06-04-2010 9:43 AM
Hi to all,
I'm trying to use Windows Integrated Authentication for HTTP ABAP applications (BSP or ABAP Web Dynpro).
For this I use a SAP portal (EP 7.01) where Kerberos SPNEGO IWA has been successfully setup.
I just want to do a transparent redirect from the ABAP system to the portal, get the saplogon ticket from the portal and redirect back to the abap system.
My difficulty is that the Portal system is in a different windows domain from the ABAP systems.
I could make it work successfully by using the trick of installing a SAP Web dispatcher for the abap system on the portal server.
Therefore, the ABAP system seems to be in the same domain as the portal system and the saplogon ticket cookie generated from the portal is valid for the ABAP system.
Even if this solution works perfectly, I don't want to use it because we have several abap systems (ECC, R/3, SRM, CRM) and it would be too complicated to maintain by the externalised support team.
The right solution (in my opinion) is to use domain relaxing because there is a common part (company.country) at the end of both domains.
Therefore I have setup the UME property ume.logon.security.relax_domain_level = 4 with configtool on the portal.
It works fine: the saplogon ticket is now generated for the "company.country" part of both windows domains.
The problem now: a classical redirect application does not take into account this UME configuration.
It seems that we have to use the standard SAP logon servlet with the redirect syntax.
Something like
I get an error from the logon servlet telling that:
"cannot redirect to the requested application, the redirect parameter is invalid"
When looking at the source code, the logon servlet is not able to decrypt the redirect URL.
For this to work, I need to find out how to encrypt correctly the redirectURL and to setup the UME property
ume.logon.security.local_redirect_only = false
My problem is that I am not able to find any SAP documentation on the /logon/logonServlet application and neither on the ume.logon.security.local_redirect_only UME property.
I have checked with no success help.sap.com and OSS notes.
Does anyone know where to find documentation on these 2 subjects?
Regards,
Olivier
06-08-2010 9:25 AM
Hi Olivier,
Just to see if I understand your question, users arrive at the AS ABAP directly without authenticating first on the portal. You want to redirect them to the portal, authenticate with Kerberos, pick up their logon ticket and then redirect back to the ABAP application. Is this correct?
The only description I have of the property you name is "Enable only local redirects at logon (starting with "/")." You should be able to find this text when you view the property in the config tool.
-Michael
06-07-2010 2:55 PM
Hi
The following links may be helpful to you.
1) http://www.realtech.com/winternational/pdf/consulting/whitepaper/sap_single_sign-on_und_secure_connections_via_snc_adapter_basierend_auf_kerberosv5_en.pdf
2) http://help.sap.com/saphelp_nw04/helpdata/en/5e/6c85c3edf942f39349a1e337434d29/content.htm
Regards
Shan
06-07-2010 3:01 PM
Hi,
Thank you but I know these 2 documentations and they are not about my request.
Regards,
Olivier
06-08-2010 10:03 AM
Hi Michael,
>You want to redirect them to the portal, authenticate with kerberos, pick up their logon ticket and then redirect back to the ABAP application. Is this correct?
Yes, exactly and this works perfectly if the portal server and the ABAP server are in the same DNS domain (which is also the windows domain).
When the servers are in different domains but there is a common part in the different domains, the solution is to use domain relaxing.
The problem as I understand it now is that domain relaxing is a UME property and most redirection applications don't use UME authentication but web container authentication. Web container authenticated applications don't manage domain relaxing.
That is why I try to use the SAP standard logon servlet, but it now (since SP level ??) needs the redirection URL to be encrypted by an algorithm unknown to me.
I have changed the value for local redirect only in config tool and finally it seems that the problem does not come from it.
My current conclusion is that I need to find a redirection application using UME authentication.
Thanks anyway.
Olivier
06-08-2010 1:21 PM
Let me ask around a little bit and see what I can find out. I spoke to a colleague of mine and he was expecting that the redirect URL is simply URL encoded. Let me see if I can get him to look closer at your problem.
To be provocative, why do you direct users directly to the AS ABAP? Wouldn't it be simpler if you ensured that your users started at the portal and then went to the application on the AS ABAP?
-Michael
06-08-2010 2:50 PM
Hi again,
>why do you direct users directly to the AS ABAP? Wouldn't it be simpler if you ensured that your users started at the portal and then went to the application on the AS ABAP?
Our case is for ABAP applications (BSP or Web Dynpros) which are NOT integrated as iViews in the portal. The portal is just used as a J2EE engine for Kerberos authentication and MYSAPSSO2 cookie generation, because SAP did not implement IWA for the ABAP stack. (I don't see why it would not have been technically possible...)
These applications are not integrated in the SAP portal because it has no functional meaning. Some other ABAP applications will of course be integrated as iViews and we don't have any problems for them because, in that case, domain relaxing works correctly.
Regards,
Olivier
06-10-2010 10:01 AM
Well, I close the question because I think there is no official documentation on these very specific items and it seems that my problem comes from a bug: I get 2 domains in my MYSAPSSO2 cookie (domain and Domain!), one domain OK with domain relaxing and one KO with domain relaxing. I may open a message with SAP support...
Regards,
Olivier
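The three mechanics this thread turns on (a ticket cookie relaxed to the common DNS suffix of the portal and ABAP hosts, a browser deciding whether that cookie is sent to the ABAP host, and the "only local redirects (starting with '/')" rule behind ume.logon.security.local_redirect_only) can be checked offline with the helpers below. This is an added example written for this thread, not SAP code; the host names and the Set-Cookie header are constructed, and the duplicate-Domain check only mirrors the symptom Olivier reported (a cookie carrying both "domain" and "Domain"). It does not reproduce the UME relax_domain_level semantics; it simply takes the longest shared suffix.

```python
"""Cookie-scope and redirect checks for a cross-domain logon-ticket setup.

Added example, not SAP's own code. All host names and header values below
are constructed for illustration."""
import re
from typing import List, Optional


def common_cookie_domain(host_a: str, host_b: str, min_labels: int = 2) -> Optional[str]:
    """Longest DNS suffix shared by both hosts, i.e. the narrowest cookie
    domain that still reaches both. Returns None when that suffix has fewer
    than min_labels labels, so a ticket is never relaxed to a bare TLD."""
    a = host_a.lower().rstrip(".").split(".")
    b = host_b.lower().rstrip(".").split(".")
    common = []
    for x, y in zip(reversed(a), reversed(b)):
        if x != y:
            break
        common.append(x)
    if len(common) < min_labels:
        return None
    return ".".join(reversed(common))


def cookie_domain_matches(cookie_domain: str, host: str) -> bool:
    """RFC 6265 domain matching: the browser sends the cookie to host when
    host equals the cookie domain or ends with '.' + cookie domain."""
    d = cookie_domain.lower().lstrip(".")
    h = host.lower().rstrip(".")
    return h == d or h.endswith("." + d)


def set_cookie_domains(set_cookie: str) -> List[str]:
    """Every Domain= attribute in a Set-Cookie header, matched case-
    insensitively. A well-formed header carries at most one; two or more
    (e.g. 'domain=' and 'Domain=') is the defect described in the thread."""
    return re.findall(r";\s*domain=([^;\s]+)", set_cookie, flags=re.IGNORECASE)


def is_local_redirect(target: str) -> bool:
    """The rule behind 'Enable only local redirects at logon (starting
    with "/")': accept a single-slash path and reject anything a browser
    could treat as another host ('//host', '/\\host', 'scheme:', spaces)."""
    if not target.startswith("/") or any(c.isspace() for c in target):
        return False
    return len(target) == 1 or target[1] not in "/\\"


if __name__ == "__main__":
    portal, ecc = "portal.domaina.company.country", "ecc.domainb.company.country"
    relaxed = common_cookie_domain(portal, ecc)
    print("relaxed cookie domain:", relaxed, "reaches ECC:", cookie_domain_matches(relaxed, ecc))
    hdr = "MYSAPSSO2=AjExMDAgQUJD; domain=company.country; Domain=domaina.company.country; path=/"
    print("Domain attributes found:", set_cookie_domains(hdr))
    for t in ("/sap/bc/bsp/app", "//evil.example/x", "http://evil.example"):
        print(t, "->", is_local_redirect(t))
```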
02-15-2011 8:27 AM
Hi Olivier,
I don't know exactly how you use or reach the portal when you access the applications on the ABAP system directly,
but maybe the following trick is helpful for you. I also have the situation that the portal is running under a different domain than the ABAP systems, but in my case the ABAP applications are inserted in the portal via iViews.
I solved it in the following way:
1. Create a DNS alias for the portal system in the same domain as the ABAP systems.
2. Follow the steps under: http://help.sap.com/saphelp_nw70/helpdata/en/e0/fa984050a13354e10000000a1550b0/frameset.htm
and put the newly created DNS alias of the portal in "ume.login.mdc.hosts".
After that you can open the portal in the "old" domain and in the background it will connect to itself (under the second domain) and also generate an SSO ticket for the second domain. And now the ABAP systems should be able to find this second ticket.
I hope this helps
Jens