SSO to ESS via Portal

martin_eberle
Explorer
0 Kudos

Hi

Our scenario is:

  • Kerberos from client to Portal

  • Reference System to map SAP User

  • Trust between Portal and HR

  • ESS Backendsystem with auth method SAPLOGONTICKET

-> Works all fine.

Now the problem is ...

We would like to "reduce" the TRUST to enable SSO only for ESS & MSS, and not allow SSO to be used e.g. with a transaction iView to HR. Simply said, higher security.

We don't know how to do this. Anybody with ideas?

Am I right that with SNC I cannot transport the user to build SSO between Portal and HR?

The idea was to use SNC, because with SNC you can specify on the HR side who is mapped and allowed to enter with SSO.

But it seems that between Java and ABAP systems SNC can only be used to encrypt transport messages?

What I'm wondering is:

With SAP BusinessObjects (BOE) you can set up an SNC connection from BOE => BW to do SSO, or not?

Regards Martin

4 REPLIES

martin_voros
Active Contributor
0 Kudos

Hi,

I am not sure if I understand your scenario, but in transaction SICF you can set up the allowed authentication methods for each service provided by the application server. So if there are two different services in your case, then you can exclude SSO to restrict some services.

Cheers

0 Kudos

Hi Martin

The restriction on the ABAP side sounds interesting.

Will we be able to restrict SSO only for ESS & MSS services?

Am I right that ESS & MSS use direct RFC and HTTP-based interfaces between Portal and HR?

Using SICF means no trust is required based on exchange of certificates?

Regards

Martin

thunder_feng
Active Participant
0 Kudos

Hello Martin

How about this:

1. Create 2 'systems' in your portal; one is for ESS/MSS only, and this system can use SSO.

2. Create another system and use UIDPW as the logon method in your portal -> system landscape.

Except for ESS/MSS, let all the other transaction iViews use the second system.

Regards,

Thunder

0 Kudos

Hi

That's not a solution for us, since we want to suppress the technical option to access HR transactions from the portal.

The SSO mechanism should only be available for ESS & MSS scenarios.

Regards Martin