SSO with Apex 4.1.1.00.23
Hello Apex community,
I want to implement an SSO solution between an Apex and a non-Apex application. This solution worked with Apex 4.0 but seems not to work with the current 4.1.1.00.23.
I've set up a test case on hosted environment.
Dev User:
Workspace: authtest
User: authtest
Pass: authtest
End User:
User: test
Pass: test1
Things I've done:
(1) Created a custom authentication scheme (marked as current) "auth_scheme" with following authentication function:
create or replace FUNCTION auth_function(
    p_username IN VARCHAR2,
    p_password IN VARCHAR2)
  RETURN BOOLEAN
AS
  v_is_authenticated BOOLEAN := false;
BEGIN
  -- The user "test" is accepted whatever the password; any other name is
  -- checked against its Apex account password.
  IF lower(p_username) = 'test'
     OR APEX_UTIL.IS_LOGIN_PASSWORD_VALID(p_username => p_username,
                                          p_password => p_password)
  THEN
    v_is_authenticated := true;
  ELSE
    v_is_authenticated := false;
  END IF;
  RETURN v_is_authenticated;
END auth_function;

(2) Created an "On Load - Before Header" process with sequence 5 on page 101:
DECLARE
  v_user VARCHAR2(4000);
  v_pass VARCHAR2(4000);  -- never assigned, so login is called with a NULL password
  v_fsp_after_login_url VARCHAR2(4000) := :FSP_AFTER_LOGIN_URL;
BEGIN
  -- Everything after 'P101_UNAME' and one delimiter character is used as the user name.
  SELECT SUBSTR(v_fsp_after_login_url, instr(v_fsp_after_login_url, 'P101_UNAME') + LENGTH('P101_UNAME') + 1)
    INTO v_user
    FROM dual;
  wwv_flow_custom_auth_std.login(
    P_UNAME      => v_user,
    P_PASSWORD   => v_pass,
    P_SESSION_ID => v('APP_SESSION'),
    P_FLOW_PAGE  => :APP_ID||':1'
  );
END;

Process condition: request = AUTOLOGON:
(3) Created a hidden item "P101_UNAME" on page 101.
(4) Expected behaviour: user loads following URL:
http://apex.oracle.com/pls/apex/f?p=30964:1::AUTOLOGON:YES::P101_UNAME:testuser
should be logged in without typing in his credentials.
What happens: user faces login page. What I don't understand: setting process condition to "none", autologon works. But if you have a look into debug report, apex recognizes the request "AUTOLOGON" even if autologon doesn't work. On my dev environment with Apex 4.1.1.00.23 changing process condition doesn't help.
I can't figure out what I'm doing wrong. With the patchset 4.1.1 there were certain changes concerning FSP_AFTER_LOGIN_URL (see "Re: Deep Link (FSP_AFTER_LOGIN_URL) Not Working in APEX 4.1"). I would appreciate any hint.
Thank you very much for your answers.
Kind regards,
Anton
Edit: Any ideas? I would appreciate any hint.
Edit2: Any hints maybe? Explicitly setting the FSP_AFTER_LOGIN_URL in the Url doesn't help either...
Edited by: anton on 20.08.2012 01:26
Hi Anton,
that's why I added the IF statement around the code block, to guarantee that it only runs if the URL contains auto-login data (i.e. P101_UNAME). Setting FSP_AFTER_LOGIN_URL to null avoids a loop when the login fails. If we keep FSP_AFTER_LOGIN_URL, the wwv_flow_custom_auth_std.login procedure will redirect to page 101 and the before header process will run again, re-executing wwv_flow_custom_auth_std.login , etc.
It might be clearer to put the before header code into the authentication itself. The invalid session procedure is the right place for that, but its use is very sparsely documented yet.
I created a 2nd copy of your original application (22274), where I removed the before header process and added this invalid session procedure:
procedure autologon_on_invalid_session
is
  v_user VARCHAR2(4000);
  v_pass VARCHAR2(4000);
  v_fsp_after_login_url VARCHAR2(4000) := :FSP_AFTER_LOGIN_URL;
  v_user_pos pls_integer := instr(v_fsp_after_login_url, 'P101_UNAME:');
BEGIN
  -- Act only outside the login page and only when the deep link carries P101_UNAME.
  if apex_application.g_flow_step_id != 101 and v_user_pos > 0 then
    -- 11 = length('P101_UNAME:'); the rest of the deep link is the user name.
    v_user := substr(v_fsp_after_login_url, v_user_pos+11);
    wwv_flow_custom_auth_std.login(
      P_UNAME      => v_user,
      P_PASSWORD   => v_pass,
      P_SESSION_ID => v('APP_SESSION'),
      P_FLOW_PAGE  => :APP_ID||':1' );
    apex_application.stop_apex_engine;
  end if;
END;

If the current page is not 101 (the login page) and the URL (which was copied into the deep link item) contains the autologin credentials, call login. The final call to apex_application.stop_apex_engine stops Apex from continuing its default invalid session handling, which is to redirect to the login page.
Regards,
Christian
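An added example, not code from Anton's or Christian's posts: in both versions above the text after P101_UNAME: comes straight from the request URL and login is called with an empty password, so nothing shows that the link was issued by the other application. One way to bind the value to its issuer is an HMAC over the user name and an expiry time, verified before login is called. The token layout, the names sign, verify_autologon_token and c_key, and the key value are assumptions; DBMS_CRYPTO.HMAC_SH256 needs Oracle Database 12c or later and EXECUTE on DBMS_CRYPTO.

```sql
-- Added example, not code from the thread. Hypothetical names: sign,
-- verify_autologon_token, c_key. Assumed layout of the P101_UNAME value:
--   <user>~<expiry as YYYYMMDDHH24MISS, UTC>~<hex HMAC-SHA256 of "<user>~<expiry>">
SET SERVEROUTPUT ON
DECLARE
  -- Constructed demo key. A real key is shared with the calling application
  -- and kept out of source code and URLs.
  c_key  CONSTANT RAW(64) := UTL_I18N.STRING_TO_RAW('constructed-demo-key-only', 'AL32UTF8');
  c_exp  CONSTANT VARCHAR2(14) := '20300101000000';
  c_base CONSTANT VARCHAR2(60) := 'f?p=30964:1::AUTOLOGON:YES::P101_UNAME:';
  v_mac  VARCHAR2(64);

  -- What the non-Apex application computes when it builds the link.
  FUNCTION sign(p_user IN VARCHAR2, p_expiry IN VARCHAR2) RETURN VARCHAR2 IS
  BEGIN
    RETURN RAWTOHEX(DBMS_CRYPTO.MAC(
             UTL_I18N.STRING_TO_RAW(p_user || '~' || p_expiry, 'AL32UTF8'),
             DBMS_CRYPTO.HMAC_SH256,
             c_key));
  END sign;

  -- Returns the verified user name, or NULL when the token is absent,
  -- malformed, expired, or its MAC does not match.
  FUNCTION verify_autologon_token(p_deep_link IN VARCHAR2, p_now_utc IN DATE)
    RETURN VARCHAR2
  IS
    v_token  VARCHAR2(4000);
    v_user   VARCHAR2(64);
    v_expiry VARCHAR2(14);
    v_given  VARCHAR2(64);
    v_expect VARCHAR2(64);
    v_diff   PLS_INTEGER := 0;
  BEGIN
    -- Take the item value only up to the next f?p delimiter.
    v_token := REGEXP_SUBSTR(p_deep_link, 'P101_UNAME:([^:&]*)', 1, 1, NULL, 1);
    -- NULL is tested explicitly: NOT REGEXP_LIKE(NULL, ...) is NULL, not TRUE.
    IF v_token IS NULL
       OR NOT REGEXP_LIKE(v_token, '^[A-Za-z0-9_.]{1,64}~[0-9]{14}~[0-9A-F]{64}$')
    THEN
      RETURN NULL;
    END IF;
    v_user   := REGEXP_SUBSTR(v_token, '[^~]+', 1, 1);
    v_expiry := REGEXP_SUBSTR(v_token, '[^~]+', 1, 2);
    v_given  := REGEXP_SUBSTR(v_token, '[^~]+', 1, 3);

    -- Check the MAC first, comparing every position instead of stopping early.
    v_expect := sign(v_user, v_expiry);
    FOR i IN 1 .. 64 LOOP
      IF SUBSTR(v_given, i, 1) <> SUBSTR(v_expect, i, 1) THEN
        v_diff := v_diff + 1;
      END IF;
    END LOOP;
    IF v_diff > 0 THEN
      RETURN NULL;
    END IF;

    IF TO_DATE(v_expiry, 'YYYYMMDDHH24MISS') < p_now_utc THEN
      RETURN NULL;
    END IF;
    RETURN v_user;
  EXCEPTION
    WHEN OTHERS THEN
      RETURN NULL;  -- e.g. 14 digits that are not a valid date: fail closed
  END verify_autologon_token;

  PROCEDURE show(p_label IN VARCHAR2, p_link IN VARCHAR2, p_now IN DATE) IS
  BEGIN
    DBMS_OUTPUT.PUT_LINE(RPAD(p_label, 18) ||
      NVL(verify_autologon_token(p_link, p_now), '(rejected)'));
  END show;
BEGIN
  -- Constructed deep links in the shape of the URL from the question.
  v_mac := sign('test', c_exp);
  show('valid token',   c_base || 'test~'  || c_exp || '~' || v_mac, DATE '2029-06-01');
  show('name swapped',  c_base || 'admin~' || c_exp || '~' || v_mac, DATE '2029-06-01');
  show('expired',       c_base || 'test~'  || c_exp || '~' || v_mac, DATE '2031-01-01');
  show('bare user name', c_base || 'testuser', DATE '2029-06-01');
  -- In the invalid session procedure the call would be
  --   verify_autologon_token(:FSP_AFTER_LOGIN_URL,
  --                          CAST(SYS_EXTRACT_UTC(SYSTIMESTAMP) AS DATE))
  -- with login invoked only when the result is not NULL.
END;
/
```

A short expiry narrows the window in which a captured link can be replayed, and because the token travels in the URL the link still needs HTTPS.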
Similar Messages
-
SSO with APEX anyone seen this before?
Hi,
I have followed the instructions from Metalink on
"Configuring an APEX Application to Use SSO With SDK in Separate Schema"
and have followed all the instructions but when I try and access application with SSO
turned on I am seeing this page
Thu, 3 Feb 2011 01:21:53 GMT
Bad parameter name: none specified
DAD name: apexwamsx
PROCEDURE : f
URL : http://lv700.light.ci.seattle.wa.us:7961/pls/apexwamsx/f?=
PARAMETERS :
===========
Thanks so much for any insight!
-
Problem during configuring SSO with APEX 4.1
Hello everybody,
I'm trying to configure my APEX application to use SSO, but I have big problems with ssosdk902.zip file.
During execution of the loadsdk.sql script it creates package "wwsec_sso_enabler" but APEX 4.1 wants to have "wwsec_sso_enabler_private". For me it is a clear sign that I'm using some old SSOSDK.
Can somebody tell me where to find the current "ssosdk"?
I'm using OAS10gR2 and the interesting thing is that in the DB schema ORASSO package "wwsec_sso_enabler_private" exists, but it doesn't help me. It is on the other machine. I must have it on the same instance where APEX is running.
It looks like a packaging error by Oracle. Can somebody help me?
Thanks,
Ianko
-
Integrating SSO in APEX 3.0
Hi,
We're trying to integrate Oracle SSO with APEX following this how-to:
http://www.oracle.com/technology/products/database/application_express/howtos/sso_partner_app.html
We have two major issues:
1) We're following the instructions to create an authentication schema like "Oracle Application Server Single Sign On (My Application as Partner App)".
After completing all the steps with no apparent error, we created our custom procedure:
procedure process_success(urlc in varchar2) as
begin
  wwv_flow_custom_auth_sso.process_success(urlc => urlc,
                                           p_partner_app_name => 'MY_PARTNER_NAME');
end process_success;
But when we access the application we get the following error:
ORA-04067: not executed, package body "PROVES.WWV_FLOW_CUSTOM_AUTH_SSO" does not exist ORA-06508: PL/SQL: could not find program unit being called
Error ERR-10560 Error executing wwv_flow_custom_auth_sso.portal_sso_redirect.
It seems it is searching WWV_FLOW_CUSTOM_AUTH_SSO inside our custom schema PROVES, when it should call the PUBLIC SYNONYM. We've checked and the synonym exists and we've granted access to it from our custom schema.
Any ideas?
2) It's not clear for us which URL we should use when registering the app via SSO. If we have application number 104 (in APEX), should we call this URL?
http://educacio-pc.es.oracle.com:7778/pls/apex/f?p=104
instead of this one:
http://educacio-pc.es.oracle.com:7778/pls/apex
Many thanks.
Hi Scott,
First of all many thanks for your reply!
I'd like to understand better what's the difference between "My Application as Partner App" and "Oracle Application Express Engine as Partner App" because the documentation is not clear to me. I think I misunderstood its meaning, I thought that using "Oracle Application Express Engine as Partner App" was for integrating the whole APEX with SSO and not just one application; therefore, I thought that the other one was for integrating just one APEX application. Isn't that true? As I read from your post I can see it's more than this but it's not clear enough for me, could you, please, provide me a link with further information? By now, we just need to integrate one APEX application with a previous Portal & SSO environment, should we use "Oracle Application Express Engine as Partner App" instead of "My Application as Partner App"?
I finally managed to solve that error and my schema now recognizes WWV_FLOW_CUSTOM_AUTH_SSO perfectly. By now I'm having the following error: Error Unable to run portal_sso_redirect procedure as schema:
PROVES with partner app name: MY_PARTNER_NAME
Many thanks for your time & help!
Josep
-
Hi all,
I installed Oracle 11g, apex is 2.0
then I upgraded to apex 3.1.
I want to enable sso for apex applications,
for that I followed the below steps:
step 1) Created authentication scheme for the application
step 2) in flows_030100 schema I ran loadsdk.sql script.
After that I ran regapp.sql script, but it is giving error: "numeric or value error; character buffer too small"
can you pls tell me how to fix this problem.
regards
K M
Edited by: [email protected] on Apr 17, 2009 10:53 PM
Hi,
See also at metalink note
Note 562807.1
Configuring an APEX Application to Use SSO With SDK in
Kind regards,
Iloon
-
Oracle Apex - SSO with IBM Tivoli Access Manager WebSeal - filters out Files with Server Error 500
Hi,
We are using IBM Tivoli Access Manager for SSO to authenticate users to access our APEX application. The authentication works but...
When the application is being accessed with the WebSeal JS/CSS files are randomly not loaded and show up with either HTTP 400 or HTTP 500 error in the FF Toolbar Console. Of course without certain CSS / JS files the application can't be used by the user.
If the application is accessed without WebSeal all files are loaded successful.
Our set up:
There are two APEX Applications using the WebSeal - the first one apparently works
Apex Listener on Tomcat7.0
Apex 4.2.6
We tried all kind of different WebSeal configurations but nothing worked so far.
I found the following:
interactive report problem with SSO
==> Does anyone know how to use mapping tables and does it help?
Interactive report javascript error due to proxy
==> The solution is for EPG but we use Tomcat as Listener so the solution does not apply
Does anyone know how to configure the WebSeal?
Thanks
I have the same issue with Apex 4.2.6 and Webseal, but only on Mobile Application. Desktop Application is ok.
I have raised an SR on supportweb, but the SR engineer tells me it may be the Webseal issue; they can't reproduce it with Oracle Access Manager.
It's really a tough issue.
-
Hi!
Can anybody tell me if there any difference in configuring SSO for APEX 4.1 depending on which HTTP Server it is using (Embedded PL/SQL Gateway or Oracle HTTP Server).
And also, if I have several applications in the same domain and I have created a custom authentication scheme that checks user credentials against LDAP, would that allow me to have a true SSO experience, when the user doesn't have to re-enter his credentials after having signed in to the first application?
Or will I have to add some procedure that creates and stores user cookies and deletes them on logout?
After upgrading to APEX release 4.1.0.00.32 we received the following errors when attempting to authenticate to an application set up to use "Oracle Application Server Single Sign-On" as the Scheme Type.
Error message:
Error processing SSO authentication.
ORA-06550: line 2, column 1: PLS-00201: identifier 'WWSEC_SSO_ENABLER_PRIVATE' must be declared ORA-06550: line 1, column 45: PL/SQL: Statement ignored
ORA-06550: line 2, column 1: PLS-00201: identifier 'WWSEC_SSO_ENABLER_PRIVATE.GENERATE_REDIRECT' must be declared ORA-06550: line 1, column 45: PL/SQL: Statement ignored
This has been identified as BUG 12973090 - SSO WITH SPECIFIED PARTNER APPLICATION NAME FAILS WITH PLS-00201
Workaround:
The work around is to leave the “Partner Application Name” field blank in your authentication scheme. To do this go to: Application Builder > Your Application > Shared Components > Authentication Schemes > Click the Edit Icon on your authentication scheme that uses Single Sign-On > set the “Partner Application Name” blank as follows > Apply Changes.
Oracle support says development is currently working the issue and the bug will not be fixed until APEX release 4.1.1.
Sean
Edited by: Sean Harris on Nov 2, 2011 7:59 AM
-
10g - how to configure sso with iis-
hi, experts, I have followed Oracle® Business Intelligence Enterprise Edition Deployment Guide to configure SSO with IIS.
but I always meet this message.
Not Logged In
You are not currently logged in to the Oracle BI Server.
If you have already logged in, your connection might have timed out, or a communications or server error may have occurred
what steps are missing?
how to check?
hi, experts,
I checked C:\OracleBIData\web\log\sawlog0.log on the obi server (windows server 2003 standard).
at Thu Feb 17 14:48:46 2011, I logged in to OBI on another machine (not via the browser on the obi server).
however, the log shows the login user is the administrator of the obiserver (obiserver\administrator ).
is any setup on IIS wrong? thank you very much!
=========================================================================================
Running job 'MinutelyMonitor' took 7422 milliseconds, 12.3% of job's frequency (60 seconds).
Type: Error
Severity: 40
Time: Thu Feb 17 14:48:46 2011
File: project/webodbcaccess/odbcconnectionimpl.cpp Line: 371
Properties: ConnId-1,1;ThreadID-1796
Location:
saw.odbc.connection.open
saw.connectionPool.getConnection
saw.subsystem.security.checkAuthenticationImpl
saw.threadPool
saw.threads
Odbc driver returned an error (SQLDriverConnectW).
State: 08004. Code: 10018. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused.
[nQSError: 43001] Authentication failed for obiserver\administrator in repository Star: invalid user/password. (08004)
Type: Error
Severity: 42
Time: Thu Feb 17 14:48:46 2011
File: project/webconnect/connection.cpp Line: 276
Properties: ThreadID-1796
Location:
saw.connectionPool.getConnection
saw.subsystem.security.checkAuthenticationImpl
saw.threadPool
saw.threads
Authentication Failure.
Odbc driver returned an error (SQLDriverConnectW).
--------------------------------------- -
SSO with Logon Ticket to non-SAP Unix based application
Hi all,
Anyone has implemented SSO with Logon Ticket to a Unix box ?
We need to achieve Single Sign On between our EP5.0 SP5 Portal and a third-party web application with a front-end on a Unix AIX machine with Apache.
We achieved SSO with non-SAP applications with Logon Tickets, but one was to an IIS system in another domain (we therefore used the standard Web Filter for IIS and declared it in usermanagement for cross-domain support) and another one running on Windows platform (we used the C libraries provided in the "Logon Ticket Toolkit": NT or Linux only).
From what we understand and found on the web sites, we cannot reuse any standard web filter (none for Unix, am I correct ???) and want to implement custom code using SAP libraries, if possible using Java
-> Are there any Java libraries that are available to both:
. verify the logon ticket with the deployed Portal public key
. decrypt/extract the authenticated username from this ticket ??
I've seen a mention of Java libraries, and Unix, in a SAP EP 6.0 document but I'm not sure where to find them...
Is the SAP Logon Ticket issued the same way in EP 5.0 and EP 6.0 ?
I managed to find something called SAPSSOEXT, for AIX, which contains some partial library and a sample, but it is dated 2000 !! Anyone has more information about this ?
Any hint is very much appreciated.
Thanks a lot
Olivier
Check these links for reference regarding AIX and Apache using X.509 certificates:
http://publib16.boulder.ibm.com/pseries/en_US/aixbman/security/cas_pki.htm
And just using cookies -
http://forums.devshed.com/archive/t-105611 (perl based)
You can also use mod_ssl built into your Apache to facilitate both certificate based authentication as well as encryption.
The mod_ssl route is most secure (because of the encryption), the IBM link is comprehensive but requires extra infrastructure (LDAP).
Nick
-
SSO with KRB/ADS on Enterprise Portal 7
Dear All
While I am trying to configure SSO with KRB/ADS on Enterprise Portal 7 I am getting this in the trace file. I completed the configuration through SPNego and when I try to log in it is prompting for user name and password.
I have attached the trace file extract for your advice.
Regards
Buddhike
#1.5 #001CC45E6DA0008000000004000054FC00044F76844D9013#1213270351029#com.sap.engine.services.security.authentication.logincontext#
sap.com/com.sap.security.core.admin
#com.sap.engine.services.security.authentication.logincontext#Guest#0####3e642d50387311ddc2a0001cc45e6da0#Thread[Thread-110,5,SAPEngine_Application_Thread[impl:3]_Group]#
#0#0#Error#1#/System/Security/Authentication#Plain###
LOGIN.FAILED User:N/A Authentication Stack:com.sun.security.jgss.accept
*Login Module Flag Initialize Login Commit Abort Details*1. com.sun.security.auth.module.Krb5LoginModule OPTIONAL ok exception false null#
#1.5 #001CC45E6DA0006E00000029000054FC00044F76844D95C5#1213270351029#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#sap.com/com.sap.security.core.admin#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#Guest#0####3e669e50387311dda053001cc45e6da0#SAPEngine_Application_Thread[impl:3]_2##0#0#Error##Java###Acquiring credentials for realm KEELLS.INT failed
[EXCEPTION]
#1#GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!) at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)
at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:236)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:29)
at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:337)
Caused by: com.sap.engine.services.security.exceptions.BaseLoginException: Access Denied. at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:297)
at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
at sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
... 9 more
Caused by: com.sap.engine.services.security.exceptions.BaseSecurityException: Internal server error. An error log with ID [001CC45E6DA0008000000001000054FC00044F76844D8A3F] is created. For more information contact your system administrator.
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:156)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
... 23 more
Hi,
please check if the options defined in the KRB5LoginModule are correct.
First of all check for the option principal. Did you provide this option and also provide the correct value?
This error often occurs if you provided a wrong value for option principal
Cheers
-
SSO with ITS & Webenabling WEBGui
Hello,
We have configured SSO with R/3 system. It works fine.
The requirement is, we have to webenable R/3 system thru SAP GUI For Windows and SAP GUI For HTML.
We are able to do both on the development environment where both R/3 and portal have the same host names.
But in the qa environment, we are able to webenable R/3 with SAP GUI For Windows and the SSO also works fine. But when we try to using SAP GUI For Html, it asks for the username and pwd again. Here the portal and R/3 has different host names.
Otherwise the settings in dev and test are exactly the same. Has anybody got a clue why is it not working?
Regards,
Rukmani
Hi all,
it is always good to start with a good checklist. Here is probably the best one: https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/documents/a1-8-4/sso checklist.html
My suggestion is: do not skip even simple steps, sometimes problem appears there
Regards,
Pavol
-
SSO with EP 6.0 and R/3 as backened not working
Hi ,
I am implementing ESS in EP 6.0 and r/3 4.7c as backend. SSO is working with UIPWD. but when I try with LogonTickets it does not work.
I tried with ordinary SAP transaction SSO with logon tickets works. But through ITS if I call a ESS transaction service It asks me for login user and password.
What are the settings to be done in ITS for SSO to work. I have set the parameter
msapcomusesso2cookie = 1 in the global.svrc file.
I do not know what is wrong. Please help.
Regards,
Ramesh
Hi,
I am using a standalone ITS for a R/3 4.7 system.
How should I maintain a FQDN for ITS?
You are right,
now it is not of the format hostname.domain.com:port format. It is of the format hostname:port.
But where should I change this format. The host name of the system where the ITS is setup is <hostname> only.
can you please tell me as to where should I maintain the FQDN as the specific format you suggested.
Regards,
Ramesh
-
SSO with SAP logon tickets to non-SAP web app
I am trying to implement SSO to an oracle portal based web application using SAP logon tickets, but can't seem to find a way for it to work. I thought maybe it would be a web server filter, but am unsure if this would work for oracle portal. Anyone tried similar?
Cindy
Hi Cindy,
If it is EP6 SP2 probably you can checkout the following document.
http://service.sap.com/ep60
Go to Documentation Help>How-To-Guides>Current How To Guides section.
checkout the following how to guide.
Perform Cross Domain SSO with SAP Logon tickets zip file.
If you want the zip file please send an e-mail to
[email protected]
Regards
-Venkat Malempati
-
APEX Listener with APEX 3.0 on 11gR2
Yes, I am crazy.
We have many many APEX applications in APEX 3.0 running on a 10.2.0.4 database that needs desperately to be upgraded. As a test, I've set up a clean 11gR2 database and copied the production APEX database into it via datapump. I set up APEX Listener, as I don't have any OAS sitting around and the EPG doesn't seem to be supported for APEX 3.0... the Listener doesn't say one way or the other.
When trying to log in, I get the login page, but it tries to reference files such as apex_get_3_1.js while I only have files such as htmldb_get.js in my images directory in production. I noticed it is looking for what appears to be 3.1 files instead of 3.0 files... which concerns me.
The APEX listener appears to be more than just a Java PL/SQL gateway.
Is there a minimum version of APEX the APEX Listener supports?
Interested in pointers!
Rob
Hi Rob,
> Yes, I am crazy.
Why would that be? ;)
> We have many many APEX applications in APEX 3.0 running on a 10.2.0.4 database that needs desperately to be upgraded. As a test, I've set up a clean 11gR2 database and copied the production APEX database into it via datapump. I set up APEX Listener, as I don't have any OAS sitting around and the EPG doesn't seem to be supported for APEX 3.0... the Listener doesn't say one way or the other.
APEX 3.0 is supported by EPG. See the APEX 3.0 Installation Guide (http://docs.oracle.com/cd/B32472_01/doc/install.300/b32468/post_inst.htm#CHDBEJDA) for details.
APEX Listener is capable of hosting APEX 3.0 as well, though APEX 3.0 wasn't supported anymore when APEX Listener was initially released. The current APEX release at that time was 4.0, so this would be the first version to be known as really stable, whereas you won't get any support for older releases anymore. From personal experience I know that there are now issues with APEX 3.1 and APEX Listener, so it'll probably also work with 3.0.
Concerning your database release, the minimum for APEX Listener is 10.2.0.3, so you're definitely safe on that part, though I'd recommend to upgrade as regular support for 10.2 databases ended.
> When trying to log in, I get the login page, but it tries to reference files such as apex_get_3_1.js while I only have files such as htmldb_get.js in my images directory in production. I noticed it is looking for what appears to be 3.1 files instead of 3.0 files... which concerns me.
This indicates that your APEX would actually be a 3.1 and you should update your images directory.
> The APEX listener appears to be more than just a Java PL/SQL gateway.
It is, but this has nothing to do with your 3.1 JS files, if this is why you stated this.
> Is there a minimum version of APEX the APEX Listener supports?
As mentioned above, 4.0 would be a safe approach, but 3.1 will definitely work, 3.0 probably will as well. I'd recommend you find out which APEX version is actually installed on your database before you consider any upgrade operations. Run the following query as privileged user:
SELECT comp_name, version, status
  FROM dba_registry
 WHERE comp_id = 'APEX';
-Udo
I have BO XI 3.1 SP3 installed on a Windows 2008 4 bit server. I enabled SSO with Tomcat, it is working but not all the times.
I configured SSO, when users go to Infoview it doesn't prompt them for user credentials but this is not happening all the time. I would say 50% it doesn't, 50% it does prompt, it is not consistent. Any one has seen this problem.
Thanks.
What documentation are you using, also what are the desktop OS's? SSO occurs on the client workstation and when intermittent issues occur usually it's the client however there are some best practices that are in the current documentation. KB 1483762 should be used if possible.
Regards,
Tim