
SSO Help - Portal to ABAP via logon tickets

Former Member
0 Kudos

Hi All,

I've done this configuration in the past but it seems that the process has changed a bit and I'm in need of some advice.

I have a portal system on which I've set up SSO. The SSO is done through Kerberos and the users are pulled from LDAP. Users log in to their Windows account, they hit the portal without having to log in again, perfect. I used the new SPNego setup wizard to do this.

Now the issue I'm having. Portal user IDs are not the same as ABAP IDs. I have used a blank attribute in Active Directory (specifically "extensionAttribute7") to fill in the ABAP user IDs. I have modified the data source XML file in the portal to look like this:

<nameSpace name="$usermapping$">
  <attributes>
    <attribute name="REFERENCE_SYSTEM_USER">
      <physicalAttribute name="extensionAttribute7" />
    </attribute>
  </attributes>
</nameSpace>

I have changed the UME property to look like this:

ume.usermapping.refsys.mapping.type = attribute

When I try to access an SAP report through the portal I get the error:

The initial exception that caused the request to fail was:

Ticket contains no / an empty ABAP user ID (see note 1159962)

My ABAP system is set up to create and accept logon tickets. Certificates have been exchanged on both systems (checked through NWA). It looks like the SAP logon ticket isn't picking up the ABAP user ID that I've stored in AD and mapped to in the XML file.

In the Java system, my logon ticket stack looks like this:

EvaluateTicketLoginModule SUFFICIENT
SPNegoLoginModule OPTIONAL
CreateTicketLoginModule SUFFICIENT
BasicPasswordLoginModule REQUIRED
CreateTicketLoginModule REQUIRED

Can anyone see an obvious step that I'm missing? Any tips would be appreciated.

Portal system is running 7.01 sp8

ABAP is running 7.01 sp8

Cheers,

Richard
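The error "Ticket contains no / an empty ABAP user ID" is what you get when the attribute the $usermapping$ namespace points at is missing or blank for the user who logged in. The following script is an added example, not code from the thread or from SAP: it parses the data source fragment posted above, works out which physical LDAP attribute backs REFERENCE_SYSTEM_USER, and then lists the users in a constructed set of directory entries (stand-ins for what an LDAP search would return) whose mapped attribute would yield an empty ABAP user ID.

```python
import xml.etree.ElementTree as ET

# The $usermapping$ fragment from the data source XML, as posted above.
USERMAPPING_XML = """
<nameSpace name="$usermapping$">
  <attributes>
    <attribute name="REFERENCE_SYSTEM_USER">
      <physicalAttribute name="extensionAttribute7" />
    </attribute>
  </attributes>
</nameSpace>
"""

# Constructed sample entries standing in for LDAP search results (not real data).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "rdegonzague", "objectClass": ["top", "person", "user"],
     "extensionAttribute7": ["RDEGONZ"]},            # populated: ticket gets an ABAP ID
    {"sAMAccountName": "jdoe", "objectClass": ["top", "person", "user"],
     "extensionAttribute7": []},                     # attribute present but empty
    {"sAMAccountName": "asmith", "objectClass": ["top", "person", "user"]},  # attribute absent
    {"sAMAccountName": "bjones", "objectClass": ["top", "person", "user"],
     "extensionAttribute7": ["  "]},                 # whitespace only, effectively empty
]


def mapped_physical_attribute(xml_text, logical="REFERENCE_SYSTEM_USER"):
    """Return the physical LDAP attribute mapped onto the given logical
    attribute in a $usermapping$ nameSpace, or None if there is no mapping."""
    root = ET.fromstring(xml_text)
    if root.tag != "nameSpace" or root.get("name") != "$usermapping$":
        return None
    for attr in root.iter("attribute"):
        if attr.get("name") == logical:
            phys = attr.find("physicalAttribute")
            return phys.get("name") if phys is not None else None
    return None


def users_with_empty_abap_id(entries, physical_attr):
    """Account names whose mapped attribute is missing, empty or blank; each of
    these users would be issued a logon ticket with no ABAP user ID."""
    bad = []
    for entry in entries:
        values = [v for v in entry.get(physical_attr, []) if v.strip()]
        if not values:
            bad.append(entry["sAMAccountName"])
    return bad


if __name__ == "__main__":
    attr = mapped_physical_attribute(USERMAPPING_XML)
    print("REFERENCE_SYSTEM_USER is backed by:", attr)
    print("users who would get an empty ABAP user ID:",
          users_with_empty_abap_id(SAMPLE_ENTRIES, attr))
```

Replace SAMPLE_ENTRIES with the attributes returned by an LDAP search against the real directory to find out whether the attribute is populated for the account that fails.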

Accepted Solutions (0)

Answers (7)


Former Member
0 Kudos

Just a quick follow up that I thought might be of good information. This is on the SAP help pages...

If the attribute for the ABAP user ID is in an additional object class, declare this object class in the data source configuration.

Would anyone know if extensionAttribute7 in AD would have an additional object class that I need to define? If so, would they know what it is? I've tried looking in several places but I'm unable to find an answer.

Former Member
0 Kudos

Hi Mike,

Those are some very good points. I have since created a user in the UME with the same account name in ABAP. When I log into the UME user and try to run any report it works fine, which signals to me the SSO between Portal and ABAP is working.

So at this point I think you are right that it is one of two things: either the attribute isn't being passed, or it's passing potential garbage. I'll have to do some research to see if there are tools to see what values it is passing to the ticket.

Thanks,

Richard

Former Member
0 Kudos

Yes the configuration is there for the ABAP system and the parameter is set to true. Just double checked now.

Edited by: Richard DeGonzague on Nov 16, 2011 5:17 PM

0 Kudos

Hi Richard,

Do you have evidence that the DS is not filling the custom attribute with the ABAP ID you expect? If you are able to log in to the portal, that means your SPNego/ADS (SSO between ADS and Java) works fine (though it would not mean that the attribute is getting passed correctly). So I'd check on the attribute (can you add it manually somehow and validate that it's working if the attribute is there?). The other thing to check is SSO between Java and ABAP (STRUSTSSO2/Keystore and so on). For that you might need to create the same user in ABAP and Java and then simulate SSO (open the Java/portal page first and then go to the ABAP WAS). For that test your mapping has to be reset, though.

Regards,

Mike

Former Member
0 Kudos

Hi Arjun,

No, I'm not using user mapping. I want to pass my ABAP user ID from an attribute I'm using in Active Directory. For some reason the SAP logon ticket isn't picking up my username from the attribute when I try to go from portal to ABAP.

Hi Samarth,

Not sure I understand the request. The user is coming from the portal and is attempting to run an ABAP report from the portal. The user names are not the same. I am attempting to map the ABAP user ID to an Active Directory attribute that I can pass to the SAP logon ticket.

Hi Siva Kumar,

Yes I checked the VA as well, the entries are there.

Thanks all for the suggestions. Keep them coming if you have more, they are greatly appreciated.

I basically followed this from SAP to set it up:

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/0b/d82c4142aef623e10000000a155106/frameset.htm

You are using an LDAP directory as a data source for the User Management Engine (UME). The user IDs for ABAP systems are already available in the LDAP directory. You no longer need to define a user mapping for each user, as the data is already available in the LDAP directory.

Cheers,

Richard

Former Member
0 Kudos

Hi Richard,

Please make sure Visual Administrator has the following entries for each ABAP client.

Server --> Services --> Security Provider --> Ticket --> com.sap.security.core.server.jaas.EvaluateTicketLoginModule

trustedsys<n>= <ABAP SID>, <Prod. Client>

trustediss<n>= CN=<ABAP SID>

trusteddn<n>= CN=<ABAP SID>

I hope parameter ume.configuration.active = true exist in VA.

Thanks,

Siva Kumar

0 Kudos

Hi,

Check the "Trust status" of your system in the portal; the status should be "trusted".

Also try deleting your user in SU01 and recreating it, then try to log in again.

with regards,

samarth.

Former Member
0 Kudos

Hi Siva Kumar,

It was not added in client 000. I have now added it but it did not solve the issue. Still getting the error:

The initial exception that caused the request to fail was:

Ticket contains no / an empty ABAP user ID (see note 1159962)

Thanks for the suggestion though.

Edited by: Richard DeGonzague on Nov 15, 2011 9:47 PM

Former Member
0 Kudos

Hi,

Are you using Super user id for user mapping like DDIC or SAP*, if so, you can try changing it to AD user.

Thanks,

Arjun

Former Member
0 Kudos

Hi Richard,

How about adding ABAP SIDs and clients in Java ACL in Visual Admin? Did you verify that?

Thanks,

Siva Kumar

Former Member
0 Kudos

Hi Richard,

Did you add java certificate to ACL from both client 000 and production client in ABAP?

Thanks,

Siva Kumar