
SSO Problem when access portal with SAP webdispatcher

Former Member
0 Kudos

Dear Gurus,

We are a certified SAP Partner in Indonesia. We face an SSO ticket problem when setting up SAP Web Dispatcher integrated with SAP EP, together with LDAP as UME for user authentication.

Currently,

1. We have already set up SSO Logon Ticket between SAP EP and our backend (SAP ECC 6)

2. We tested successfully with an LDAP user when the user accesses the BSP application from the backend via our SAP EP hostname (FQDN)

In our case: the user accesses the BSP iView directly at a portal URL, not through http://portal.intra.com:50000/irj/portal, but http://portal.intra.com:50000/irj/servlet/portal/!folder.bsp_test?sap-config=true

When we access this page, we need to enter our LDAP user, and the BSP iView comes up directly and successfully.

But,

if we access SAP EP through SAP Web Dispatcher (http://m.extra.com), where we have already set our redirect to be

icm/HTTP/redirect_0 = PREFIX=/, TO=/irj/servlet/portal/!folder.bsp_test?sap-config=true

after we execute http://m.extra.com

first we need to enter our LDAP user, but after we push the Logon button, we get a pop-up to enter the user again at the backend; it's like SSO has failed.

Can you give us some suggestions or a simple solution?

Many thanks for your attention.

regards,

Ghochi

Accepted Solutions (1)


Former Member
0 Kudos

Hi Gochi,

When you configure your system object in the portal, instead of giving the hostname of ECC 6, try giving the name of your web dispatcher, i.e. m.extra.com instead of your ECC host name.

It's illogical, but it worked when I was facing the same problem.

Regards

Biren

Former Member
0 Kudos

Hi Biren,

Do you mean I have to change the System Alias properties, especially for ITS and WebAS? If I change that hostname, maybe I will face a problem with the connection test to the backend.

Currently, the ITS and Web AS hostnames have the value of the backend (R/3) hostname (FQDN).

One thing I want to confirm: is it a problem for SSO if the NAT configuration between the external address and the internal address (SAP Web Dispatcher) is wrong?

Because today we tested with the SAP Web Dispatcher hostname (FQDN), it works, and there is no problem with SSO.

thanks

ghochi

Former Member
0 Kudos

Try testing the system object using the FQDN and using http://m.extra.com. Check the test connection with both, then change the current ITS and Web AS hostname to m.extra.com instead of the hostname (FQDN) of the backend (R/3).

Then test the connection. Even though the connection test will fail, SSO will work if you test the real scenario by accessing any transaction iView of ECC from the portal.

Regards

Biren

former_member201257
Active Contributor
0 Kudos

The SSO cookie is domain specific.

Let's say that your backend system is backend.intra.com and when you access your portal with http://portal.intra.com, an SSO cookie that is valid for *.intra.com is issued. That's the reason the backend accepts this ticket and SSO is successful.

However, when you access the portal with http://portal.extra.com, an SSO cookie that is valid for *.extra.com is issued. The backend system will not accept this ticket and hence the SSO fails.

You can do a couple of things here:

1. Relaxing the domain - search for ume.logon.security.relax_domain.level

2. You can use the property ume.login.mdc.hosts to achieve cross domain SSO

You could also incorporate some kind of proxy mechanism between the portal and the backend system (as suggested above). So, instead of calling the backend directly using the hostname of the backend system, you can use a proxy name of your choice that will match the domain name for your portal (something like backend.extra.com). You can then use this proxy name in the System Object configuration and connection tests will also pass.

Hope that helps !!

- Shanti
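The cookie-domain reasoning in the reply above, worked through as an added example (not code from the thread or from SAP), using the hypothetical host names from that reply. It assumes that `ume.logon.security.relax_domain.level` is the number of leading host labels stripped to form the ticket cookie's domain, and it models only the browser's domain-matching rule from RFC 6265.

```javascript
// Added illustration. Assumption: relax_domain.level = number of leading
// host labels the portal strips to build the logon-ticket cookie domain.
function ticketCookieDomain(portalHost, relaxLevel) {
  const kept = portalHost.toLowerCase().split(".").slice(relaxLevel);
  // Simplification: browsers consult the Public Suffix List; here any
  // domain with fewer than two labels (e.g. "com") counts as rejected.
  if (kept.length < 2) return null;
  return kept.join(".");
}

// RFC 6265 section 5.1.3: the request host matches if it equals the
// cookie domain or ends with "." + cookie domain.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// True when the browser would attach the ticket issued while browsing
// portalHost to a later request for backendHost.
function browserSendsTicket(portalHost, backendHost, relaxLevel = 1) {
  const domain = ticketCookieDomain(portalHost, relaxLevel);
  return domain !== null && domainMatches(backendHost, domain);
}

// Constructed cases built from the host names in the reply above.
const cases = [
  ["portal.intra.com", "backend.intra.com"], // same domain
  ["portal.extra.com", "backend.intra.com"], // different domain
  ["portal.extra.com", "backend.extra.com"], // backend behind a proxy name
];
for (const [portal, backend] of cases) {
  const sent = browserSendsTicket(portal, backend);
  console.log(`${portal} -> ${backend}: ticket ${sent ? "sent" : "NOT sent"}`);
}
```
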

Former Member
0 Kudos

Hi Biren,

Sorry, do you mean I just change the hostname of the backend to the external address? What about the port and path for ITS/Web AS... is it necessary to change them?

For example:

As is (current)

ITS hostname = backend.intra.com:8443
ITS path = /sap/bc/gui/sap/its/webgui

WEB AS hostname = backend.intra.com:8443
WEB AS path = /sap/bc/bsp/sap

To be

ITS hostname = m.extra.com:8443
ITS path = /sap/bc/gui/sap/its/webgui

WEB AS hostname = m.extra.com:8443
WEB AS path = /sap/bc/bsp/sap

Is this correct according to your suggestion?

many thanks..

regards,

ghochi

Former Member
0 Kudos

Hi Shanti,

Many thanks for your suggestion.

Do you mean the solution as Biren said, that I have to change the ITS/WEB AS hostname instead of the backend address?

As per your suggestion:

You can do a couple of thing here:

1. Relaxing the domain - search for ume.logon.security.relax_domain.level

What is the value for ume.logon.security.relax_domain.level?

2. You can use the property ume.login.mdc.hosts to achieve cross domain SSO

What is the value for ume.login.mdc.hosts? The portal address (portal.intra.com), the backend address, or the external address (portal.extra.com)?

Many thanks for your help.

regards,

ghochi

former_member201257
Active Contributor
0 Kudos

Yes - the best option for you is to change the ITS and Web AS host name and IP address values in your system object.

However - just changing them will not do it. The host name which you use here should be resolved (via a proxy or DNS entry) to the real IP address of your backend system.

Other approaches

1. For ume.logon.security.relax_domain.level - default is 1 - you need to change it to 2.

http://help.sap.com/saphelp_nw04/helpdata/en/5e/473d4124b08739e10000000a1550b0/frameset.htm

2. For ume.login.mdc.hosts - you will need to have an entry something like - backend.intra.com:<port>

http://help.sap.com/saphelp_nw04/helpdata/en/e0/fa984050a13354e10000000a1550b0/frameset.htm

- Shanti

Former Member
0 Kudos

Hi Shanti,

We still have the problem; Biren's suggestion did not solve it.

We already set ume.login.security.relax_domain = 2 and ume.logon.mdc.hosts = <hostname_backend:port>,<hostname_sapwebdispatcher:port>

Also, we tried changing the ITS/WEB AS hostname to m.external.com (external address instead of SAP webdispatcher) and it does not work; we still get an error.

Honestly,

we want to set up the portal to be accessed from the Internet, but we have many problems with address resolution (the backend address cannot be resolved) or SSO problems because of the different domain.

Can anyone give us a solution :-( We have a tight timeline for this job.

Thanks to all.

regards

ghochi

Former Member
0 Kudos

Hi Biren,

Following your suggestion, we still have the same problem.

Can you give me the detailed solution of what you have done before?

thanks

regards,

gochi

former_member201257
Active Contributor
0 Kudos

You don't need to necessarily use all the options I have mentioned earlier.

Please use the appropriate option according to your landscape and requirements.

For accessing BSP applications through portal from Internet, the corresponding backend system also needs to be OPEN for outside connectivity. This is usually done through some kind of proxy mechanism to avoid exposing the real host name of your backend system.

In your case, not only the portal but also the backend system should be able to connect from outside. The exact procedure will depend on what you would choose to put in front of your backend system. You may choose to use the web dispatcher to redirect the corresponding backend http requests as well.

Please go through the following presentation: (Slide 29 onwards ...)

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/24396589-0a01-0010-3c8c-ab2e3acf6...

Thanks,

Shanti

Former Member
0 Kudos

Hi Gochi,

When you change the parameters of ITS and WAS and test the system connection, it will throw an error. But when you test the real scenario, i.e. create an IAC iView or transaction iView from your backend and test using the system object, it will work. Also try what Shanti is telling you; that is a second option.

Former Member
0 Kudos

Hi Shanti and Biren,

I solved this problem with 2 options:

1. We created a DNS alias at the backend system, so the SSO ticket is issued successfully from the external address to the backend system.

2. We created 2 SAP Web Dispatchers with different ports (both SSL): the first SAP Web Dispatcher for access (redirect) into SAP Enterprise Portal, the second SAP Web Dispatcher for resolving the backend system (connecting directly to the backend system/message server of the backend system).

3. We changed the System Alias (for the System Object), especially WEB AS because we run the BSP application from the backend system; we changed the hostname and port to the reverse proxy, with the port the same as the backend port (port of SAP Web Dispatcher = port of backend ITS).

So our landscape is:

WD1(443) -------> SAP Enterprise Portal --------> Backend
                                                    ^
                                                    |
WD2(8443) ------------------------------------------+

Set WD1/WD2 to have the same external name, let's say: extra.domain.com

WD1 and WD2 have the same alias name, so when we access https://extra.domain.com/ directly, the client will be redirected to SAP EP, and after the client fills in user and password at SAP EP, the client will be forwarded to the backend system. The ITS of the backend system will have the same hostname as the reverse proxy and the same port, so it's like ITS is running well, and the BSP iView works and SSO works also.

regards,

Ghochi

Edited by: Ghochi Elin Kuswoyo on Jan 25, 2011 10:35 AM

Answers (0)