SSO to third party in EP 7.0 (SP-21)

Similar Messages

• Integration of SSO with Third Party Application

  Hello Colleagues,
  I have requirement where I have to integrate SSO with a third party application.
  After some R & D I found out that there is some one class "SSO2Ticket.java" which can do that or help in verify the ticket.
  Since I am new to this area, I am not sure how do I go ahead with the execution of this java file.
  Can somebody help me with this.
  Also, is there any documents which talks about SSO integration or about the above mentioned JAVA file.
  Best regards,
  Arvind

  Which type of 3rd party application is this, and which SSO authentication methods does it support?
  If you can find a common one, then that will be good for you.
  Specifically for non-SAP systems re-using the SAP LogonTickets, I know that you can extract the user name from the ticket. I think SAP even provides some verification tools here for external applications to verify the ticket?
  Currently there is much excitement about SAML 2.0 which is also worth taking a look into as well.
  Cheers,
  Julius

• SSO with third party solution C.A.S

  Hi,
  Is there any feedback regarding implementation of third party SSO solution with SAP BW, R/3.
  We are imptemting to use C.A.S Solution based on LDAP Sun One, users are different in both systems.
  Regards

  UP

• Sso with third party java application.

  hi all,
  I want to have single signon for third party java application deployed on websphere 5.0 advanced server .
  I am using SAP EP6.0 SP13 .
  Can anybody help me out.
  thanx in advance.....
  Sarang

  Hi Sarang
  Please refer to the following thread. It should answer your question.
  SSO between SAP EP and JAVA app on WebSphere Application Server 5.1
  Also refer to the following document.
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/nw/ibm/how to set up sso between sap enterprise portal and ibm websphere portal using tai.pdf
  Hope that was helpful.
  Warm Regards
  Priya

• How to integrate single sign on with third party system

  we are in the process of implementing istore application. we already have home grown isupport application to contact support personnal for any issues. Now we are wondering how do we integrate oracle applications single sign on with our third pary system. Is there any recommendation provided by oracle to achieve the same.

  We too are in the process of implementing iStore with SSO features.
  And if you believe me it seems to me as nightmare.
  In our scenerio we are intgrating this SSO with Third party access control too (AD and Siteminder). I would request you to please respond me on the following mail id , so we can share our experince which will help us in our implementation
  [email protected]
  regards and thanks in advance
  Vikas Deep

• Third party application forcing java stack to restart when logged in through SSO

  Hi
  We have APW Third party application installed on Enterprise portal  7.4.
  When we tried to login APW portal through SSO it forces Java stack services to restart.If we use APW directly without SSO it works fine.
  Can you help me tto resolve the issue.

  Hi Manish,
  Please check  the configuration once agian about the third party connection  and  the portal.
  Also provide the "dev_server0" which under in directory /usr/sap/SID/J00/work and default trace which under in “/usr/sap/SID/J00/j2ee/cluster/server0/log" to analyze the issue. There is some other tool as well to check the issue using "httpwatch" log tool. But, mostly issue can be identified in dev_server0 or defalut trace".
  Thanks,
  Brindavan

• Third party SSO with a custom login module

  Hello everyone,
  I've found a few posts on the forum with questions similar to mine, but none have been answered.  I'm using a 3rd party authentication product along with a custom implementation of the AbstractLoginModule interface.
  The setup is standard: A 3rd party agent is installed on a reverse proxy web server to SAP. The agent is configured to protect SAP resources, and it handles the login screens and authentication. Once the user has been authenticated, the AbstractLoginModule implementation kicks in, decrypts and validates an SSO token, retrieves the username from it and creates an SAP Principal.   
  The login ticket template is configured as follows:
  1.  EvaluateTicketLoginModule   SUFFICIENT
                      2.  MyLoginModule                      REQUISITE
                      3.  CreateTicketLoginModule       OPTIONAL
  One of the integration's key requirements is that direct interaction with standard SAP authentication must be avoided.  More specifically, the user should never need to enter an SAP password.  I'm only seeing two problems, both of which violate this requirement.
  The first is in cases where there is no existing SAP user that matches the authenticated user.  In this case, the third party token and SAP Principal are created, the abort method is called, and the user is redirected to the SAP login page.   I need to either bring to user back to the third party login page or to a custom error page~.
  The second problem occurs when an SAP password change is required. Again in this case, an SAP form is displayed after the module has created the Principal (although once the user changes the SAP password, all's well). If I were to disable mandatory password changes, would this apply to fat client access as well? If so, then it's not a viable option.
  The general idea in both instances is that the SAP I'd appreciate any help or suggestions.  
  Thanks
  ~ Since the SSO token applies to applications outside of SAP, I may add a login module parameter to make this a configurable choice. (I.e. allow the administrator to decide whether to inform the user that SAP authentication failed while preserving the SSO token, or to destroy the token and force re-authentication). However, if there is a way to configure the "bad credentials" URL outside of the module's code/parameters, it may be better to place the choice there.

  Hi Julius,
  Thank you for the quick response - and on a Sunday, no less!
  I have considered verifying that the user existed in SAP before creating the Principal.  One might argue that that would be the common sense thing to do.  The reason I've held off is that the error should be so rare that it may not justify the overhead.  There's a requirement to have a one-to-one username mapping between SAP and the authentication application.  It would be more efficient to assume that this requirement has been met and to handle the Exception when it hasn't been.  Of course, that doesn't mean that it's the right way to go.
  +_Julius Bussche wrote:_+
  For the first concern, if they can access the logon page directly (anyway) you could disable it as you do not want any password based logons (right?) and redirect it to your external page or an error page.
  Yes, this is what I'm hoping to do, but I'm not sure how to do it.  Here are some comments and questions about this:
  1. What's involved in disabling the login page?  I would think you'd need to replace it with something else rather than just switch it off.   Could I limit this change to the login ticket template so that other templates (basic authentication, for example) are still available?
  2. Keep in mind that users will never get past the "real" login page unless they have been authenticated.  This complicates matters because we're dealing with a scenario in which the user has already been authenticated but doesn't exist in SAP.  Therefore, it wouldn't make sense to go back to either login page.   
  3. What's involved in redirecting to an external page?  Is this an explicit redirect in the module code, or can it be decoupled from the module?  It's not a big deal, but it would be nice to avoid mandatory module parameters for relative paths to error pages.   
  I think the question I'm after is: "Can I simply change an SAP login URL parameter to point to a custom error page, and allow everything to work as it does now (where SAP handles the redirect)".  If so, could I limit the scope of the change to the login ticket template?  What would be even better is if I could configure SAP's response to this error.  Somewhere, it's currently configured to display the login page.  Ideally, I'd be able to configure it to display myErrorPage, and then set myErrorPage to the appropriate URL.  
  +_Julius Bussche wrote:_+
  For the second concern, I assume that there are no valid passwords involved here which might have expired, so as long as the user does not have the option to activate a password again and anyway cannot logon via password as the option is not presented... then you should be fine here as well with a forward proxy. Not sure which Java APIs are offered here, but you could check this together with the existence check and react to both prior to accessing SAP "from the outside".
  The problem here is that the SAP passwords are needed outside of the integration.  It's true that whether an SAP password has expired is irrelevant to the integration.  However,  this is a Web-based integration; SAP passwords must still be available to users who have access to other clients.  With this in mind, could I create a user password policy that disables password expiration and automatic password change, but only apply it to Web client access?  If not, do you know how I might override SAPu2019s behavior?
  Once again, thank you for taking your time to help me out.  I am very grateful.
  - John

• 11g Forms and SSO Third-party / custom identity provider

  For 11g Forms, we currently use database accounts to authenticate users.
  With a custom written identity provider, I was wondering if anyone knew the high-level of how a user could be SSO authenticated with a Forms session.
  Here are some questions:
  Do you need other Oracle products (OAM or OID) to use Weblogic / Forms SSO authentication with a third-party identity provider?
  If you continue to use unique database accounts, don’t you need OID to bridge the link between an SSO account and an oracle database user account?
  If you don’t use unique database accounts (i.e. only use schema name for all users), what products are need to allow Webgate / Forms to use a third-party identity provider to launch a forms database session? i.e would the SSO name be passed to the database layer for user auditing.
  I would appreciate if anyone had concepts of what products/techniques are needed.

  For 11g Forms, we currently use database accounts to authenticate users.
  With a custom written identity provider, I was wondering if anyone knew the high-level of how a user could be SSO authenticated with a Forms session.
  Here are some questions:
  Do you need other Oracle products (OAM or OID) to use Weblogic / Forms SSO authentication with a third-party identity provider?
  If you continue to use unique database accounts, don’t you need OID to bridge the link between an SSO account and an oracle database user account?
  If you don’t use unique database accounts (i.e. only use schema name for all users), what products are need to allow Webgate / Forms to use a third-party identity provider to launch a forms database session? i.e would the SSO name be passed to the database layer for user auditing.
  I would appreciate if anyone had concepts of what products/techniques are needed.

• Jasig CAS + Beehive (third party SSO)

  Hello,
  We are currently evaluating Beehive and one of the requirements we have is to integrate it with a third party SSO provider (Jasig CAS). I have followed the steps defined in the Oracle Beehive Pluggable Authentication http://www.oracle.com/technetwork/middleware/beehive/plugauth-096705.html#compiling_and_packaging_plug-in and managed to get the sample sso identity plugin "working" (its working enough to redirect me to a login page).
  Now the question that I have (i hope you can provide some guidance) is that in order for me to integrate it with the "CAS Client", i need to add some filters to web.xml but everytime I do that, and I restart beehive, the BEECLIENT doesnt start.
  I don't know if its because I am missing a .jar (I copied the CAS .jar's to $ORACLE_HOME/j2ee/lib/ext) or if there is something I can enable (DEBUG MODE) on beehive which can help me troubleshoot the issue. Is adding additional filters in web.xml possible?
  This is more or less what I wanted to add (note , i tried this in the following file: $ORACLE_HOME/j2ee/BEECLIENT/applications/teamcollaboration/teamcollaboration/WEB-INF/web.xml)
  <filter>
            <filter-name>CAS Authentication Filter</filter-name>
            <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
            <init-param>
                 <param-name>casServerLoginUrl</param-name>
                 <param-value>https://login.server.com/cas/login</param-value>
            </init-param>
            <init-param>
                 <param-name>serverName</param-name>
                 <param-value>https://beehive.server.com</param-value>
            </init-param>
            <init-param>
                 <param-name>renew</param-name>
                 <param-value>false</param-value>
            </init-param>
            <init-param>
                 <param-name>gateway</param-name>
                 <param-value>false</param-value>
            </init-param>
       </filter>
       <filter>
            <filter-name>CAS Validation Filter</filter-name>
            <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
            <init-param>
                 <param-name>casServerUrlPrefix</param-name>
                 <param-value>https://login.server.com/cas/</param-value>
            </init-param>
            <init-param>
                 <param-name>serverName</param-name>
                 <param-value>https://beehive.server.com</param-value>
            </init-param>
            <init-param>
                 <param-name>proxyCallbackUrl</param-name>
                 <param-value>https://beehive.server.com/proxyCallback</param-value>
            </init-param>
            <init-param>
                 <param-name>proxyReceptorUrl</param-name>
                 <param-value>/proxyCallback</param-value>
            </init-param>
       </filter>
       <filter>
            <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
            <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
       </filter>
       <filter>
            <filter-name>CAS Assertion Thread Local Filter</filter-name>
            <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
       </filter>
       <!-- ************************* -->
  <!-- Sign out not yet implemented -->
  <!--
       <filter-mapping>
            <filter-name>CAS Single Sign Out Filter</filter-name>
            <url-pattern>/*</url-pattern>
       </filter-mapping>
  -->
       <filter-mapping>
            <filter-name>CAS Authentication Filter</filter-name>
            <url-pattern>/protected/*</url-pattern>
       </filter-mapping>
       <filter-mapping>
            <filter-name>CAS Validation Filter</filter-name>
            <url-pattern>/*</url-pattern>
       </filter-mapping>
       <filter-mapping>
            <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
            <url-pattern>/*</url-pattern>
       </filter-mapping>
       <filter-mapping>
            <filter-name>CAS Assertion Thread Local Filter</filter-name>
            <url-pattern>/*</url-pattern>
       </filter-mapping>
       <filter-mapping>
            <filter-name>CAS Validation Filter</filter-name>
            <url-pattern>/proxyCallback</url-pattern>     
       </filter-mapping>
  Thanks in advance!

  Richard,
  Thanks for the reply. Let me expand of what I am trying to accomplish:
  1. User goes to https://beehive.server.com/teamcollab
  2. The Beehive PAM plugin kicks in and the user gets redirected to https://cas.server.com/cas/login/?service=https://beehive.server.com/teamcollab
  3. Once the cas.server.com authenticates the user, it redirects the browser back to https://beehive.server.com/teamcollab/?*ticket=RANDOM_NUMBERS*
  At the very least, I need to be able to readthe "ticket" parameter and validate the RANDOM_NUMBERS against cas.server.com so that I can get the username (no cookie involved here) back from the CAS server.
  This is the code I was trying:
  public String getIdentity(HttpServletRequest req, Map<String, String> props) throws IdentityException {
  String ticket = req.getParameter("ticket");
            AttributePrincipal principal = null;
            String casServerUrl = "https://cas.server.com/cas";
            if(ticket == null || "".equals(ticket))
                 throw new IdentityException("Service Ticket is Null or empty", null);
            Cas20ProxyTicketValidator sv = new Cas20ProxyTicketValidator(casServerUrl);
            sv.setAcceptAnyProxy(true);
            try {
                 String legacyServerServiceUrl = "https://beehive.server.com/teamcollab";
                 Assertion a = sv.validate(ticket, legacyServerServiceUrl);
                 principal = a.getPrincipal();
            } catch (TicketValidationException e) {
                 e.printStackTrace(); // bad style, but only for demonstration purpose.
            String authuser = principal.getName();
            if(authuser == null)
                 throw new IdentityException("User is null", null);
            return authuser;
  But when I tried that, my browser (frefox) detected an invalid redirect and nothing worked. I don't know how to troubleshoot this piece of code (do you know how to increase debug level and or dump vairiables to a log file, and if so which log file its going?)
  Since I got the "invalid redirect" from firefox, i tried adding the cas filters (to web.xml) which in essence should allow me to just do something like String username = request.getRemoteUser(); and that is when beehive crashed.
  So based on your response, I should stay away from changing web.xml (good because I didn't want to modify it to begin with) but do you have any recommendation as to how to debug the code ? I would like to echo something like "Service Ticket Received is: blah blah blah" to $ORACLE_HOME/beehive/logs/oc4j/BEECLIENT/log.txt or a similar log
  Thanks for your help.

• Problem: Deploy a SSO Third Party Integration Adapter in Portal

  A user want to deploy a SSO third party integration adapter (Novell Access Gateway) in Portal (AS v10.1.2.0.2). And used method in Note 430877.1. They can login through Novell Access Gateway and login Portal, but when click search user button, there always show a blank IE. And no error log. How to resolve? Thanks.

  Hello,
  I have found out that in SAP Portal it must be possible to create a new system from a par-file which is uploaded to portal before.
  I have such a par-file. It is deployed and uploaded to the portal server. And the application which is contained by this PAR is running in SAP Portal.  But when I go to
  System Administration --> System Configuration --> Portal Content --> right mouse click to folder --> new System from par
  then this PAR can not find there.
  I have also tried to upload this PAR manually to portal. But the result is the same. This PAR does not exist in the radiobutton-options to create a new System.
  Please can anybody tell me how to create a system (or a system-template) from an uploaded PAR-file?
  Regards,
  Iris

• Third Party SSO to Peoplesoft

  What are steps in setting up Third Party SSO to Peoplesoft? A user is to click a link on an external website and he will be automatically logged on to Peoplesoft (provided that some encryption/decryption method is performed, which I have already done on the SignOn Peoplecode)
  I do have some documents to read but got mixed up with different approaches. I know I did one thing right, that is, to create a SignOn Peoplecode.
  Are nodes needed to be setup? Do we need a redirect html? What are the other configurations needed?
  Thank you,
  Jeremy

  SSO is a commonly requested 'issue' with multiple solutions, which mostly depends on the third party systems abilities.
  I would say start by reading thid doc
  E-SEC: PT 8.x How to Setup External Single Signon Solutions with PeopleSoft [ID 617999.1]
  https://support.oracle.com/epmos/faces/DocContentDisplay?id=617999.1
  Also pay attention the to links provided at the bottom of this doc with muliple solutions.
  Hakan

• SSO :  SAPEP and third party system Web logic

  Any one implemented sso with sapEP and weblogic. Any hints will be helpful.
  Secondly In the following link (   ) I have come across different implementation procedures. I am interested in the below  said one which I am unable to access (open the link)  by any  chance if you have any documentations  related to it please forward me.
  If your backend is a Java application running on a non-SAP application server, you can insert some code into your application so it can accept the SAP logon ticket, retrieve the user id from the ticket, and grant access basing on the user id.   Tim Mullé and Stephan Boecker have discussed how to do so here.
  Thanks,
  kumar

  *"which they said violated the warranty."*
  What they told you there is a load of crap. Installing RAM does not void the warranty. Even the RAM that Apple installs is from a third party.
  *"can I use third party ram and not have to worry about it causing damage to my system?"*
  Yes

• Can we achieve SSO in the SAP Portal without a third party tool

  Can we achieve SSO in the SAP Portal without a third party such as Netegrity?

  Kirk,
  Sorry I misunderstood what you were trying to setup. 
  If you want to connect the Portal to a Non-SAP Application then I believe that you would need to use a third party tool like Netegrity Siteminder.
  We have a portal that is protected by Siteminder and then we have a .NET application that is also protected by Siteminder and SSO is setup between the two since Siteminder is used.
  Hope that helps,
  Keith

• Third Party Integration and OID Accounts

  I'm planning on using OID with a sync with another LDAP such as AD or Novell. I am also going to integrate SSO with a third party SSO engine.
  How do I log into Oracle SSO with a user neither defined in AD or my third party SSO engine? I am basically worried about accounts like PORTAL and ORCLADMIN. Is it possible to bypass the third party integration for these accounts or am I forced to create these accounts in AD and my third party SSO engine?

  Jon,
  you can either authenticate locally e.g. cn=orcladmin or externally.
  You have various option s (depending on the OID version) and how you organize the user base in OID. On a high level the authentication is based on objectclasses for an entry.
  E.g. user being synchronized from AD to OID (using the Directory Integration Plaform) contain an objectclass "aduser" to distinguish them as external AD users within OID. So the external authentication plugin will "know" who is an AD user and try to authenticate this user externally with AD not OID. You can also configure the external authentication plugin to filter user who should not be externally authenticated.
  If you store all external users in a dedictated subtree e.g. cn=AD_USERS or cn=EDIR_USER you can configure the external authentication plugin to authenticate those user to the respective external directories.
  with OID 10.1.4.0.1 you could also make use of the server chaining authentication.
  So there are a couple of options you have. See the documentation
  Oracle Identity Management Integration Guide
  http://download-west.oracle.com/docs/cd/B28196_01/idmanage.1014/b15995/toc.htm
  Oracle Internet Directory Administrator's Guide
  http://download-west.oracle.com/docs/cd/B28196_01/idmanage.1014/b15991/toc.htm
  regards,
  --Olaf                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       

• How to hide url of third party external/partner application

  I have a third party external oracle application arcims by the esri corporation that I have on a test portal.
  It has it's own password authentication. In order to have sso work i have to turn off its password request.
  The problem is that the URL address shows in the portal. Anyone could simply type in the URL and access the application directly and bypass the portal login. Can One hide or wrap the URL in portal? If so HOW is that done?

  Since you'va already made Java non-portable by using Runtime, you're probably bbest off using the OS's capabilities to find the program's path.
  If the 3rd party program was always contained in Java's classpath list, you could use Class.getResource().