SSO with ITS & Webenabling WEBGui

Hello,
We have configured SSO with R/3 system. It works fine.
The requirement is, we have to webenable R/3 system thru SAP GUI For Windows and SAP GUI For HTML.
We are able to do both on developement environment where both R/3 and portal has got the same host names.
But in the qa environment, we are able to webenable R/3 with SAP GUI For Windows and the SSO also works fine. But when we try to using SAP GUI For Html, it asks for the username and pwd again. Here the portal and R/3 has different host names.
Otherwise the settings in dev and test are exactly the same. Has anybody got a clue why is it not working?
Regards,
Rukmani

Hi all,
it is always good to start with a good checklist. Here is probably the best one: https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/documents/a1-8-4/sso checklist.html
My suggestion is: do not skip even simple steps, sometimes problem appears there
Regards,
Pavol

Similar Messages

SSO with KRB/ADS on Enterprise Portal 7

Dear All
while i am trying to configure SSO with KRB/ADS on Enterprise Portal 7 i am getting this on the trace file..completed the configuration through SpNego and when i try to log in its promting for user name password..
i have attched the trace file extract for your advice..
Regards
Buddhike
#1.5 #001CC45E6DA0008000000004000054FC00044F76844D9013#1213270351029#com.sap.engine.services.security.authentication.logincontext#
sap.com/com.sap.security.core.admin
#com.sap.engine.services.security.authentication.logincontext#Guest#0####3e642d50387311ddc2a0001cc45e6da0#Thread[Thread-110,5,SAPEngine_Application_Thread[impl:3]_Group]#
#0#0#Error#1#/System/Security/Authentication#Plain###
LOGIN.FAILED User:N/A Authentication Stack:com.sun.security.jgss.accept
*Login Module                                                               Flag        Initialize Login      Commit     Abort      Details*1. com.sun.security.auth.module.Krb5LoginModule                            OPTIONAL    ok          exception             false      null#
#1.5 #001CC45E6DA0006E00000029000054FC00044F76844D95C5#1213270351029#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#sap.com/com.sap.security.core.admin#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#Guest#0####3e669e50387311dda053001cc45e6da0#SAPEngine_Application_Thread[impl:3]_2##0#0#Error##Java###Acquiring credentials for realm KEELLS.INT failed
[EXCEPTION]
#1#GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)     at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)
     at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
     at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
     at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
     at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
     at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
     at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
     at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:236)
     at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:29)
     at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:337)
Caused by: com.sap.engine.services.security.exceptions.BaseLoginException: Access Denied.     at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:297)
     at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     at java.lang.reflect.Method.invoke(Method.java:324)
     at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
     at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
     at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
     at java.security.AccessController.doPrivileged(Native Method)
     at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
     at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
     at sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
     at java.security.AccessController.doPrivileged(Native Method)
     at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
     ... 9 more
Caused by: com.sap.engine.services.security.exceptions.BaseSecurityException: Internal server error. An error log with ID [001CC45E6DA0008000000001000054FC00044F76844D8A3F] is created. For more information contact your system administrator.
     at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:156)
     at java.security.AccessController.doPrivileged(Native Method)
     at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
     ... 23 more

Hi,
please check if the options defined in the KRB5LoginModule are correct.
First of all check for the option prinicpal. Did you provide this option and also provided the correct value?
This error often occurs if you provided a wrong value for option prinicpal
Cheers

SSO and ITS

Hello,
We are trying to setup SSO for SAP System. Our architecture looks like this:
3rd party logon mechanism(via web) --> ITS --> Web Dispatcher --> WAS (BSP's)
We did extensive research and found that ITS might enable us to do that. But we are not clear if SNC is a must (Which we don't want to do). The documenation is not clear. The current URL without SSO points to Web Dispatcher which get us the bsp pages from the WAS.
Following is what we want to achieve:
1. Users will logon to the 3rd party logon mechanism via web(software is installed with APACHE 2.0)
2. once users are authenticated we need to pass the ID via HTTP header or any other method available to logon to SAP BSP Pages.
Currently users can logon to 3rd party software which redirects to the BSP application and requests user id and password.
We are wondering if anyone has done this sort of setup.
Thanks,

Hi
For SSO concept visit (You can also find usage in EP)
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/90277dbd-0401-0010-33a1-ac2c7e3a5659
<b>Usage across portal:</b>
Normally Portal provides you a page which has content from different backend applications. Portal actually provides single point of entry to these applications which reside outside Portal. Now with Single SingOn feature user does not have to logon to backend application again. That means when he clicks a link on Portal which points to Backend application, he does not have to enter user and password again for that application.
for more info
sso
Some fundas related to SSO with portal
What is meant by "SSO across multiple domains"
some usefull blog
Step-By-Step Guide to implement Application Integrator
Hope that helps

SSO between ITS 620 R/3 and EP

Hi,
I need to use ITS 620 for R/3 4.7 and EP 6.0 for ess/mss implementation
I have to configure SSO between R/3 and EP.
Do I also need to configure SSO between ITS and R/3 , ITS and EP also for this?
If yes can any one tell me the steps in configuring SSO between ITS and R/3, ITS and EP ?
advance thanks,
PK

UPDATE:
I have installed a portal (SAp netweaver 7.0 Java stack) and have connected it to a ECC6.0 SR3 backend and I needed only to configure the SSO between portal and backend abap instance, and all worked fine. There was no need to configure the SSO between the integrated ITS and abap instance.
About the error message mentioned in my previous forum entry:
I did not only do the steps for SSO between portal and backend as described in the blog "Configuring the Business Package for Employee Self-Service (ESS)", but I also did all the additional steps as mentioned in "10 golden rules of SSO".
After that the error message "SSO logon not possible; logon tickets not activated on the server" did not appear anymore. (Instead a screen that asks for username and password always appears with the warning "No switch to HTTPS occurred, so it is not secure to send a password". But I think that's ok.)

SSO with EP 6.0 and R/3 as backened not working

Hi ,
I am implementing ESS in EP 6.0 and r/3 4.7c as backend. SSO is working with UIPWD. but when I try with LogonTickets it does not work.
I tried with ordinary SAP transaction SSO with logon tickets works. But through ITS if I call a ESS transaction service It asks me for login user and password.
What are the setting to be done in ITS for SSO towork. I have set the parameter
msapcomusesso2cookie = 1 in the global.svrc file.
I do not know what is wrong. Please help.
Regards,
Ramesh

Hi,
I am using a standalone ITS for a R/3 4.7 system.
How should I maintain a FQDN for ITS?
You are right,
now it is not of the format hostname.domain.com:port format. It is of the format hostname:port.
But where should I change this format. The host name of the system where the ITS is setup is <hostname> only.
can you please tell me as to where should I maintain the FQDN as the specific format you suggested.
Regards,
Ramesh

How to configure sso with SSL step by step

Purpose
In this document, you can learn how to configure SSO with SSL. After user have certificate installed in browser, he can login without input username and password.
Overview
In this document we will demonstrate:
1.     How to configure OHS support SSL
2.     How to Register SSO with SSL
3.     Configure SSO for certificates
Prerequisites
Before start this document, you should have:
1.     Oracle AS 10g infrastructure installed (10.1.2)
2.     OCA installed
Note:
1.     “When you install Oracle infrastructure, please make sure you have select OCA.
2.     How Certificate-Enabled Authentication Works:
a.     The user tries to access a partner application.
b.     The partner application redirects the user to the single sign-on server for authentication. As part of this redirection, the browser sends the user's certificate to the login URL of the server (2a). If it is able to verify the certificate, the server returns the user to the requested application.
c.     The application delivers content. Users whose browsers are configured to prompt for a certificate-store password may only have to present this password once, depending upon how their browser is configured. If they log out and then attempt to access a partner application, the browser passes their certificate to the single sign-on server automatically. This means that they never really log out. To effectively log out, they must close the browser.
Enable SSL on the Single Sign-On Middle Tier
The following steps involve configuring the Oracle HTTP Server. Perform them on the single sign-on middle tier. In doing so, keep the following in mind:
l     You must configure SSL on the computer where the single sign-on middle tier is running.
l     You are configuring one-way SSL.
l     You may enable SSL for simple network encryption; PKI authentication is not required. Note though that you must use a valid wallet and server certificate. The default wallet location is ORACLE_HOME/Apache/Apache/conf/ssl.wlt/default.
1.     Back up the opmn.xml file, found at ORACLE_HOME/opmn/conf
2.     In opmn.xml, change the value for the start-mode parameter to ssl-enabled. This parameter appears in boldface in the xml tag immediately following.
<ias-component id="HTTP_Server">
<process-type id="HTTP_Server" module-id="OHS">
<module-data>
<category id="start-parameters">
<data id="start-mode" value="ssl-enabled"/>
</category>
</module-data>
<process-set id="HTTP_Server" numprocs="1"/>
</process-type>
</ias-component>
3.     Update the distributed cluster management database with the change: ORACLE_HOME/dcm/bin/dcmctl updateconfig -ct opmn
4.     Reload the modified opmn configuration file:
ORACLE_HOME/opmn/bin/opmnctl reload
5.     Keep a non-SSL port active. The External Applications portlet communicates with the single sign-on server over a non-SSL port. The HTTP port is enabled by default. If you have not disabled the port, this step requires no action.
6.     Apply the rule mod_rewrite to SSL configuration. This step involves modifying the ssl.conf file on the middle-tier computer. The file is at ORACLE_HOME/Apache/Apache/conf. Back up the file before editing it.
Because the Oracle HTTP Server has to be available over both HTTP and HTTPS, the SSL host must be configured as a virtual host. Add the lines that follow to the SSL Virtual Hosts section of ssl.conf if they are not already there. These lines ensure that the single sign-on login module in OC4J_SECURITY is invoked when a user logs in to the SSL host.
<VirtualHost ssl_host:port>
RewriteEngine on
RewriteOptions inherit
</VirtualHost>
Save and close the file.
7.     Update the distributed cluster management database with the changes:
ORACLE_HOME/dcm/bin/dcmctl updateconfig -ct ohs
8.     Restart the Oracle HTTP Server:
ORACLE_HOME/opmn/bin/opmnctl stopproc process-type=HTTP_Server
ORACLE_HOME/opmn/bin/opmnctl startproc process-type=HTTP_Server
9.     Verify that you have enabled the single sign-on middle tier for SSL by trying to access the OracleAS welcome page, using the format https://host:ssl_port.
Reconfigure the Identity Management Infrastructure Database
Change all references of http in single sign-on URLs to https within the identity management infrastructure database. When you change single sign-on URLs in the database, you must also change these URLs in the targets.xml file on the single sign-on middle tier. targets.xml is the configuration file for the various "targets" that Oracle Enterprise Manager monitors. One of these targets is OracleAS Single Sign-On.
1.     Change Single Sign-On URLs
Run the ssocfg script, taking care to enter the command on the computer where the single sign-on middle tier is located. Use the following syntax:
UNIX:
$ORACLE_HOME/sso/bin/ssocfg.sh protocol host ssl_port
Windows:
%ORACLE_HOME%\sso\bin\ssocfg.bat protocol host ssl_port
In this case, protocol is https. (To change back to HTTP, use http.) The parameter host is the host name, or server name, of the Oracle HTTP listener for the single sign-on server.
Here is an example:
ssocfg.sh https login.acme.com 4443
2. Restart OC4J_SECURITY instance and verify the configuration
To determine the correct port number, examine the ssl.conf file. Port 4443 is the port number that the OracleAS installer assigns during installation.
If you run ssocfg successfully, the script returns a status 0. To confirm that you were successful, restart the OC4J_SECURITY instance:
ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
Then try logging in to the single sign-on server at its SSL address:
https://host:ssl_port/pls/orasso/
     3. Back up the file targets.xml:
cp ORACLE_HOME/sysman/emd/targets.xml ORACLE_HOME/sysman/emd/targets.xml.backup
4. Open the file and find the target type oracle_sso_server. Within this target type, locate and edit the three attributes that you passed to ssocfg:
·     HTTPMachine—the server host name
·     HTTPPort—the server port number
·     HTTPProtocol—the server protocol
If, for example, you run ssocfg like this:
ORACLE_HOME/sso/bin/ssocfg.sh http sso.mydomain.com:4443
Update the three attributes this way:
<Property NAME="HTTPMachine" VALUE="sso.mydomain.com"/>
<Property NAME="HTTPPort" VALUE="4443"/>
<Property NAME="HTTPProtocol" VALUE="HTTPS"/>
5.Save and close the file.
6.     Reload the OracleAS console:
     ORACLE_HOME/bin/emctl reload
7. Issue these two commands:
ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
Registering mod_osso
1.     This command sequence that follows shows a mod_osso instance being reregistered with the single sign-on server.
$ORACLE_HOME/sso/bin/ssoreg.sh
     -oracle_home_path $ORACLE_HOME
     -config_mod_osso TRUE
     -mod_osso_url https://myhost.mydomain.com:4443
2.     Restarting the Oracle HTTP Server
After running ssoreg, restart the Oracle HTTP Server:
ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
Configuring the Single Sign-On System for Certificates
1.     Configure policy.properties with the Default Authentication Plugin
Update the DefaultAuthLevel section of the policy.properties file with the correct authentication level for certificate sign-on. This file is at ORACLE_HOME/sso/conf. Set the default authentication level to this value:
DefaultAuthLevel = MediumHighSecurity
Then, in the Authentication plugins section, pair this authentication level with the default authentication plugin:
MediumHighSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOX509CertAuth
2.     Restart the Single Sign-On Middle Tier
After configuring the server, restart the middle tier:
ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
Bringing the SSO Users to OCA User Certificate Request URL
The OCA server reduces the administrative and maintenance cost of provisioning a user certificate. The OCA server achieves this by authenticating users by using OracleAS SSO server authentication. All users who have an Oracle AS SSO server account can directly get a certificate by using the OCA user interface. This reduces the time normoally requidred to provision a certificate by a certificate authority.
The URL for the SSO certificate Request is:
https://<Oracle_HTTP_host>:<oca_ssl_port>/oca/sso_oca_link
You can configure OCA to provide the user certificate request interface URL to SSO server for display whenever SSO is not using a sertificate to authenticate a user. After the OracleAS SSO server authenticates a user, it then display the OCA screen enabling that user to request a certificate.
To link the OCA server to OracleAS SSO server, use the following command:
ocactl linksso
opmnctl stoproc type=oc4j instancename=oca
opmnctl startproc type=oc4j instancename=oca
You also can use ocactl unlinksso to unlink the OCA to SSO.

I have read the SSO admin guide, and performed the steps for enabling SSL on the SSO, and followed the steps to configure mod_osso with virtual host on port 4443 as mentioned in the admin guide.
The case now is that when I call my form (which is developed by forms developer suite 10g and deployed on the forms server which is SSO enabled) , it calls the SSO module on port 7777 using http (the default behaviour).
on a URL that looks like this :
http://myhostname:7777/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=.......
and gives the error :
( Forbidden
You don't have permisission to access /sso/auth on this server at port 7777)
when I manually change the URL to :
https://myhostname:4443/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=.......
the SSO works correctly.
The question is :
How can I change this default behaviour and make it call SSO on port 4443 using https instead ?
Any ideas ?
Thanks in advance

Configure SSO for ITS to R/3 using SNC/Kerberos

Our R/3 systems had been configured for SSO using SNC and Kerberos for awhile now. We now have a requirement to configure SSO between ITS and R/3. Since our R/3 env. has been using kerberos library, we won't be able to use SAP Cryptographic library. I had modified the registry, environment and services in itsadmin to point to the kerberos library and principal names for agate and r/3 servers as described in SNC User Guide; also, I updated table SNCSYSACL with the Agate SNC name. That seems to work fine. From the trace file, it recognized GSS-API library for Kerberos and the SNC name for Agate. However, when I tried to logon to R/3 from ITS, I still am being prompted with the logon screen to enter my SAP account/password.
I found several whitepapers and documentations stating that ITS does support Kerberos for SSO but I couldn't find any procedure on how to implement it. Following is the error I'm getting from the sapbasis.trc file but I can't find any document on this error:
=====================================================
[Thr 5284] SncInit(): Initializing Secure Network Communication (SNC)
[Thr 5284]       PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 8/32/32)
[Thr 5284] SncInit(): Trying environment variable SNC_LIB as a
      gssapi library name: "C:\WINNT\system32\gsskrb5.dll".
[Thr 5284]   File "C:\WINNT\system32\gsskrb5.dll" dynamically loaded as GSS-API v2 library.
[Thr 5284]   The internal Adapter for the loaded GSS-API mechanism identifies as:
Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
[Thr 2888] Sun Jan 15 22:44:59 2006
[Thr 2888] <<- ERROR: SncSetParam()==SNCERR_PARAM_DENIED
[Thr 2888] *** WARNING => NO Domain! domain==NULL means: No domain at all within the cookie. [sapss1_loctr 333]
[Thr 2888] Sun Jan 15 22:45:29 2006
[Thr 2888] *** WARNING => NO Domain! domain==NULL means: No domain at all within the cookie. [sapss1_loctr 333]
=====================================================
Does anyone know what am I missing? Any help is greatly appreciated.
Thank you!
Diem

Hi Markus,
I also just installed/configured PAS for LDAP authentication using the "PAS for External Authentication Mechanisms" documentation. I think the domain problem probably due to not having the external authentication mechanism install (in this case - PAS). Does that sound right to you?
I tried both options for ~extid_type parameter = "LD" and "UN". I added the DN information to table USREXTID when ~extid_type="LD" but both options gave me error of "LDAP authentication failed". I increased the trace level for sapextaut.trc but I don't see enough detail information. Following are the errors/data from the trace file. Can you please let me know how I can tell what string is being passed for authentication?
I'm quite sure the LDAP host and port data is correct since we've been using the same information for the SAP LDAP connector and we've been using our LDAP connector between MS AD and R/3 for a long time without any problem.
To logon to R/3 through ITS, I entered the AD account (CN attribute in AD) when I got the errors.
Thank you very much for all your help.
Diem Tran
Trace:
=====================================================
2006-01-18T01:39:30.734 p001688 t4992 s0158B4E8 [sapextauth, 437]: W sapextauth: PAS session begins...
2006-01-18T01:39:30.734 p001688 t4992 s0158B4E8 [sapextauth, 456]:     sapextauth: SncNameR3 is:    "p:na1adm/[email protected]"
2006-01-18T01:39:30.734 p001688 t4992 s0158B4E8 [sapextauth, 462]:     sapextauth: SncNameAGate is: "p:[email protected]"
2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth, 468]:     sapextauth: SNC_LIB is:      "C:\WINNT\system32\gsskrb5.dll"
2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth, 568]:     sapextauth: XGatConnectSession leaving....
2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth, 616]:     sapextauth: XGatHandleLogin called....
2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth, 976]:     sapextauth: Entering XGatHandleLogin with LDAP...
2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth, 993]: W Either ~login or ~password missing, returning XGDKRCloginrequired.
2006-01-18T01:39:50.281 p001688 t4992 s00000000 [sapextauth, 398]:     sapextauth: XGatEventOpenSession called...
2006-01-18T01:39:50.281 p001688 t4992 s0158B4E8 [sapextauth, 616]:     sapextauth: XGatHandleLogin called....
2006-01-18T01:39:50.281 p001688 t4992 s0158B4E8 [sapextauth, 976]:     sapextauth: Entering XGatHandleLogin with LDAP...
2006-01-18T01:39:50.296 p001688 t4992 s0158B4E8 [sapextauth, 1059]:     sapextauth: LDAP port ist 389
2006-01-18T01:39:50.296 p001688 t4992 s0158B4E8 [sapextauth, 1261]: E sapextauth: LDAP authentication failed.
2006-01-18T01:39:50.296 p001688 t4992 s0158B4E8 [sapextauth, 1277]: E sapextauth: Wrong try for user Tran_Diem
2006-01-18T01:39:59.140 p001688 t4992 s00000000 [sapextauth, 398]:     sapextauth: XGatEventOpenSession called...
2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth, 616]:     sapextauth: XGatHandleLogin called....
2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth, 976]:     sapextauth: Entering XGatHandleLogin with LDAP...
2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth, 1059]:     sapextauth: LDAP port ist 389
2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth, 1261]: E sapextauth: LDAP authentication failed.
2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth, 1277]: E sapextauth: Wrong try for user Tran_Diem
=======================================================

Configuration of SAML SSO with EP 7.31 and ARIBA

Hello Experts,
We are trying to build up SAML SSO with EP 7.31 and ARIBA with Below Scenario.
1. ARIBA Portal is Service Provider
2. EP 7.31 is Identity Provider
3. End user will try to access ARIBA Portal, Due to SAML Switch On, request will be redirected to EP 7.31 URL
4. End User will ask to enter EP credentials
5. Post successful login , Ticket will be passed to ARIBA with Ticket
6. Once Validating Ticket, end user should directly get home page of ARIBA
Please let us know if there is any help available for above mentioned configuration.
Regards,
Prashant

Hi Khushboo,
On the Help Portal, you can start with Using SAML 2.0. The first page identifies the primary reason to use SAML 2.0 and provides a list of scenarios for its use. From there you will find explicit configuration instructions.
On SCN there is a good list of resources here: Single Sign-On with SAML 2.0. In case you use ADFS, there is at least one step-by-step guide integrating SSO using ADFS 2.0.
Best regards,
Jill

NW04 EP60 SSO with Tivoli

Hi there,
Is there any how-to guide or technical documentation on how to setup and configure NW04 EP6.0 on Web AS 6.40 for SSO with Tivoli Access Manager? I was only able to get IBM information but its based on EP5.0.
Thanks.

Hi Torsten,
From the document - In 2.c, what web appliation or template you use to add logon module HeaderVariableLoginModule?
2. Adjust the J2EE web applicationu2019s login module stack by adding in the HeaderVariableLoginModule:
a. In the Visual Administrator, choose Server (name) - Services - Security Provider.
b. Select Policy Configurations - Authentication.
c. Select the J2EE web application that is to be configured to support header variable authentication. Alternatively, an authentication template used by the J2EE Web application may be selected (for example, SAP NetWeaver EP Core uses the ticket authentication template). Modifying an authentication template will affect every application configured to use the template.
d. Add the login module HeaderVariableLoginModule to the login module stack by clicking on Add New and selecting HeaderVariableLoginModule.
Thanks.
Ed

10g - how to configure sso with iis-

hi, experts, I have followed Oracle® Business Intelligence Enterprise Edition Deployment Guide to configure SSO with IIS.
but I always meet this message.
Not Logged In
You are not currently logged in to the Oracle BI Server.
If you have already logged in, your connection might have timed out, or a communications or server error may have occurred
what steps are missing?
how to check?

hi, experts,
I checked C:\OracleBIData\web\log\sawlog0.log on the obi server (windows server 2003 standard).
at Thu Feb 17 14:48:46 2011 , I logined OBI on another machine (not via the browser on the obi server).
however, the log shows the login user is the administrator of the obiserver (obiserver\administrator ).
any setup on IIS are wrong? thank you very much!
=========================================================================================
Running job 'MinutelyMonitor' took 7422 milliseconds, 12.3% of job's frequency (60 seconds).
Type: Error
Severity: 40
Time: Thu Feb 17 14:48:46 2011
File: project/webodbcaccess/odbcconnectionimpl.cpp Line: 371
Properties: ConnId-1,1;ThreadID-1796
Location:
     saw.odbc.connection.open
     saw.connectionPool.getConnection
     saw.subsystem.security.checkAuthenticationImpl
     saw.threadPool
     saw.threads
Odbc driver returned an error (SQLDriverConnectW).
State: 08004. Code: 10018. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused.
[nQSError: 43001] Authentication failed for obiserver\administrator in repository Star: invalid user/password. (08004)
Type: Error
Severity: 42
Time: Thu Feb 17 14:48:46 2011
File: project/webconnect/connection.cpp Line: 276
Properties: ThreadID-1796
Location:
     saw.connectionPool.getConnection
     saw.subsystem.security.checkAuthenticationImpl
     saw.threadPool
     saw.threads
Authentication Failure.
Odbc driver returned an error (SQLDriverConnectW).
---------------------------------------

SSO with Logon Ticket to non-SAP Unix based application

Hi all,
Anyone has implemented SSO with Logon Ticket to a Unix box ?
We need to achieve Single Sign On between our EP5.0 SP5 Portal and a third-party web application with a front-end on a Unix AIX machine with Apache.
We achieved SSO with non-SAP applications with Logon Tickets, but one was to an IIS system in another domain (we therefore used the standard Web Filter for IIS and declared it in usermanagement for cross-domain support) and another one running on Windows platform (we used the C libraries provided in the "Logon Ticket Toolkit": NT or Linux only).
From what we understand and found on the web sites, we cannot reuse any standard web filter (none for Unix, am I correct ???) and want to implement custom code using SAP libraries, if possible using Java
-> Are there any Java libraries that are available to both:
. verify the logon ticket with the deployed Portal public key
. decrypt/extract the authenticated username from this ticket ??
I've seen a mention of Java libraries, and Unix, in a SAP EP 6.0 document but I'm not sure where to find them...
Is the SAP Logon Ticket issued the same way in EP 5.0 and EP 6.0 ?
I managed to find something called SAPSSOEXT, for AIX, which contains some partial library and a sample, but it is dated 2000 !! Anyone has more information about this ?
Any hint is very much appreciated.
Thanks a lot
Olivier

Check these links for reference regarding AIX and Apache using X.509 certificates:
http://publib16.boulder.ibm.com/pseries/en_US/aixbman/security/cas_pki.htm
And just using cookies -
http://forums.devshed.com/archive/t-105611 (perl based)
You can also use mod_ssl built into your Apache to facilitate both certificate based authentication as well as encryption.
The mod_ssl route is most secure (because of the encryption), the IBM link is comprehensive but requires extra infrastructure (LDAP).
Nick
Nick

User assgined to a group, SSO to ITS is not working

We had our security group add a ESS-User group. We imported 500 users and assigned them to that group. When logging into EP, we are getting access to the correct tabs, but ITS is requiring us to login.
But when logging in as a user that is not assigned to this group, the SSo to ITS is working.
What setup step are we missing? Are we supposed to configure something in Visual Administrator.

Hi Dena,
A logon trace might provide the cause of the problem. See SAP note 495911 for starting.
Thanks and regards,
Dieter

SSO with SAP logon tickets to non-SAP web app

I am trying to implement SSO to an oracle portal based web application using SAP logon tickets, but can't seem to find a way for it to work. I thought maybe it would be a web server filter, but am unsure if this would work for oracle portal. Anyone tried similar?
Cindy

Hi Cindy,
If it is EP6 SP2 probably you can checkout the following document.
http://service.sap.com/ep60
Go to Documentation Help>How-To-Guides>Current How To Guides section.
checkout the following how to guide.
Perform Cross Domain SSO with SAP Logon tickets zip file.
If you want the zip file please send an e-mail to
[email protected]
Regards
-Venkat Malempati

SSO with XI 3.1

I have BO XI 3.1 SP3 installed on a Windows 2008 4 bit server. I enabled SSO with Tomcat, it is working but not all the times.
I configured SSO, when users go to Infoview it dosen't prompt them for user credentials but this is not happening all the time. I would say 50% it doesn't, 50% it does prompt, it is not consistent. Any one has seen this problem.
Thanks.

What documentatin are you using, also what are the desktop OS's? SSO occurs on the client workstation and when intermittent issues occur usually it's the client however their are some best practices that are in the current documentation. KB 1483762 should be used if possible.
Regards,
Tim

Working in Logic 9, how do I use a drum loop WITH ITS PRESET EFFECTS? I can drag and drop the loop but it plays dry in timeline. thanks

Working in Logic 9, how do I use a drum loop WITH ITS PRESET EFFECTS? I can drag and drop the loop but it plays dry in timeline. thanks

Here's the short-cut solution:
Green Apple tracks are MIDI files (so to speak). If you drag one from the loop browser (Capitol C Orchestral hit, as you mentioned in this exable) directly into the arrange page it creates the MIDI file and the instrument to play it back on.
HOWEVER.If you create and audio track first, THEN drag the green Apple loop onto that track, the loop will get "bounced" with the reverb in tact and you'll have the exact sound that you heard in the preview.
Make sense?

SSO with ITS & Webenabling WEBGui

Similar Messages

Maybe you are looking for