11-10-2009 9:19 PM
Hello Everyone,
We are planning to implement SSO to all SAP systems in our landscape which include BW, BI, EP, R/3, SRM etc from enterprise portal. One of the biggest challenges that we foresee in implementing SSO is to overcome the eSignature functionality that is required in many of the SAP applications on R/3 like in QM, Batch management, Plant maintenance etc. We would want the authentication to the EP for SSO to be done with the Windows password. Authentication to all other systems would be based on login tickets issued by the EP. Due to very stringent password policies we cannot allow the parameters for password expiration to be changed. Neither can we change the user types.
Is it possible to activate the authentication for eSignatures to be based on the Windows password? If so, how?
Thanks everyone for your inputs in advance.
Regards,
Subbu
11-10-2009 11:11 PM
Subbu,
Hi. I am familiar with this problem, when ABAP applications are involved and I am aware of some solutions (short and long term). From your message it is not clear to me if you are referring to applications running on Java stack or ABAP stack - can you confirm?
Basically, when Windows user authentication is used for SSO the SAP password is not used and normally deactivated so eSignature code in SAP apps will not work - they assume you have a SAP password. I understand this will be changed in future release of SAP software, but short term you might have to modify the SAP application code to use LDAP auth when checking the password of user entered during the eSignature check.
Thanks,
Tim
11-11-2009 10:02 AM
"Hi. I am familiar with this problem, when ABAP applications are involved and I am aware of some solutions (short and long term). From your message it is not clear to me if you are referring to applications running on Java stack or ABAP stack - can you confirm?"
Yes, I am referring to SSO from Enterprise portal to ABAP applications using eSignature. Please can you suggest one of the solutions that you are familiar with for this problem. I have searched the forums on SDN and the internet, but was not able to find a concrete solution.
"Basically, when Windows user authentication is used for SSO the SAP password is not used and normally deactivated so eSignature code in SAP apps will not work - they assume you have a SAP password"
We would use Windows password to authenticate to the enterprise portal, but we do not intend to deactivate the SAP password. It will continue to remain active but maybe expired.
Regards,
Subbu
11-11-2009 10:17 AM
Subbu,
I am aware of many companies who are waiting for SAP to improve the product so that it is possible to configure LDAP authentication (so that Active Directory can be used to check password when eSignature is required) in the ABAP code. Some customers who have not been able to wait for SAP to improve the product have modified the ABAP code to call LDAP SIMPLE BIND when checking the password - this might be acceptable to you. Anyway, I suggest you open a message with SAP and make them aware that you are also interested in this enhancement - it will help the business case if you do. I believe so far about 20 companies have asked for same enhancement, but there must be more that need it.
I suggest you visit the security wishlist wiki page in SDN which is specific to this issue. You can find it at http://wiki.sdn.sap.com/wiki/display/Security/ElectronicSignatureextendedtoLDAPforSSO
Please visit this wiki and add comments, mentioning that you need this functionality - it will help.
Thanks again,
Tim
Edited by: Tim Alsop on Nov 11, 2009 10:29 AM
11-11-2009 11:06 AM
Hello Tim,
Thanks for the inputs. I shall check this with our development team if this works.
I have also posted on WIKI.
Thanks again.
Regards,
Subbu.
PS : Also, if possible can you also propose any other feasible solutions. It would be nice to have more than one choice. We are also thinking in terms of using third party solutions.
11-11-2009 12:22 PM
We had the same problem.
Given the choice of creating our own function and changing all the SAP transactions, or, modifying the SAP function for all transactions which use it... we went for the second option and gave the code to SAP as something to start with in the development request (which resulted in the above wiki which Tim has mentioned).
If you search for "SSFT_PPPI_SIGN" (the name of the function) here and in the ABAP forums, then you will find more infos on this.
Cheers and thanks for supporting the request,
Julius
11-11-2009 3:04 PM
Thank you Julius. Your suggestion did lead me to a thread where the OP has confirmed that the solution has worked. I could not study it in detail but will do during the weekend.
If we are able to devise a foolproof solution, I shall post it as a WIKI or maybe close the thread with it.
Thanks Julius and Tim.
Regards,
Subbu
01-02-2010 4:56 PM
Hello All,
Thanks for all your valuable inputs. We have finally been able to find a solution to the problem by connecting the SAP system to LDAP and by modifying the program for eSignature to call the function module LDAP_SIMPLEBIND. However, this change requires a modification to the standard program.
Thanks once again to all of you especially Tim and Julius.
Regards,
Subbu
01-02-2010 10:14 PM
A little tip: Check the persistence of the cookie if someone is to approve more than one document...
Cheers,
Julius
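The fix the thread settles on checks the eSignature password with an LDAP simple bind. The Python sketch below is an added example, not code from any poster or from SAP: it encodes the LDAPv3 BindRequest to show that the password travels as plain bytes, and applies two checks a signature step needs before it binds (encrypted transport, non-empty password). All function names and the sample DN and password are constructed for illustration.

```python
# Added illustration; function names are hypothetical, not SAP or AD code.

def _tlv(tag: int, value: bytes) -> bytes:
    """BER tag-length-value with definite length (short or long form)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + value


def encode_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """LDAPv3 BindRequest with 'simple' authentication (RFC 4511, 4.2)."""
    if not 0 < message_id < 128:            # keep the INTEGER to one byte
        raise ValueError("message_id must be 1..127 in this sketch")
    bind = _tlv(0x60,                        # [APPLICATION 0] BindRequest
                _tlv(0x02, b"\x03")          # version = 3
                + _tlv(0x04, dn.encode())    # name (bind DN)
                + _tlv(0x80, password.encode()))  # simple: the raw password
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + bind)


def bind_kind(dn: str, password: str) -> str:
    """Classify a simple bind per RFC 4513, section 5.1."""
    if password == "":
        return "anonymous" if dn == "" else "unauthenticated"
    return "name/password" if dn else "malformed"


def may_verify_signature(signer_dn: str, password: str, tls: bool):
    """Pre-bind checks; returns (ok, reason). Bind only when ok is True."""
    if not tls:
        return False, "password would cross the network in clear text"
    if bind_kind(signer_dn, password) != "name/password":
        return False, "no password check: server may still answer success"
    return True, "ok"


# Constructed sample values, not taken from the thread.
SAMPLE_DN = "CN=Example User,OU=Staff,DC=example,DC=test"
SAMPLE_PW = "S3cret-constructed"

if __name__ == "__main__":
    print(encode_simple_bind(1, SAMPLE_DN, SAMPLE_PW).hex())
    print(may_verify_signature(SAMPLE_DN, "", tls=True))
```

An empty password with a valid DN is an unauthenticated bind, which a directory server may accept with a success result, so a signature check that treats "bind succeeded" as "password verified" has to reject the empty input itself.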