Where to find documentation on SSO issues?

Former Member

Hi to all,

I'm trying to use Windows Integrated Authentication for HTTP ABAP applications (BSP or ABAP Web Dynpro).

For this I use a SAP portal (EP 7.01) where Kerberos SPNEGO IWA has been successfully setup.

I just want to do a transparent redirect from the ABAP system to the portal, get the saplogon ticket from the portal and redirect back to the abap system.

My difficulty is that the Portal system is in a different windows domain from the ABAP systems.

I could make it work successfully by using the trick of installing a SAP Web dispatcher for the abap system on the portal server.

Therefore, the ABAP system seems to be in the same domain as the portal system and the saplogon ticket cookie generated by the portal is valid for the ABAP system.

Even if this solution works perfectly, I don't want to use it because we have several abap systems (ECC, R/3, SRM, CRM) and it would be too complicated to maintain by the externalised support team.

The right solution (in my opinion) is to use domain relaxing because there is a common part (company.country) at the end of both domains.

Therefore I have setup the UME property ume.logon.security.relax_domain_level = 4 with configtool on the portal.

It works fine: the saplogon ticket is now generated for the "company.country" part of both windows domains.

The problem now: a classical redirect application does not take this UME configuration into account.

It seems that we have to use the standard SAP logon servlet with the redirect syntax.

Something like

http://portalserver.xxx.xxx.company.country:50000/logon/logonServlet?redirectURL=xxxxxxxxxxxxxxxxxxx...

I get an error from the logon servlet telling that:

"cannot redirect to the requested application, the redirect parameter is invalid"

When looking at the source code, the logon servlet is not able to decrypt the redirect URL.

For this to work, I need to find out how to encrypt correctly the redirectURL and to setup the UME property

ume.logon.security.local_redirect_only = false

My problem is that I am not able to find any SAP documentation on the /logon/logonServlet application and neither on the ume.logon.security.local_redirect_only UME property.

I have checked with no success help.sap.com and OSS notes.

Does anyone know where to find documentation on these 2 subjects?

Regards,

Olivier
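The post above relies on the cookie domain of the logon ticket being "relaxed" to a suffix shared by both Windows domains, so that one MYSAPSSO2 cookie is sent to hosts in either of them. The following added example (not code from the thread or from SAP) models that behaviour: a relaxation step and the browser's domain-matching rule from RFC 6265 section 5.1.3. How SAP maps the numeric value of ume.logon.security.relax_domain_level onto host-name labels is an assumption here; the thread only states that the result in this case is a cookie domain of "company.country". The host names are constructed.

```python
from typing import Iterable

# Constructed host names standing in for the thread's two Windows domains
# (doma and domb are placeholders; the shared suffix is "company.country").
PORTAL_HOST = "portalserver.doma.sub.company.country"
ABAP_HOSTS = ("abap01.domb.company.country", "abap02.domb.company.country")


def relax_domain(fqdn: str, strip_labels: int, min_labels: int = 2) -> str:
    """Return the cookie domain obtained by dropping `strip_labels` leading
    labels from the issuing host's FQDN (assumed model of UME domain relaxing).

    `min_labels` is a safety floor: relaxing down to a single label such as
    "country" would make the ticket cookie a public-suffix cookie, which
    browsers reject and which would otherwise expose the ticket to every host
    under that top-level domain.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    if strip_labels < 1:
        raise ValueError("strip_labels must be at least 1")
    remaining = labels[strip_labels:]
    if len(remaining) < min_labels:
        raise ValueError(
            f"relaxing {fqdn} by {strip_labels} labels leaves {remaining}, "
            f"fewer than the {min_labels}-label floor"
        )
    return ".".join(remaining)


def cookie_domain_matches(cookie_domain: str, request_host: str) -> bool:
    """RFC 6265 domain matching: the request host is the cookie domain itself
    or ends with '.' + cookie domain (a leading dot on the attribute is ignored).
    The explicit '.' guard is what stops "company.country" from matching a
    look-alike host such as "evilcompany.country".
    """
    domain = cookie_domain.lower().lstrip(".")
    host = request_host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def hosts_receiving_ticket(cookie_domain: str, hosts: Iterable[str]) -> list:
    """List which of `hosts` the browser would send a ticket cookie to."""
    return [h for h in hosts if cookie_domain_matches(cookie_domain, h)]


if __name__ == "__main__":
    # Without relaxing, the cookie is scoped to the portal host only.
    print(hosts_receiving_ticket(PORTAL_HOST, ABAP_HOSTS))            # []
    # Relaxed to the shared suffix, both ABAP hosts receive it.
    relaxed = relax_domain(PORTAL_HOST, 3)
    print(relaxed, hosts_receiving_ticket(relaxed, ABAP_HOSTS))
```

The practical check this gives an administrator is twofold: confirm that the relaxed domain still matches every ABAP host that needs the ticket, and confirm that it has not been relaxed so far that the ticket would leave the organisation's own name space.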


Former Member

Hi

The following links may be helpful to you.

1) http://www.realtech.com/winternational/pdf/consulting/whitepaper/sap_single_sign-on_und_secure_connections_via_snc_adapter_basierend_auf_kerberosv5_en.pdf

2) http://help.sap.com/saphelp_nw04/helpdata/en/5e/6c85c3edf942f39349a1e337434d29/content.htm

Regards

Shan


Hi,

Thank you but I know these 2 documentations and they are not about my request.

Regards,

Olivier

MichaelShea (Advisor, accepted solution)

Hi Olivier,

Just to see if I understand your question, users arrive at the AS ABAP directly without authenticating first on the portal. You want to redirect them to the portal, authenticate with kerberos, pick up their logon ticket and then redirect back to the ABAP application. Is this correct?

The only description I have of the property you name is "Enable only local redirects at logon (starting with "/")." You should be able to find this text when you view the property in the config tool.

-Michael
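The property description quoted above, "Enable only local redirects at logon (starting with "/")", describes an open-redirect defence: with it enabled the logon servlet will only send the browser back to a path on the logon host itself. The following added example (not SAP's code, and not how the servlet is implemented) shows the two checks a practitioner would want when deciding whether to switch that behaviour off: a strict "local path" test, and, for the non-local case the thread needs, an allowlist of the ABAP hosts that may receive the ticket. Host names and the allowlist are constructed.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the ABAP systems that are legitimate post-logon
# targets when non-local redirects are permitted.
TRUSTED_REDIRECT_HOSTS = frozenset({
    "abap01.domb.company.country",
    "abap02.domb.company.country",
})


def is_local_redirect(target: str) -> bool:
    """True only for a path on the logon server itself.

    A single leading '/' is required; '//host' and '/\\host' are rejected
    because browsers treat them as scheme-relative URLs to another host.
    """
    if not target.startswith("/"):
        return False
    if target.startswith("//") or target.startswith("/\\"):
        return False
    parts = urlsplit(target)
    return parts.scheme == "" and parts.netloc == ""


def is_allowed_redirect(target: str, local_only: bool,
                        trusted_hosts=TRUSTED_REDIRECT_HOSTS) -> bool:
    """Decide whether `target` may be used as a post-logon redirect.

    local_only=True mirrors ume.logon.security.local_redirect_only=true:
    only local paths pass. With local_only=False an absolute http(s) URL is
    accepted only if its host (parsed, so 'trusted@evil' tricks do not help)
    is on the allowlist.
    """
    if is_local_redirect(target):
        return True
    if local_only:
        return False
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https"):
        return False
    return parts.hostname is not None and parts.hostname in trusted_hosts


if __name__ == "__main__":
    samples = [
        "/sap/bc/bsp/sap/zapp/start.htm",
        "//evil.example/",
        "http://abap01.domb.company.country/sap/bc/webdynpro/sap/zapp",
        "http://abap01.domb.company.country@evil.example/",
    ]
    for s in samples:
        print(f"{s!r}: local_only={is_allowed_redirect(s, True)} "
              f"allowlist={is_allowed_redirect(s, False)}")
```

The point for the thread's scenario is that setting local_redirect_only to false on its own turns the logon servlet into an unrestricted redirector for anyone who can craft a logon link; the allowlist branch is the compensating control that keeps the issued ticket flowing only to the intended ABAP systems.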


Hi Michael,

>You want to redirect them to the portal, authenticate with kerberos, pick up their logon ticket and then redirect back to the ABAP application. Is this correct?

Yes, exactly and this works perfectly if the portal server and the ABAP server are in the same DNS domain (which is also the windows domain).

When the servers are in different domains but there is a common part in the different domains, the solution is to use domain relaxing.

The problem as I understand it now is that domain relaxing is a UME property and most redirection applications don't use UME authentication but web container authentication. Web container authenticated applications don't manage domain relaxing.

That is why I try to use the SAP standard logon servlet, but it now (since SP level ??) needs the redirection URL to be encrypted by an algorithm unknown to me.

I have changed the value for local redirect only in config tool and finally it seems that the problem does not come from it.

My current conclusion is that I need to find a redirection application using UME authentication.

Thanks anyway.

Olivier


Let me ask around a little bit and see what I can find out. I spoke to a colleague of mine and he was expecting that the redirect URL is simply URL encoded. Let me see if I can get him to look closer at your problem.

To be provocative, why do you direct users directly to the AS ABAP? Wouldn't it be simpler if you ensured that your users started at the portal and then went to the application on the AS ABAP?

-Michael


Hi again,

>why do you direct users directly to the AS ABAP? Wouldn't it be simpler if you ensured that your users started at the portal and then went to the application on the AS ABAP?

Our case is for ABAP applications (BSP or Web Dynpros) which are NOT integrated as iViews in the portal. The portal is just used as a J2EE engine for Kerberos authentication and MYSAPSSO2 cookie generation, because SAP did not implement IWA for the ABAP stack. (I don't see why it would not have been technically possible...)

These applications are not integrated in the SAP portal because it has no functional meaning. Some other ABAP applications will of course be integrated as iViews and we don't have any problems for them because, in that case, domain relaxing works correctly.

Regards,

Olivier


Well, I close the question because I think there is no official documentation on these very specific items and it seems that my problem comes from a bug: I get 2 domains in my MYSAPSSO2 cookie (domain and Domain!), one domain OK with domain relaxing and one KO with domain relaxing. I may open a message with SAP support...

Regards,

Olivier


Hi Olivier,

I don't know exactly how you use or reach the portal when you access the applications on the ABAP system directly, but maybe the following trick is helpful for you. In my setup the portal also runs under a different domain than the ABAP systems, but in my case the ABAP applications are inserted into the portal via iViews.

I solved it in the following way:

1. Create a DNS alias for the portal system in the same domain as the ABAP systems.

2. Follow the steps under http://help.sap.com/saphelp_nw70/helpdata/en/e0/fa984050a13354e10000000a1550b0/frameset.htm and put the newly created DNS alias of the portal in "ume.login.mdc.hosts".

After that you can open the portal in the "old" domain and in the background it will also connect to itself under the second domain and generate an SSO ticket for the second domain as well. The ABAP systems should then be able to find this second ticket.

I hope this helps

Jens