SSO In HANA DB

How do i install Kerberos in Linux to configure SSO in HANA DB?????

Hi Chandrish
Doesn't the SCN search function work for you?
When I typed in "SSO HANA" I found e.g. this nice article:
Setting up Single Sign-On (SSO) with SAP HANA and SAP BusinessObjects XI 4.0,
a couple of SAP notes and this rather cummulative blog post:
Lessons learned setting up End-2-End SSO with Kerberos between BI and HANA
Might be a good point to start off, don't you think?
- Lars

Similar Messages

How to merge two Oracle SSO IDs?

As many have noticed, I have 2 SSO ids: 'Hans Forbrich' that I have had for many years; and Hans Forbrich (alt ID) that was created by the OU group for SSO access to OU sites.
I'm wondering how to merge these two IDs while retaining the Oracle University Single Sign On capability.

Have you tried to sign in to OU with the other ID? I
would think that you would be able to since OU uses
SSO as well (it may not have in the past).Oh yes. Does not work.
>
It may be just a matter of having some OU folks add
your other account to the database.Not quite that simple. They have a few extra settings, and permissions, tied to the user id. And effective and expiry dates. And ...

Error while creating a BO Universe (using IDT) on top of SAP HANA Calculation View with Input Parameters

Hi All..
We are trying to create a Universe (using IDT-Version4.0) on top of the HANA Calculation view. The Calculation view has 4 input parameters, So
in Universe side we have created the respective prompts. For the creation of derived table we have used the following code
SELECT *
FROM "_SYS_BIC"."<schema_name>.<CV_Calculation_View_test>"
'PLACEHOLDER'=('$$IP_A$$','@Prompt(A)'),
'PLACEHOLDER'=('$$IP_B$$','@Prompt(B)'),
'PLACEHOLDER'=('$$IP_C$$','@Prompt(C)'),
'PLACEHOLDER'=('$$IP_D$$','@Prompt(D)')
While validating the above code we are getting an error.
I have attached the snapshot of that error for your reference. Please find the attachment and help me in resolving it.
Thanks in advance.

Hello George,
I don't have any personalization set on the info space. Also I am using mapped Account in BI to connect to HANA. The confusing part is that it is able to validate the infospace with the input parameters and index it. However query does not return any results. I even tried running the same query which explorer sends to HANA in the SQL editor and there too the same results,the query does not return anything. The model does return data when I do a data preview and if accessed from other tools like AAO.
Also when I use SSO connection to HANA, indexing of the infospace fails. Where can I see the error log?
Thanks,

Need help on SAP SSO with SAML & SSO2

Dear expert,
We met an SSO issue on launchpad.
Here is our scenario and SSO structure. We use fiori launchpad to display all SAP apps.
1. When an user visit launchpad URL, URL will redirect user to identity provider (IDP) for SAML authentication.
2. Then IDP authenticate with SAML2.0 token back to gateway.
3. Gateway accept the SAML2.0 token and issue SSO2 logon ticket.
4. Use logon ticket to backend ABAP ERP system for transaction apps.
5. Use logon ticket to HANA system for factsheet.
Now the first step above is OK as SAML token can be authenticated back to gateway. But after that, the basic form authentication pop-up for user credential on both backend system and HANA, which should not. We found out that launchpad was stucked with error message "/sap/es/ina/GetServerInfo HTTP/1.1 401 Unauthorized" at ERP backend service "GetServerInfo". By checking the cookies, we found out that after SAML token accepted by gateway, gateway did not issue any MYSAPSSO2 ticket.
However, when we disabled SAML and use form authentication for launchpad, SSO2 logon ticket works perfectly among GW, ERP and HANA. So, there should be no issue configuration regarding SSO2 logon ticket in SAP GUI.
here is the system information:
GW: NW740 SP5
ERP: ECC6 on NW740 SP5
HANA: v70
Please kindly help us out on this issue. Please ask if other information is needed. thanks.
Best regards,
Xian' an

This discussion thread belongs to the SAP Gateway space. For generic SSO related queries where portal is not involved the correct space is SAP NetWeaver Application Server. This space is for NetWeaver Single Sign-On (NWSSO, the separately purchasable product) topics only.

SAP BW and BO Universe on HANA

Hi Experts,
I'm trying to teach myself SAP HANA and want to clarify few questions I have with what I have studied so far :
1) Can one HANA unit/Appliance be used as a data source for both BW and BO Universe where the data is coming from a number of SAP and non SAP source systems ?
2) Do we yet have the ability to use non SAP reporting tools on HANA ?
and the next question has confused me the most
3) difference between HANA as a Data Source for BW and BW as a source system for HANA ?
Any help on this will be really appreciated .
Thanks
Gaurav

Hi Mohammed,
SSO is not compulsory in a set up where SAP BW is backend and reporting front end is SAP BO. For eg:- in a company where very few business users alone are using BO reports, we can create enterprise users and define our security model in SAP BO.
But normally when you have common users in SAP BW and SAP BO who access particular data mart data alone, in your case different regional managers, implementing SSO would make security model easier. When a particular manager is having access only to particular regional or application datamart, you can import same roles and users to SAP BO and assign the same to the user so that he will be restricted with the data from only assigned datamart.
In first case where you create separate users in BO, you will have to define your separate security model in SAP BO and assign the same to users. SSO will make your data security model easier and it will be sync with SAP BW model. You have the option to use both models simultaneously in your set up, provided you should have security model defined for the same.
Refer below link for more details on implementing SSO.
http://wiki.scn.sap.com/wiki/display/BOBJ/Setup+of+SAP+SSO+Service+in+SAP+BO+BI4.0+CMC
Regards,
Nikhil Joy

Can't add cloud system to Eclipse - Password SSO problem

Hi folks,
Ok so I'm doing the openSAP Hanacloud2 course.
When I go to set up my Eclipse and in the HANA Development perspective I ask to "add cloud system", I put in hanatrial.ondemand.com, my account, user id and I've tried all my usual passwords, but it still doesn't work.
Regardless of what I put in I get the response:
"The identify of user i003170 could not be verified for
https://services.hanatrial.ondemand.com/services/v1/instances/i003170trial/persistence/v1/schemas/.
Please very the supplied user name and password and execute the command again."
The trouble is, as a SAP Employee, everything on the web logs me in by SSO. I can't see anywhere in the HCP to reset the password or anywhere in Eclipse to use SSO?
So I'm stuck. Any suggestions????
Rgds,
Jocelyn

Hey Jocelyn,
it's the SAP ID Service / SCN password. Here you go:
SAP Community Network: Forgot Your Password?
Cheers,
--Vlado

SSO to partner application running under IIS

Hi,
We have a complete set-up for 9iAS Release2 where some applications are running. In parallell we have an application running under IIS, and would now like to enable the IIS application as a partner application to 9iAS letting the 9iAS SSO server handle the authentication.
In the documentation of Oracle Proxy Plug-in I read that this proxy plug-in can be used to proxy requests from IIS to Oracle http server (OHS) and also in this way enable SSO.
My question is if this can be done only for applications running under 9iAS but having IIS as web server, or if it is also possible like in our case to enable SSO via the proxy plug-in to applications runnind under IIS?
If this is not supported is the only available solution to use the SSO SDK in my IIS application?
Thanks and regards,
Rikard

Here's a DIY answer.
See Metalink Note 269820.1 which shows you how to use Perl to overwrite the host name in the HTTP header and remove the port number.

SSO java sample application problem

Hi all,
I am trying to run the SSO java sample application, but am experiencing a problem:
When I request the papp.jsp page I end up in an infinte loop, caught between papp.jsp and ssosignon.jsp.
An earlier thread in this forum discussed the same problem, guessing that the cookie handling was the problem. This thread recommended a particlar servlet , ShowCookie, for inspecting the cookies for the current session.
I have installed this cookie on the server, but don't see anything but one cookie, JSESSIONID.
At present I am running the jsp sample app on a Tomcat server, while Oracle 9iAS with sso and portal is running on another machine on the LAN.
The configuration of the SSO sample application is as follows:
Cut from SSOEnablerJspBean.java:
// Listener token for this partner application name
private static String m_listenerToken = "wmli007251:8080";
// Partner application session cookie name
private static String m_cookieName = "SSO_PAPP_JSP_ID";
// Partner application session domain
private static String m_cookieDomain = "wmli007251:8080/";
// Partner application session path scope
private static String m_cookiePath = "/";
// Host name of the database
private static String m_dbHostName = "wmsi001370";
// Port for database
private static String m_dbPort = "1521";
// Sehema name
private static String m_dbSchemaName = "testpartnerapp";
// Schema password
private static String m_dbSchemaPasswd = "testpartnerapp";
// Database SID name
private static String m_dbSID = "IASDB.WMDATA.DK";
// Requested URL (User requested page)
private static String m_requestUrl = "http://wmli007251:8080/testsso/papp.jsp";
// Cancel URL(Home page for this application which don't require authentication)
private static String m_cancelUrl = "http://wmli007251:8080/testsso/fejl.html";
Values specified in the Oracle Portal partner app administration page:
     ID: 1326
     Token: O87JOE971326
     Encryption key: 67854625C8B9BE96
     Logon-URL: http://wmsi001370:7777/pls/orasso/orasso.wwsso_app_admin.ls_login
     single signoff-URL: http://wmsi001370:7777/pls/orasso/orasso.wwsso_app_admin.ls_logout
     Name: testsso
     Start-URL: http://wmli007251:8080/testsso/
     Succes-URL: http://wmli007251:8080/testsso/ssosignon.jsp
     Log off-URL: http://wmli007251:8080/testsso/papplogoff.jsp
Finally I have specified the cookie version to be v1.0 when running the regapp.sql script. Other parameters for this script are copied from the values specified above.
Unfortunately the discussion in the earlier thread did not go any further but to recognize the cookieproblem, so I am now looking for help to move further on from here.
Any ideas will be greatly appreciated!
/Mads

Pierre - When you work on the sample application, you should test the pages in a separate browser instance. Don't use the Run Page links from the Builder. The sample app has a different authentication scheme from that used in the development environment so it'll work better for you to use a separate development browser from the application testing browser. In the testing browser, to request the page you just modified, login to the application, then change the page ID in the URL. Then put some navigation controls into the application so you can run your page more easily by clicking links from other pages.
Scott

How to change SSO Partner Application Login_url and Logout_url

As part of a deployment in a different data centre, we needed to change the domain name of an application using SSO for authentication. We have gone through the process of re-registering the SSO server but this does not update the domain name
By using diagnostic tools from Oracle we have discovered that the file 'osso.conf' in $ORACLE_HOME/Apache/Apache/conf/osso contains incorrect entries for login_url and logout_url.
These settings are of the form:
login_url=http://www.ourolddomain.com/pls/orasso/orasso.wwsso_app_admin.ls_login
logout_url=http://www.ourolddomain.com/pls/orasso/orasso.wwsso_app_admin.ls_logout
Please can anyone tell me how these settings can be changed.

Hi,
[Solved] SSO fails to show success page you can find some information on re registering mod_osso.
Hope it helps.

HOW TO SET UP PARTNER APPLICATION TO USE SSO OUTSIDE OF PORTAL

If anyone knows how Portal switches context to run as the db user mapped to the lightweight schema and how it knows the db schema password please let me know.
Should you have any queries please do not hesitate to contact me on 07775 896738.
From document Oracle Portal Security Overview on PortalStudio.oracle.com:
In Single Sign On mode (EnableSSO=Yes in the DAD), mod_plsql determines the name of the light-weight user and mapped database schema by calling
WPG_SESSION_PRIVATE.GET_LW_USER and WPG_SESSION_PRIVATE.GET_DB_USER respectively.
** These calls are done using the Portal Schema (PORTAL30) and Portal schema password **
mod_plsql then executes the procedure in the requested URL by using the N-Tier Authentication feature to connect to the database as the user returned from
WPG_SESSION_PRIVATE.GET_DB_USER. ..... Note that N-Tier Authentication requires all schemas to be used for Portal user mappings to be granted 'connect
through' privleges to the Portal schema (PORTAL30).
The WWCTX packages are also used.
So this is how it works with standard Portal
- the document states that the WPG_SESSION_PRIVATE package is only accessible to the Portal schema
- but I checked and it is also available to PORTAL30_SSO
SQL> desc WPG_SESSION_PRIVATE
PROCEDURE CREATE_SESSION
Argument Name Type In/Out Default?
P_COOKIE_NAME VARCHAR2 IN
FUNCTION GET_DB_USER RETURNS VARCHAR2
FUNCTION GET_LW_USER RETURNS VARCHAR2
PROCEDURE GET_SESSION_INFO
Argument Name Type In/Out Default?
NUM_PARAMS NUMBER OUT
PARAM_NAMES TABLE OF VARCHAR2(32000) OUT
PARAM_VALUES TABLE OF VARCHAR2(32000) OUT
PROCEDURE RESET_SESSION
Argument Name Type In/Out Default?
P_COOKIE_NAME VARCHAR2 IN
In my case only the Login Server (PORTAL30_SSO) is going to be used/installed
- the SAMPLE_SSO_PAPP application will only work if the DAD used to access is it set to use Basic authentication, i.e. the actual integration with the Login Server
is done in the sample application code calls, stored in the database
- when a DAD has enableSSO=yes it automatically accesses Portal (PORTAL30) packages to implement N-Tier authentication
I'm currently testing:
1. Configuring the SAMPLE_SSO_PAPP sample as documented with a DAD with Basic authentication
2. Amending the ssoapp procedure to set context to another (db) user on successful authentication:
wwctx_api.set_context (
p_user_name => 'SCOTT',
p_password => 'TIGER' );
3. If this works then set_context with get_lw_user instead
I have now amended the ssoapp procedure as follows to print out
1. The userid entered when the login box is presented
2. The Database user which the Portal Lightweight user is mapped to
3. The Lightweight user Portal has used for authentication
Amendments to papp.pkb:
(ssoapp procedure, declare db_user_info and lw_user_info as VARCHAR2 in declare section)
htp.p('Congratulations! It is working!<br>');
db_user_info := wwctx_api.get_db_user;
lw_user_info := wwctx_api.get_user;
htp.p('User Information:' || l_user_info || '<br>');
htp.p('DB User Information:' || db_user_info || '<br>');
htp.p('LW User Information:' || lw_user_info || '<br>');
The following shows the interesting results from my testing:
- if the user owning the sample_sso_papp package is PORTAL30_SSO then the call to wwctx_api.get_db_user succeeds
- if the user owning the sample_sso_papp package is a non-portal schema e.g. SSOAPP below the call to wwctx_api.get_db_user generates a User Defined exception
Steps to test:
Created new schema SSOAPP on the database
- edited it in Portal and checked the use this schema for Portal users checkbox
- created new Lightweight user SSO_LW in Portal, mapped it to SSOAPP schema
- created new Lightweight user SSO_SCOTT in Portal, mapped to SCOTT schema
- loadjava -user ssoapp/ssoapp@portal30 SSOHash.class
- sqlplus portal30/portal30@portal30
@provsyns ssoapp
- sqlplus ssoapp/ssoapp@portal30
@loadsdk.sql
@loadpapp.sql
Created DAD with basic authentication SAMPLE_SSO_PAPP
- username: ssoapp
- default home page: sample_sso_papp.ssoapp
Registered the Sample SSO Partner Application with the Login Server and ran regapp.sql
Commented out the calls to get_db_user in papp.pkb to avoid exception
- called http://<server>/pls/sample_sso_papp
- logged on as SSO_LW/sso_lw
- got output:
Congratulations! It is working!
User Information: SSO_LW
LW User Information: PUBLIC
So the Portal lightweight user is not returned as SSO_LW
if anyone knows why the Lightweight User in my test is returned as PUBLIC not SSO_LW
Best Regards
MIchael

http://support.mozilla.com/en-US/kb/Changing+the+e-mail+program+used+by+Firefox

SSO for partner applications

Hi All,
I have installed 10g AS Release 2 on a system. I also have Application Express(formerly HTML DB) installed on the same system. I registered one of the HTML DB applications as partner applications and have put SSO authentication for it.
When I try to login the AS looks at the OID installed on the system(which I gave during installation). I want it to look at the Oracle gmldap.oraclecorp.com server OID so that only Oracle employees login.
Can anybody tell me how to change the OID and what are the entries to be give to configure it to gmldap.oraclecorp.com server??
Thanks,
Swaroop

See Task 3 in the Section 9.4 of the Oracle Application Server Administrator's Guide:
http://download-west.oracle.com/docs/cd/B14099_17/core.1012/b13995/chginfra.htm#i1014978
See the following for information about what to specify on each page.
http://download-west.oracle.com/docs/cd/B14099_17/core.1012/b13995/reconfig.htm#i1013341

SSO With XI 3.0 on IIS

I've searched these forums and finding bits and pieces of information so I'm hoping someone can help me out.
I've successfully installed XI 3.0 on a new server. We're trying to get SSO to work from our custom application so that users won't have to sign onto BO seperately.
Most of the documentation I've found has been related to XI 2.
I'm very new to administrating BO. I'm assuming that the SSO on XI 2 (which we currently have our users using) cannot simply be copied over (I've tried.). Also, I'm assuming that the SSO is part of a SDK or API. If so, are these installed by default or are they seperate downloads?
Can someone point me in the right direction?
Thanks

3.0 does not support IIS for infoview, only java app servers. We can enable SSO for those.
As far as what migrates over from XIR2, the users, groups, plugin config, but the SSO settings do have to be applied on the web/app server(s)
If you get 3.1 (same license code) that does support IIS/SSO. You should get 3.1 regardless 3.0 was the very 1st version of 3.x and therefor has the most bugs.
Regards,
Tim

SSO between a Java EE application (Running on CE) and r/3 backend

Hi All,
Over the past few days I have been trying to implement a SSO mechanism between NW CE Java Apps and R/3 backend without any success. I have been trying to use SAP logon tickets for implementing SSO.
Below is what I need:
I have a Java EE application which draws data from R/3 backend and does some processing before showing data to the users. As of now the only way the Java App on CE authenticates to r/3 backend is by passing the userid and pwds explicitly. See sample authentication code below:
BindingProvider bp = (BindingProvider) myService;
Map<String,Object> context = bp.getRequestContext();
context.put(BindingProvider.USERNAME_PROPERTY, userID);
context.put(BindingProvider.PASSWORD_PROPERTY, userPwd);
Now this is not the way we want to implement it. What we need is when the user authenticates to CE ( using CE's UME) CE issues a SAP logon ticket to the user. This ticket should be used to subsequently login to other system without having to pass the credentials. We have configured the CE and Backend to use SAP logon tickets as per SAP help.
What I am not able to figure out is: How to authenticate to SAP r/3 service from the java APP using SAP logon tickets. I couldnt find any sample Java code on SAP help to do this. (For example the above sample code authenticates the user by explicitly passing userid and pwd, I need something similar to pass a token to the backend)
Any help/pointers on this would be great.
Thanks,
Dhananjay

Hi,
Have you imported the java certificate into R/3 backend system ? if so.
Then just go to backend system and check on sm50 for each applicaion instance of any error eg.
SM50-> Display files (ICON) as DB symbol with spect.(cntrlshiftF8)
You will get logon ticket details.
with thanks,
Rajat

SSO requires double login for partner application

I'm having some trouble with SSO partner applications, when I login to a SSO protected application, the login works fine, but when I try to navigate to another application I'm presented with the login page again, the sso cookie seems to be working since clicking on the login button without entering the user credentials works. For example, I log in to portal and from there I navigate to a forms application that is on the same server and the same port (portal: https://apps.mydomain.com:4444/pls/portal --> forms: https://apps.mydomain.com/forms/frmservlet?config=app) I am presented with the login page and after clicking on the login button without entering any information everything works fine. This is happening for all the middle tiers that are connected to the same OID. Any ideas on what can be wrong on my configuration?

Hi Andrey,
The problem sounds really wierd.
Can you check your SSO settings for your Portal ECC system? I mean, please check the User Management/Administration properties in your System Adminstration of Portal System that points to ECC.
Regards
<i><b>Raja Sekhar</b></i>

SSO userid for a partner application

Hi,
We have one application deployed on WebLogic Application Server this is registred as Partner application over SSO server.
On application side we have installed Oracle HTTP Server as webserver and configured mod_osso.
Now when user attempt to access any secured page SSO askes for the authentication. And on successful login user landed back to application page configured while creating Partner application.
After login we need userid of user who logged in on sso server. I have tried following and getting null.
Remote User: <%=request.getRemoteUser() %>,
     Proxy-Remote-User: <%=request.getHeader("Proxy-Remote-User") %>
     Osso-User-Dn: <%=request.getHeader("Osso-User-Dn") %>
     Osso-User-Guid: <%=request.getHeader("Osso-User-Guid") %>
     Osso-Subscriber: <%=request.getHeader("Osso-Subscriber") %>
     Osso-Subscriber-Dn: <%=request.getHeader("Osso-Subscriber-Dn") %>
     Osso-Subscriber-Guid: <%=request.getHeader("Osso-Subscriber-Guid") %>
     Accept-Language: <%=request.getHeader("Accept-Language") %>
output:
Remote User: null,
Proxy-Remote-User: null
Osso-User-Dn: null
Osso-User-Guid: null
Osso-Subscriber: null
Osso-Subscriber-Dn: null
Osso-Subscriber-Guid: null
Accept-Language: en-us,en;q=0.5
Is any one there knows, what exactly i should do?
Thanks & Regards,
Kevin Chheda

So the user has successfully authenticated and can access protected areas of the application?
Have you tried using Http headers to see values/attribute names?
Can you try this:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<body>
<%@ page import = "java.util.*" %>
<h1>Headers received:</h1>
Remote user header is: <% out.println(request.getRemoteUser()); %>
<p>
<table>
<%
Enumeration headerNames = request.getHeaderNames();
while(headerNames.hasMoreElements()) {
String headerName = (String)headerNames.nextElement();
out.println("<tr><td>" + headerName);
out.println(" <td>" + request.getHeader(headerName));
%>
</table>
</body></html>

SSO In HANA DB

Similar Messages

Maybe you are looking for