cancel
Showing results for 
Search instead for 
Did you mean: 

SSO configuration between ITS->EP

Former Member
0 Kudos

Dear all,

we should configuring the SSO between the ITS to portal

The developer, show us the steps:

They use the url, which is the SICF service of ABAP

http://hostname_abap:port/sap/bc/gui/sap/its/wosm?sap-client=100&sa-language=IT

Then, there is a menu on the dynpro that link to

http://hostname_portal:port/irj/servlet/prt/portal/prtroot/pcd!3aportal_content!2fcom.sap.pct!2fplat...

At this point, those needs are to allow authentication to the portal without entering credentials!

But, as far as i know, the SSO is possible if the connection can be started from a service on abap.

In this case, they use a SICF service, so how can i permit this SSO?

The users on the portal and on abap are the same.

Thanks and regards.

Cristian

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
0 Kudos

Hi,

If I have understood correctly your need, you need to get SSO authentication from ITS on the abap system to SAP Portal.

It means that the saplogon ticket from the abap system needs to be sent and accepted by SAP EP

I think that you have to export the system PSE certificate and import it in the Portal keystore. You also need both systems in the same DNS domain because the saplogon ticket is a cookie which is valid for the domain of the system creating the ticket.

Regards,

Olivier

Former Member
0 Kudos

Hi Olivier,

i have imported the certificate into NWA, and the systems are on the same DNS.

But the SSO, still no works

REgards

Cristian

Answers (3)

Answers (3)

Former Member
0 Kudos

Dear Olivier and Doa,

i'll try to explain you the situation better.

The developer's request is to create an SSO from ITS (ECC1) to BI Java (BJ1)

They user a sicf service (ECC1).

Inside this iview, there is a hyperlink to the java system (BJ1)

http://hostname_portal:port/irj/servlet/prt/portal/prtroot/pcd!3aportal_content!2fcom.sap.pct!2fplat...

Clicking on it infact, i go on the Bi Java portal page, but i have to put the credential.

I know that is a strange request, because is the first time that i see a request to permit an sso in this way....

A work around, could be make the iview (on the BI java) anonymous, so no credential is required.

But before to implement (and test) this workaround), i would like to know if there is a method to permit this SSO in a standard way.

thanks and regards,

Cristian

dao_ha
Active Contributor
0 Kudos

Hi Cristian,

Sorry, it's still not clear to me (about the developer's needs). Do you have another EP system for the ECC1 or this ECC1 connect to the BI Java (BJ1) directly? How many systems are involved in this case and do you have the same userID in all of them?

Do you have an FPN environment? I guess we're trying to understand your landscape; like Olivier mentioned, normally, users would log onto the portal first (single point of entry), from there, the system will access other backend systems (ECC, BW, ...). Also, it sounds like the ITS service is just a menu program to access other programs; if that's the case, wouldn't it be easier (and make more senses) if the menu is created in the BI java? Or, alternatively, provide the menu program (ABAP) from the ITS service of the BW system (in this case, the iView from the BJ1 would call the ITS service and the menu program call the other ABAP programs in the same system). Why is there a need to call an ITS service in ECC1 which will then point to BJ1? Am I missing something here?

Regards,

Dao

dao_ha
Active Contributor
0 Kudos

Hi Cristian,

I'm a bit confused. Is this ITS system the same as the backend BW system? It seems to me that the developer wants to activate an ITS service (in ABAP) to access a BI iView (in EP) which, in turn, access another BW program (in ABAP). Is that correct?

Do you have the backend systems defined in the portal system landscape and the connections tested? Which type of Authentication Ticket used in the system landscape (Logon or Assertion Ticket)?

Regards,

Dao

Edited by: Dao Ha on Oct 7, 2011 10:35 AM

Former Member
0 Kudos

Yes, Cristian's need is very uncommon because usually the user goes first to the portal where he authenticates and then goes thru SSO to ITS (or BSP or abap webdynpro).

Olivier

dao_ha
Active Contributor
0 Kudos

Hi,

Please also check the ABAP system profile to make sure that the parameters

login/accept_sso2_ticket

login/create_sso2_ticket

are set accordingly.

Hope it helps,

Dao

Edited by: Dao Ha on Oct 6, 2011 3:33 PM

Former Member
0 Kudos

Hi DAO,

the profile parameters are already setup correctly

login/create_sso2_ticket =2

login/accept_sso2_ticket=1

Thanks,

Cristian