SSO to BO Launchpad out of R/3

Hi together,
is it possible to start Launchpad out of R/3 and to connect via SAP SSO?
How does the start of the Launchpad need to be configured?
Thank you
Regards,
Markus

Hi Markus,
You would need to configure server side trust between the SAP server and XI3.1 or BI4.0.
The following note details this quite well:
1396213 - How-To: Access BusinessObjects documents based on SAP data sources without providing SAP username and/or password
If this does not cover your workflow, can you please clarify further?
I hope this is a very helpful answer to you.
Kind regards,
John

Similar Messages

  • Need help on SAP SSO with SAML & SSO2

    Dear expert,
    We met an SSO issue on launchpad.
    Here is our scenario and SSO structure. We use fiori launchpad to display all SAP apps.
    1. When a user visits the launchpad URL, the URL will redirect the user to the identity provider (IDP) for SAML authentication.
    2. Then the IDP authenticates with a SAML2.0 token back to the gateway.
    3. The gateway accepts the SAML2.0 token and issues an SSO2 logon ticket.
    4. Use the logon ticket to the backend ABAP ERP system for transaction apps.
    5. Use the logon ticket to the HANA system for factsheet.
    Now the first step above is OK, as the SAML token can be authenticated back to the gateway. But after that, the basic form authentication pops up for user credentials on both the backend system and HANA, which it should not. We found out that the launchpad was stuck with the error message "/sap/es/ina/GetServerInfo HTTP/1.1 401 Unauthorized" at the ERP backend service "GetServerInfo". By checking the cookies, we found out that after the SAML token was accepted by the gateway, the gateway did not issue any MYSAPSSO2 ticket.
    However, when we disabled SAML and used form authentication for the launchpad, the SSO2 logon ticket works perfectly among GW, ERP and HANA. So, there should be no configuration issue regarding the SSO2 logon ticket in SAP GUI.
    Here is the system information:
    GW: NW740 SP5
    ERP: ECC6 on NW740 SP5
    HANA: v70
    Please kindly help us out on this issue. Please ask if other information is needed. thanks.
    Best regards,
    Xian' an

    This discussion thread belongs to the SAP Gateway space. For generic SSO related queries where portal is not involved the correct space is SAP NetWeaver Application Server. This space is for NetWeaver Single Sign-On (NWSSO, the separately purchasable product) topics only.
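
A way to check a captured browser trace for the symptom described in this thread, added here as an illustration and not part of any poster's message: it reports whether a response ever issued MYSAPSSO2, with which scope and flags, and why a 401 request went out without it. The trace format, the hosts, the /launchpad, /sso and /saml2/acs paths and all cookie values are constructed assumptions; only the cookie name and /sap/es/ina/GetServerInfo come from the post.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

TICKET = "MYSAPSSO2"  # logon ticket cookie name, as given in the post

# Constructed traces, one dict per HTTP exchange. Hosts, /launchpad, /sso,
# /saml2/acs and the cookie values are placeholders, not values from the thread.
GW = "https://gw.example.test"
ERP = "https://erp.example.test/sap/es/ina/GetServerInfo"
TRACE_SAML = [  # SAML login: the gateway sets a session cookie but no ticket
    {"url": GW + "/launchpad", "status": 302},
    {"url": "https://idp.example.test/sso", "status": 200},
    {"url": GW + "/saml2/acs", "status": 302,
     "set_cookie": ["SESSION_CONSTRUCTED=abc123; path=/; secure; HttpOnly"]},
    {"url": ERP, "status": 401},
]
TRACE_FORM = [  # form login: ticket issued for the shared parent domain
    {"url": GW + "/launchpad", "status": 200,
     "set_cookie": [TICKET + "=CONSTRUCTEDTICKET; path=/; "
                    "domain=.example.test; secure; HttpOnly"]},
    {"url": ERP, "status": 200, "cookie": TICKET + "=CONSTRUCTEDTICKET"},
]
TRACE_HOST_ONLY = [  # ticket issued without a domain attribute
    {"url": GW + "/launchpad", "status": 200,
     "set_cookie": [TICKET + "=CONSTRUCTEDTICKET; path=/"]},
    {"url": ERP, "status": 401},
]


def _names(cookie_header):
    """Cookie names present in a request Cookie header (may be missing)."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    return set(jar)


def _issued(hop):
    """Ticket cookies set by this response, with their scope and flags."""
    host = urlsplit(hop["url"]).hostname
    out = []
    for raw in hop.get("set_cookie", []):
        jar = SimpleCookie()
        jar.load(raw)
        if TICKET in jar:
            m = jar[TICKET]
            out.append({"host": host,
                        # empty domain means a host-only cookie
                        "domain": m["domain"].lstrip(".").lower(),
                        "secure": bool(m["secure"]),
                        "httponly": bool(m["httponly"])})
    return out


def _covers(issuer, host):
    """Would a browser send this issuer's ticket to the given host?"""
    if not issuer["domain"]:
        return host == issuer["host"]
    return host == issuer["domain"] or host.endswith("." + issuer["domain"])


def diagnose(trace):
    """Walk the trace in order; explain each 401 sent without the ticket."""
    issuers, findings = [], []
    for hop in trace:
        url = urlsplit(hop["url"])
        if hop["status"] == 401 and TICKET not in _names(hop.get("cookie")):
            if not issuers:
                reason = "ticket never issued"
            elif not any(_covers(i, url.hostname) for i in issuers):
                reason = "ticket scope does not cover host"
            else:
                reason = "ticket issued but not sent"
            findings.append((url.hostname, url.path, reason))
        issuers.extend(_issued(hop))
    return {"issuers": issuers, "findings": findings}


if __name__ == "__main__":
    for name, trace in (("saml", TRACE_SAML), ("form", TRACE_FORM),
                        ("host-only", TRACE_HOST_ONLY)):
        print(name, diagnose(trace))
```
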

  • SSO logout issue with APEX

    I am trying to resolve the logout URL issue with our APEX application configured as a partner application with SSO. The partner application name is SSO_APEX and the logout URL is defined in partner application as
    http://OID_Server:7777/pls/orasso/orasso.wwsso_app_admin.ls_logout where OID_Server is our OID server name.
    In the APEX application page, I tried to open the application that was imported from another apex server.
    Home>Application Builder>Application 107>Shared Components>Authentication Schemes
    SSO_Auth - current is
    &INFRA_NAME./pls/orasso/ORASSO.wwsso_app_admin.ls_logout?p_done_url=&SERVER_NAME./pls/htmldb/f?p=&APP_ID.
    The logout link is http://INFRA_NAME:7777/pls/orasso/ORASSO.wwsso_app_admin.ls_logout?p_done_url=http://SERVER_NAME/pls/cms/f?p=107. The application is retrieving the INFRA_NAME and SERVER_NAME values from a database table and they correspond to the OID and 10g application servers respectively.
    The logout link should take it to the login page where the user will be prompted to enter login credentials again however it is currently taking to the above logout link page from APEX. It is not changing even though I specified a different logout link in partner application page. Moreover the check box beside SSO_APEX in the logout page is unchecked.
    The authentication scheme of application is overriding the partner application configuration. How can I make sure the logout is actually happening? Thanks in advance for any suggestions.
    Pavan.

    Scott,
    I am having the same issue, and have posted on another thread about this same thing. I know that's inappropriate to post the same thing in multiple threads, but I was searching the forum again today, and Pavan described exactly what I'm experiencing.
    We have been using SSO for about 4 years or so now, and haven't had logout issues. Our DBA at the time had written his own logout function for SSO where he invalidated the cookie with owa_cookie calls. It's worked until now. We have upgraded our database servers and all URLs referencing those servers are now in a different domain than our OAS server. Now the logic in the logout function is no longer invalidating the cookie for SSO (because it's in a different domain). SSO login and authentication still work, it's just the logout that does not.
    I'd like to just alter the logout URL to redirect to the OAS server for logout as you described. But here's what's happening. I press logout link, and it takes me to the OAS Single Sign-Off page where it shows the services it's logging you out of, but it doesn't automatically redirect (just sits there until I press the Return button).
    Is that expected (no automatic redirect)?
    And as Pavan mentioned, the Partner application name (APEX_SERVERNAME_SSO) doesn't show a checkmark next to it. If I go back to my application, I get right back in without being prompted for SSO (ie, not logging out successfully then).
    I know there are a lot of question marks here, but I'm not sure if there's something obvious I am missing or if there's something else I need to fix that I don't know about.
    Can you offer any guidance?
    Thank you for your time,
    Chris

  • Unexpected error in SSO login page

    Hi all,
    We have a problem with our SSO, or with our LDAP directory, or with the way in which they work, not sure about. In the past we were using version 9.x and everything worked fine. Now we migrated to version 10.1.2.0.2 and we discovered that using the same functionality to register and log user is crashing. After a bit of debugging, the problem seems to be that the PASSWORD of the created users is encrypted using some hash and retrieved in an array of bytes, instead of in plain text as before. In principle this shouldn't affect the way in which we use the LDAP & SSO, but for some reason, when the user tries to log in using the recently created user account and password, the SSO login page gives an "unexpected error" message. The SSO login page is the original page coming with the SSO infrastructure, no change at all on it.
    Any idea why this might have happened? Is there some way to configure the SSO or the LDAP so they don't encrypt the user password? Any other possible config detail that we should check?
    Thanks in advance,
    Luis

    So after finding the log files on our SSO server, I found out the exact error message that the SSO was throwing was that the account was still not activated!!! Then I realized that we started to make use of the "Start date" LDAP field recently, and even when the date was set to the current date when the account was created, the time was set to 0s, even when the current time was also passed to the LDAP. I don't know the reason why the LDAP didn't get our time, passing the date-time with the format the LDAP was asking for (yyyyMMddHHmmssz), but just by rolling the start date one day back, the user accounts were automatically activated when they were created, solving our problem.
    Regards,
    Luis
    Edited by: lagh on Dec 15, 2008 11:52 AM

  • Oracle EBS with SSO

    Hi,
    Can someone please provide me the MOS docs or any other docs for: how user authentication happens in EBS when using SSO.
    If without SSO, user authentication is via the FND_USER table.
    How does it differ when using SSO? And what are the tables and/or files it touches during this process?
    Thanks
    Vijay

    Please see these docs.
    How to unlink a FND_USER user account in Oracle EBusiness Suite that is linked to an SSO Account in Oracle Internet Directory [ID 429375.1]
    11i: How to Change user password in E-Business Suite when the "Applications SSO Login Types" profile value is set to either Both or SSO [ID 422731.1]
    Integrating Oracle E-Business Suite Release 11i with Oracle Internet Directory and Oracle Single Sign-On [ID 261914.1]
    Basic checks for user integration when using Oracle E-Business Suite 11i with Oracle AS 10g [ID 444573.1]
    Integrating Oracle E-Business Suite Release 12 with Oracle Internet Directory and Oracle Single Sign-On 10gR3 (10.1.4.3) [ID 376811.1]
    Users Created In Active Directory Are Not Provisioning To e-Business Suite [ID 1055584.1]
    Thanks,
    Hussein

  • Read and write Values from Configuration File in BizTalk

    There is a requirement where a BizTalk orchestration reads the value dynamically from a config store. After some process it updates the value in the config store.
    I thought to use SQL Server and create one table with a single column. BizTalk will call the Storeproc to get the value and similarly for update the system will call another SP.
    Instead of using a SQL Server DB, is there an option to implement this requirement like app.config, BTSsvcxxexe.config, SSO Config store etc.?
    If multiple users access the value from the config store and try to update it, how to handle the lock mechanism?

    Hi BizQ,
    Refrain from using BTSConfig file or any custom config file if you have a requirement to update the data. Modifying a
    configuration file at runtime can cause some nasty, unexpected behavior inside your application if it's not managed properly.
    I would suggest you to use Custom DB or SSO Database in this case.
    Both have their Pros and Cons.
    SSO Database:
    You get out of the box encryption
    It is a central store which will service all BizTalk servers within your group
     SSO implements a caching mechanism internally for the data
    Custom DB:
    By storing the configuration in the database you don’t have to worry about consistency of data across servers like you would with a config file.
    Cache needs to be implemented by program to avoid delays in reading from physical file.
    In your case I recommend to go with SSO DB as in terms of storing custom configuration data in SSO for End Point/Application
    specific information and credentials and potentially configuration information which you also need to write and update at runtime from your code or via an administrator.
    You can use Richard Seroter's tool to store values as "Config Store" in SSO database and then write a .net helper
    utility to retrieve it using SSOConfigStore class. It has method GetConfigInfo and you need to pass application name with other parameters. It returns ConfigurationPropertyBag from where you can read property name and values.
    http://seroter.wordpress.com/2007/09/21/biztalk-sso-configuration-data-storage-tool/ 
     http://blogs.msdn.com/b/teekamg/archive/2009/08/19/sso-configuration-application-mmc-snap-in.aspx.
    Rachit
    Please mark as answer or vote as helpful if my reply does

  • Oracle Application Server 10g/Oracle Fusion Middleware 11g

    Hi folks, This question related to migration/upgrade of Oracle Application Server infrastructure.
    I see that Oracle has come up with Oracle Fusion Middleware 11g. Is it the next release of Oracle Application Server 10g? I have the following questions. I would appreciate it if anyone can provide answers to them. Please correct me if my understanding of these Oracle products is not right! Thanks
    1. What is the future of Oracle Application Server?
    2. Is Oracle Fusion Middleware (OFM) 11g the upgrade path if one needs to upgrade?
    3. Is it expected that customers need (if required) to move to OFM 11g?
    4. Does OFM 10g come with Oracle Application Server? If not, what does it come with?
    5. If it does not, what about customers having applications built using Oracle Forms and Reports? Does OFM 11g support Oracle Forms and Reports?
    I understand that OFM 10g comes with Oracle web logic server!
    Thanks in advance.
    movva

    To run Forms and Reports in Oracle Fusion Middleware 11g you have to use the distribution "Portal, Forms, Reports and Discoverer" in the FMW 11g software pack.
    The structure of what we used to call "the application server" has changed a bit however, in the following way:
    - In 11g you need to install the Javaserver WebLogic software (version 10.3.3 for the current Forms 11g version 11.1.1.3) first.
    In 10g the installation of the Javaserver (OC4J) was part of the App server install.
    Note that you just have to install the software, the configuration script for creating a Forms app server instance creates the WebLogic domain (comparable with the OC4J instance) for you.
    - In 11g the Fusion Middleware software installation is separate from the creation of an application server instance.
    This is more convenient and comparable to Oracle database and Weblogic installation.
    - The Fusion Middleware Configuration script installs two parts of the product: 1. A WebLogic Domain. 2. A Fusion Middleware instance.
    The first contains everything related to Java, such as the servlet configuration file (formsweb.cfg), while the latter contains everything that has less to do with the Javaserver
    - No more Infrastructure server
    The Infrastructure server does not exist anymore. If you want to use Single Sign On with Forms/Reports 11g you can install Identity Management 10.1.4.3 (or use Identity Management 11g, and configure separately the 10.1.4.3 Single Sign On) or keep your old 10g Infrastructure installation.
    During installation you just have to specify you want to use OID and SSO and it configures out of the box.
    Under normal circumstances the same licenses apply to 10g and 11g (as long as you do not use WebLogic for other purposes).

  • Users And Security Best Practice

    Dear Experts
    I am designing an application with almost fifty users scattered in different places. Each user should access tables according to his/her criteria. For example salessam, salesjug can see only the sales related tables. purchasedon should access only purchase related tables. I have the following problems:
    Is it a best practice to create 50 users in the DB, i.e. 50 schemas are going to be created? Where are these users normally created?
    Or is it better for me to maintain a table of users and their passwords in my design itself and I regulate through the front end? It seems that this would be risky and a cumbersome process.
    Please advise
    thanks
    Manish Sawjiani

    You would normally create a single schema to own the objects and 50 users to use them. You would use roles and object privileges to control access.
    Well, this is the classic 'Oracle' approach to do this. I might say it depends a bit on what you want to achieve. Let's call this approach A.
    The other option was to have your own user/pwd table. You can create your own custom authentication but I would go for the built-in Application Express Users - authentication scheme. You can manage the users via the frontend (Application builder > manage Application Express Users) . There you can manage the groups and end users which you can leverage in your Apex app. You can even use the APIs to create the users programmatically. It is all done for you. Let's call this approach B.
    Some things to consider:
    1) You want to create a web application and also other applications that access the data stored in Oracle (another PHP / Oracle Forms / Perl ) or allow access via SQL/Plus. Then you should use approach A. This way you don't need to reimplement security for these different approaches.
    2) You want to create one (or multiple) Apex applications only. This will be the only mechanism the users will access your data. Then I would go for approach B.
    3) When using approach A some users didn't like that all users will have access to their workspace, including the sql command line and having the capability of building applications and possibly being able to change the data they have access to through the Oracle roles. Locking down this capability is possible but it takes some effort and requires an Apache as a proxy.
    4) When using approach A you will need DBA privileges to manage the users and assign the roles. This might not always be possible nor desired. Depends on who will manage the Oracle XE instance.
    5) Moving the application including the end users to another machine is a bit easier using approach B since they are exported via the application export mechanism. Using approach A you would have to do it yourself. Be aware that the passwords are lost when you install the users into a different Oracle XE instance.
    6) If you design the application using approach B you will have to design security in a way that doesn't rely on the Oracle roles / grants security mechanisms. This makes it easier to change the authentication scheme later. For example, later you want to use a LDAP directory, a different custom authentication scheme or even SSO (SSO is not available out of the box but feasible). This is directly possible.
    Using approach A you would have to recode the security mechanisms (which user is allowed to update/delete which data).
    Hope that clarifies your options a bit.
    ~Dietmar.
    Message was edited by:
    Dietmar Aust
    Corrected a typo in (5): Approach B instead of approach A , sorry.

  • First impressions of the 3.0 update from a 1st gen iPhone user

    Mine is a 1st gen iPhone purchased opening day 2 years ago and I had a brief period of non working stocks and weather apps that are now fine (apparently an issue that was widespread today across the diff iPhones). After that everything is business as usual. I did reset my settings after the install and restore my iPhone with a current back up as a precaution and so far works great.
    First impressions: The camera is a little snappier and sharper in photo taking.
    Copy and paste: RAD!!!
    Voice memos: Can send instantly via e-mail MY LADY LIKES....KINDA KINKY!!!
    Find my phone: Would be cooler with GPS the 1st gen won't help you find exactly where it is.
    Spotlight: very functional and useful for a phone packed with stuff...like mine.
    Landscape keyboard: nice but should have been there 1st time out.
    Overall it's the kind of update that a moderately smart user that can RTFM will install and enjoy. If you are an idiot who tries to install it from a buddy's computer or likes to unplug things in midstream you won't like it, because your phone will be useless until you do it properly and follow the simple steps.

    hi,
    we were trying an export from one database to another- and ran into problems- portal created a package under the portal30 schema (dbms_lob- a copy of which originally exists under the sys schema) that was previously not there.
    so we decided to uninstall the portal and the sso schemas. we carried out this step:
    1) Drop the Portal, SSO, and their respective _public DB users cascade.
    but the portal30 schema will not allow us to drop the dbms_lob package that it created (which incidentally compiles with an invalid package body)
    it continues to give the following error message:
    ORA-00600: internal error code, arguments: [16201], [], [], [], [], [], [], []
    is there any way to complete the uninstallation of portal without uninstalling the entire database?
    thanks for any help.
    sharadha

  • Oim 11gR2 - AD Authentication

    Hi,
    I have to authenticate OIM 11gR2 users against Active Directory instead of the OIM DB repository.
    SSO approach is ruled out.
    Is there any other way to achieve it?
    Pointers to oracle docs related to this requirement will be very helpful.
    Thank you.

    we need to do it without using oam or any other access management products..

  • REALLY CLOSE TO MY WITS END SERIOUSLY

    I have a WD EHD, I was trying to move info via Time Machine from my iMac across to my Mac Air........scrap that, don't want to, I only needed a few things.
    SO SO SSO  F^%$#%& , alright that's out, I go to computer, try to delete all info on EHD to trash, error 50 something.
    Then go to Disk Utility, tried a number of recommended configurations................really everyone is a Mac expert, good grief.
    Everything I try results in cannot unmount disk.......................want to wipe it all totally clear and use it for another platform altogether, a guaranteed six pack of your choice shipped to your door by BWS if anyone can solve this problem.............PS, keep "geek" speak to a minimum, I'm not even close to knowing what quantum physics is, let alone which end of a spoon to use when I eat.
    Bennie

    OK, only one cursing word, it was warranted as it's so frustrating. I want to make the WD EHD back to how I got it.............out of box, I try to repair, I try to erase, but it says cannot unmount disk. Once we have solved this I have another issue with a larger EHD, which I have sort of broken, but one at a time!

  • Error with Connection to Oracle with Wallet , JDBC, and UNIX

    Hello - our application has been getting this error periodically while connecting to an oracle database using OCI JDBC drivers.
    caused by: java.sql.SQLException: ORA-28759: failure to open file
    at oracle.jdbc.driver.DatabaseError.throwsSqlException(DatabaseError.java:125)
    at oracle.jdbc.driver.T2CConnection.checkError(T2CConnection.java:681)
    at oracle.jdbc.driver.T2CConennection.logon(T2CConnection.java :362)
    at oracle.jdbc.driver.PhysicalConnection.<init>
    at oracle.jdbc.driver.T2CConnection.<init>
    at oracle.jdbc.driver.T2CDriverExtension.getConnection
    at oracle.jdbc.driver.OracleDriver.connect
    at java.sql.DriverManager.getConnection
    at java.sql.DriverManager.getConnection
    Once we get this error we keep getting it and are unable to get a connection until we restart it. The file it has the issue with is the cwallet.sso, which I figured out by turning on tracing. The file is there and it gets the connection originally - but for some reason periodically we lose access to that file. But when we get the error the file is there and when we restart the process it's perfectly fine.
    The only way we have been able to replicate this error is by creating a sample Java app which just keeps opening connections to the database with the wallet without closing the connections. Every time we hit the 50th connection that error appears and it's unable to get another connection. If we close the connections every time it's alright.
    It's not a limit on the amount of connections to Oracle because we have no limit set. The best explanation we can find is that Unix has some sort of limit on how many concurrent accesses to that file can be done within one process. We have been unable to figure out that limit. We tried playing around with the file descriptor limits to see if it gets more or less than 50, but no luck.
    If anyone has any other suggestions it would be greatly appreciated - we are stuck right now.
    Thanks!

    No suggestions?

  • Points Of Interest on Maps

    Is it possible to add points of interest to the new Apple Maps, or does Apple itself have to do it? If it is possible, how can I do it?
    Thanks!

    Mapviewer is not rendering the maps with SSO authentication. Without this the map is rendered. When I run the omserver?getv=t I get the following instead of the version number...
    <?xml version="1.0" encoding="UTF-8" ?>
    <oms_error>Message:[oms] empty or null xml map request string. Tue Feb 05 11:38:36 GMT 2008 Severity: 0 Description: at oracle.lbs.mapserver.oms.getXMLDocument(oms.java:860) at oracle.lbs.mapserver.oms.doPost(oms.java:303) at oracle.lbs.mapserver.oms.doGet(oms.java:235) at javax.servlet.http.HttpServlet.service(HttpServlet.java:743) at javax.servlet.http.HttpServlet.service(HttpServlet.java:856) at com.evermind.server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:64) at com.gts.gis.security.SecurityCheckFilter.doFilter(SecurityCheckFilter.java:138) at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:629) at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:376) at com.evermind.server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:870) at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:451) at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:299) at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:187) at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260) at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303) at java.lang.Thread.run(Thread.java:595)</oms_error>
    Please help...

  • SSO Partner Application and Session Time out

    Hi ,
    We have an application on forums.oracle.com which is implementing the authentication scheme as SSO, and that is working well. Now we want to implement session timeout if the user is idle for some time and ask him to log in again after the session fails. I have tried to implement this feature as given by Scott in the thread session timeout. Well, the problem is, since we don't have a login page here, how do we set the cookies
    owa_cookie.send(
        name => 'HTMLDB_IDLE_SESSION',
        -- expiry timestamp 20 minutes from now (20/1440 of a day)
        value => to_char(sysdate+(20/1440),'DD-MON-YYYY HH24:MI:SS'),
        expires => null,
        path => '/',
        domain => null
    );
    and where is the current point to implement it.
    Any help on this is greatly welcome.
    Thanks in Advance.

    Naveen,
    I don't remember how the solution works. But if you don't have a login page you can usually put code in the post-authentication process of your authentication scheme to do whatever the login page process would have done.
    Scott

  • SSO - session time out while navigating across applications

    Hi,
    Problem statement
    Handling session time out while navigating across applications involving SSO
    Current approach
    Application 1
    1. Create session1.
    2. URL rewrite the session ID1 into the link referring to App2.
    Application 2
    1. Create session2
    2. Get the session Id of App1.
    3. send the session ID of App1 in the header
    4. Invalidate the session2
    Application 1
    Get the ID from request and invoke getSession.
    I'm having a very large session timeout at App1.
    Is there a better approach? Ex: Having a global session which is shared across multiple web applications.

    "madhav" <[email protected]> wrote:
    >
    Hi,
    Problem statement
    Handling session time out while navigating across applications involving
    SSO
    Current approach
    Application 1
    1. Create session1.
    2. URL rewrite the session ID1 into the link referring to App2.
    Application 2
    1. Create session2
    2. Get the session Id of App1.
    3. send the session ID of App1 in the header
    4. Invalidate the session2
    Application 1
    Get the ID from request and invoke getSession.
    I'm having a very large session timeout at App1.
    Is there a better approach. Ex: Having global session which is shared
    across multiple
    webapplications.
    I have similar problems in my system. What do you do if session 1 times out
    during ongoing operations in App 2?
    Thanks
    Kejuan
