SSO Between SAP EP 7.0u2013 BOXIR2 SP1 u2013 BW3.5 Is SNC required?

Similar Messages

• SSO between SAP Portal 7.3 and Ruby on Rails

  Hello Everyone,
  We are planning to integrate SAP Portal 7.3 and a RoR application and I am wondering If someone can share some experience (If you have any of course) on how to establish SSO between SAP Portal and RoR.
  The SAP Portal will act as service provided and RoR as a consumer, we don't have LDAP, so the Portal UME is in ABAP and RoR uses an own UME database. We have SSO between our Portal and SAP Backend systems.
  In RoR customers will have access to their own information (Invoices, etc..) that will be provided by the backend system.
  URL transaction and iFrames is not an option for us.
  The second option is to call Web Services, directly or through the SAP Portal (we are using a central sr).
  I am a NetWeaver consultant who heard about RoR but have no experience in this field.
  All help and tips are greatly appreciated!.
  Regards,
  Ridouan

  We used Client certificates. Still working on the PoC.

• SSO between SAP EP and JAVA app on WebSphere Application Server 5.1

  Hi.  I have 2 questions.
  I am implementing SAP EP6 and need to display content from a WebSphere JAVA application inside the portal.  The application is currently running on WAS 5.1.
  1. Does anyone have any sample code or documentation regarding how to pass the SAP logon ticket to WebSphere JAVA application to accomplish SSO when inside the portal?
  2. Does anyone have any sample code or documentation regarding how to pass the SAP logon ticket to WebSphere JAVA application to accomplish SSO when outside the SAP EP, but still within the same IE browser window where the SAP logon ticket exists?
  Thanks for any feedback you could provide.

  Hello Kevin,
  please look here: https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/nw/ibm/how to set up sso between sap enterprise portal and ibm websphere portal using tai.pdf
  Regarding your second questions: as long as you did not log off from SAP EP your browser hosts the SAP Logon Ticket cookie (within its timeframe of validity which is typically a couple of hours). So if you access a non SAP application that accepts SAP logon ticket with your browser, you're authenticated.
  Please note that the cookie based authentication only works withing the same DNS domain. So if your SAP EP is configured to issues the SAP logon ticket to "company.com" then your browser sends it only to servers in that domain.
  Regards
  Michael

• My experience of SSO between SAP Portal6.0 and non-Sap Application

  Firstly I announce that I am not a Sap developer or a Sap Consultant.  I am a Cognos Consultant. I need do SSO between Sap Portal and Cognos Portal in my project, So I have to make SSO between two portals.
  I  tested  SSO between the two products on IIS5 of Windows XP and IIS6 of Windows 2003 and passed.
  Step 1:  Copy sapsecin.exe and sapsecu.dll on any directory where you want, such as “C:PortalSecurity”
  Then add this  directory  to your Environment variable PATH. You can find the two files on sapserv<x> under general/misc/security/SAPSECU/<platform>;
  Step 2: Copy your Filter ISAPI Files IIS_SSO.dll or IIS6_SSO.dll in any directory where you want, such as “C:PortalFilter”. You can find this two files on SAP note 442401.
  Step 3:  Get you ‘verify.pse’  which is located in
  <irj>
  ootWEB-INFpluginsportalservicesusermanagementdata  and put it on the same directory with your ISAPI Files ,such as C:PortalFilter
  (According Sap Support articles , IIS_SSO.dll should be used on IIS 5 and IIS6_SSO should be used on IIS 6,but I can not load IIS_SSO.dll on IIS 5 of Windows XP, I use IIS6_SSO.dll );
  Step 4:  Create a new file named ‘verify.properties’ , the content of this file see the appendix A;
  Step 5:  Load the IIS6_SSO.dll on your IIS. On IIS5, Select  Website Properties—ISAPI Filter—Add IIS6_SSO.dll and name it ‘wp’ . On IIS6,do as such and Create a Web Extensions  named  ‘wp’ and allocate file IIS6_SSO.dll. Finally restart the www service.
  I
  If you can load the filter successfully, you will see the  filter color is  green.
  On IIS6,Maybe you find that you can’t load your ISAPI file IIS6_SSO.dll, Its state is unloaded and its color is red. I am confused by this question long time. I finally found you must install some R3 dll files on your system! The .dll files which I mentioned can be found in SAP note 684106, put it in a same directory with your security files, such as C:PortalSecurity and restart your web server.
  (The steps above I reference Chris beck ‘s topic)
  Step 6: I write an  ASP file named ‘headerdumper.asp’ on my website and create a i-view to show my asp file in SAP Portal. If you succeed, you can see the http header variable<your logon name> in ASP page. If you application can receive http header variables, then Congratulations! You have apply SSO successfully.
  If your log file show ‘Can't find MYSAPSSO2 ticket cookie for URI "" on host "", don’t worry about it. I am confused by this question long time though.  I found the key cause the errors are cross domain or different DNS suffix.
  I tested 3 scenarios :
  1 if your Sap Portal URL is http://sap-server:50000/irj/protal ,and your asp file is located in http://sap-server:80/headerdumper.asp, You can’t access this asp page from i-view . I am sorry that I have no idea about this.
  2 if your Sap Portal URL is http://sap-server:50000/irj/protal ,and your asp file is located in http://your-server:80/headerdumper.asp, Your log will show ‘Can't find MYSAPSSO2 ticket cookie for URI "" on host "". because they have  no domain name, which is seemed that they meant different  domain.
  3 you must deploy your asp file and sap portal like below ,So you can apply SSO correctly:
  you must access SAP Portal like : http://sap-server.domain.com:50000/irj/portal
  you must access your asp file like http://yourserver.domain.com:80/headerdumper.asp
  then add your asp file as  i-view to your SAP Portal which URL is like  above , you can get Http header variable correctly.
  I am not an native English speaker, I hope you can understand what I said.
  Appendix A The Content of Verfy.properties
  remote_user_alias=REMOTE_USER
  pse_file=C:PortalFilterverify.pse
  application=portal
  log_file=C:PortalFilterverfy.log
  log_level=3
  cache_size= 1000
  Appendix B The Code of headerdumper.asp

  I'd recommend to cross-post your inquiry to the Security

• SSO between BW and Sharepoint

  Hi,
  We have a situation where we want to establish SSO between SAP BW (3.5 with out java stack running on UNIX machine) and MS Sharepoint server.
  Can you kindly let me know what could be the best solution and any documentation?
  I've looked at various docs and mostly all are boiling down to have a Java Stack. I'm unable to figure out a correct solution for the above scenario.
  Thanks and regards
  Aarthi

  Hi Andre,
  We have Windows NTLM (not kerberos) enabled for IWA to logon to Sharepoint portal.
  Thanks and regards
  Aarthi

• SSO Between EP  and R/3 6.4

  Hi,
  I am trying to implement SSO between SAP EP 6.0 and SAP R/3 6.4 using logon tickets.
  I've downloaded the .pse and .der files from Portal,uploaded the .pse in the backend system,added it to the ACL,but when i tried to test the connection in portal using system admin->system configuration->UM configuration->SAP system
  i am getting an error----
  (System ID): com.sap.mw.jco.JCO$Exception: (101) RFC_ERROR_PROGRAM: 'mshost' missing
  (System ID & System Number): com.sap.mw.jco.JCO$Exception: (102) RFC_ERROR_COMMUNICATION: Connect to SAP gateway failed Connect_PM TYPE=A ASHOST=ctsgvcsap3 SYSNR=03 GWHOST=ctsgvcsap3 GWSERV=sapgw03 PCS=1 LOCATION CPIC (TCP/IP) on local host with Unicode ERROR service '?' unknown TIME Thu Feb 23 16:24:39 2006 RELEASE 640 COMPONENT NI (network interface) VERSION 37 RC -3 COUNTER 2
  Where am i going wrong?Please help.
  If anyone is having detailed documentation please forward the same.
  Thanks in advance
  SwarnaDeepika.
  Message was edited by: SwarnaDeepika

  Hi Swarna
  the procedure for importing portal certificate in r3 system i already mentioned
  u have a  authorization for strustsso2 on r3 system
  ask for that to basis person or done with their id
  after importing portal certificate into r3 system u have to restart the r3 system no need to restart the portal system
  and make sure for SSO  both portal and R3 system are in same domain.
  i.e
  sapr3.mydomain.com
  portal.mydomain.com
  if not u have to specify the DNS entry for that by creating alias.
  regards,
  kaushal

• Configure SSO between the SAPGUI and ECC 6

  Hi,
  I need a help to configure SSO between the SAPGUI and ECC 6. I configured the SNC using the parameters:
  snc/accept_insecure_rfc = 1;
  snc/accept_insecure_gui = 1;
  snc/accept_insecure_cpic = 1;
  snc/identity/as = p:Domain\SAPService;
  snc/enable = 1;
  snc/data_protection/use = 1;
  snc/data_protection/min = 1;
  snc/data_protection/max = 1;
  snc/gssapi_lib = D:\usr\sap \ <SID>\SYS\exe\nuc\NTI386\gssntlm.dll.
  I configured desktop with the DLL sncgss32.dll but is not functioning. Somebody has some idea the how solve this problem?
  Thanks
  Alex

  Hi Alex
  You have
  snc/identity/as = p:Domain\SAPService;
  Check the following (wrong user)
  snc/identity/as = p:Domain\SAPService<SAPSID>
  Where SAPService<SAPSID> is the user who runs the SAP System.
  You have
  snc/gssapi_lib = D:\usr\sap \ <SID>\SYS\exe\nuc\NTI386\gssntlm.dll
  Check the following (nuc is a wrong directory, the correct is uc)
  snc/gssapi_lib = D:\usr\sap \ <SID>\SYS\exe\uc\NTI386\gssntlm.dll
  Please, reward points if helpful
  Edited by: Eydar Del Angel on Apr 21, 2008 4:54 PM
  Edited by: Eydar Del Angel on Apr 21, 2008 4:55 PM

• SAP SSO between Microsoft AD and SAP R/3 GUI&WebGui

  Hello Everybody,
  We are looking in to implementing SSO between Mircosoft AD and our SAP CRM ABAP 7.0.
  We have users both logging in through SAP Gui and also the web gui.
  Found there a multiple options for achieving SSO:
  1) SNC
  2) X.509 cerfificate
  3) Kerberos
  I would like to go with X.509 certificate , and have already implemented the SAPCRYPTOLIB 5.5.5. Now am trying to download the "SAP NW Single Sign on 2.0" for installing the Secure Login Library SSL. And when i looked at PAM the required product versions are only:
  1. SAP EHP1 for SAP NW 7.3
  2. SAP NW 7.3
  3. SAP NW 7.4
  4. SAP NW CE 7.2
  So I went back and looked at PAM for SAP NW SINGLE SIGN ON 1.0 required product versions and I only see the below:
  1. SAP EHP1 FOR SAP NETWEAVER 7.3
  2. SAP NETWEAVER 7.3
  3. SAP NETWEAVER CE 7.2
  Our version of SAP is CRM ABAP 7.0, so I am not sure how/which version of Single Sign on I have to use.
  Can someone please advise.
  Thanks!

  Thank you Donka for the information!
  Looks like NW SSO 2.0 is supported for AIX 7.1 SAP ABAP CRM 7.0.
  But we also have users logging in to ABAP CRM 7.0 via HTTP Web dispatcher.
  And the PAM does not mention if NWSSO 2.0 is supported for X.509 method for web gui users logging in via HTTP.
  Also if we decide to go with SSO 2.0 and I manually Install the COMMONCRYPTOLIB 8 instead of the SAPCRYPTOLIB 5.5.5, I should be able to use the Secure Login Library files that come with the SSO 2.0 right?
  Here's our current Kernel version:
  kernel make variant           720_REL, 64 BIT AIX, UNICODE , Patch number 500
  Thanks!

• How to Set Up SSO Between IBM WebSphere and SAP EP Using JAAS

  Hi
  I have read the article on SDN called "How to Set Up SSO Between IBM WebSphere and SAP EP Using JAAS", which is also the name of my posting.
  The reason why I post this is that I've tried to follow the links in the PDF to get the file WebsphereEpSsoLib.zip but I get an error 403, which tells me that the file is not there.
  Does anybody know where this file went or can somebody tell me an alternative place to get this file?
  Jacob

  Please open the associated whitepaper, and you can find the download link to the .ZIP file on page 4.
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/ibm/how to set up single sign-on between an ibm websphere portal and the sap enterprise portal using jaas.pdf
  Hope that works!
  Elise

• Setting up SSO between EP and back-end SAP systems

  Can anybody give me some insight about setting up SSO between EP and back-end SAP systems. If possible some links to write up would be great.
  Thanu

  Hi,
  This link gives you a detailed information on setting up SSO : http://help.sap.com/saphelp_nw04/helpdata/en/89/6eb8deaf2f11d5993700508b6b8b11/frameset.htm
  Some How-guides:
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/e676ec90-0201-0010-cfa3-90b7c1291903
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/77378b3d-0b01-0010-ffa5-c6941e286c43
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/80fbc690-0201-0010-1aba-93d5c8232b4a
  Regards,
  Sunil

• SSO between ITS and EP

  We are implementing ESS MSS on 4.7 , ITS 4.7 with EP 6.0
  Can some one point me as to how to configure the SSO between these various landscapes. I Think we would require SSO between EP and ITS for ESS in MSS services.
  regards
  Sam
  Message was edited by:
          sameer chilama

  Hi Sameer,
  All the information you are looking for is in the help.sap.com
  http://help.sap.com/saphelp_nw04/helpdata/en/89/6eb8e1af2f11d5993700508b6b8b11/frameset.htm
  This help guide is really very clear and thorough.
  Regards
  Daniel

• SSO between ITS 620 R/3 and EP

  Hi,
  I need to use ITS 620 for R/3 4.7 and EP 6.0 for ess/mss implementation
  I have to configure SSO between R/3 and EP.
  Do I also need to configure SSO between ITS and R/3 , ITS and EP also for this?
  If yes can any one tell me the steps in configuring SSO between ITS and R/3, ITS and EP ?
  advance thanks,
  PK

  UPDATE:
  I have installed a portal (SAp netweaver 7.0 Java stack) and have connected it to a ECC6.0 SR3 backend and I needed only to configure the SSO between portal and backend abap instance, and all worked fine. There was no need to configure the SSO between the integrated ITS and abap instance.
  About the error  message mentioned in my previous forum entry:
  I did not only do the steps for SSO between portal and backend as described in the blog "Configuring the Business Package for Employee Self-Service (ESS)", but I also did all the additional steps as mentioned in "10 golden rules of SSO".
  After that the error message "SSO logon not possible; logon tickets not activated on the server" did not appear anymore. (Instead a screen that asks for username and password always appears with the warning "No switch to HTTPS occurred, so it is not secure to send a password". But I think that's ok.)

• SSO to SAP works but no OLAP Connection per SSO Auth

  Hi experts,
  we have setup an SSO for the Authentication of SAP BW and SAP BO and used the portal integration. We are using SAP BO 4.1 SP4 and SAP BW 7.4.
  We use the Login via Netweaver Portal go then to the SAP BO where the reports are stored.
  The SSO login works fine, but the OLAP connection to the SAP BW system does not fly. I have tried to create a connection via IDT. This works.
  After that I created a WebI report in the Applet and chose BEx Connection and retreived the error:
  error.openSapBwBrowsingSessionFailed
  Then i tried the WebI Rhich Client and recieved the message: Unknown Error in SL Service and Even do not recieve the list of possible Bex connections.
  We are using SNC for the user authentication in SAP BW.
  An now it is getting very unnormal:
  When i go the IDT tool and create the connection again and republish this to the repository and try to connect again via WebI Applet, i do not get the error message again.
  Can you please assist, as our Business user can not publish their OLAP connection.
  Regards,
  Markus

  The new Business Objects version (BI 4.0) comes with a new authentication
  technology to create a trust relationship between a non-SAP user and the SAP
  data source. How to determine the correct method to be used?
  When using legacy .unv universes (XI 3.1 technology) = SNC
  When using .unx environments (BI 4.0 new semantic layer) = STS
  when you try to connet BICS connection or IDT it is important to use the STS methodology.
  check the below link to have configurations.
  Follows a Wiki link with a "How to setup SSO against SAP  BW in SBO BI4.0 for LDAP users".  and follow the raunak kumar suggestion when you configire SNC and STS.
  http://wiki.sdn.sap.com/wiki/display/BOBJ/How+to+setup+SSO+against+SAP+BW+in+SBO+BI4.0+for+LDAP+users

• SSO to SAP EP6 (for Employee Self Service) using WebSEAL

  Hi SDN friends,
  We are about to embark on a SSO implementation using IBM WebSEAL for SAP EP6 ESS (Employee Self Service) connecting through to an SAP R/3 4.7 server.  Since the ESS solution for 4.7 still uses ITS services, this means that we have ITS iViews in the EP6 portal.
  We have managed to look through the whitepaper 'IBM Tivoli Access Manager - Single Sign On for SAP NetWeaver - September 2005' described at https://www.sdn.sap.com/irj/sdn/developerareas/ibm
  We have the following queries, if anybody has a simple answer to these:
  -  Is it absolutely necessary to configure an SNC connection between ITS/EP6 and R/3 server to achieve SSO for the portal?
  -  Given that SAP EP6 references ITS IAC iviews, is it necessary for us to configure both ITS and EP6 for SSO, or can we simply configure EP6 for SSO?  If so, is it also necessary to configure both for SSL?
  -  Otherwise, how easy is it to set up SSO in this scenario without SSL (for demo purposes)?
  Any thoughts would be greatly appreciated.
  Cheers
  John Moy

  Hello John,
  regarding your questions:
  ad 1) no. SNC is only mandatory if you use X.509-based SSO to R/3. You can also use SAP logon ticket-based SSO from EP to R/3 or usermapping that do both not require SNC.
  ad 2) yes, you have to configure both EP and ITS at WebSeal.
  ad 3) you can always omit SSL. However for production use, it is recommended.
  Regards
  Michael

• Configuring SSO Between Portal & Any Third Party Website.....

  Hello All,
          I have a requirement to configure the SSO between Porat & any Website, Does anybody have experience of it. pls provide if any Doc is there or way of doing that ??
  thanks
  Smita

  Hi Smita,
  You can follow these steps:
  UPLOAD:
  1.Upload the par in PCD
  SYSTEM CREATION:
  1)Create ->System from par -> select com.sap.portal.howtos.webapp -> web application->give name & Id
  2)Properties-->object->system definition
         Name of the server : login.yahoo.com
         Port : (empty)
         URI :/config/login
  3)create alias
  4)set user Mapping
  IVIEW CREATION:
  1)Iview from par
  2)Iview type:com.sap-appintegrator.sap
  3)template:generic
  4)Properties Setting:
       System : (system alias name )
       URL Template :<System.protocol>://<System.server><System.uri>?<Authentication>
       URL Template fragment for UserMapping: <System.protocol>://<System.server><System.uri>?<Authentication>
  You can have a look at this blog:
  Step-By-Step Guide to implement Application Integrator
  Regards,
  Dhana