
SSO to non SAP Application using SAP Logon Ticket

Former Member
0 Kudos

Hi Experts,

I have EP 7 SP 15 using the SPNego Wizard for SSO with Active Directory, and SSO between EP and ECC using SAP certificates.

Now I have a demand to SSO some Java-based applications (non-SAP) to my portal using the SAP Logon Ticket.

I have followed some blogs that directed me to use SAPSSOEXT (some libs) to read the MYSAPSSO2 cookie. The problem is that I didn't find this cookie; I even executed the command javascript:document to look for this cookie, but the browser just shows me the JSESSIONID info.

Does anybody know where I can find this cookie, or if there's a better way to set up this SSO? It's necessary to say that I cannot SSO these applications with the Kerberos protocol because of some security reasons at my company.

Thanks

Armando

Accepted Solutions (1)


Former Member
0 Kudos

Hello Armando,

If you haven't taken a look at the SAP Java Demo application yet, take a look at this first:

https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/ec82ec90-0201-0010-72bc-88ef1502...

Your standard options to achieve SSO without SAP in Windows are NTLM (outdated) or Kerberos. Since you mentioned neither is an option due to 'security' reasons, you are left with reading out the SSO ticket. However, this means that you will always have to redirect users over the Portal. A ticket "dispenser", so to say.

I don't know why you were unable to read the MYSAPSSO2 cookie. Have you tried downloading a third-party plugin for Firefox or Internet Explorer that lets you read the cookies? You should be able to see it there after you sign into the portal. If not, then I would check the logon stack of your EP and make sure the CreateLogonTicket module is included.

We've set up the same scenario here at our company and it works really well. Let me know if you have any further questions.

Cheers,

Hermann

Former Member
0 Kudos

Hi Hermann,

Thanks for your reply. I checked my logon stack, and the ticket template that is used to authenticate through SPNego includes the createticketlogin module. Do you have any idea if this cookie can be generated with another name?

Regards

Armando Martines Neto

Former Member
0 Kudos

Hi Experts,

To check what cookies EP is generating, I installed the IE plugin IEWatch. I figured out that the cookie MYSAPSSO2 has been created, but just on the server side. Does anybody know how to bring this cookie to the client side?

Regards

Armando Martines Neto

Answers (2)


Former Member
0 Kudos

Hi Experts,

Problem solved! (In fact it was a beginner mistake.) I was looking for the cookie MYSAPSSO2 on the local drives, but it is an HttpOnly cookie that is stored only in the session.

As I was developing my system in a different Windows browser, the cookie could not be read.

Thanks for all the help

Armando Martines Neto
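An added example (not part of the original thread, and not SAP code) of why the ticket was invisible to script and absent from disk, and of how the non-SAP application sees it instead. The `Set-Cookie` headers, hostnames, the `Domain` attribute and all function names are constructed assumptions.

```javascript
// Constructed sample headers; values and the domain are placeholders.
const SAMPLE_SET_COOKIE = [
  "JSESSIONID=CONSTRUCTED_SESSION_ID; Path=/",
  "MYSAPSSO2=CONSTRUCTED_TICKET_VALUE; Domain=.example.com; Path=/; HttpOnly",
];

// Parse one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("="); // split on the first "=" only: ticket values may contain "="
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Where can this cookie be observed?
function describeCookie(header) {
  const c = parseSetCookie(header);
  return {
    name: c.name,
    // HttpOnly cookies are never exposed through document.cookie.
    readableByScript: !("httponly" in c.attrs),
    // No Expires/Max-Age means a session cookie: held by the browser session, not a cookie file.
    persistent: "expires" in c.attrs || "max-age" in c.attrs,
    domain: c.attrs.domain ? c.attrs.domain.replace(/^\./, "").toLowerCase() : null,
  };
}

// Would the browser attach the cookie set by originHost to a request for host?
function sentToHost(header, originHost, host) {
  const d = describeCookie(header).domain;
  host = host.toLowerCase();
  if (d === null) return host === originHost.toLowerCase(); // host-only cookie
  return host === d || host.endsWith("." + d);
}

// Server side of the non-SAP application: take the ticket from the Cookie request header.
// The returned value is unverified and must pass ticket verification before the user ID is trusted.
function ticketFromCookieHeader(cookieHeader) {
  for (const part of (cookieHeader || "").split(";")) {
    const i = part.indexOf("=");
    if (i !== -1 && part.slice(0, i).trim() === "MYSAPSSO2") return part.slice(i + 1).trim();
  }
  return null;
}
```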

Former Member
0 Kudos

Hi,

I don't have much related info, but I can give you a hint:

Refer to OSS Notes 442401 and 723896.

When using SAP logon tickets for non-SAP applications, two different implementation options are available. The difference lies in where the ticket verification takes place.

In the first case, the SAP logon ticket is submitted to the web server filter located on the web server. The web server filter verifies the portal server's public key certificate using its local Personal Security Environment (PSE) and then populates the HTTP header field with the user ID for SSO to the non-SAP web application.

In the second case, the SAP logon ticket is sent to the non-SAP application, which then verifies it using the ticket verification DLL and submits the user ID to the application for SSO.

You can refer to the following links:

http://help.sap.com/saphelp_nw70/helpdata/EN/89/6eb8deaf2f11d5993700508b6b8b11/frameset.htm

user authentication and SSO

http://help.sap.com/saphelp_nw70/helpdata/EN/8f/ae29411ab3db2be10000000a1550b0/frameset.htm

Authentication Using a Directory with SSO Integration Using Logon Tickets

http://help.sap.com/saphelp_nw70/helpdata/EN/f8/3b514ca29011d5bdeb006094191908/frameset.htm

SSO

http://help.sap.com/saphelp_nwce10/helpdata/en/45/b6af743753003ae10000000a11466f/frameset.htm