SSO to Web Service using SAP Logon Ticket

Hi,
I have to do SSO using SAP Logon Ticket between my portal and a Java Web Service that is accessible over internet. I do have the WSDL file of this Web Service.
I want to know:
1. What changes are required in Web Service to configure it to read and accept Logon Ticket?
2. What am I supposed to do at portal end to enable this process?
Thanks,
Vivek

Hi Vivek & Raja,
> is it that if the WS is a third party WS and running on a Non-SAP J2EE Server,
> we can't implement SSO from Portal to it using SAP Logon Ticket?
Right, if you cannot extend its functionality, how should it do the ticket verification...
@Raja:
> SAP Logon Ticket is for authenticating to a SAP system, since yours is a
> third-party WS, there is no need of SAP logon ticket.
On the other hand, that's not true. It is possible as well as often done to verify the SSO ticket on some third party system. This is also supported, for Java as well as for other systems; different articles about such scenarios have been published, also here on SDN.
Hope it helps
Detlev
PS: Vivek, please consider rewarding points for helpful answers on SDN. Thanks in advance!

Similar Messages

  • SSO to non SAP Application using SAP Logon Ticket

    Hi Experts,
    I have EP 7 SP 15 using SPNego Wizard to SSO with Active Directory and SSO between EP and ECC using SAP Certificates.
    Now I have a demand to SSO some Java based applications (non SAP) to my portal using the SAP Logon Ticket.
    I have followed some blogs that directed me to use SAPSSOEXT (some libs) to read the MYSAPSSO2 cookie. The problem is that I didn't find this cookie. I even executed the command javascript:document to look for this cookie, but the browser just shows me the JSESSIONID info.
    Does anybody know where I can find this cookie or if there's a better way to set up this SSO? It's necessary to say that I cannot SSO these applications with the Kerberos protocol because of some security reasons at my company.
    Thanks
    Armando

    Hi,
    I don't have much related info, but I can give you a hint:
    refer to OSS Notes 442401 and 723896.
    When using SAP logon tickets for non-SAP applications, two different implementation options are available. The difference lies in where the ticket verification takes place.
    In the first case, the SAP logon ticket is submitted to the web server filter located on the web server. The web server filter verifies the portal server's public key certificate using its local Personal Security Environment (PSE) and then populates the HTTP header field with the user ID for SSO to the non-SAP web application.
    In the second case, the SAP logon ticket is sent to the non-SAP application, which then verifies it using the ticket verification DLL and submits the user ID to the application for SSO.
    You can refer to the following links:
    http://help.sap.com/saphelp_nw70/helpdata/EN/89/6eb8deaf2f11d5993700508b6b8b11/frameset.htm
    user authentication and SSO
    http://help.sap.com/saphelp_nw70/helpdata/EN/8f/ae29411ab3db2be10000000a1550b0/frameset.htm
    Authentication Using a Directory with SSO Integration Using Logon Tickets
    http://help.sap.com/saphelp_nw70/helpdata/EN/f8/3b514ca29011d5bdeb006094191908/frameset.htm
    SSO
    SAP Logon Ticket-based Single Sign-On
    http://help.sap.com/saphelp_nwce10/helpdata/en/45/b6af743753003ae10000000a11466f/frameset.htm

  • How to implement SSO to non-SAP systems using SAP logon ticket?

    Hello,
    We would like to implement Single Sign On between our SAP Netweaver system and a Siebel which is a non-SAP system using SAP logon tickets.
    Can anyone please give me some leads on this, in particular:
    1. Is there a JAVA API or an SAP plug-in that can be implemented on the Siebel machine to extract the SAP logon ticket?
    2. As the other machine might sit on a completely different domain, is it possible to implement SAP logon ticket without using cookies (perhaps through the HTTP header)?
    3. In case you think using SAP logon tickets is not the best solution here I would be happy to hear any other suggestions you might have.
    Roy

    Hi,
    I'm currently using SAML as well. Unfortunately the SAP J2EE cannot work as authority (identity provider), but what you can do is use an open implementation of SAML such as opensso, which is an open version of Sun's Java System Access Manager.
    There are a couple of other projects such as opensaml, apache's wss4j or shibboleth that might be interesting in this context.
    I just installed opensso and got it working with SAP J2EE 7.0 using SAP's JAAS SAMLLoginModule to authenticate users within SAP J2EE.
    In this scenario opensso serves as identity provider just as you need! There are a couple of policy agents available on Sun's download site you can use with Apache, Tomcat, JBOSS, WebSphere, Bea Web Logic etc. in order to authenticate! Otherwise you just directly authenticate against opensso. When installing opensso you can configure the type of user store you want to use! By default it uses LDAP, but you can also use different types of user store using JDBC or other mechanisms. Since you have a Directory Service you could easily connect it to your existing directory.
    There is also a way to map user ids directly in opensso by adding a uid mapping class. I created some documentation with lots of screenshots about using opensso with SAP J2EE. You can easily use opensso with any other system that supports SAML. In the case of SAP the usage is currently limited to SAML versions 1.0 and 1.1. Version 2.0 is not yet supported but should be in one of the following versions.
    Here are some links you might want to check:
    OpenSAML: https://spaces.internet2.edu/display/OpenSAML/Home
    wss4j: http://ws.apache.org/wss4j/
    shibboleth: http://shibboleth.internet2.edu/
    opensso: https://opensso.dev.java.net/
    On SDN you will find a documentation on how to connect SUN Java System Access Manager to SAP J2EE (see https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/906d9fc6-31b9-2910-1385-90edad7d7570). As I said opensso is based on the SUN Access Manager code and looks quite the same. So you can adapt this documentation in order to configure opensso or you can just ask me for the documentation.
    Hope this is helpful...
    Let me know if you need further assistance on this topic
    Cheers

  • SSO with SAP logon tickets to non-SAP web app

    I am trying to implement SSO to an oracle portal based web application using SAP logon tickets, but can't seem to find a way for it to work.  I thought maybe it would be a web server filter, but am unsure if this would work for oracle portal.  Anyone tried similar?
    Cindy

    Hi Cindy,
    If it is EP6 SP2, you can probably check out the following document.
    http://service.sap.com/ep60
    Go to Documentation Help>How-To-Guides>Current How To Guides section.
    Check out the following how-to guide:
    Perform Cross Domain SSO with SAP Logon tickets zip file.
    If you want the zip file please send an e-mail to
    [email protected]
    Regards
    -Venkat Malempati

  • SAP Logon Ticket VS SAP Assertion Ticket?

    SAP Logon Ticket vs. SAP Assertion Ticket in SAP Enterprise Portal?
    I want a comparison of SAP Logon Ticket vs. SAP Assertion Ticket.
    When to use SAP Logon Ticket?
    When to use SAP Assertion Ticket?
    SAP Logon Ticket advantages / disadvantages?
    SAP Assertion Ticket advantages / disadvantages?

    Hi James,
    Please go through the link for Integration in Single Sign-On Environments.
    http://help.sap.com/saphelp_nw04s/helpdata/en/96/a75742b6081053e10000000a155106/frameset.htm
    Thanks n Regards
    Santosh
    Reward if helpful !!!

  • SSO using Kerberos with SAP Logon Tickets

    Hi,
    I am creating a Repository Manager for the Portal Knowledge Management System and I want to use SSO to a backend IIS application and I have a few questions here. 
    I have a three tiered architecture. 
    A.  The presentation tier (SAP Portal which has my Repository Manager implementation)
    B.  ASP.NET web service data layer.
    C.  Backend document management system which runs on IIS. 
    I have installed the ISAPI filter on my ASP.NET application server and have enabled this HOST account for delegation in MSAD 2003.   Server B will use Kerberos constrained delegation to access Server C, which is an IIS backend server. 
    My question is how do I pass an SAP Logon Ticket to an ASP.NET web service request from my Repository Manager implementation?  Basically how do I just make an HTTP request to an ASP.NET application from some portal iView or WebDynPro code and pass along the SAP Logon Ticket in the request so it can be interpreted by the ISAPI filter on the IIS server.  Does anyone have any sample code or an application here that does this?
    Thanks,
    Scott

    Hi Scott
    Did you manage to find out anything regarding how to pass the SAP Logon ticket to an ASP.NET web service? Can you share it with me?
    regards
    ram

  • Use of JCo destinations with SAP Logon Ticket

    I would like a clarification about the use of a connection pool in a JCo destination using the SAP Logon Ticket connectivity: do I get the same connection pool functionality if I use the SAP logon ticket instead of a user/password inside a JCo destination defined in the Web Dynpro content administrator?
    Thanks in advance,
    Regards,
    Eric.

    Hello Eric,
    There is only one difference between the ticket and user/password authentication methods:
    By using a ticket:
    "For SSO specify the user to be $MYSAPSSO2$ and pass the base64 encoded ticket as the passwd parameter."
    and for user/password you are passing user and password.
    So, there is no difference from a connection pool management or behavior perspective.
    Best regards, Maksim Rashchynski.
    P.S.
    Link to JCo javadoc, it can be useful:
    http://media.sdn.sap.com/html/submitted_docs/60_sp2_javadocs/sapjco/com/sap/mw/jco/JCO.html

  • Java client application + SAP Logon Tickets (SSO)

    Hello
    I have the following question; it is about the connection between SAP Enterprise Portal and a Java application.
    After registration in Enterprise Portal (with the Internet Explorer browser) the request is passed on to the SAP backend system - cFolders (SSO method).
    With the internet browser everything worked.
    However, how can one get this logon ticket with a Java application and then use it later for a SOAP connection
    (everything with a client Java application)?
    Thanks for quick help
    Edo

    Hi Edo,
    look at this https://media.sdn.sap.com/javadocs/NW04/SPS15/um/com/sap/security/api/ticket/TicketVerifier.html
    Best Regards
    Oliver

  • How to use and configure web services in sap

    Hi,
    Experts,
    Could you please tell me how to configure web services in SAP?
    One of my clients is using handheld software for inventory, where whatever transaction happens in the depot has to be updated in SAP through non-SAP software. Please help me out with the necessary configuration.
    Thanks
    Edited by: Ahmed quadry on Jun 9, 2009 2:25 PM

    Hi Ahmed,
    Kindly find the link below, which will help you to create a web service in SAP:
    http://wiki.open-esb.java.net/Wiki.jsp?page=BAPIWEBSERVICE
    Also find the documents below, which will help you to create web services in SAP:
    https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/06adbf03-0a01-0010-f386-d8e45561a3c4
    https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/3004a2d2-0653-2a10-779c-f5562b3fac39
    https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/bb0764f2-0b01-0010-bd85-c7849b40561e
    Regards
    Venkata Rao .G

  • Down-/Upload files via Web Services using a NON-SAP system!?

    Hello,
    is it possible to down-/upload files via web services using a NON-SAP system!?
    Regards,
    Jens

    Hi Jens,
    I am not sure about your requirement here. What I could understand is that you want to check whether a service could handle file processing?
    1) Uploading file - You can build a Webservice which has import/export parameters as the file structures and implement the proxy class in such a way that the passed data is written to application server.
    2) Downloading file - Same as uploading file, but the proxy class would have the code to extract data from the application server and pass them as output parameter.
    Functionality of Non SAP system: The system which calls these services should be able to convert the output of proxy data into file in case of downloading the file and it should be able to convert the file data into export parameters in case of uploading file.
    Hope this helps.
    Regards,
    Prasanna

  • SSO Help - Portal to ABAP via logon tickets

    Hi All,
    I've done this configuration in the past but it seems that the process has changed a bit and I'm in need of some advice.
    I have a portal system which I've setup SSO. The SSO is done through Kerberos and the users are pulled from LDAP. Users login to their windows account, they hit the portal without having to login again, perfect. I used the new SPNego setup wizard to do this.
    Now the issue I'm having. Portal user ID's are not the same as ABAP ID's. I have used a blank attribute in Active Directory (specifically "extensionAttribute7") to fill in the ABAP user ID's. I have modified the data source XML file in the portal to look like this:
    <nameSpace name="$usermapping$">
    <attributes>
    <attribute name="REFERENCE_SYSTEM_USER">
    <physicalAttribute name="extensionAttribute7" />
    </attribute>
    </attributes>
    </nameSpace>
    I have changed the UME property to look like this:
    ume.usermapping.refsys.mapping.type = attribute
    When I try to access an SAP report through the portal I get the error:
    The initial exception that caused the request to fail was:
    Ticket contains no / an empty ABAP user ID (see note 1159962)
    My ABAP system is setup to create and accept logon tickets. Certificates have been exchanged on both systems (checked through NWA). It looks like the saplogonticket isn't picking up the ABAP user ID that I've stored in AD and mapped to in the XML file.
    In the Java system, my logon ticket stack looks like this:
    EvaluateTicketLoginModule SUFFICENT
    SPNegoLoginModule OPTIONAL
    CreateTicketLoginModule SUFFICENT
    BasicPasswordLoginModule REQUIRED
    CreateTicketLoginModule REQUIRED
    Can anyone see an obvious step that I'm missing? Any tips would be appreciated.
    Portal system is running 7.01 sp8
    ABAP is running 7.01 sp8
    Cheers,
    Richard

    Hi Arjun,
    No I'm not using user mapping. I want to pass my ABAP user ID from an attribute I'm using in Active Directory. For some reason the sap logon ticket isn't picking up my username from the attribute when I try to go from portal to ABAP.
    Hi Samarth,
    Not sure I understand the request. The user is coming from the portal and is attempting to run a ABAP report from the portal. The user names are not the same. I am attempting to map the ABAP user ID to an Active Directory attribute that I can pass to the sap logon ticket.
    Hi Siva Kumar,
    Yes I checked the VA as well, the entries are there.
    Thanks all for the suggestions. Keep them coming if you have more, they are greatly appreciated.
    I basically followed this from SAP to set it up
    http://help.sap.com/saphelp_nw70ehp1/helpdata/en/0b/d82c4142aef623e10000000a155106/frameset.htm
    You are using an LDAP directory as a data source for the User Management Engine (UME). The user IDs for ABAP systems are already available in the LDAP directory. You no longer need to define a user mapping for each user, as the data is already available in the LDAP directory.
    Cheers,
    Richard

  • Error in the configuration for sap logon tickets

    Hi Forum,
    I use Tcode crmd_order_bp to see the BP cockpit and the error message displays as
    "Error in the configuration for SAP logon tickets"
    But if I click "Yes", the system displays the cockpit.
    How can I avoid this error?
    Thanks in advance
    Regards
    Shridhar

    You will still need to configure SSO (either by logon ticket or username/password). The data source access is done using the username/password configured in the UM Config dialog box.
    I can see where you're coming from with your thinking, however logon-ticket-based SSO is probably the best approach.
    Cheers,
    Darren.

  • SAML SSO through web services

    I am trying to implement SAML to provide SSO between 3 web dynpro applications running on SAP Web AS 7.2 and a external non-SAP .NET SAML provider using web services instead of HTTP Post (Browser Artifacts).
    The .NET SAML provider is available in both 1.1 and 2.0. Going with the web services approach instead of Browser artifacts because of the constraints in SAP Netweaver, as seen here.
    http://help.sap.com/saphelp_nwce72/helpdata/en/94/695b3ebd564644e10000000a114084/frameset.htm
    I could not find any best practices or any detailed description of how to achieve this.
    Any help appreciated.

    Hi Faraz ,
    I just started practical work with SAML, so I am not very proficient.
    But I do see that information at this link: http://help.sap.com/saphelp_nw70/helpdata/EN/e5/4344b6d24a05408ca4faa94554e851/frameset.htm
    Look at the topic: Using Message Level Authentication (this is for single sign-on for Web services)
    "Use
    When you use message or SOAP document level authentication for WS access, the authentication credentials of the WS consumer are transported in the SOAP header of the SOAP envelope, using authentication token profiles. SAP NetWeaver enables you to use the following WS Security token profiles:
    ●      Username token profile
    ●      X.509 certificate token profile
    ●      SAML Token Profile
    In addition, SAP NetWeaver enables you to enable WS specific security and authentication mechanisms, such as XML encryption, XML signatures,  Message Aging and WS Secure Conversation."

  • Calling a SharePoint Web Service from SAP??

    Hi Everyone,
    I have been following the below link to call a SharePoint Web Service from SAP.
    Consuming Microsoft SharePoint Web Services in SAP using Basic Authentication
    But after entering the URL this pops up :
    and I enter my SAP username and password, then I get this error:
    But I have full SAP authorization.
    Please can someone advise or help on this problem?
    Thank you.

    Hi,
    It accepts WSDL files, but only using basic authentication. I had the same problem. Probably you have NTLM authentication. Check note 1441809 - Logon fails when using IIS and NTLM authentication
    Thanks,
    Efren

  • Windows Integrated Authentication & SAP Logon tickets

    1) We have configured windows authentication and the IISproxy on a SPS frontend server to our SAP portal environment.
    2) We have configured SAP logon tickets on the SAP portal (running on hp-ux).
    3) Both the IIS server and the sap portal server exist on the same domain inside our firewall (iis_server.lsv.internal_company_name.com and sap_portal_server.lsv.internal_company_name.com)
    4) A virtual URL has been created on the IIS server, http://sap_portal.external_company_name.com, using a domain alias.
    5) When an authenticated user is passed from the IIS server to the SAP portal, the SAP logon ticket that is created is for the external_company_name.com alias rather than lsv.internal_company_name.com. This logon ticket is not accepted by any of the backend SAP systems that have been configured to accept logon tickets because they all exist in the lsv.internal_company_name.com domain.
    6) The portal security guide says:
    "The Portal Server issues a SAP logon ticket for the Internet domain or a sub-domain of the
    Portal Server only."
    Given this scenario, is there some configuration that can be added to allow the use of this alias or is there a bug in the SAP portal code that needs to be addressed?

    Hi,
    You cannot use the external alias. You can however set SSO on the portal not to look to the total url. For example it would work if you use:
    sap_portal_server.lsv.internal.company_name.com
    and
    sap_portal.external.company_name.com
    The prerequisite here is that at least the domain name should be the same i.e. the last two parts.
    Greetings,
    Vincent
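
The domain rule discussed in this thread, as an added example that is not part of the original posts: it checks whether a portal host and a backend host share a parent domain under which a logon ticket cookie could reach both. Function names are hypothetical, the hostnames are the thread's placeholders, and the two-label minimum is an assumed simplification standing in for a public suffix list.

```javascript
// Added example; not SAP code. Hostnames are the placeholders from the thread.

// Split a hostname into lower-case labels, ignoring a trailing dot.
function labels(host) {
  return host.toLowerCase().replace(/\.$/, "").split(".");
}

// RFC 6265 section 5.1.3 domain-match: the host equals the cookie domain
// or ends with "." + cookie domain. A leading dot on the domain is ignored.
function domainMatches(host, cookieDomain) {
  const h = labels(host).join(".");
  const d = labels(cookieDomain.replace(/^\./, "")).join(".");
  return h === d || h.endsWith("." + d);
}

// Longest parent domain shared by two hosts, compared label by label from
// the right. Returns null when fewer than minLabels labels are shared.
// Assumption: minLabels = 2 models "the last two parts" from the answer;
// it is not a public suffix check.
function commonParentDomain(hostA, hostB, minLabels = 2) {
  const a = labels(hostA).reverse();
  const b = labels(hostB).reverse();
  const shared = [];
  for (let i = 0; i < Math.min(a.length, b.length) && a[i] === b[i]; i++) {
    shared.push(a[i]);
  }
  return shared.length < minLabels ? null : shared.reverse().join(".");
}

// For each backend, report the widest cookie domain the portal could use
// and whether a browser would send a cookie with that domain to the backend.
function ticketReach(portalHost, backendHosts) {
  return backendHosts.map((backend) => {
    const cookieDomain = commonParentDomain(portalHost, backend);
    return {
      backend,
      cookieDomain,
      ticketSent: cookieDomain !== null && domainMatches(backend, cookieDomain),
    };
  });
}

// The alias from the question: only "com" is shared, so no usable domain.
console.log(ticketReach("sap_portal.external_company_name.com",
  ["sap_portal_server.lsv.internal_company_name.com"]));
// The layout from the answer: both hosts sit under company_name.com.
console.log(ticketReach("sap_portal.external.company_name.com",
  ["sap_portal_server.lsv.internal.company_name.com"]));
```

A cookie scoped to the shared parent domain is sent to every host under that domain, so the ticket travels further than the two systems being integrated.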
