
SSO needed for ABAP (SNC) and JAVA (SPNego)

ross_anderson2
Explorer
0 Kudos

EDIT: Why is the formatting not conserved?? There should be spaces in between paragraphs.

Yes, another SSO thread .. sorry. I have read through about 100 SSO threads but haven't found exactly what I needed yet.

(Deep breath) Here is our situation : we currently use SAP GUI to access ABAP and this is using SSO (SNC), which works great. The SAP users in ABAP are mapped to AD users using SNC. I think this is what SAP refers to as ABAP "synchronizing" with our directory service.

Trouble is, we have now started using Web Analyzer (BI) and Adobe Forms, both of which are Java side apps (or at least are run via a browser and do authentication via Netweaver). We would like these apps to also do SSO, however, I know SSO on the Java side works differently so there are a lot of different options for doing this. Normal authentication (ie. manually entering SAP/ABAP side credentials in the browser) works, by the way (as it should since our UME points to ABAP as its data source).

Eventually, we intend to use an Enterprise Portal to tie everything together and use SAPLogonTickets, which is the SAP recommended method for complex landscapes, if I understand correctly. Right now, though, we need an interim SSO solution until EP can be set up.

Thus, I have a few specific questions for all of the SAP gurus out there.

1) The main problem at the moment is that we already point the Java side UME over to ABAP as the data source (ie. dataSourceConfiguration_abap.xml), so changing this seems to be a huge no-no (as I have read in documentation). When I change the datasource to point to our LDAP source (AD) the JAVA server0 process will not start and the error is :

[Thr 14492] Wed Aug 19 07:06:36 2009

[Thr 14492] JLaunchIExitJava: exit hook is called (rc = -11113)

      • ERROR => The Java VM terminated with a non-zero exit code.

      • Please see SAP Note 943602 , section 'J2EE Engine exit codes'

      • for additional information and trouble shooting.

The only thing I can figure is that changing from an abap data source to anything else is just not possible, or there are other references to abap users in the java side config which is causing the server process to fail. (I've seen a few people have this same issue but each time it was a credentials problem; ie j2ee_guest password wasn't right or something like that; plus, they weren't going from an abap data source over to ads)

In order to run the SPNego Wizard (to enable SSO on the Java side using Windows credentials) the java processes obviously need to be up. Interestingly, I can still modify the "UME LDAP Data" and can successfully authenticate to our backend AD servers, however, none of this really matters if the Java processes aren't running.

2) Is it possible to have the Java side reference the ABAP side users for SSO (since our UME already points to abap as the data source)? In other words, could someone running a Java side app (in a browser, for example) pass their AD credentials, Java pass them onto ABAP, ABAP does the SNC mapping and verifies credentials via AD, and then pass back this verification to Java so that the user is automatically logged in? Effectively we'd just be bypassing the need for Java to explicitly point to AD by itself.

I don't think this is even possible but just wanted to throw it out there. I mean, you can use your abap credentials to log into the java side (again, since abap is the ume data source) but that's a bit different obviously because java is sending sap credentials over to abap, not windows network credentials.

3) If we do have to end up reloading the system so that we can go back to the default UME data source (ie. dataSourceConfiguration_database_only) and then consequently on to the ldap data source (ie. dataSourceConfiguration_ads_readonly_db_with_krb5.xml), can we still reference the R3 (ABAP) roles even when doing SSO against our directory service?

For example, when we log into an Adobe Form, the authentication happens and the R3/Abap roles are checked to see what should be available on the adobe form. Once we start pointing to our directory service for java side authentication I'm afraid the role validation will no longer work. I see a java property called ume.persistence.data_source_configuration and I'm wondering if that is how you do that.

If not, how do you handle that role security once abap is no longer the UME data source? The abap side roles really have to be used because that's how the permissions for the adobe forms are handled.

Ok, that is all for now --- sorry for the seriously verbose description but I know these are complex questions and responders generally will ask for more details, so please let me know if I can provide any more input.

Thanks in advance!!

Ross

Edited by: Ross Anderson on Aug 19, 2009 1:52 PM

Accepted Solutions (0)

Answers (1)

ross_anderson2
Explorer
0 Kudos

Can someone tell me why my post doesn't show up as I typed it? All of the carriage returns were removed so that it's one big paragraph (that is impossible to read).

Former Member
0 Kudos

Hi,

> Can someone tell me why my post doesn't show up as I typed it? All of the carriage returns were removed so that it's one big paragraph (that is impossible to read).

Because your post is too long.

Because the performance of the java forum software is very bad, the forum admins had to disable the paragraph formatting of "long" messages to keep "acceptable" response times.

This is such good advertising for Jive software and the j2ee engine...

Olivier