cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

GRC CUP AE Authentication and Redirection

Former Member

on ‎05-17-2010 9:11 AM

0 Kudos

I have a scenario where i need to navigate directly to a link on the left navigation page of the AE app launched via index_apr.jsp.

Link is called: scrLeftNav.roleReaffirm.do

Issue that i have is that it appears that i need to first go to the index_apr.jsp page for authentication to kick in.

given we have SSO turned on, it works nicely and the user goes straight into the AE application, however then you have to manually click on the link on the left navigation to go to the intended target jsp.

I was wondering if the index_apr.jsp does support some redirection after it's done the authentication.

eg: something like .../AE/index_apr.jsp?Redirect=scrLeftNav.do

If i try and go directly to .../AE/scrLeftNav.roleReaffirm.do then it terminates as it appears it cant authenticate the user.

Am i missing something or is there no way to do this.

Only way i can think of for now is to write a custom component that would authenticate to /AE/ app and then redirect to scrLeftNav.roleReaffirm.do link.

Any help is greatly appreciated.

Regards

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (3)

Answers (3)

Former Member
‎06-30-2010 11:50 AM
0 Kudos

Hi all,

After some really good hints from harleen, i have gone down the track of writing a custom redirector to be able to SSO into any AE application link.

Approach i have taken is..

1. Have a simple JSP on a standalone Web App, configured for SPNEGO/SSOLogonTickets

2. Try to make a connection to the .../AE/index_apr.jsp application using HttpURLConnection

3. Then do a resonse.sendredirect to the .../AE/scrLeftNav.roleReaffirm.do app link

End Result is that the navigation to .../AE/scrLeftNav.roleReaffirm.do still fails.

Things that i have tried...

2. Try to make a connection to the .../AE/index_apr.jsp application using HttpURLConnection

I have set the cookies to include the MYSAPSSO2 cookie, making sure that the SSO happens to .../AE/index_apr.jsp

HttpURLConnection ResponseCode returned by HttpURLConnection is 200 and it appears that the connection should have worked.

HttpURLConnection Response also returns new JSESSIONID so a session did get created anyway.

3. Then do a resonse.sendredirect to the .../AE/scrLeftNav.roleReaffirm.do app link

Now, i set cookies on the response within the jsp request.

I have tried setting the cookies to include the original JSESSIONID or JSESSIONID returned from the HttpURLConnection Response as well as MYSAPSSO2 cookie.

I would have thought that this should have worked but it hasn't so far.

Any thoughts from anyone on this will be lovely.

Show replies
Show replies
hkaur
Advisor
Advisor
‎05-18-2010 9:49 AM
0 Kudos

Hi Sumant,

Single Sign on with CUP will work only for the ..../AE/index_apr.jsp . You will need to write a custom component for SSO to work for the .../AE/scrLeftNav.roleReaffirm.do. By default with SSO redirect method you can only configure SSO only with the index.jsp page.

Thanks

Harleen

Show replies
Show replies
Former Member
‎05-18-2010 12:10 PM
0 Kudos

Hi harleen,

Many thanks for confirming that. That's what i was thinking i might have to do. I presume that you work on GRC for SAP itself so you would have better understanding of how it's been developed in the first place. Now, given this is a SAP delivered application, i would think that we as a customer probably dont make any changes to the standard functionality but am happy to be guided by you for possible options and how to go about making this happen.

I shall have more detailed look into the application now. Is there any technical documentation on the CUP application itself that would be quite helpful. Any of your thoughts would be highly appreciable.

Just to throw some more light on how we are currently using GRC....

We have GRC running on its own producer portal and is consumed on our main portal via federation.

Requirement is now to start to expose certain/specific services/components of the GRC application to the Portal Users, hence the requirement.

It sounds like we can't do that out of the box.

Regards

Sumant

Former Member
‎05-18-2010 3:48 PM
0 Kudos

Hi Sumant,

Following is a link to the Accelerator on "Single Sign-On with SAP BusinessObjects Access Control 5.3".

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/a010ef38-7be4-2b10-66a5-85d58b2be...

Best Regards,

Sirish Gullapalli.

sumant_gupta2
Discoverer
‎05-18-2010 10:00 PM
0 Kudos

Hi Sirish,

I have been to this lovely document by harleen and it confirms the mechanism for SSO to CUP, which seems to be the JAAS ticket module implemenation, much the same as what /IRJ/ has. So that's more a J2EE standard and not specific to the AE app.

I am not sure of what are the AE specific authentication elements involved in this case as generally if i write a custom J2EE app and apply the JAAS ticket module to it then SSO kicks in automatically and the user credentials are established on the request for the app to use.

I guess, the issue is not so much SSO to CUP, because that is currently setup and working just fine except the issue that it appears, and has been confirmed by harleen, that the functionality for SSO authentication only kicks in if you call the .../AE/index_apr.jsp not if you call some other jsp page directly, which is a subcomponent of the ../AE/ app........ I am not a 100% sure on certain things as it currently stands but now armed with this information, i need to spend a bit more time on this app and its authentication first before i can come back with any more questions or feedback. many thanks for all the help from you all. I will be back very soon.

I may be missing the point completely so please feel free to correct me.

Former Member
‎05-18-2010 10:14 PM
0 Kudos

Hi Sumant,

I think you are on target and not missing any point. I also want to send just the role reaffirm link to approvers. Even if they need to login again, I am fine with it. As long as they can directly open role reaffirm link. I have not been able to implement this and they still to go through CUP link and click on role reaffirm link from the left hand menu. If you figure this out, please let us know.

Alpesh

sunny_pahuja2
Active Contributor
‎05-17-2010 10:36 AM
0 Kudos

Hi,

You can create iview page of this link and assign to user. Then try.

Thanks

Sunny

Show replies
Show replies
Former Member
‎05-18-2010 2:12 AM
0 Kudos

Hi Sunny,

Thanks for the info however i am not quite sure what you mean.

I would have thought that iView is just a container to a URL, in this instance anyway, so it's not going to do any auto redirection unless the application supports a rediretion anyway.

I guess, to throw a bit more light...

The way i see it...

1. You have to go to the .../AE/index_apr.jsp for authentication to kick in.

2. Once you have authenticated yourself via /AE/index_apr.jsp then i can change the URL in that very session to navigate to any other navigation jsp. In otherwords, once i am authenticated onto the AE applicaiton via ../AE/index_apr.jsp, then i could change the URL, manually, to .../AE/scrLeftNav.roleReaffirm.do and it takes me to the correct location, which is my inteneded location from start.

3. If i don't go to .../AE/index_apr.jsp instead try going to .../AE/scrLeftNav.roleReaffirm.do directly then it appears that i can't authenticate to the application and throws me to an exception page.

Essentially, the GRC CUP app is configured for SSO, hence when i create an iView pointing to the .../AE/index_apr.jsp then it works perfectly fine but for me in want to SSO into .../AE/scrLeftNav.roleReaffirm.do without any user intervention and from what i can see for this to happen, there has to be a redirection somehow.

Any thoughts or clarifications are most welcome.

Ask a Question