06-29-2011 6:51 PM
Hi,
We are not able to configure Single Sign-On between our NetWeaver portals, and we are in need of some help to figure out what we are missing.
Our goal
We need to configure single user authentication between a NetWeaver Portal 7.0 and the WebDynpro applications executing in a CE 7.2. In other words, if the user is already logged in the Portal, his authentication on the CE/WebDynpro will be handled by configuration.
Scenario
We have a Portal 7.0 and CE 7.2. Both portals are already configured in a FPN within the same domain. The FPN is working well, and we are able to access WebDynpro provided by the producer, if we are logged into both portals. But if we are only logged on the Portal 7.0, the consumed WebDynpro from the producer fails with the following error:
Failed to load the object: pcd:consumer_content/com.sap.portal.fpnGuestUserIview with user Guest
[EXCEPTION]
com.sapportals.portal.pcd.gl.PermissionControlException: Access denied (Object(s): consumer_content/com.sap.portal.fpnGuestUserIview)
Configuration
After we configured the FPN between the portals, we followed SAP documentation to configure SSO:
1. We exchanged the portal 7.0 certificate with success to the 7.2 environment (We tested it on the option "Check against issuing system" within the "Trusted Systems" service)
[http://help.sap.com/saphelp_nw70/helpdata/en/43/2235260b413fe1e10000000a11466f/content.htm]
2. We also made the configurations in the stack to accept logon tickets
[http://help.sap.com/saphelp_nw70/helpdata/en/aa/bf503e1dac5b46e10000000a114084/content.htm]
All our applications have the "ticket" configuration to authenticate, which is also a subject of the link above.
After that configuration the single sign-on did not work. As we are doing a review on the documentation, we would like to ask for some help if anyone has already configured single sign-on between NetWeaver portals. We are going to keep this thread updated if we make any kind of progress, and also ask me if I missed some information in the post.
Any help will be greatly appreciated!
06-30-2011 7:24 PM
We found out that the MYSAPSSO2 cookie is being generated after the login into the Portal, but when we try to open a WebDynpro copied from a producer, it is not being sent in the request message that is received by the producer.
We also checked the following procedure:
[http://help.sap.com/saphelp_nw70/helpdata/en/89/6eb8e7af2f11d5993700508b6b8b11/content.htm]
The application is still not authenticating, falling on the same exception reported in the opening post.
07-04-2011 8:07 PM
We found out the problem. The configuration was correct but we weren't calling the machines from the same domain, and it seems that tickets are not sent to destinations that are not in the domain of the origin (issuing) system.
07-05-2011 12:21 AM
Hi,
FYI, that's a security feature of your browser. For example you don't want to expose a cookie from one domain to another (e.g. Google to Yahoo).
Cheers
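
Added example (not part of the thread, and not SAP code): a sketch of the cookie domain-matching rule from RFC 6265 that browsers apply, showing why a ticket cookie scoped to the issuing portal's domain is not attached when the producer is addressed by a short host name, an IP address or another domain. All host names and the cookie's domain value are constructed placeholders, and the assumption is that the ticket cookie carries a Domain attribute equal to the issuing system's DNS domain.

```javascript
// Added example: RFC 6265 domain matching applied to a logon-ticket cookie.
// All host names below are constructed placeholders, not taken from the thread.

const isIPv4 = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h);

// RFC 6265 section 5.1.3: a host domain-matches a cookie domain when both are
// identical, or when the host ends with "." + domain and is not an IP address.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === cookieDomain) return true;
  return !isIPv4(host) && host.endsWith("." + cookieDomain);
}

// Decide whether a stored cookie would be attached to a request for requestHost.
// A cookie set without a Domain attribute is "host-only": exact host match only.
function wouldSend(cookie, requestHost) {
  if (cookie.hostOnly) {
    return requestHost.toLowerCase() === cookie.domain.toLowerCase();
  }
  return domainMatches(requestHost, cookie.domain);
}

// Constructed ticket cookie, assumed to be scoped to the issuing portal's domain.
const ticket = { name: "MYSAPSSO2", domain: "corp.example", hostOnly: false };

// Constructed ways of addressing the producer system.
const producerUrls = [
  "http://ce72.corp.example:50000/webdynpro/",  // FQDN inside the issuing domain
  "http://ce72:50000/webdynpro/",               // short host name, no domain part
  "http://10.0.0.12:50000/webdynpro/",          // IP address
  "http://ce72.other.example:50000/webdynpro/", // different DNS domain
];

// Returns one { host, sent } record per URL.
function report(cookie, urls) {
  return urls.map((u) => {
    const host = new URL(u).hostname;
    return { host, sent: wouldSend(cookie, host) };
  });
}

for (const r of report(ticket, producerUrls)) {
  console.log(`${r.host.padEnd(22)} ${ticket.name} ${r.sent ? "sent" : "NOT sent"}`);
}
```

Only the first URL receives the ticket; the other three reach the producer with no ticket cookie at all, so the request is not recognised as coming from the already logged-in portal user.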