Single Sign on from Portal (Web) to SAP GUI for Windows

Former Member
0 Kudos

Hi Experts,

I am not sure if this really belongs in this section, but let's give it a try. The following description shows the situation where SSO should be put in place:

- The user logs on to Enterprise Portal and receives a SAPLogonTicket

- A static page in the Portal (preferably built with the Web Page Composer) contains links to all ABAP systems in the environment

- When the user hits one of these links, the SAP GUI (for Windows) that is installed on the client should be loaded and the user should access the SAP GUI without further authentication

Is it possible to set this up using only the SAPLogonTicket, or will there be a requirement for a third-party tool? Please let me know if anyone has implemented something similar.

Thanks a lot,

Jan

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Jan,

do I understand you correctly that you do not want to open the SAP GUI in an iView but rather start the locally installed exe-file with a shortcut or something?

Thanks for clarification,

R.

13 REPLIES

fredrik_borlie
Contributor
0 Kudos

Yes,

this should work.

Once I did try to use this myself, but we got the Trustbroker tool before I was finished =D

As long as you set up single sign on between the portal and the SAP-systems you should be able to "misuse" the portal to host a page to act as SSO-SAPlogon.

You should also consider connecting the portal to your AD to receive the same password for the portal logon.

(and of course consider real SSO, but that I am sure you are aware of ;-D )

Regards Fredrik

Former Member
0 Kudos

This would be SAP's preferred way of implementing SSO. The configuration steps should be documented quite well on help.sap.com. Have a look first and come back if you still have questions.

The ABAP systems are usually accessed via an iView. There is no need to program anything.

BTW. SAPLogonTickets are not very secure and should only be exchanged over encrypted connections!

Edited by: Sietze Roorda on Apr 30, 2009 4:21 PM

0 Kudos

Hi all,

and thanks for your answers.

R.H., it is correct, I do not want to have the ABAP included in form of an iView but open the locally installed SAP GUI and directly logon without further authentication.

Do you have an idea on how to achieve this?

Thanks a lot for help,

Jan

0 Kudos

Jan,

As also mentioned by Sietze earlier, using sap logon ticket is not secure for SAP GUI connections. Instead, you should use SNC to authenticate the user when SAP GUI is run. This also means that the user can logon using SAP Logon and SAP GUI without logging into portal - this is what I have seen other companies use, and this method is very secure and fully supported by SAP and the partner ecosystem. If you use logon ticket to authenticate user running SAP GUI, then there is no guarantee that SAP will continue to allow this in future products.

Thanks,

Tim

0 Kudos

Hi Tim,

Thanks for your input. But the customer's requirement is to use the Portal as single point of entry for each user. The Portal logon (which is matched against the customer's corporate directory) should be used as the only authentication. This is already in place and uses the header authentication from the J2EE stack and grants the SAPLogonTicket upon success.

What they want now, is a static "link page" within the Portal that opens the SAP GUI for the particular system (BI, SRM, HR, etc) w/o further authentication.

I still have not found out if there is a way to achieve this (preferred without the requirement for a 3rd party tool). Also the procedure with SNC might not be feasible as it would require a specific certificate for each user, which (afaik) is not in place currently.

Thanks,

Jan

0 Kudos

Jan,

In order to send a sap logon ticket over the SAP GUI session so that the server can accept it and determine who the user is who is logged on at workstation, there needs to be a secure session between workstation and ABAP system - this secure session is achieved using SNC when SAP GUI is used. If you don't secure this session then the SSO2 ticket could be captured and used to logon as the user by an attacker. If you want to implement an insecure solution then I wish you best of luck, but beware!!!

Since SNC is used to secure SAP GUI session, and it also includes authentication it makes sense to use SNC for authentication of users when they logon using SAP GUI and this will work if SAP GUI is launched from portal or if the user is logged onto workstation and runs SAP GUI without logging onto portal.

For SNC there is no need for certificates. Many companies are using Active Directory authentication (e.g. Kerberos) with SNC libraries to give SAP GUI SSO. If the portal logon method is also using Active Directory authentication, then the user is authenticated to SAP using same user if they access via portal or using GUI.

What method of authentication are you using to get the HTTP header variable set and issue an SSO2 ticket?

Thanks,

Tim

0 Kudos

Hi Tim,

The authentication is made on a SSO proxy server (Apache) that is in front of the Portal. After a successful match against the corp. directory the proxy passes the SAP UID within the header of the http request to the portal. On the Portal side the ticket stack has been extended by a HeaderVariableLoginModule which checks for the SAP UID and then grants the SSO2. You can see the exact setup on the following link:

Link to SAP Help documentation: http://help.sap.com/saphelp_nw70/helpdata/en/d0/a3d940c2653126e10000000a1550b0/frameset.htm

Thanks for your input.

Jan

0 Kudos

Hi Jan,

did you implement it that way now?

Would you please let me know about it, I am very interested in it. Post any documentation or way you configured it.

This would be very kind,

Chris

0 Kudos

Hi Christian,

Unfortunately we have not yet identified the correct technology/technique to get this in place as desired.

I will keep this post updated once a solution has been found.

Cheers,

Jan

0 Kudos

This way exists definitely, I already have it with SAP Gui HTML, actually working on it for windows gui ...

Regards,

Chris

0 Kudos

Working for me now, had the wrong port

0 Kudos

Hi Jan,

Referring to your response below: I am currently working on exactly the requirement below. Do you have any document that describes how to set up header request parameters in Apache that can be passed to the portal for HTTP header authentication? Please suggest.

Thanks

Aravind

The authentication is made on a SSO proxy server (Apache) that is in front of the Portal. After a successful match against the corp. directory the proxy passes the SAP UID within the header of the http request to the portal. On the Portal side the ticket stack has been extended by a HeaderVariableLoginModule which checks for the SAP UID and then grants the SSO2. You can see the exact setup on the following link:

Link to SAP Help documentation

Thanks for your input.

Jan
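
A sketch of the proxy side of the header-variable setup discussed in this thread, added here as an example and not taken from any poster's configuration or from SAP documentation. The header name X-SAP-UID, all host names, the port, the certificate paths, the LDAP URL and the choice of LDAP basic authentication are assumptions; `expr=` values in RequestHeader need Apache 2.4.10 or later.

```apache
# Added example: reverse proxy in front of the portal (all names are placeholders).
<VirtualHost *:443>
    ServerName sso.example.invalid

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/sso.example.invalid.pem
    SSLCertificateKeyFile /etc/ssl/private/sso.example.invalid.key

    # Drop any copy of the identity header that arrived from the client,
    # before the request is processed any further.
    RequestHeader unset X-SAP-UID early

    <Location "/">
        # Assumed authentication method: check the user against the
        # corporate directory over LDAPS.
        AuthType Basic
        AuthName "Corporate logon"
        AuthBasicProvider ldap
        AuthLDAPURL "ldaps://ldap.example.invalid/ou=people,dc=example,dc=invalid?uid"
        Require valid-user

        # Set the header only from the user name this proxy has verified.
        RequestHeader set X-SAP-UID "expr=%{REMOTE_USER}"
    </Location>

    # Forward to the portal over TLS so that the header and the SSO2 ticket
    # do not travel in clear text between proxy and portal.
    SSLProxyEngine on
    ProxyPass        "/" "https://portal.example.invalid:8443/"
    ProxyPassReverse "/" "https://portal.example.invalid:8443/"
</VirtualHost>
```

The HeaderVariableLoginModule trusts whatever value arrives in this header, so network access to the portal's HTTP(S) ports should be restricted to the proxy host.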