have experience of it. pls provide if any Doc is there or way of doing that ??
thanks
SmitaHi Smita,
You can follow these steps:
UPLOAD:
1.Upload the par in PCD
SYSTEM CREATION:
1)Create ->System from par -> select com.sap.portal.howtos.webapp -> web application->give name & Id
2)Properties-->object->system definition
Name of the server : login.yahoo.com
Port : (empty)
URI :/config/login
3)create alias
4)set user Mapping
IVIEW CREATION:
1)Iview from par
2)Iview type:com.sap-appintegrator.sap
3)template:generic
4)Properties Setting:
System : (system alias name )
URL Template :<System.protocol>://<System.server><System.uri>?<Authentication>
URL Template fragment for UserMapping: <System.protocol>://<System.server><System.uri>?<Authentication>
You can have a look at this blog:
Step-By-Step Guide to implement Application Integrator
Regards,
Dhana
Maybe you are looking for
-
Under which directory the HttpclusterServlet bging configured in an weblogic11g environment
Hello, I am new to weblogic server and currently in the process of configuring a managed server (standalone) with HttpclusterServlet as a load balancer.As part of this I am unable to find under which directory the HttpclusterServlet being configured
-
Question about iCloud and mail
I totally do not understand all of this iCloud stuff. I hope you can help me. I have a .mac account that I know can be pushed to the Cloud. In the Mail Program I have two other accounts with different providers. One is an IMAP and the other a PO
-
Since downloading ios8 to my I pad mini I am unable to sync movies, however I can sync them on my I phone 5s with same update? How can I change this?
-
Map the second occurrence of IDOC
Hi All, i have been facing problem to map the second occurences of IDOC to target field.Ex:IDOC[02]-field1. In the mapping for source i have specifed IDOC and generated advanced used defined function and mapped to target field. But i have ent
-
How to set JCO.Server to unicode
Hi, I'm trying to call a Java class (myExample5)from a R/3 that is unicode compliant. Using example5 in the sapjco-ntintel-2.1.5.zip, I've created the ABAP program to call STFC_CONNECTION with the destination 'JCO'. I get to my JAVA program, but th