SSO logon not possible; browser logon ticket

former_member198282 · ‎09-30-2008

We are running on ECC6 SP12, dual stack system. It is sitting on the

same Solaris 10 box.

I am trying to configure SSO from the Portal to the ABAP stack(on the

same system). Here's my configuration setting:

- icm/host_name_full = hostname.full_domain_name in default.pfl

- domain relaxation is set to 2(our domain name has 4 parts)

- run strustsso2 to import verify.der from portal.

- login/create_sso2_ticket = 2

- login/accept_sso2_ticket = 1

Please see the setps for reconstruction for my test case.

I have read many docs. My question is:

- how does the portal determine what the OS domain is? Is it via the parameter icm/host_name_full? I realize that the issuing and accepting servers have to be on the same domain. But they obviously are, since the abap and j2ee stack is sitting on the same server with the same domain.

- Is there any other setting I need on my IE browser. We are using IE6.

Thanks,

John.

former_member198282 · ‎09-30-2008

By the way, after you logon to an EP7 server, can you actually see the cookie from EP? I believe you should see the cookie on IE via internet options -> settings -> view files.

However, I don't see any cookie from the EP7 server.

Thanks,

Jonathan.

former_member198282 · ‎09-30-2008

Hi, Ashutosh.

To answer your question:

lE start page -> points to EP6 production(called PPP). The EP6 is pointing to the production ECC6 server(PRD).

After I start my browser which logs me into PPP. I thenlogon to another EP6 called PDP which connects to our DEV ECC6 ABAP server called DVC, SSO works.

Now I have a dual stack system called TS1. When I use the same browser session and logs on to TS1 portal. The SSO from the TS1 portal to TS1 ABAP does not work. I am baffled on why and I have already applied all the steps documented by SAP.

All of the servers above are on the same domain.

Now I am guessing the PDP is somehow able to use the same logon ticket from PPP to SSO into DVC. Is it possible?

Thanks,

John.

former_member198282 · ‎09-30-2008

Thanks for your response. I have already tried all the steps that you mentioned. The portal(TS1) is installed via j2ee add-in on the ECC ABAP stack.

What I found is the following:

- After I delete cookies from my browser and connect to the portal, the SSO to the abap stack worked!

- Our browser start page is pointing to an EP6 server(PSP). So I will get a cookie automatically when I logon to the EP6.

- So I am suspecting that the TS1 is actually using the PSP cookie and because of the internet policy, TS1 was not able to create its own cookie. I have further verified my theory my going to browser -> "internet options" -> settings -> view files. I only see one cookie.

- However, if I go to anothe EP6 server, I can initiate the single sign-on to an ECC 6.0 server without any problem.

So my question is:

Is there a way you can configure a portal's single sign-on to the abap backend and use the logon ticket of another portal server?

Thanks,

John.

frank_friedrich · ‎09-30-2008

Hi,

the ECC must accept SSO cookies.

The transaction TRUSTSSO2 is to import the portal certificate and to set the ACL's for accepting the portal. The default client of the portal is 000.

Afterwards the IE setting must accept cookies.

For example your portal is running at server1.a.b.com and your ECC is running at server2.a.b.com everything works fine when you have set the TRUSTSSO2 settings propery.

Best regards

Frank

SSO logon not possible; browser logon ticket

Accepted Solutions (0)

Answers (4)

Answers (4)

Can CrestalReports.NET be developed even if the DB...

How-to-guide for SAP GUI Scripting

Re: applying conditional formatting to the hierarc...

Re: How to quantify memory usage of an ABAP instan...

Re: How to quantify memory usage of an ABAP instan...