on 10-22-2004 2:41 PM
hello,
I tried to implement SSO for R/3 System via ITS but it doesn't work. Can you help me?
my Config:
global.srvc on the ITS system:
~routestring
~messageserver
~logingroup
~systemname DIA
~appserver bilbo.it-motive.de
~systemnumber 00
~client
~login
~password
~mysapcomusesso2cookie 1
~language
~timeout 60
~usertimeout 24
~theme 99
~runtimemode dm
~cookies 1
~multiinstanceservices 1
~urlarchive /scripts/sapawl.dll
~urlimage /sap/its/graphics
~urlmime /sap/its/mimes
~exiturl http://itmportal:50000/irj
~clientcert 1
~hostunsecure bilbo.it-motive.de
~portunsecure 8080
~hostsecure bilbo.it-motive.de
~portsecure 443
~xgateways sapdiag,sapxgwfc,sapxginet,sapxgbc,sapxgadm,sapextauth
~xgateway sapdiag
##################################################
SSO2 Transaction (R/3 System ) output:
Workplace
R/3-System DIA Mandant 026
Workplace-Zertifikat
Inhaber CN=C11
Aussteller CN=C11
Seriennummer 00
Prüfsumme
Profilparameter login/create_sso2_ticket = 0
Der Workplace DIA erzeugt keine SSO-Tickets.
Das Workplace-Zertifikat von DIA ist in der Zertifikatsliste des Systemes DIA enthalten.
SSO-Tickets des Workplace DIA werden vom System DIA akzeptiert.
-
Eigene Systemdaten
R/3-System DIA Mandant 026
Profilparameter login/accept_sso2_ticket = 1
SSO-Tickets werden akzeptiert
Zertifikatsliste
Mit der Zertifikatsliste wird die Digitale Signatur des SSO-Tickets auf Gültigkeit geprüft.
D:\usr\sap\DIA\DVEBMGS00\sec\SAPSYS.pse
Inhaber CN=C11
Aussteller CN=C11
Seriennummer 00
Dies ist das Workplace-Zertifikat
Inhaber CN=Portal EP 5.0
Aussteller CN=Portal EP 5.0
Seriennummer 00
Inhaber CN=EP6, OU=ITM, OU=EnterprisePortal, O=SAP Trust Community, C=DE
Aussteller CN=EP6, OU=ITM, OU=EnterprisePortal, O=SAP Trust Community, C=DE
Seriennummer 00
Systeme deren SSO-Tickets von DIA akzeptiert werden.
Die Access-Control-Liste definiert, von welchen Workplace Systemen SSO-Tickets zur Anmeldung akzeptiert werden.
Tabelle TWPSSO2ACL
R/3-System DIA Mandant 026
Inhaber CN=C11
Aussteller CN=C11
Seriennummer 00
Dies ist das Workplace-Zertifikat
R/3-System EP5 Mandant 026
Inhaber CN=Portal EP 5.0
Aussteller CN=Portal EP 5.0
Seriennummer 00
R/3-System EP6 Mandant 000
Inhaber CN=EP6, OU=ITM, OU=EnterprisePortal, O=SAP Trust Community, C=DE
Aussteller CN=EP6, OU=ITM, OU=EnterprisePortal, O=SAP Trust Community, C=DE
Seriennummer 00
##################################################
Trace from transaction SM50:
Y *** ERROR => multiple DiagSetGuiConnectData call [diagext.c 570]
Y *** ERROR => multiple DiagSetGuiConnectData call [diagext.c 570]
M SsfParseCertificate(SUMMARY): Buffer too short (512 - 1443)
Y *** ERROR => multiple DiagSetGuiConnectData call [diagext.c 570]
#######################################################
MYSAPSSO2 session cookie will be created
#######################################################
User mapping data for R/3 System are correctly saved
#######################################################
SSO doesn't work; I always get the logon page of the ITS.
Hi Hafedh,
Do you have the solution to your problem? I am also having the same problem.
I have changed my full domain on my portal server A (nw2004s) that connects to my ITS that connects to our server B 4.6C.
My SSO is working while testing using transaction iview. Only through the ITS is it not working.
Does anyone have ideas? Thanks in advance.
Steven
@Hafedh Ghamgui
Make sure you use the FULL domain name when accessing the portal to ITS. For example, if you use "http://myportal:50300/irj/" instead of "http://myportal.mycompany.com:50300/irj/", SSO will fail between ITS and the portal. Also within the portal, the ITS instance must be configured by the full domain name. Lastly, the ITS instances must reside on the same domain as the portal; otherwise an additional WAS will be needed to accept the Logon Tickets from the portal and then pass them to ITS (*see docs on this site for info on this).
@Uttam
That is the whole point of using SSO...so you do not have to worry or manage passwords between systems (that was a HUGE problem in the early days of Workplace...haha). Basically by using the SAP Logon Ticket, you are saying "this system trusts this system". They ignore the passwords after initial login and authentication. From that point, the user is authenticated. The Logon Ticket then passes the user name to the other system. Since the other system is set up to "trust" the portal, it merely looks up the user based on the user name passed. As you might guess, keeping user names in synch is needed...else you will need to use User Mapping. Hope this helps.
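Added example, not part of the original thread or of any SAP tooling: a small check of the full-domain-name rule described in the reply above. It assumes the portal issues the MYSAPSSO2 logon ticket as a domain cookie scoped to its own host name minus the first label, and applies the browser's standard cookie domain matching; the FQDN `itmportal.it-motive.de` and the function names are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def _host(url):
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def ticket_cookie_domain(portal_url):
    """Domain the ticket cookie can be scoped to (assumed: host minus first label)."""
    host = _host(portal_url)
    if not host or _is_ip(host):
        return None                      # IP addresses have no cookie domain
    parent = host.split(".", 1)[1] if "." in host else ""
    # A short host name has no parent; a single label such as "de" is refused
    # by browsers as a cookie domain. Either way the cookie stays host-only.
    return parent if "." in parent else None

def ticket_reaches(portal_url, target_url):
    """Return (ok, reason): would the browser send the portal's ticket to target?"""
    domain = ticket_cookie_domain(portal_url)
    target = _host(target_url)
    if domain is None:
        return False, f"{_host(portal_url)!r} gives no usable domain; cookie is host-only"
    if _is_ip(target):
        return False, "target addressed by IP; domain cookies never match an IP"
    if target == domain or target.endswith("." + domain):
        return True, f"cookie for .{domain} is sent to {target}"
    return False, f"{target} is outside .{domain}"

if __name__ == "__main__":
    its = "http://bilbo.it-motive.de:8080/scripts/wgate/"   # ITS host from the post
    for portal in ("http://itmportal:50000/irj",             # ~exiturl as posted
                   "http://itmportal.it-motive.de:50000/irj"):  # constructed FQDN
        print(portal, "->", ticket_reaches(portal, its))
```
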
Hi Hafedh,
I believe this to be a wrong setup of the certificates.
I cannot understand all the information, but the error would make me check STRUSTSSO2 to see whether I have imported the portals certificate and added it to the ACL.
Regards,
Thomas Mouritsen
Hi Thomas,
I had a query regarding SSO. Suppose I have EP 6.0 and an R/3 system. Let us suppose I have done the SSO between the 2 systems, but after say 15 days someone changes the password of the SAP R/3. Then do we have to take any other care for it in the EP 6.0 or for the Single Sign On? Please advise.
Regards,
Uttam