SSO to ESS via Portal

Hi
Our scenario is:
Kerberos from client to Portal
Reference System to map SAP User
Trust between Portal and HR
ESS Backendsystem with auth method SAPLOGONTICKET
-> Works all fine.
Now the problem is ...
We would like to "reduce" the TRUST to enable SSO only for ESS & MSS, and not allow SSO to be used e.g. with a transaction iView to HR. Simply said, higher security.
We don't know how to do this. Anybody with ideas?
Am I right that with SNC I cannot transport the user to build SSO between Portal and HR?
The idea was to use SNC, because with SNC you can specify on the HR side who is mapped and allowed to enter with SSO.
But it seems that between Java and ABAP systems SNC can only be used to encrypt transport messages???
What I'm wondering is:
With SAP BusinessObjects (BOE) you can set up an SNC connection from BOE => BW to do SSO, or not?
Regards Martin

Hello Martin
How about this:
1. Create 2 'systems' in your portal; one is for ESS/MSS only, and this system can use SSO.
2. Create another system and use UIDPW as the logon method in your portal -> system landscape.
    Except for ESS/MSS, let all the other transaction iViews use the second system.
Regards,
Thunder

Similar Messages

  • Calling a web dynpro application via portal using SSO

    Hello Expert,
    I have a requirement where I need to call a Web Dynpro application via portal.
    But it is asking for user name and password.
    I want to call it using single sign-on.
    Can you please suggest a way?
    I did the coding like this:
    " Build the absolute URL of the Web Dynpro application
    CALL METHOD cl_wd_utilities=>construct_wd_url
      EXPORTING
        application_name = l_c_appl_name
      IMPORTING
        out_absolute_url = l_v_gv_url_string.
    l_v_icf_url = l_c_icf_url_val.                      "#EC SYNTCHAR
    " Check whether the ICF service behind the URL is active
    CALL METHOD cl_icf_tree=>if_icf_tree~service_from_url
      EXPORTING
        url             = l_v_icf_url
        hostnumber      = l_c_0
        authority_check = space
      IMPORTING
        icfactive       = l_v_m_sso_active.
    IF l_v_m_sso_active = l_c_x.
      CREATE OBJECT o_viewer
        EXPORTING
          parent = o_empty_co.
      " Ask the HTML viewer to pass the SAP logon ticket to the browser
      CALL METHOD o_viewer->enable_sapsso
        EXPORTING
          enabled = l_c_x
        EXCEPTIONS
          OTHERS  = 0.
      l_v_gv_url_c = l_v_gv_url_string.
      " Append the URL parameter string and the personnel number
      CONCATENATE l_v_gv_url_c l_c_url_string p0022-pernr INTO l_v_gv_url_c.
      CALL METHOD o_viewer->detach_url_in_browser
        EXPORTING
          url        = l_v_gv_url_c
        EXCEPTIONS
          cntl_error = 1
          OTHERS     = 2.
      IF sy-subrc <> 0.
        MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno
          WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4
          RAISING error_occured.
      ENDIF.
      cl_gui_cfw=>flush( ).
    ENDIF.
    But it is not working.
    thanks
    Mahesh

    Hi Mahesh,
    You need to set up Single Sign-On between SAP Portal and the ECC system where you are doing the development.
    Ask the Basis team to set up the single sign-on; usually this is a job done by Basis teams. Refer to the link below to get some idea of the SSO setup:
    http://scn.sap.com/community/enterprise-portal/blog/2013/12/15/sso-configuration-between-sap-portal-73-and-ecc-60-ehp-6
    Thanks
    Krishna

  • GRC 10 - SSO via Portal - how to redirect url in notification variables

    Dears,
    I am in the process of designing our GRC 10 machine to be accessed via SSO in the Enterprise Portal. Yet I cannot find any info on what will happen with the URLs that are placed by ARM MSMP workflow in the variables of notifications/approvals.
    I typically would (as in 5.3) expect a redirect URL to be made available as an option.
    As an example: the Firefighter Log notification standard holds a variable pointing the URL to :
    http://GRC10server:GRC10port/sap/bc/webdynpro/sap/grac_ui_spm_log_email?sap-client=001&sap-language=EN&WF_ID=53FB8FEAC9E260D6E10000000AF90C44&APP_TYPE=1
    Yet now with SSO via the portal we also want this URL to go via the portal instead of directly to the GRC machine. How can we achieve that?
    Is there a configuration way to have GRC10server:GRC10port adjusted to the portal address?
    (mind that the WF_ID segment in this URL is dynamically generated, so directly squeezing in a static portal URL is not an option)
    Cheers,
    Jim

    Hi Neeraj,
    Thanks for your reaction. This unfortunately will not do the job, as pasting the URL in the notification template will make it static. The problem is that the URL inserted by default is a dynamically created one which holds a variable pointer to a workflow object ID.
    Now I am researching whether a custom-built portal redirect application will do the job. But there must be others having the same problem if you want the GRC iView in the portal to be the 'one-stop-shop' for your GRC users...
    Cheers,
    Jim

  • Collaboration with vendor via Portal?

    Hi everyone:
    I have met a problem with vendor collaboration. Our customer has lots of vendors, and our customer expects that their vendors can query related R/3 reports in real time via Portal on the Internet.
    I have set up SSO between Portal and R/3, and a user who has both a Portal user and an R/3 user can access R/3 via Portal easily. We can create users for vendors in Portal easily, but it is impossible for us to create users for all of the vendors in R/3, because R/3 users need to be paid for by license. So vendors cannot query R/3 reports via Portal now.
    My problem:
    1. Vendors can't query R/3 reports via Portal now.
    Has anyone met this problem before, and how can it be solved?
    2. On the assumption that our vendors can query R/3 reports via Portal, how can we control the authorization so that a certain vendor can query only his own data and not other vendors' data?
    Any advice and discussion is welcome!
    Best Regards,
    Jianguo Chen
    Message was edited by: jianguo chen

    Hi Brian
    Which datasource are you using?
    I think you used read-only LDAP + Database.
    When you change the password for a user in the portal, the corresponding user password in the LDAP directory is not changed; that's why it generates a message that
    the password expires and you can't change the password.
    So try to change the password in LDAP also.
    Hope it helps you.
    regards,
    kaushal

  • SAPGUI for Windows via Portal - problem with frame

    We are launching SAPGUI for Windows via Portal to drive single sign-on via AD.  Our problem is that when SAPGUI launches, it is contained within an IE browser frame that causes some of the SAPGUI screens to not fit on the screen well.  Those same screens fit just fine if we launch SAPGUI directly.
    Is there any way to launch SAPGUI from Portal, with SSO enabled, but without the IE frame around it?

    Lonny,
    The best way to authenticate users when they log on using SAP GUI for Windows is to use SNC authentication in SAP GUI. Then, the browser iView will launch the GUI and the GUI will authenticate the user using their AD credentials issued during the Windows logon. You will need to set up an SNC library on both the ABAP system which the user is logged onto, and the workstation where SAP GUI is installed.
    If you don't use SNC, and you just launch SAP GUI for Windows from the browser, then an SSO2 ticket is used to authenticate the user to the ABAP stack, and this is not secure due to the fact that the SAP GUI session which is used to pass the SSO2 ticket is not protected - anybody can intercept the SAP GUI session, take the SSO2 ticket from this traffic and log on as that user - clearly this is bad security and needs SNC to make it secure.
    Thanks,
    Tim
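
Added example (not part of Tim's reply and not SAP tooling): a small Python check for the exposure described above, run over constructed instance-profile text. It assumes the standard profile parameters login/accept_sso2_ticket, snc/enable, snc/accept_insecure_gui and snc/data_protection/min, and reports an absent parameter instead of assuming a default; the finding codes are made up for this example.

```python
# Added example: audit ABAP instance-profile text for logon tickets that can
# travel over an unprotected SAP GUI connection.
# Both sample profiles are constructed for illustration, not from a real system.

WEAK_PROFILE = """\
# constructed sample: tickets accepted, SNC switched off
login/accept_sso2_ticket = 1
snc/enable = 0
"""

HARDENED_PROFILE = """\
# constructed sample: SNC required for SAP GUI, privacy protection enforced
login/accept_sso2_ticket = 1
snc/enable = 1
snc/accept_insecure_gui = 0
snc/data_protection/min = 3
"""


def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines; '#' lines are comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def audit_gui_sso(text):
    """Return finding codes (hypothetical names) for ticket logon without SNC protection."""
    p = parse_profile(text)
    findings = []
    if p.get("login/accept_sso2_ticket") == "0":
        return findings  # tickets explicitly refused: nothing to intercept
    if p.get("snc/enable") != "1":
        return ["TICKET_WITHOUT_SNC"]  # GUI traffic carrying the ticket is unprotected
    gui = p.get("snc/accept_insecure_gui")
    if gui is None:
        findings.append("INSECURE_GUI_UNSET")      # absent: review manually
    elif gui == "1":
        findings.append("INSECURE_GUI_ACCEPTED")   # non-SNC GUI logons still allowed
    elif gui == "U":
        findings.append("INSECURE_GUI_PER_USER")   # decided per user master record
    level = p.get("snc/data_protection/min")
    if level is None or not level.isdigit() or int(level) < 3:
        findings.append("NO_PRIVACY_MINIMUM")      # below 3 the traffic is not encrypted
    return findings


if __name__ == "__main__":
    for name, prof in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, audit_gui_sso(prof))
```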

  • Customizing ESS in Portal

    Good day Gurus,
    Need your take on this. We have a new requirement to create a new ESS iView (based on a certain infotype) in the portal which would allow ESS users to add, delete, change and display information. I'm thinking along the lines of copying one of the function modules for either Personal details, Address or Bank information for this requirement. After which, I would then change the field selection and logic accordingly. My reason for doing so is that the functionality for my requirement is the same as that of Personal details, Address and Bank details. Would that be a good option, or would you suggest something else? Another question is, how can I actually create an iView in the portal which would then call this new function module? Thanks guys.
    Regards,
    Johan

    In that case you will be running your ESS via an external Internet Transaction Server (ITS), so you will need to build something that will run on that.
    If you want to copy something like the standard "Address" service (PZ02), have a look in the R/3 table T77WWW_SC.  You will see two sets of entries in there for PZ02, one for the initial list screen and one for the detail screen.  You will also see the corresponding standard Function Modules in there.  The main idea of this table is to allow for different country versions of the ESS screen.
    You could create a custom "Z" transaction in SE93, copy and modify the standard FMs, then add it all to the above table.
    The other option is to create your own Internet Application Component (IAC) in SE80 and publish it to your ITS.  This gives you the flexibility of defining your own HTML templates etc.  Tip - don't use Flow Logic if you want your service to run on the integrated ITS after an upgrade to ERP2005.
    Either way, once you have your ESS service up and running, just create a new iView in the portal based on the standard "SAP IAC iView" template.
    Regards,
    John

  • Error when Enabling SSO in ESS/MSS  for My SAPERP2004

    Hi Friends,
    For the past 3 days I have been trying to enable SSO from my Enterprise Portal to MySAPERP2004.
    We have installed EP rapid installer SP14 in our system; since it is preconfigured, we are now trying to enable SSO to the myERP system after maintaining the JCO destination.
    We have followed the procedure which is given in the weblog called Configuring ESS; there the configuration part contains only assigning the user to the Employee on the MySAPERP2004 side.
    But even though we did the correct steps, when we test it while maintaining JCO destinations in the Web Dynpro part, it shows the following error:
    com.sap.mw.jco.JCO$Exception: (103) RFC_ERROR_LOGON_FAILURE: The system is unable to interpret the SSO ticket received
    I searched for the solution in several forums but I could not find one.
    Please post your suggestions to solve this problem.
    Thanks in advance,
    Sireesha.B

    Did you follow step-by-step guide on
    Configuring The Business Package For Employee Self Service (ESS)-mySAP ERP 2004
    James

  • Fetching data in R/3 via portal application(JSPDYNPage)

    Hello Everyone,
    I want to fetch data from the R/3 server via a portal application (JSPDynPage) and display that data as the output of the portal application in TableView format. Can anyone guide me on this (i.e. how to connect to the R/3 server via a portal component, fetch data and display it)? Any similar application developed, as a reference, will be of great help.
    Thanks,
    Chetan

    Hi Chetan,
    I hope you know how to create a JSP Dyn Page, anyway I will explain it briefly.
    Open NWDS->File->New->Create a portal application project->Specify the project name
    right click on the project->New->Create a new portal application object->Portal component->Select JSP dyn page-(By default it creates class and all)->this is available under description on the right column-
    Now goto the Java page->see the functions->attach zip and jar files(HTMLB plugin)
    ->Right click on the project->goto properties->Java build path->Add external jars->Select com.sap.portal.htmlbbridge.zip and htmlb.jar
    This is how JSP page is created.
    Now we want to establish a connection with R/3. That I will discuss in the next session.
    Award points if this was helpful......
    All the best for you
    Regards,
    Arun Jacob.

  • SSO to SAP via SAP Logon Group

    Hi,
    I've tried to configure SSO to SAP via an SAP logon group. When trying this I get the following error:
    Connect to message server failed Connect_PM MSHOST=<server>, R3NAME=IB1, GROUP=IB1_Web LOCATION CPIC (TCP/IP) on local host ERROR The message received isn't from a message server. Are you really connected to the message server? Please check your connection parameters. (<server> / sapmsIB1) TIME Tue Dec 16 16:48:49 2008 RELEASE 640 COMPONENT MS (message handling interface, multithreaded) VERSION 4 RC -2
    I've also configured the services file under winnt\system32\drivers\etc on the BO server with the following line:
    sapmsIB1      443/tcp
    Is there anything else I have to configure? Or what does this error mean? The server which I have tried to reach is a message server.
    Thanks in advance.
    Claudia

    HI Ingo,
    yes I can connect with SAP GUI via message server and application server. I can also connect with BO via sso to the application server. Only the message server failed.
    I have now found out that I had the wrong port. But also the right port doesn't work. I have tested the port with telnet. The port is reachable.
    Thanks
    Claudia

  • SSO from Non-SAP portal to EP

    Hi.
    We need SSO from a non-SAP portal to EP.
    The non-SAP portal has published form-based authentication.
    I mean user ID & password set in the URL.
    Can the EP then generate an SAP Logon ticket for the backend system?
    regards,

    How to Enable Single Sign-on with Non-SAP Web Application
    I have collected very good material to implement this.
    http://help.sap.com/saphelp_nw04/helpdata/en/12/9f244183bb8639e10000000a1550b0/content.htm
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a7b5ba90-0201-0010-4dbc-8f999dcd2798
    Cheers!!
    SJ.

  • Sales Order Entry via Portal in R/3 4.7

    Hi,
    is there an iView (out of a Business Package) available for Sales Order Entry via Portal in R/3 4.7 ?
    Or do we need to develop this from scratch?
    Thanks & Regards,
    Erik

    Hi Erik,
    The only one I found was in the Business Package for Sales, but it is listed for ERP2004 only. I found another one in the Business Package for Retail 50.2 that was 4.7 compatible, but it is shown as out of maintenance and I was unable to download it. I didn't try very hard to get the download to work. You may want to take a look.
    Good Luck,
    John

  • Problem about showing report via Portal after modifying BWReports.css

    Hi folks,
    I use BEx 3.X.
    I want the titles of the table columns to be shown in the center of the table cell.
    So I modified the class SAPBEXstdItem in BWReports.css and changed the text-align of SAPBEXstdItem to 'center'.
    When I run the report via Web Application Designer (SAP BW 3.x),
    the title is located in the center of the table cell.
    However, when I run the report via Portal, the title is still located on the left of the table cell.
    I don't know why.
    Could you help me solve the issue?
    Thanks in advance.

    I can't find the WAD link here.
    Do you mean BEx Web Application Query String?
    My BEx Web Application Query String is sap-language=<Request.Language>&bsplanguage=EN&cmd=ldoc&TEMPLATE_ID=ZXJP_C04_WT0110
    Edited by: Xiaodong Ji on Nov 14, 2008 4:53 AM

  • Backing up KM Folders via Portal Drive

    Hi Experts,
    We've implemented NetWeaver Portal 7.0 with SP14 for a local company. The company migrated all shared folders from the filesystem into KM via Portal Drive.
    The Portal is running on a VMware machine with Linux OS.
    The following are common questions when we implement a Document Management System on KM. I'm writing my answers but need help with Q2 especially.
    Q1: How to back up files in KM?
    A1: The KM repository is in DBFS mode by default and all files within KM are stored in the DB. So backing up the DB means backing up KM and thus all files.
    Q2: How to back up/restore single/multiple files in KM in case of accidental deletion?
    A2: In case of accidental deletion, with SP14 the "Deleted Items" functionality was given to KM and you can view and restore deleted files.
    In case of permanent deletion, there is no option for KM file backup/restore other than the DB.
    Here we tried to simulate something like the following to back up files and restore them in case of a problem, just like filesystem document management:
    On the backup server, we installed Portal Drive and mapped the Portal KM folders.
    Then we created a filesystem backup on this mounted FS. But we were unable to back up in specific cases.
    We are not sure what is causing the problem; it may be the backup software, the VMware architecture, Linux, or lastly the SAP portal.
    Here is the error code we get when we try to back up KM folders on a 32-bit Windows 2003 server with NetBackup.
    6/4/2008 2:14:53 PM - granted resource MediaID=@aaaae;Path=Z:\bck;MediaServer=bkcompany
    6/4/2008 2:14:53 PM - granted resource test_disk
    6/4/2008 2:14:53 PM - estimated 16 kbytes needed
    6/4/2008 2:14:54 PM - started process bpbrm (88520)
    6/4/2008 2:14:54 PM - connecting
    6/4/2008 2:14:54 PM - connected; connect time: 00:00:00
    6/4/2008 2:14:58 PM - begin writing
    6/4/2008 2:15:05 PM - Error bpbrm(pid=88520) socket read failed, An existing connection was forcibly closed by the remote host.  (10054)
    6/4/2008 2:15:10 PM - Error bpbrm(pid=88520) could not send server status message      
    6/4/2008 2:15:10 PM - end writing; write time: 00:00:12
    file read failed(13)
    Also the event log entry:
    Faulting application bpbkar32.exe, version 6.5.2007.1115, faulting module bpbkar32.exe, version 6.5.2007.1115, fault address 0x00067581.
    Maybe this specific case has been encountered by one of you.
    Does anyone have a solution or a sample implementation like the above?

    Hi
    Have you tried the ICE Offline scenario?
    How to distribute KM Content using ICE Protocol: https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/802c1739-d270-2910-ad9f-f369de07c1bf
    Check the Offline scenario, not Online.
    Regards
    Aparnna

  • IMS via Portal

    Hi!
    I am getting a JavaScript error when trying to log in to Messaging via Portal.
    Can anybody help me with it?
    Thank You
    Simon

    Simon Fugler wrote:
    Hi!
    I am getting a JavaScript error when trying to log in to Messaging via Portal.
    Can anybody help me with it?
    Thank You
    Simon
    You can't view iMS with the channel attached; you have to detach the
    channel and log in to iMS.
    Cheers, Ram

  • Accessing ECC system via portal

    Hello,
    We are in the process of implementing NetWeaver 2004s components for one of our clients. In the landscape we have ECC 6.0, BI 7.0 and XI 7.0. We are planning to use Enterprise Portal for the SSO activation. Presently the client has Windows Active Directory.
    My question is: if I need to integrate ECC 6.0 with the EP for SSO, is any portal development effort required? How do we access ECC from the portal? Do we need to create an iView for each ECC tcode? Kindly advise.
    Regards
    Sachin

    Hi Sachin,
    You can easily do that. Create your transaction iView using the "Session_Manager" transaction. This transaction will bring the user to the initial screen as he gets in ECC after logging in. With this iView he will be able to see the menu bar as in the traditional ECC screen. So from there the user can navigate to other transactions as well for which the user is authorized.
    You can create the transaction iViews from the portal following these steps:
    1) Log on to the portal with the Content Administrator role.
    2) Select Content Administration > Portal Content. On the right side select Portal Content.
    3) Right-click Portal Content > New > iView. On the right side select iView Template out of the three radio buttons. Click Next.
    4) Select SAP Transaction iView from the list of iView templates.
    5) Provide the iView Name and ID properties.
    6) Select the SAP GUI Type, say "SAP GUI for HTML" for HTML.
    7) Here select the System Alias name to which you want to connect and the TCode that needs to be accessed. Click Next and then Finish.
        If your system is successfully created and running then you will be able to preview the iView.
    I hope the information provided will be very useful to you.
    Regards,
    Sumit
