
Single Sign on to Integrated ITS (to WAS ECC6.0)


Dear Experts,

I need some advice. We run ECC 6.0 R/3, which I guess should be WAS 6.40, where ITS is already integrated. We have already set up single sign-on using Windows Authentication to access Outlook mail, EP, and also R/3. Meaning, after logging on to Windows, we do not need to enter a password to open Outlook mail, EP, or R/3. When accessing R/3 using SAPGui, we use SNC.

We recently developed a workflow which sends work items to specific users. The requirement is that the users want to execute the work item from their Outlook mail. So we use Extended Notifications, where a hyperlink is added to the mail to enable the user to execute the work item directly. The hyperlink looks like this:

http://<host>:<port>/sap/bc/gui/sap/its/webgui/?sap-client=<client>&sap-language=EN/webgui/!&;transaction=SWNWIEX&P_WI_ID=<work item ID>&P_ACTION=EXECUTE&OKCODE=ONLI

The problem is now, when the user clicks that link, a web browser is opened, but the users are asked to enter user ID and password. So single sign-on does not work in this environment.

On R/3, we have already set the profile parameters:

login/accept_sso2_ticket 1

login/create_sso2_ticket 1

Please advise on this situation: what further settings should I make?

Thanks.

Yulianto


Answers (3)


former_member912992
Participant

Hi Yulianto,

Just an input for you: ECC 6.0 runs on Web AS 7.00 (NW04S), so the ITS is for sure integrated. ITS has been integrated since Web AS 6.40 (NW04).

Regards,

Agoes

WolfgangJanzen
Product and Topic Expert

That topic has been discussed previously (multiple times, e.g. in the thread "SPNEGO for ABAP WebAS": https://forums.sdn.sap.com/click.jspa?searchID=321426&messageID=2135747).

You actually have two choices (for SSO out of a mail message):

- use X.509 client certificates

- use SPNEGO capabilities of NWAS Java in conjunction with an ICF redirect mechanism (of NWAS ABAP)

Sorry, but there is no out-of-the-box SPNEGO support for NWAS ABAP.

Regards, Wolfgang

tim_alsop
Active Contributor

Yulianto,

The webgui and other apps running in Integrated ITS are configured using transaction SICF, where you need to configure a URL redirect to a servlet in the J2EE engine. The J2EE engine can then authenticate the user (same as it does when you logon to EP), then redirect back to the ABAP engine after the SSO2 logon ticket has been issued by the J2EE engine login module.

Thanks,

Tim


Dear Tim,

Your quick answer really surprises me. Thanks, I really appreciate it.

To tell you the truth, I am not a Basis guy, so I know nothing about the ITS configuration, let alone the J2EE engine. Instead, I am a workflow developer. But I need to explain this situation to my Basis friend.

Now my question is, in transaction SICF, where can I configure the URL to redirect to a servlet in the J2EE Engine? Is there any standard servlet that we can use?

The redirect back to the ABAP engine, is it automatic or do I need to make further configuration?

Thanks,

Yulianto

tim_alsop
Active Contributor

Yulianto,

I will try and help, but I may need further info from you to give you exact details.

Firstly, as far as I am aware, providing Integrated Windows Authentication for SAP EP, and any other app which runs in the SAP J2EE Engine, requires a login module, and there are 2 known login modules which provide this functionality. Firstly, the product known as TrustBroker Adapter, from CyberSafe, provides this, and is shipped with a servlet designed to allow Integrated ITS applications to be configured as you require. The second option is to use the SAP SPNEGO login module, which I am less familiar with, other than knowing the security issues which are apparent when comparing both products. Since I work for CyberSafe, and I don't know which company you represent, I have no way to know if you are using the CyberSafe product or the SAP SPNEGO login module. If you can provide me with this information, then I can be more specific about the servlet you need to use.

The configuration in SICF requires editing the "Redirect to URL" on the "Logon Errors" tab within the "Error Pages" tab.

Regarding redirecting back, the CyberSafe servlet has a parameter which you pass to the servlet to specify where to redirect back to after authenticating, but I am not sure how the SAP SPNEGO module can be used with apps such as webgui.

I hope this helps ?

Thanks,

Tim


Dear Tim,

I am very sorry, something urgent happened so that I had to take some days of leave, and I just got back to the office today.

Thank you for your last reply, I really appreciate it.

The information I received from Basis is that our company uses SAP SPNEGO login module for EP SSO. Both EP and the backend ERP have the SSO enabled.

Can you recall our discussion and give me some advice here?

Thank you...

Yulianto

tim_alsop
Active Contributor

Yulianto,

Thank you for your update. I am a little confused. You are telling me that you are using the SPNEGO login module, and it is working for you, giving you SSO. However, your initial post suggests that when you enter a URL you are getting a sign-on screen, which suggests it is not working when you access webgui.

Have you configured webgui in SICF for redirection to J2EE engine ?

If SSO is working normally with a web browser, which URLs are working for you? E.g. are you already accessing Integrated ITS services?

I am trying to establish how much of your SSO implementation is working, and how much needs changing/configuring. Thank you in advance for the extra information.

Thanks,

Tim

tim_alsop
Active Contributor

Yulianto,

I just re-read your initial post, and this is my understanding:

1. You are able to access EP only using the SPNEGO login module.

2. You need to be able to access apps such as webgui running in ABAP engine, and also make use of SPNEGO login module for SSO.

If the above is correct, then, as I have already described, you need to run transaction SICF and configure redirection to the servlet which handles authentication in the J2EE engine, and pass parameters to this servlet so that it redirects back to your original app in the ABAP engine after authenticating and obtaining an SSO2 logon ticket.

Thanks,

Tim


Dear Tim,

Many thanks for your answer. I do understand it, but my Basis friend seems not to.

When I asked him how he performs the authentication in EP (the servlet), he became confused. Maybe because he just uses the standard SPNEGO configuration?

Anyway, I just gave it a try by configuring the logon redirect on error in the SICF configuration, entering the URL of our EP (http://<host>:<port>/irj/index.html).

Then I clicked the hyperlink in our email to open our BSP application page. First, it redirected to the EP home (SSO works, no user ID and password required), and of course it just stayed there (no redirect back to the BSP screen).

Then, without closing the EP screen, I clicked the hyperlink again to open the BSP in another web browser session; it successfully opened the BSP without having to enter any user ID or password, and without redirecting to EP again. So this means the SSO logon ticket is already available after opening the EP.

So I think you are right: this must be successful if I could create a servlet in the J2EE server for authentication.

But the problem is, I know nothing about this servlet, and I think neither does my Basis friend.

So Tim, could you please give me a sample of the servlet, the very simplest one, showing how to get authenticated and redirect back to our BSP pages? And how could I publish it in the J2EE engine?

This will be very helpful for us. Thanks a lot.

Regards,

Yulianto

tim_alsop
Active Contributor

Yulianto,

I am sorry, but I cannot provide you with any servlet code. The reason is given below:

We are a software vendor, and our product is commercially available, not open source. If you want a servlet for redirection, then you need to (a) code one yourself, (b) ask somebody from SAP if they can provide you with one, or (c) purchase our product, and use it instead of the SAP SPNEGO login module for web-based authentication using Kerberos.

Sorry I cannot be more helpful.

Take care,

Tim


Dear All,

We have solved this authentication problem. Thanks to all of you who helped me solve my problem.

I would like to share with you how I solved my problem.

When I gave the hyperlink inside the HTML mail to open the BSP application, I did not give the URL directly to open the BSP application; instead, I used the default logon servlet that is provided in the J2EE server (I think this is the standard logon servlet).

The standard login servlet is "http://<host_name>:<port_name>/logon/logonServlet?redirectURL=<the URL for opening BSP application>"

So the logonServlet has one parameter, "redirectURL", where you can put any URL to redirect to after you get authenticated. If single sign-on is properly configured, no user ID and password are required, because the logon ticket has been issued by the J2EE engine. Without single sign-on, you need to enter the user ID and password in the J2EE server environment.

Best Regards,

Yulianto
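The link pattern in the post above has one practical trap: the work-item URL from the first post itself carries several &-separated parameters, and if it is pasted raw after redirectURL= those parameters become parameters of the logonServlet request instead of the redirect target. The following is an added example (not code from the thread or from SAP) that builds the mail link with a percent-encoded redirectURL and shows what the naive concatenation loses. Host names, port numbers, the client, the work item ID and the ~transaction parameter spelling are assumptions standing in for the placeholders in the posts. The allowlist check on the target host is an extra precaution of this example, so that a link which first authenticates the user can only ever send them on to one of your own ABAP hosts; the thread does not discuss what the logonServlet itself does with arbitrary redirectURL values.

```python
from urllib.parse import urlsplit, urlencode, parse_qs

# Hypothetical hosts standing in for the <host>:<port> placeholders in the posts.
LOGON_SERVLET = "http://j2ee.example.internal:50000/logon/logonServlet"
ALLOWED_TARGET_HOSTS = {"abap.example.internal"}

# Work-item execution URL in the shape of the first post (constructed values;
# the ITS transaction parameter is written here as ~transaction=SWNWIEX).
WORK_ITEM_URL = (
    "http://abap.example.internal:8001/sap/bc/gui/sap/its/webgui/"
    "?sap-client=100&sap-language=EN&~transaction=SWNWIEX"
    "&P_WI_ID=000000123456&P_ACTION=EXECUTE&OKCODE=ONLI"
)


def target_is_allowed(target_url, allowed_hosts):
    """Only http(s) targets on our own hosts may follow an authentication hop."""
    parts = urlsplit(target_url)
    return parts.scheme in ("http", "https") and parts.hostname in allowed_hosts


def build_sso_link(logon_servlet, target_url, allowed_hosts):
    """Mail hyperlink: logon servlet with redirectURL carrying the target.
    urlencode percent-encodes the target, so its own ? and & survive as data."""
    if not target_is_allowed(target_url, allowed_hosts):
        raise ValueError("redirect target not allowed: %r" % target_url)
    return logon_servlet + "?" + urlencode({"redirectURL": target_url})


def naive_sso_link(logon_servlet, target_url):
    """Plain concatenation, as one might first write it; kept only to compare."""
    return logon_servlet + "?redirectURL=" + target_url


def redirect_target(link):
    """What a servlet doing ordinary query parsing sees as redirectURL."""
    return parse_qs(urlsplit(link).query).get("redirectURL", [None])[0]


def leaked_parameters(link):
    """Parameters of the target that ended up at the top level of the servlet
    request instead of inside redirectURL (empty for a correctly built link)."""
    return [k for k in parse_qs(urlsplit(link).query) if k != "redirectURL"]


if __name__ == "__main__":
    good = build_sso_link(LOGON_SERVLET, WORK_ITEM_URL, ALLOWED_TARGET_HOSTS)
    bad = naive_sso_link(LOGON_SERVLET, WORK_ITEM_URL)
    print(good)
    print("round trip ok:", redirect_target(good) == WORK_ITEM_URL)
    print("naive link truncates target to:", redirect_target(bad))
    print("naive link leaks:", leaked_parameters(bad))
```

With the naive link the servlet receives only the part of the target up to its first &, so the redirect lands on the webgui without the transaction and work item parameters; the encoded form round-trips the full URL.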

Former Member

Hi Yulianto,

I was trying to redirect in the same way you did. In our case the default logonServlet will authenticate using our custom JAAS authentication, and after that it just sits there; it doesn't forward anywhere, kind of in some loop. Do I have to change or set anything on the ABAP stack, like to accept SSO tickets? Since the creation of tickets is happening on the Java stack, do I have to set that property also in the ABAP stack? Any help is appreciated.

thanks,

Joe.P

WolfgangJanzen
Product and Topic Expert

Yes, it is mandatory that the ABAP system is able to accept the SAP logon tickets which have been issued by the Java system:

(1) the ABAP system needs to accept SAP logon tickets generally

(2) the ABAP system needs to trust the J2EE system (ticket issuer)

(3) the J2EE system needs to be able to determine the ABAP userID (since that information needs to be written into the SAP logon ticket)

SAP Note 495911 (https://service.sap.com/sap/support/notes/495911) will help you to analyse problems (accepting the SAP logon tickets) on the ABAP side.

Regards, Wolfgang
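To make the three conditions above concrete, here is an added example (not from the thread or from SAP) that decodes a MYSAPSSO2 ticket far enough to check them: whether the receiving system accepts tickets at all (login/accept_sso2_ticket), whether the issuing system and client named in the ticket are in the receiving system's trust list (the ACL maintained with STRUSTSSO2), and whether the ticket carries an ABAP user ID at all. The info-unit layout (version byte, four-character codepage, then ID/length/value units with 0x01 user, 0x02 issuing SID, 0x03 issuing client, 0xFF signature) follows public descriptions of the ticket format and is an assumption to confirm against a ticket from your own Java engine. The sample ticket is constructed by the example's own encoder with made-up values and a dummy signature; real tickets are signed by the issuer, and the ABAP side verifies that signature against the issuer certificate, which this example does not do.

```python
import base64
import struct

# Info-unit IDs of the MYSAPSSO2 ticket per public descriptions of the format
# (assumption: verify against a ticket issued by your own Java engine).
IU_USER, IU_ISSUER_SID, IU_ISSUER_CLIENT = 0x01, 0x02, 0x03
IU_CREATED, IU_VALID_HOURS, IU_VALID_MINUTES = 0x04, 0x05, 0x06
IU_PORTAL_USER, IU_AUTHSCHEME, IU_SIGNATURE = 0x20, 0x88, 0xFF

# SAP codepage number in the ticket header -> Python codec for the text units
CODEPAGES = {"1100": "latin-1", "4102": "utf-16-be", "4103": "utf-16-le"}


def build_ticket(units, codepage="4103"):
    """Encode a ticket for testing the parser. Constructed here, not issued by
    any SAP system; the 0xFF unit is a placeholder, not a PKCS#7 signature."""
    codec = CODEPAGES[codepage]
    body = bytes([0x02]) + codepage.encode("ascii")
    for uid, value in units.items():
        data = value if isinstance(value, bytes) else value.encode(codec)
        body += struct.pack(">BH", uid, len(data)) + data
    return base64.b64encode(body).decode("ascii")


def parse_ticket(ticket_b64):
    """Walk the ID/length/value units and pull out what acceptance depends on."""
    raw = base64.b64decode(ticket_b64)
    if raw[0] != 0x02:
        raise ValueError("unexpected ticket version 0x%02x" % raw[0])
    codec = CODEPAGES[raw[1:5].decode("ascii")]
    units, pos = {}, 5
    while pos + 3 <= len(raw):
        uid, length = struct.unpack(">BH", raw[pos:pos + 3])
        pos += 3
        units[uid] = raw[pos:pos + length]
        pos += length

    def text(uid):
        return units[uid].decode(codec).strip() if uid in units else ""

    return {
        "user": text(IU_USER),
        "issuer_sid": text(IU_ISSUER_SID),
        "issuer_client": text(IU_ISSUER_CLIENT),
        "portal_user": text(IU_PORTAL_USER),
        "signed": IU_SIGNATURE in units,
    }


def acceptance_problems(ticket_b64, accept_sso2_ticket, trusted_issuers):
    """Apply the three conditions from the reply to one ticket.
    accept_sso2_ticket: value of profile parameter login/accept_sso2_ticket.
    trusted_issuers: set of (SID, client) pairs from the ACL (STRUSTSSO2)."""
    t = parse_ticket(ticket_b64)
    problems = []
    if str(accept_sso2_ticket) != "1":
        problems.append("(1) login/accept_sso2_ticket is %r, must be 1" % accept_sso2_ticket)
    if (t["issuer_sid"], t["issuer_client"]) not in trusted_issuers:
        problems.append("(2) issuer %s/%s is not in the ACL" % (t["issuer_sid"], t["issuer_client"]))
    if not t["user"]:
        problems.append("(3) ticket carries no ABAP user ID (unit 0x01)")
    if not t["signed"]:
        problems.append("ticket has no signature unit (signature itself is not verified here)")
    return problems


# Constructed sample: Java engine EP1, client 000, mapped ABAP user WFUSER01.
SAMPLE_TICKET = build_ticket({
    IU_USER: "WFUSER01",
    IU_ISSUER_SID: "EP1",
    IU_ISSUER_CLIENT: "000",
    IU_CREATED: "200702261847",
    IU_VALID_HOURS: "8",
    IU_VALID_MINUTES: "0",
    IU_PORTAL_USER: "portal:wfuser01",
    IU_SIGNATURE: b"\x30\x82dummy-signature",
})

if __name__ == "__main__":
    print(parse_ticket(SAMPLE_TICKET))
    print("trusted:", acceptance_problems(SAMPLE_TICKET, 1, {("EP1", "000")}))
    print("untrusted:", acceptance_problems(SAMPLE_TICKET, 0, {("EP1", "100")}))
```

The second run shows the typical misconfiguration behind a redirect loop: the ticket is issued and sent, but the ABAP side either does not accept tickets or does not trust EP1/000, so it treats the request as unauthenticated and redirects to the logon servlet again.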

Former Member

Hi,

I still have the same problem. I followed the steps mentioned in that note and here is the security trace. I'm not seeing any errors or problems in the trace that point me anywhere.

1_100_7457C00DAAA9E2421A4501A6C4B0BAC14D61C12E'

M SntIHashBlob: UcnToUtf8CP(in=460, out=460)

M ICTSYS: GetFormFieldCS 'SAMLart' -> '-'

M ICTSYS: GetHeaderField 'sap-user' -> '-'

M ICTSYS: GetFormField 'sap-user' -> '-'

M ICTSYS: GetHeaderField 'sap-alias' -> '-'

M ICTSYS: GetFormField 'sap-alias' -> '-'

M ICTSYS: GetHeaderField 'sap-password' -> '-'

M ICTSYS: GetFormField 'sap-password' -> '-'

M ICTSYS: GetHeaderField 'SAP-R3Auth' -> '-'

M ICTSYS: GetHeaderField 'authorization' -> '-'

M ICTSYS: GetHeaderField 'sap-language' -> '-'

M ICTSYS: GetFormField 'sap-language' -> '-'

M ICTSYS: RemoveFormFieldSecure 'sap-password' -> 20

M ICTSYS: RemoveFormFieldSecure '~password' -> 20

M ICTSYS: RemoveHeaderFieldSecure 'sap-password' -> 20

M ICTSYS: RemoveHeaderFieldSecure 'SAP-R3Auth' -> 20

M ICTSYS: RemoveHeaderFieldSecure 'authorization' -> 20

M ICTSYS: RemoveHeaderFieldSecure 'proxy-authorization' -> 20
M ICTSYS: RemoveCookieSecure name='MYSAPSSO2' path='' -> 0
M ICTSYS: RemoveHeaderFieldSecure 'MYSAPSSO2' -> 20
M ICTSYS: SetStatus 301 Moved permantently
M ICTSYS: AddHeaderField 'Location' -> 'http://elxis00.internal.earthlink.net:50100/logon/logonServlet?redirectURL=http://elxis00.internal.earthlink.net:8001/sap(bD1lbiZjPTEwMA==)/bc/bsp/sap/tutorial_1/default.htm'

M ICTSYS: AddHeaderField 'Content-Type' -> 'text/html'

M ICTSYS: AppendCData data=0xfffffffe76d5c1e8 off=0 len=18/18
M ICTSYS: AddHeaderField 'server' -> 'SAP Web Application Server (1.0;700)'
M ThPlgGetOutbuf (plugin_hdl=0, flags=0, accept_roll_out=1, client_timeout=0, ..)
M ThPlgSetMpiHdr: ti=-1
M ThPlgGetOutbuf: return outbuf (0xfffffffe66dfeb18/65464) for <276>
M ThPlgIFlush (plugin_hdl=0, nBytes=344, end_of_data=1, reject_commit=0, discard_response = 0)
M ThPlgIFlush: free old mpi inbuf(s) (no=1)

M Adresse Offset HTTP response to net

M -


M 0xfffffffe66dfead0 000000 44504d50 49455945 00000002 ffffffff |DPMPIEYE........|
M 0xfffffffe66dfeae0 000016 00000001 00002d3d 00000000 00000000 |......-=........|
M 0xfffffffe66dfeaf0 000032 00000000 00000000 00000000 00000000 |................|
M 0xfffffffe66dfeb00 000048 0000ffff 0a0a7014 00000000 00000000 |......p.........|
M 0xfffffffe66dfeb10 000064 44504d50 49455945 48545450 2f312e31 |DPMPIEYEHTTP/1.1|
M 0xfffffffe66dfeb20 000080 20333031 204d6f76 65642070 65726d61 | 301 Moved perma|
M 0xfffffffe66dfeb30 000096 6e74656e 746c790d 0a436f6e 74656e74 |ntently..Content|
M 0xfffffffe66dfeb40 000112 2d547970 653a2074 6578742f 68746d6c |-Type: text/html|
M 0xfffffffe66dfeb50 000128 3b206368 61727365 743d7574 662d380d |; charset=utf-8.|
M 0xfffffffe66dfeb60 000144 0a436f6e 74656e74 2d4c656e 6774683a |.Content-Length:|
M 0xfffffffe66dfeb70 000160 2031380d 0a6c6f63 6174696f 6e3a2068 | 18..location: h|
M 0xfffffffe66dfeb80 000176 7474703a 2f2f656c 78697330 302e696e |ttp://elxis00.in|
M 0xfffffffe66dfeb90 000192 7465726e 616c2e65 61727468 6c696e6b |ternal.earthlink|
M 0xfffffffe66dfeba0 000208 2e6e6574 3a353031 30302f6c 6f676f6e |.net:50100/logon|
M 0xfffffffe66dfebb0 000224 2f6c6f67 6f6e5365 72766c65 743f7265 |/logonServlet?re|
M 0xfffffffe66dfebc0 000240 64697265 63745552 4c3d6874 74703a2f |directURL=http:/|
M -


M ThPlgIFlush: flush mpi <276>

M ThPlgIFlush: new state is DP_PLUGIN_START_READ

M PfAddOutputLen: add 344 bytes to output len, sum=344

M ICTSYS: DeleteMessage 0xfffffffe76d0d388 -> 0

M ICTSYS: DeleteMessage 0xfffffffe76d03c28 -> 0

M ThPlgCleanClients: clean all client plugins of T27/M0

M ThPlgReleaseWp2 (0, 1)

M ThPlgRollOut: roll out (reason=4, strategy=1)

M ThPlgSendOOB: send oob (type=1, seqno=1) to icm (mpi <275> <276>)
M ThPlgRollOut: new state is DP_PLUGIN_START_READ_IOOB
M ThPlgIReleaseWp: release wp (strategy=1)
M ThIEndBg: end background processing of T27 (type=0x4000043, logoff=1, freeResources=1)
M ThIEndBg: act runtime is DP_RT_ABAP
M ThIEndBg: delete T27
M ThIEndBg: reset spa state for user T27/U13642/M0
M ThResFree: free resources of U13642 M0 I0 (normal mode, complete free) at level 3, errno=0, db_action=TH_DB_COMMIT, pooling=1
M ThResFree: reset spa state for user T27/U13642/M0
M ThCheckMemoryState (0, 0, 1)
M ThCallHooks: call hook >ITSP: EndOfSession< for event BEFORE_SESSION_END
M ThCallHooks: call hook >abTpdaThHook_EModeEnded< for event BEFORE_SESSION_END
M ThCallHooks: call hook >abRtmClearSession< for event BEFORE_SESSION_END
M ThCallHooks: call hook >HttpClearSession< for event BEFORE_SESSION_END
M ThCallHooks: call hook >DbgBeforeSessionEnd< for event BEFORE_SESSION_END
M ThCallHooks: call hook >SpoolHandleHook< for event BEFORE_SESSION_END
M ThICommit3: full commit, free resources, keep running
M ThICommit3: commit and free resources
M ThCheckComOrRb (event=1, full_commit=1)
M ThCallHooks: call hook >ab_SosShmBeforeCommit< for event BEFORE_COMMIT
M ThCallHooks: call hook >ASTAT-collect commit handling< for event BEFORE_COMMIT
M ThCallHooks: call hook >rsts_before_commit< for event BEFORE_COMMIT
M ThCheckComOrRb (event=3, full_commit=1)
M ThCallHooks: call hook >ThVBICmRbHook< for event AFTER_COMMIT
M ThVBICmRbHook: called for commit
M ThCallHooks: call hook >ThNoClearPrevErr< for event AFTER_COMMIT
M ThNoClearPrevErr: clear prev no err
M ThCallHooks: call hook >dyKeyTableReset< for event AFTER_COMMIT
M ThCallHooks: call hook >rsts_after_commit< for event AFTER_COMMIT
M ThCallHooks: call hook >SpoolHandleHook< for event AFTER_COMMIT
M ThrClearMemory o.k.
M ThCallHooks: call hook >db_x_short_mem_sync_point< for event AFTER_STORAGE_FREE
M ThCallHooks: call hook >rsts_storage_free< for event AFTER_STORAGE_FREE
M ThICommit3 o.k.
M ThGetTransId2: got trans id (spa) >45E39851296B6318E10000000A0A7014< (32)
M resptime of act sub step: 0 ms
M resptime of all sub step: 0 ms (old/new=0/0)
M PfStatWrite: no more access to user context
M set cpu stamp 12237920000
M new cpu time = 10000 us
M PfRecClose: close record (0)
M PfCopyAllRec: write 1 PF_NORMAL_STAT recs (len=896)
M PfCopyAllRec: hook >hook for normal statistical records< o.k.
M PfStatIndUpd: New Index-Record, starttime= 1172515678
M PfCopyAllRec: write 1 PF_DBCON_STAT recs (len=224)
M PfCopyAllRec: hook >hook for normal statistical records< o.k.
M PfCopyAllRec: write 1 PF_HTTP_SERVER_STAT recs (len=1328)
M PfCopyAllRec: hook >hook for normal statistical records< o.k.
M PfCopyAllRec: write 1 PF_HTTP_SERVER_DEST_STAT recs (len=1240)
M PfCopyAllRec: hook >hook for normal statistical records< o.k.
M PfCopyAllRec: copied 4 recs
M PfStatWrite: copy rec (1070 bytes) to shared buf
M PfStatIndMergeInSharedInd: updated shared index:
M from 26:2:2007 18:47:52(1172515672) to 26:2:2007 18:47:58(1172515678)
M PfStatWrite: 291216 bytes (1082 recs) in shared buf
M PfStatIndInit: Initializing Index-Record

M PfStatDisconnect: disconnect statistics

M ThDealComm: T27/U13642/M0 has no cpic conns

M ThCheckEmMagic: check em magic at 0xfffffffe76cb1c28 for T27/M0/I0
M ThCheckEmMagic: em magic at 0xfffffffe76cb1c28 for T27/M0/I0 o.k.
M clean up all internal modes of T27/U13642/M0
M call ab_endmode (END_MODE_CLEAR_ALL)
M ThVmcCleanMode (deleteOfMainMode=1, AoS=0)
M ThSesGetSessionType: no associated entry
M ThSesIsJavaSessionId: no associated entry
M ThVmcCleanMode o.k.
M ThGetEnqInfo: no enq info found
M ThRmLocQueue: no async request found
M ThPlgCleanAll: clean all plugins of T27/M0/I0 (th_errno=0, level=3)
M ThPlgClean: clean plugin 0 of T27/M0 (th_errno=0)
M ThPlgClean: call cleanup handler
M ThPlgClean: clean server plugin
M DpSetContextCounter: num_used_contexts[1] = 0
M ThPageFree: free (13642,0,0, mode = 3)
M ThRollFree: free (13642,0,0, mode = 3)
M ThRmFree: cleanup resources for T27 M0
M RmCleanUpResources3: hdr/tbl/ext_tbl/free/keep = 0xffffffff6ecbab80/0xfffffffe6da10630/0/1/0

M RmCleanUpResources3: call resource handler 0x100a61cf0 for key/entry 10/0
M RmInitResourceTblEntry: free resource description at 0xfffffffe6d97f690 (ext_tbl=0)
M RmIFreeTable: free resource table at 0xfffffffe6da10630 (ext_tbl=0)
M ThRmFree: reset eg state of T27 M0
M ThRmFree cleanup resources for T27
M RmCleanUpResources3: hdr/tbl/ext_tbl/free/keep = 0xffffffff6ecc0dd8/(nil)/1/1/0
M RmCleanUpResources3: no resources registered
M ThRmFree: reset eg state of T27
M ThIEmFree: delete hyper context (hyperHdl=0xfffffffe6c5220f8)
M ThIEmFree: call EmContextDelete (em_hdl=6)
M ThResetEmMagic: reset em magic for T27/M0/I0
M ThResFree: save spa pointer 0x106496ec0 and install dummy spa

M ThISend: (tm/user/type/info = 27/SAPSYS /0x4000041/0x0, mode_deleted=1)

M TASK_SWITCH

M DISP

M SET_MPI_SOURCE

M ThCheckAbapDebugging: abap check returned FALSE

M ThCheckAbapDebugging: message for dispatcher, debugging ok

M DpDebuggingActive: check T27/M0

M ThCheckAbapDebugging: return 0

M ThJCheckJavaDebugging: return 0

M abap strategy ROLL / O.K.

M ThISend: set TH_LOGOFF for T27 (user=SAPSYS ) in state TM_NEND

M ThRqOutCheck: o.k.

M ThISend: allowed rq_type of T27/M0 = TH_ALL_RQ

M ThNewWpStat (type=0x14000041, task_switch=1, inline_hold=0, hand_shake=0, debug=0, ..)
M ThNewWpStat: new MODE_REC = 0x80
M ThNewWpStat: set mode wait
M ThNewWpStat: new state of T27/M0 = 0x81
M ThISend: new wp stat: 0x2
M ThDtWpBlk: detach WP ca_blk 24
M ThISend: complete stat record
M ThISend: stat_state = TH_STAT_WRITE
M ThISend: th_wp_waits_for_rq = TH_WP_WAITS_FOR_RQ
M make DISP owner of wp_ca_blk 24
M DpRqPutIntoQueue: put request into queue (reqtype 0, prio LOW, rq_id 14920)

M -OUT- sender_id WORK_PROCESS tid 27 wp_ca_blk 24 wp_id 0

M -OUT- action SEND_TO_DP uid 13642 appc_ca_blk -1 type NOWP

M -OUT- new_stat WP_WAIT mode 0 len 8 rq_id 14920

M -OUT- req_info LOGOFF

M invalidate act fields from T27/M0

M REL APPC ca_blk 8

Any help is really appreciated.
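The ICTSYS lines in the excerpt above do record one useful fact about the request: every credential carrier the ICF probes (sap-user, sap-alias, sap-password, SAP-R3Auth, the authorization header, a SAMLart form field) comes back '-', the MYSAPSSO2 cookie is handled by RemoveCookieSecure, and the response is a 301 to the logon servlet with the BSP as redirectURL. Below is an added example (not from the thread or from SAP) that reduces such a trace to that summary so the hop can be compared with the next one when a loop is suspected. The input lines are quoted verbatim from the excerpt; the return codes after '->' on the Remove* lines are reported as found, without interpreting their meaning.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Lines quoted verbatim from the dev_w trace excerpt posted above.
TRACE = """\
M ICTSYS: GetFormFieldCS 'SAMLart' -> '-'
M ICTSYS: GetHeaderField 'sap-user' -> '-'
M ICTSYS: GetFormField 'sap-user' -> '-'
M ICTSYS: GetHeaderField 'sap-alias' -> '-'
M ICTSYS: GetFormField 'sap-alias' -> '-'
M ICTSYS: GetHeaderField 'sap-password' -> '-'
M ICTSYS: GetFormField 'sap-password' -> '-'
M ICTSYS: GetHeaderField 'SAP-R3Auth' -> '-'
M ICTSYS: GetHeaderField 'authorization' -> '-'
M ICTSYS: RemoveCookieSecure name='MYSAPSSO2' path='' -> 0
M ICTSYS: SetStatus 301 Moved permantently
M ICTSYS: AddHeaderField 'Location' -> 'http://elxis00.internal.earthlink.net:50100/logon/logonServlet?redirectURL=http://elxis00.internal.earthlink.net:8001/sap(bD1lbiZjPTEwMA==)/bc/bsp/sap/tutorial_1/default.htm'
"""

FIELD_RE = re.compile(r"ICTSYS: Get(?:Header|Form)Field(?:CS)? '([^']+)' -> '([^']*)'")
COOKIE_RE = re.compile(r"ICTSYS: RemoveCookieSecure name='([^']+)'.*-> (-?\d+)")
STATUS_RE = re.compile(r"ICTSYS: SetStatus (\d{3})")
LOCATION_RE = re.compile(r"ICTSYS: AddHeaderField 'Location' -> '([^']+)'")


def summarize_logon_attempt(trace_text):
    """One hop of the SSO dance as the ICF saw it: which credential carriers
    were probed and empty ('-'), which carried a value, which cookies the
    server scrubbed, and where the logon-error redirect points."""
    absent, present, cookies = [], {}, {}
    status = location = None
    for line in trace_text.splitlines():
        m = FIELD_RE.search(line)
        if m:
            name, value = m.groups()
            if value == "-":
                if name not in absent:
                    absent.append(name)
            else:
                present[name] = value
            continue
        m = COOKIE_RE.search(line)
        if m:
            cookies[m.group(1)] = int(m.group(2))
            continue
        m = STATUS_RE.search(line)
        if m:
            status = int(m.group(1))
            continue
        m = LOCATION_RE.search(line)
        if m:
            location = m.group(1)
    target = None
    if location:
        target = parse_qs(urlsplit(location).query).get("redirectURL", [None])[0]
    return {
        "credentials_absent": absent,
        "credentials_present": present,
        "cookies_scrubbed": cookies,
        "status": status,
        "logon_servlet": urlsplit(location).netloc if location else None,
        "redirect_target": target,
        # A redirect whose target differs from the logon servlet is the normal
        # first hop; the same summary on the *following* ABAP request is what
        # reveals a loop (still no credential present, still a 301).
        "is_logon_redirect": status in (301, 302) and target is not None,
    }


if __name__ == "__main__":
    for key, value in summarize_logon_attempt(TRACE).items():
        print("%-20s %s" % (key, value))
```

For the excerpt this yields: no credential of any kind presented, status 301, logon servlet on port 50100, redirect target the tutorial_1 BSP on port 8001. Running the same summary over the trace of the request that arrives after the servlet's redirect tells whether the MYSAPSSO2 cookie was then present and still rejected (the conditions in the earlier reply) or never sent back at all.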

WolfgangJanzen
Product and Topic Expert

I'm sorry, but I cannot read anything out of that lengthy trace excerpt.

It contains a lot of information but unfortunately not the relevant part (trace component "Security (N)"). I assume that you have simply raised the trace level from 1 to 2 but did not select the trace components which should be affected.

Please just follow the detailed instructions provided in SAP Note 495911 (https://service.sap.com/sap/support/notes/495911). Then you'll obtain useful trace information.

Cheers, Wolfgang

(local time: 8:37pm ... - do not expect an instant reply ...)