SSO to BSP

Hi everybody,
I've tried to perform SSO to a BSP from Portal through the AppIntegrator Generic iView Template.
So I didn't use the BSP Template.
First I created a system from par file sap.com.portal.howtos.webapp and made all the settings.
After that I have set the user mapping for the created system.
Next I created an iView from the com.sap.portal.appintegrator.sap.Generic. I performed all the settings.
As URL Template: <System.protocol>://<System.server>:<System.port>/<System.uri>?<Authentication>
URL template for user mapping:
login=<MappedUser>&passwd=<MappedPassword>
When I tested the BSP, I first got the browser message that session management will not work. After I turned the alert off in Support -> SAP Application, I got to the logon of the BSP Application, so SSO didn't work.
So, is it at all possible to set SSO to a BSP like for normal Web Applications? And if yes, what could be wrong?
Regards

Hi Praveen,
I solved the problem described above. This means I am now able to perform SSO to a BSP with UIDPW like to any other Web Application.
But I've done this through a Generic AppInt iView, not through the BSP template. The reason for this is that I tried to establish SSO between the portal and the R/3 system. I've done all the settings in the System. Imported the certificate and set the profile parameters. In transaction SSO2 I saw that the system is ready to accept logon tickets from my Portal server.
In the system landscape I've created an "SAP System with connection string", because I'm accessing the system through an SAProuter. But when I try to test the connection through
Support -> SAP Application I get the message "host ? unknown".
So my guess is that the connection string is not OK. But I am using the same one as in the SAP GUI where it works? So maybe some tips.
Maybe I can also use a "dedicated system"?
Regards

Similar Messages

  • SSO to BSP using NTLM with application parameters

    Hi all,
    As part of the CRM activity, the customer's system sends out an email to a user with a link pointing to a bsp. Part of the url is the call id which the bsp needs to display.
    The customer does not wish for the users to input user/pass when accessing the bsp.
    According to documentation, NetWeaver supports only SAP logon tickets and X.509 SSO methods (http://help.sap.com/saphelp_nw04/helpdata/en/02/d4d53aa8a9324de10000000a114084/content.htm).
    Found this thread that suggests a workaround:
    BSP without logon?
    Seems like it should work, but ITS forwards to a static URL.
    Any ideas on how I can make sure that after the whole sso process is complete, the bsp will still remember which call-id it needs to display?
    Regards,
    Eric

    The goal is to have the changes made inside the bsp recorded to the logged in user. So one user for all is not applicable.
    After fiddling around with the forwarding settings and the ITS, I managed to get this thing working. Almost.
    When I access the BSP url, it gets forwarded to and from the ITS and I get a SSO2 ticket. However, when it comes back from the ITS I get a http 404 error page. If I refresh that page, the BSP loads fine, with the transferred parameters and the correct user.
    Can't get my head around why it gives me a 404.
    Eric
    Message was edited by: Eric Labiner

  • SSO with BSP Not Working

    Hi
    I am running Nw2004s Portal with ECC5 as BackEnd.
    I have Configured the ECC5 for SSO using RZ10 and strustsso2.
    The Portal UserIDs are the same as those in ECC5.
    The SSO is working fine with ESS in the Portal.
    But when I run a BSP iView then it asks for UID, PWD in a PopUp.
    I am accessing the Portal with FQDN and in the properties of the System
    referred by BSP also maintained FQDN of the backend WebAS.
    How to get rid of this Login PopUp for BSP ?
    Any Help will be highly appreciated !
    Regards,
    Rajendra

    Hi Rajendrakumar,
    You probably haven't updated the ACL properly via STRUSTSSO2.
    The portal server digitally signs logon tickets as it issues them to the portal users. SAP Systems need to accept the tickets and verify the portal server’s digital signature. The following information is important for the SAP System to be able to accept and verify logon tickets:
    · The SAP System should only accept logon tickets issued from their designated portal server. Therefore, the identity of the portal server needs to be entered in the SAP System’s Single Sign-On (SSO) access control list (ACL).
    · The SAP System needs to be able to verify the portal server’s digital signature. The portal server has a self-signed certificate, therefore the SAP System needs access to the portal server’s public-key information, which needs to be entered in the SAP System’s certificate list.
    Check the following procedure
    http://help.sap.com/saphelp_nw70/helpdata/en/78/f1a8490e7011d6999500508b6b8a93/frameset.htm
    Regards,
    Siddhesh

  • Is anyone doing disaster recovery for a J2EE application?

    We generally use database log shipping to maintain a standby database for our ABAP instances.  We can successfully fail over our production application to our disaster recovery site with no real issues.  With the J2EE instances (EP, ESS/MSS, BI, etc), we have a few concerns:
    hostname cannot change, without going through a system copy procedure, so we would have to keep the hostnames in DR the same. (for example, ref: oss note 757692 - changing hostname is not supported)
    fully qualified domain name - from what I understand, there are potentially issues with changing the fqdn, for example SSO certificates, BSPs, XI has issues, etc.
    we can't keep both hostname and fqdn the same between DR and production, or we could never do a DR test.
    Has anyone implemented disaster recovery for any SAP J2EE application that has run into these concerns and addressed them?  Input would be greatly appreciated regarding how you addressed these issues, or how you architected your disaster recovery implementation.
    Regards,
    David Hull
    The Walt Disney Company

    I haven't done this personally, but I do have some experience with these issues in different HA environments.
    To your first point:  You can change the hostname, note 757692 tells you exactly how to do it.  However like the note says, "Changing the name of a host server in a production system is not automatically supported by SAP."  When it says "supported by SAP" I think it means SAP the company, not SAP's software.  So I would contact SAP to see if this configuration would be covered under your service agreement.  Then you have to think about whether you want to do something that isn't "officially supported" by SAP.  Also I'm sure you'll need some kind of additional licensing for the DR systems as their hardware keys will be different.
    To your second point:  As for SSO certs (SAP Login Tickets), I think they should still work as long as the SID and client number of the issuing system remain the same.  I don't think they are hostname or fqdn dependent.  For BSPs I would think they would still work as long as they use relative paths rather than absolute paths.  And for XI... I have no idea what kind of issues may arise, I'm not an XI guy.
    Again, I haven't done what you're describing myself.  This is just based on my HA experiences.
    Hope this helps a little,
    Glenn

  • BSP to IIS with SSO

    Hi,
    Is it possible to go from a BSP to a IIS with SSO? Can I use ISAPI for it or are there better solutions? And is there some documentation about it?
    KR
    Steven

    Steven,
    Check note 442401 and thread /thread/11711 [original link is broken] for this.
    Eddy

  • SSO to ABAP BSP without client

    Dear colleagues.
    In our scenario a non-domain user needs to reach an ABAP BSP (ITS) application without entering a password for the ABAP WAS.
    Is there any option to use the SAP NetWeaver Single Sign-On 2 server to create a redirection URL?
    Regards
    Vladimir

    Hi Vladimir,
    SAP SSO issues certificates and delivers them automatically to the PC of the user (short-lived certificates -> 24 h standard), so they can be used for SSO. It is not a traditional CA. In a traditional CA you have to take care of the certificate lifecycle, which can be very costly, but you can use the certificate for a longer time. SAP SSO works with short-lived certificates, so you do not have to take care of the lifecycle of the certificate.
    So if you really want to have a "password free" solution, you have to use long-lived certificates but take care of the lifecycle (maintain certificates which are not valid anymore and distribute this information to all related systems, ...). Otherwise you have a security problem.
    So it is really all about the use case (deployment, security requirements, ...), but you know now the options and you can decide depending on the use case.
    Another option is of course SAP Logon Tickets or SAML. But both also require an initial authentication without an AD.
    Regards
    Matthias

  • SSO for a BSP-appl that is called by a complete URL?

    Hi,
    is it possible to use SSO while calling URL's? The called URL is another BSP-application on the same WAS.
    I have a special situation:
    My BSP-application has only one "html"-page that has a frameset in which another BSP-application is loaded. The outer BSP-application is inside a BSP-iView and SSO works fine for it. This outer BSP-appl. is only a wrapper for portal-events. It has a JavaScript-function that receives the portal-event.
    Depending on the events the outer BSP-appl. loads another BSP-application with some parameters inside the frameset. This application will be called with a whole URL like:
    First I need to destroy the session: http://mycompany.com:8000/sap/bc/bsp/sap/z_test_start.htm&sap-sessioncmd=CANCEL
    Then I will load the BSP-appl new: http://mycompany.com:8000/sap/bc/bsp/sap/z_test_start.htm
    But now I must enter user/pw in the pop-up window. Is it now possible to add/send the SSO-ticket to the called URL? The BSP-application I call with the whole URL is situated on the same WAS as the other BSP-appl for which SSO works fine.
    Thanks a lot for any idea.
    Regards,
    Henning

    Hi,
    the parameters are set.
    SSO is working correctly with other iViews. One iView shows a Java Web Dynpro application which is running on the same server. Even transaction iViews work fine. --> ABAP part is set correctly for accepting/creating SSO
    Even the BSP is working with SSO if I include it within a BSP iView. Only if I change the whole URL within the iView it is not working correctly any longer.
    I do the following within the BSP-iView. It's a wrapper for portal events, that opens another BSP application with the whole URL. The URL is sent to the iView from another portal application.
    <%@page language="abap"%>
    <%@extension name="htmlb" prefix="htmlb"%>
    <SCRIPT src="epcfproxy.js"></SCRIPT>
    <script language="javascript">
    // Relax document.domain to the parent domain so that the portal frame and
    // this page can script each other.
    if (window.document.domain == window.location.hostname) {
        document.domain = document.domain.substring(document.domain.indexOf('.') + 1);
    }
    EPCMPROXY.subscribeEvent("urn:com.company:DCEvents", "testevent", window, "event_test_handler");
    // Portal event handler: the event payload is the complete URL that is
    // loaded into the iframe below.
    function event_test_handler( eventObj ) {
        var pernr = eventObj.dataObject;
        document.getElementById('iframetest').src = eventObj.dataObject;
    }
    </script>
    <htmlb:content design="design2003">
      <htmlb:page title = "Test">
        <iframe src="" width="100%" height="700" id="iframetest" name="iframetest"></iframe>
      </htmlb:page>
    </htmlb:content>
    Henning

  • SSO via Windows authentication for a BSP application

    Hi,
    is it possible to configure/implement a bsp-application, so that the user of the application is authenticated in the SAP system through the windows user (without entering the user or password). I search for a mechanism, that is like the SSO mechanism in the SAP EP. We don't have SAP EP, neither we have a java stack installation.
    Exists a way to implement this scenario?
    My idea was it, to use the same functionality, like in the SAP GUI, when configuring SSO. Unfortunately I don't find any hints about this topic.
    Regards,
    Thomas

    One best way is to embed the BSP page in the iView of the EP. As you are telling EP is not available, I think there is no other way around.

  • CIC0 -- BSP in R/3 -- Download File -- SSO not working

    Hi SDN Gurus,
    I have a peculiar situation and am hoping for some guidance.
    We are running several BSP's internally via CIC0 in CRM. These BSP's are actually developed in the R/3 backed system. One of the BSP's downloads a file from the SAP system.
    When the BSP is called via CIC0, it opens up the SAP simple browser. This browser contains a download link which when clicked opens a local (on the users PC) IE browser which then calls the standard download dialog for IE. Before this however, it asks for the R/3 user login and Password.
    Since users are logging in via a portal they don't necessarily know their userid and password.
    Is there any way of avoiding the BSP or browser asking for a user id and password before download?
    We are using SSO with logon tickets which works for all other BSP's except this particular one with download option.
    Any help is highly appreciated and points will be awarded for helpful answers.
    Many Thanks,

    Did you check http://help.sap.com/saphelp_webas620/helpdata/en/99/15ee3adcf1913fe10000000a11405a/frameset.htm and
    http://help.sap.com/saphelp_webas620/helpdata/en/d2/91553b4d53273de10000000a114084/frameset.htm
    Other useful threads:
    WebAS SOAP Runtime - Transaction Commit Issue
    /people/sap.user72/blog/2004/10/25/sap-logon-ticket-based-single-sign-on
    /people/thomas.jung3/blog/2004/08/03/bsp-150-a-developer146s-journal-part-viii--user-authentication-single-sign-on
    http://help.sap.com/saphelp_me21sp2/helpdata/en/5c/b7d53ae8ab9248e10000000a114084/frameset.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/14/252f4069702d22e10000000a1550b0/frameset.htm
    Raja T
    Message was edited by:
            Raja T

  • How to use Portal SSO with existing BSP application

    Hi all,
    we run SAP EP 6.0 here and have a single start BSP page of
    an application integrated with the SAP appintegrator for BSP. The rest of the existing BSP application still uses
    the login functionality based on CL_BSP_LOGIN_APPLICATION
    and is not integrated in the portal.
    Problem: If a user directly accesses one of the "old" BSP pages, he should be redirected to the portal to auth. him via SSO and afterwards the original BSP page with all its parameters should be processed.
    How to deal with that? Is there a similar mechanism like with the BSP_LOGIN_APP in between for the SAP EP?
    Thanks for your help!
    -RAINER-

    I think that doesn't solve the problem.
    I have 2 systems: SAP ECC with all BSPs and the portal on another system. So I have two entry points: Via portal using the appIntegrator BSP or directly to the ECC.
    As-is: If the auth. for the BSP appl. fails, the user is re-directed via the error page given in the service (SICF)
    to a BSP login app. and from there to the requested page.
    No portal in this concept.
    Must-be: A user is still able to directly access a BSP on the SAP ECC by entering the URL in the browser. It's not a must entering via the portal first.
    So when the login failed on the ECC (no SSO ticket), he should be redirected to the portal for getting his SSO.
    After he signed in successfully the user will be forwarded to the BSP page he entered in the browser the first place.
    I can't see a way to use the URL iView. I am thinking of simply changing the login mechanism of the BSP using the portal login functionality.
    The link you gave me offers an implementation of CL_ICF_SYSTEM_LOGIN. Any ideas?
    Regards,
    -RAINER-

  • Port problem when testing bsps (sso)

    Hi Forum,
    I am facing a problem when testing bsps or wd4a.
    When testing an app, first of all the sicf service "myssocntl" gets called. This service listens under port 50077. But when testing the bsp app port 57700 gets called.
    Any ideas, where I can customize these ports?
    Thank you!

    hi,
    Check your instance profile; you can change the icm/server_port_0 value.
    thanks
    ajai

  • BSP: Logout does not work

    Hello.
    At the moment I am re-developing a bsp-application, that I have written about 2 years ago.
    I have to add a logout-function to the new version, as the users desperately want it (Some of our users seem to get nervous, when logging on to a page, that provides no logout button...).
    I have already tried navigation->exit() but this method only drops the application context - the session will not be terminated, so that the user will not be prompted for login-data when e.g. pressing the back-button of the browser.
    I read the documentation on help.sap.com carefully and the problem seems to be, that the application is using "Basic Authentication" at the moment. Using this kind of authentication generates a session-cookie, that will persist until the browser is closed.
    My first attempt was to get rid of the cookie using jscript, but this did not work. First I thought, there was a bug in my jscript-coding, and so I opened the corresponding menu of my browser and deleted any cookie by hand. Unfortunately, this had no effect - I was still able to use the page and my session was still existent.
    So I searched for further information and found out, that it should be quite easy to implement a logout, if SSO-Login was used for authentication. Unfortunately I also found out, that SSO is not available on our system, so I will have to find another way.
    Finally I found out, that a logout can be done by simply setting the application into stateless mode, if fields authentication is used.
    I tested this for a simple test-application I had written a few days ago and everything worked fine: I had to enter my logon-data at the first call of the application, the login worked as expected and setting the application to stateless mode ended my session immediately. Reloading the page or using e.g. the back-button of the browser did not cause any trouble, so I wanted to use this technique, because the behaviour of the testpage exactly met the requirement.
    My next step was to enter transaction sicf and to delete every authentication-mechanism except of "Fields Authentication" to enforce the usage of this mechanism for my bsp-application. It worked somehow, but not in the way I expected.
    When trying to open my bsp-application, I had to enter my logon-data in an html-form (as expected).
    But sending the data did not create a session. I have to log in between 2 and 5 times (it differs for every try) before I finally see the first page of my bsp-application.
    Once logged in, the session is quite "unstable" - a simple reload of the page throws me back to the logon page again.
    I have no clue, what causes this creepy behaviour - I copied the settings of my test application 1:1 in sicf, both applications are stateful by default and the only place, where the switch to stateless mode is done is my logout-page. Yesterday I even deleted the service of my application in sicf, created a new one and customized it in the same way, I had customized the service of my test-application, so there should be no differences (I have checked for about 10 times).
    As I have already searched the forum and did not find anything, that seemed to match to my problem, I hope, that somebody can give me some advice, because I really don't know, what else to try.
    Below you can see the configuration of the service in SICF. Any option not listed here has its initial value:
    Procedure: Alternative Logon Procedure
    Logon Procedure (The Table-control at the bottom of the page) holds only one entry: "Fields Authentication"
    System Logon: True
    Settings Selection->Define Service Specific Settings: true
    System Logon Settings->Select Display->System Messages: true
    System Logon Settings->Actions During Logon->Protocol: "Do Not Switch"
    System Logon Settings->Default->Client: 101
    System Logon Settings->Default->Language: "German"
    System Logon Settings->Logon Layout And Procedure->SAP Implementation: true
    System Logon Settings->Logon Layout And Procedure->Tmpl.: "Normal"
    System Logon Settings->Logon Layout And Procedure->SAP Icon: "Chrome"
    And here is some information according to the bsp-application:
    Initial BSP: set
    Application Class: set (My test-page did not use an application-class - this seems to be the only difference)
    Theme: not set
    Stateful: yes
    Supports Portal Integration: no
    I don't know, if there is any other information, that could be useful for solving the problem - if anything is missing, just ask for it and I will provide the information needed.
    Thanks in advance.
    Regards, Jörg Neumann

    Hello,
    up to now we also faced a lot of issues with that logout-problem.
    Especially the logout for IE 5.5 and the XUL-runner gave us a hard time.
    We had to change our logout-page about 10 times now, because some weird browser did not work like all the others - AGAIN...
    Here is, what we got so far.
    As far as I know, this stuff should work cross-browser, but it's still client-side jscript.
    <%-- --------------------------------------------------------------
    This is the jscript, that will log you out                      
    -------------------------------------------------------------- --%>
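    <span id="onloadscript"><!--
      // Expire the logon ticket cookie on the client. A browser only removes a
      // cookie when name, path and domain equal the values it was set with.
      function DelSso2Cookie(sName,sPath){
        var sso2Domain = location.hostname;
        // Use the parent domain (host name without its first label) as cookie domain.
        if (location.hostname.indexOf(".")!=0) sso2Domain = location.hostname.substr(location.hostname.indexOf(".")+1);
        var p="";
        if(sPath)p=" path="+sPath+";";
        document.cookie = sName+"=0; expires=Fri, 31 Dec 1999 23:59:59 GMT;"+p + " domain="+sso2Domain+";";
      }
      // Internet Explorer only: drop cached Basic Authentication credentials.
      try{
        document.execCommand( 'ClearAuthenticationCache' );
      } catch (e) {}
      DelSso2Cookie("MYSAPSSO2","/");
    //--></span>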
    <%
    CALL FUNCTION 'HTTP_DELETE_SSO2_COOKIE'
      EXPORTING
        server = runtime->server.
    %>
    <%-- --------------------------------------------------------------
    Calling the script directly did not work in all browsers        
    so we had to use a trick, that may seem kind of weird...        
    We use the onLoad-Event of a transparent 1x1-pixel-image.       
    The query-string is a dummy-value, that will be ignored by the   
    server but it forces the client to reload the picture from the   
    server instead of reading it from the browser cache.             
    This dirty hack was necessary, because some browsers will not   
    fire the onLoad-Event, if the image was read from the browsers  
    cache.                                                          
    -------------------------------------------------------------- --%>
    <%
        DATA: lv_img_url TYPE string.
        CONCATENATE '/sap/public/bc/ur/nw5/1x1.gif?'
                    'dummy=' sy-datum '_' sy-uzeit
               INTO lv_img_url.
    %>
    <img src="<%=lv_img_url%>" onload="eval( document.getElementById('onloadscript').childNodes[0].nodeValue );">
    Regards, Jörg

  • SSO and ITS

    Hello,
    We are trying to setup SSO for SAP System. Our architecture looks like this:
    3rd party logon mechanism(via web) --> ITS --> Web Dispatcher --> WAS (BSP's)
    We did extensive research and found that ITS might enable us to do that. But we are not clear if SNC is a must (Which we don't want to do). The documentation is not clear. The current URL without SSO points to Web Dispatcher which gets us the bsp pages from the WAS.
    Following is what we want to achieve:
    1. Users will logon to the 3rd party logon mechanism via web(software is installed with APACHE 2.0)
    2. once users are authenticated we need to pass the ID via HTTP header or any other method available to logon to SAP BSP Pages.
    Currently users can logon to 3rd party software which redirects to the BSP application and requests user id and password.
    We are wondering if anyone has done this sort of setup.
    Thanks,

    Hi
    For SSO concept visit (You can also find usage in EP)
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/90277dbd-0401-0010-33a1-ac2c7e3a5659
    Usage across portal:
    Normally Portal provides you a page which has content from different backend applications. Portal actually provides single point of entry to these applications which reside outside Portal. Now with Single Sign-On feature user does not have to logon to backend application again. That means when he clicks a link on Portal which points to Backend application, he does not have to enter user and password again for that application.
    for more info
    sso
    Some fundas related to SSO with portal
    What is meant by "SSO across multiple domains"
    some useful blog
    Step-By-Step Guide to implement Application Integrator
    Hope that helps

  • Single-Sign-On (SSO) configuration on JAVA Stack through HTTP Header method

    Hello SDN community,
    in the context of a Proof of Concept, we are testing the integration of Microsoft Sharepoint Portal with SAP Backend (addin) systems.
    As the architecture imposes the use of an external scenario (access from the internet), we couldn't use the Kerberos (SPNego) solution and thus we chose the http header solution, which in short uses an intermediary web server (in this case the IIS of the MOSS solution) which will act as authority.
    I miss information on how the workflow works for this http header authentication method. Through the visual administrator of the addin JAVA stack, it is possible to configure each application with a customized authentication (a choice of security modules). But this is all that I know.
    My task is to configure SSO. From a sharepoint portal, the user should be able to access Web Dynpros and BSPs. I imagine that the very first call to a webdynpro or bsp (or maybe when we log on the sharepoint portal), the request to the WDP or BSP will first be forwarded by the intermediary server to the JAVA stack (or is it the SAP dispatcher that has to be configured).
    Is there an application to be built on the java stack to deal with the authentication, modify http header?
    What will the Java stack return? a sap long ticket? a token?
    How will the redirect work (to by example a BSP which is in the ABAP stack)?
    SAP recommends securing the link between the intermediary web server and the JAVA stack with SSL; is IP restriction also a solution?
    A lot of questions about how this SSO http header should work,
    I would be very grateful for any help, or info,
    Kind regards,
    Tanguy Mezzano
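
    The trust boundary behind the http header method asked about in this post, as an added example (not code from the thread or from SAP): the intermediary is the only party allowed to assert the user, so it drops any copy of the header that arrives from the browser, and the backend accepts the header only from the intermediary's address over TLS. The header name `x-sso-user`, the addresses and all function names are assumptions for illustration.

```javascript
// Added example. The header name, the address and the function names are
// hypothetical; sample requests are constructed.
const USER_HEADER = 'x-sso-user';
const TRUSTED_PROXIES = new Set(['10.0.0.5']); // address of the intermediary web server

// Intermediary side: headers to forward once the user has been authenticated.
function buildUpstreamHeaders(clientHeaders, authenticatedUser) {
  // Refuse empty names and anything that could split or inject a header line.
  if (typeof authenticatedUser !== 'string' ||
      !/^[A-Za-z0-9_.@-]{1,64}$/.test(authenticatedUser)) {
    throw new Error('no valid authenticated user, request not forwarded');
  }
  const out = {};
  for (const [name, value] of Object.entries(clientHeaders)) {
    // Header names are case-insensitive and some servers map '_' to '-',
    // so compare a canonical form before deciding what the browser may pass on.
    const canonical = name.toLowerCase().replace(/_/g, '-');
    if (canonical === USER_HEADER) continue; // copy supplied by the browser: drop it
    out[name.toLowerCase()] = value;
  }
  out[USER_HEADER] = authenticatedUser; // set only from the intermediary's own logon
  return out;
}

// Backend side: may this request log on with the header at all?
function acceptHeaderLogon(request) {
  const { remoteAddress, encrypted, headers } = request;
  if (!TRUSTED_PROXIES.has(remoteAddress)) return { ok: false, reason: 'untrusted source' };
  if (!encrypted) return { ok: false, reason: 'no TLS' };
  const values = [].concat(headers[USER_HEADER] ?? []);
  if (values.length !== 1) return { ok: false, reason: 'missing or duplicate header' };
  return { ok: true, user: values[0] };
}

// Constructed requests as the backend would see them.
function demo() {
  const forwarded = buildUpstreamHeaders(
    { 'Accept': 'text/html', 'X-SSO-User': 'admin', 'X_SSO_USER': 'admin' }, 'jdoe');
  return {
    forwarded,
    viaProxy: acceptHeaderLogon({ remoteAddress: '10.0.0.5', encrypted: true, headers: forwarded }),
    direct: acceptHeaderLogon({ remoteAddress: '192.0.2.44', encrypted: true,
                                headers: { 'x-sso-user': 'admin' } }),
    plainHttp: acceptHeaderLogon({ remoteAddress: '10.0.0.5', encrypted: false, headers: forwarded }),
  };
}
console.log(demo());
```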

    Hi Tanguy,
    To tell you the truth I'm really unsure about what you are trying to achieve. When I started posting to your thread I thought all you wanted was trying to access your J2EE engine via Browser and authenticate against the engine using HTTP Header Variables. Never mind:
    Here are some answers to your question:
    in fact I did succeed, the problem was that even after domain-relaxation done by the J2EE, I had to change the domain of the SAP cookie to the bbbb.domain.com to be understood (I would have thought that all hosts in/under domain .domain would have accepted such a cookie but it seems that no...).
    The server does not care about the domain because Cookies in an HTTP Request do not contain any domain information. The domain is just important when the Cookie is set by the server so your Client (Browser) will know in which cases the Cookie may be sent or not. So if your domain is xxx.yyy.domain.com and your cookie is issued to .domain.com then your Browser will definitely send it to all hosts under .domain.com (This includes xxx.yyy.domain.com etc.)
    My current scenario is: in a first request get a SAP Logon Ticket from the Java Stack, then change its domain and then directly call the backend with it.
    You can do that but there is no Client involved in this scenario. So this is useful if you just want to test the functionality (e.g. authentication to J2EE using Header Variables (This works finally!!!) and then use the fetched Logon Ticket to test SSO against any trusted Backend!!)
    So everything's is in a Java Client application without using any redirection.
    If I understand you, your solution is from the Browser call a servlet (which is deployed on the Java Stack and has no authentication schema) by passing to it our http header.
    No, you should initially authenticate somewhere! I thought that maybe you had some resource you access before accessing the Java Stack. This could be any application (e.g. deployed on a Tomcat or JBOSS or other server or if you like even SAP J2EE). After authenticating there you are aware of the username and could use it to proceed (e.g. Authenticate against the J2EE using the same user and HTTP Header authentication for that particular user!)
    That servlet will transfer the http header (with the HttpClient app) in order to get from the Java Stack a SAP Logon ticket, and then to redirect to the resource and by sending back the cookie in client browser. Am I correct?
    This was just a suggestion because I realized that there was no Client ever involved in any of your testing (looked strange to me!). I was just thinking that it would be easier for you to just get the Cookie into your Browser so your Browser would do the rest for you (in your case finally send the Logon Ticket Cookie to your Backend to test SSO using Logon Tickets!).
    The AuthenticatorServlet somehow serves as a Proxy to your client because your client is not able to set the Header Variable. That's why I initially suggested to use a Proxy (e.g. Apache) for that purpose. The problem is just that if you use a Proxy you will have to tell it somehow which username it should set in the Header Variable (e.g. using a URL Parameter or using a personalized client certificate and fetch the username (e.g. cn=<username> from the certificate!)
    This way of doing would simplify the calls for sso for each new application needing authentication, instead of having all code each time in it...
    I'm stuck again! Do you want to authenticate an End User or do you want to authenticate an application that needs to call any resources in your Backend that requires authentication?
    So my problem now, is how to call the servlet from the client browser:
    I'm trying to call my servlet from the browser but I don't succeed. I am able to understand how to reach a jsp from the Java Stack, but not to reach a servlet. I don't find the path to my servlet:
    <FORM method="POST" action="SSORedirect2" >
    A JSP is a servlet too. There is just no JAVA Class involved!
    You do not need any POST Request to invoke a Servlet.
    I see that my servlet is deployed, but I don't know what path to give to my form to invoke the servlet, here follows my web.xml
    <?xml version="1.0" encoding="UTF-8" ?>
    <!DOCTYPE web-app (View Source for full doctype...)>
    <web-app>
      <display-name>WEB APP</display-name>
      <description>WEB APP description</description>
      <servlet>
        <servlet-name>SSOredirect2</servlet-name>
        <servlet-class>com.atosorigin.examples.AuthenticatorServlet</servlet-class>
      </servlet>
      <servlet>
        <servlet-name>SSORedirect2.jsp</servlet-name>
        <jsp-file>/SSORedirect2.jsp</jsp-file>
      </servlet>
      <security-constraint>
        <display-name>SecurityConstraint</display-name>
        <web-resource-collection>
          <web-resource-name>WebResource</web-resource-name>
          <url-pattern>/*</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>DefaultSecurityRole</role-name>
        </auth-constraint>
      </security-constraint>
      <security-role>
        <role-name>DefaultSecurityRole</role-name>
      </security-role>
    </web-app>
    If you have an AuthenticatorServlet Class all you need is to add the Servlet Mapping in your web.xml file
    e.g.
    <servlet>
      <description>
      </description>
      <display-name>AuthenticatorServlet</display-name>
      <servlet-name>AuthenticatorServlet</servlet-name>
      <servlet-class>com.atosorigin.examples.AuthenticatorServlet</servlet-class>
    </servlet>
    <servlet-mapping>
      <servlet-name>AuthenticatorServlet</servlet-name>
      <url-pattern>/AuthenticatorServlet</url-pattern>
    </servlet-mapping>
    You can directly call the Servlet in your Browser by calling the URL provided in the url-pattern of your Servlet mapping (in this case /AuthenticatorServlet). The engine will invoke the Class "com.atosorigin.examples.AuthenticatorServlet" in the background and do whatever you defined there!
    I have also to pass my http header and the redirectUrl in the GET request.
    If you like! I just suggested this for testing purposes. As I stated before you need a way to tell your proxy (or in your case AuthenticatorServlet) which user should be set when calling the Engine in order to authenticate using HTTP Header. You could use the URL Parameter to define the user you actually want to use when you set the Header Variable.
    I just introduced the redirectURL because you were talking about redirects all the time. So if you finally want to call the Backend you could define the Backend URL in the redirectURL Parameter and the Servlet will make sure that you are redirected to this location after the whole process!
    Thx for your input very helpful,
    But again 0 points
    Cheers
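
The thread above passes both the user name and the redirectURL to the servlet as URL parameters, which it describes as a testing shortcut. The following is an added example, not the AuthenticatorServlet from the thread or any SAP code: it takes the user from the container login that the posted security-constraint on /* already enforces, and only redirects to allowlisted hosts. The class name SafeSsoRedirectServlet and the host backend.example.com are assumptions.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.Principal;
import java.util.Locale;
import java.util.Set;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical sketch; map it with a <servlet-mapping> like the one shown in the thread.
public class SafeSsoRedirectServlet extends HttpServlet {
    // Assumption: the only backend hosts users may be sent to after logon.
    private static final Set<String> ALLOWED_HOSTS = Set.of("backend.example.com");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // The container authenticated the caller (security-constraint on /*),
        // so the identity comes from the session, never from a URL parameter.
        Principal caller = req.getUserPrincipal();
        if (caller == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String target = req.getParameter("redirectURL");
        if (!isAllowedTarget(target)) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "redirectURL not allowed");
            return;
        }
        // The backend logon for caller.getName() (the header-variable step
        // described in the thread) happens here and is outside this sketch.
        resp.sendRedirect(target);
    }

    // Accept only absolute https URLs whose host is on the allowlist.
    static boolean isAllowedTarget(String target) {
        if (target == null) return false;
        try {
            URI uri = new URI(target);
            return "https".equalsIgnoreCase(uri.getScheme())
                    && uri.getUserInfo() == null
                    && uri.getHost() != null
                    && ALLOWED_HOSTS.contains(uri.getHost().toLowerCase(Locale.ROOT));
        } catch (URISyntaxException e) {
            return false; // malformed input is rejected, not repaired
        }
    }
}
```

A backend that accepts header-variable logon should take that header only from this servlet's host and drop any copy of it arriving from browsers.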

  • Suppress default logon box after invalid logon via SSO

    Hi,
    We are using SSO to authenticate to the database. If the SSO authentication fails, Oracle Forms automatically brings up the default logon box. For example -
    A user registers and their userid and password are stored in the OID. The user's password is then reset by a DBA. The next time the user tries to access the application, the credentials stored in the OID are incorrect. The on-error trigger in the form fires and brings up an error message. Then the default logon box pops up. I would like to just display a message and then exit the form. I do not want the user to have the option to enter a userid and password. I have tried putting an exit_form in the on-error trigger, but it says that exit_form is a restricted procedure. No other triggers fire before the default logon box pops up.
    Does anyone know how I can suppress the default logon box?
    Thanks,
    Kim

    Hi Caíque,
    Yes, we allowed pop-ups and cookies in the browser and disabled the firewall.
    When we click a button on the CRM UI in internet explorer, the error message is
    -Invalid argument
    "http://acsmrcrm03.com:8000/sap(====)/bc/bsp/sap/bsp_wd_base/popup_buffered_frame_cached.htm?sap-client=100&sap-language=EN&sap-domainRelax=min"
    -Object does not support this property or method"
