
GRC AC 10.0 SSO using the End User Login Page via the Portal

Former Member
0 Kudos

SAP Gurus,

Wondering if anyone has tried to use Single Sign-On (SSO) through the portal. We have configured the End User Login page to avoid having to load all of our end users in the GRC system. The Guest ID works and has the basic access role assigned. I am able to launch Access Control from the portal but I get a User ID login field. Any ID in the SAP system is acceptable and then passes on to our EU Submission page.

SSO is configured for GRC just like any other ABAP system, so why isn't the User ID screen bypassed?

Thanks,

Ryan

Accepted Solutions (0)

Answers (5)


Former Member
0 Kudos

Hi Ryan,

We have the same requirement.

Did you solve your problem?

Can you please help me?

Thanks,

Twisha

Former Member
0 Kudos

Tisha,

Unfortunately, I had to go down the route of adding all of the users into the GRC system. Not IDEAL.

I am in the process of implementing GRC AC 10.0 again, and due to license restrictions, I am reinvestigating using the End User Login page. I believe I can just point the field to the MS Active Directory repository, but would still like to know if there have been any improvements (up to SP12) that will allow SSO functionality through the end user login page.

Thanks,

Ryan

Former Member
0 Kudos

Hi Ryan, Tisha,

SSO is not supported by End User Login even in SP13.

Best Regards,

Aman

Former Member
0 Kudos

Hi Amanjit,

Thanks for the information.

Ryan,

I could not actually bypass the userid, but what I did is I made the field updated with the portal logon ID and made the field read-only by enhancing the WD ABAP application, so that the user can't change the userid.

So, the end result is a screen with an already populated userid (which is read-only, not editable).

My GRC end user logon is an AppIntegrator iView, so in the URL you can actually pass the portal logon ID.

We had checked the WD ABAP application, but found there are many authentication checks in the initial screen and it would be very hard (I'm not saying impossible) to bypass to the next screen with userid as a parameter.

I know this is a bad way, but it's better than allowing the user to enter any other userid.

Thanks,

Twisha

Former Member
0 Kudos

Hi Ryan

We also have the same requirement. We also integrated the EP with GRC, but one of the worksets, Access Management, is not working and gives a dump. Can you check the Application name and Application Parameter and let me know the same? Also, if you can, guide me on how to activate End User Logon for the Portal.

Regards

Pradeep


neerajmanocha
Product and Topic Expert
0 Kudos

Hi Ryan,

To enable SSO for all the end users, users should be available in GRC box. End user screen does not support SSO. So synchronizing all the end users into GRC box would be the only solution.

I have seen this in the past for one of the customers. That customer synchronized all the end users into the GRC box to enable SSO.

Thanks & Regards

Neeraj

Former Member
0 Kudos

Hi Ryan,

Kindly refer to SAP Notes 1613084 and 1628387 and maintain the user logon details for all the applications used in the End User Logon application in SICF as mentioned in the note.

Also check with your Basis Team if there is any issue with the login tickets:

login/accept_sso2_ticket

login/create_sso2_ticket

Refer to the SSO Note 1378659.

Best Regards,

Nandita Varshney
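One way to run the profile-parameter check suggested in the reply above, as an added example that is not part of the original thread or of any SAP tooling. It assumes the profile is plain text with `name = value` lines and `#` comments, uses the documented value meanings of the two parameters, and the function names and sample profile are hypothetical.

```python
# Meanings of login/create_sso2_ticket values, used in the findings below.
CREATE_MEANING = {
    "0": "no logon tickets are issued",
    "1": "logon tickets are issued, certificate included",
    "2": "logon tickets are issued, certificate not included",
    "3": "assertion tickets only, no logon tickets",
}

def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines, skipping comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params

def check_sso2(text, role):
    """role is 'accepting' (verifies tickets, as GRC does here) or 'issuing'."""
    if role not in ("accepting", "issuing"):
        raise ValueError("role must be 'accepting' or 'issuing'")
    name = ("login/accept_sso2_ticket" if role == "accepting"
            else "login/create_sso2_ticket")
    value = parse_profile(text).get(name)
    if value is None:
        # The kernel default applies; the profile alone cannot tell us its value.
        return [f"{name} is not set in this profile; check the effective value in RZ11"]
    if role == "accepting":
        if value == "1":
            return []
        return [f"{name} = {value}: incoming logon tickets are not accepted"]
    if value in ("1", "2"):
        return []
    meaning = CREATE_MEANING.get(value, "unrecognised value")
    return [f"{name} = {value}: {meaning}"]

# Constructed sample profile fragment (not taken from the thread).
SAMPLE_PROFILE = """\
# instance profile fragment, constructed for this example
SAPSYSTEMNAME = XYZ
login/accept_sso2_ticket = 1
login/create_sso2_ticket = 3
"""

if __name__ == "__main__":
    for role in ("accepting", "issuing"):
        print(role, check_sso2(SAMPLE_PROFILE, role) or "OK")
```

A clean result here only covers the two parameters; the issuer certificate and the ticket ACL in the accepting system still have to be checked separately.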

Former Member
0 Kudos

Hi All,

We have exactly the same problem.

Has anybody got solution for this problem?

Thanks:

P!

former_member225453
Active Participant
0 Kudos

Hi Peter,

Please refer to SAP Note 1257108, which is a collective Note for analyzing issues with Single Sign-On.

In addition to this, to assert the authenticity of a user, SAP logon tickets make use of digital signatures based on the DSA algorithms. (These functions fall under the SAP component for Secure Store and Forward BC-SEC-SSF.) As a consequence, Secure Store and Forward (SSF) needs to be configured correctly to be able to verify the logon tickets. This includes the configuration for trusting the SAP logon ticket issuer (in terms of SSF), which is done by storing the logon ticket issuer's public key (certificate) in the target system's certificate store. (The target system is the system that verifies the incoming logon ticket.)

Additionally, the logon ticket issuer needs to be entered into an access control list (ACL).

Please make sure you have done all this.

Hope this information helps!

Regards,

Shreya Gupta

Former Member
0 Kudos

Hello Ryan / Experts,

We have also configured the End User Login page in the portal. We are able to launch the Access Control form. But when we click on any of the links (Access Requests / Model User...) it throws the below error. Please help.

Error while processing your query

What has happened?

The URL call http://vddgrc.cscdd.com:8000/sap/bc/webdynpro/sap/grac_oif_request_submission_eu was terminated because of an error.

  

Note

The following error text was processed in system DGR : The ASSERT condition was violated.

The error occurred on the application server vddgrc_DGR_00 and in the work process 4 .

The termination type was: RABAX_STATE

The ABAP call stack was:

Method: CHECK_END_USER_APPLICATION of program CL_GRAC_ACCESS_REQUEST_UTIL===CP

Method: WDDOINIT of program /1BCWDY/NILCLRBN2KXLJNLL366J==CP

Method: IF_WDR_COMPONENT_DELEGATE~WD_DO_INIT of program /1BCWDY/NILCLRBN2KXLJNLL366J==CP

Method: DO_INIT of program CL_WDR_DELEGATING_COMPONENT===CP

Method: INIT_CONTROLLER of program CL_WDR_CONTROLLER=============CP

Method: INIT_CONTROLLER of program CL_WDR_COMPONENT==============CP

Method: INIT of program CL_WDR_CONTROLLER=============CP

Method: INIT of program CL_WDR_CLIENT_COMPONENT=======CP

Method: IF_WDR_COMPONENT_FACTORY~CREATE_COMPONENT of program CL_WDR_CLIENT_COMPONENT=======CP

Method: IF_WD_COMPONENT_USAGE~CREATE_COMPONENT of program CL_WDR_COMPONENT_USAGE========CP

  

 

What can I do?

If the termination type is RABAX_STATE, you will find more information on the cause of termination in system DGR in transaction ST22.

If the termination type is ABORT_MESSAGE_STATE, you will find more information on the cause of termination on the application server vddgrc_DGR_00 in transaction SM21.

If the termination type is ERROR_MESSAGE_STATE, you cansearch for further information in the trace file for the work process 4 in transaction ST11 on the application server. vddgrc_DGR_00 . You may also need to analyze the trace files of other work processes.

If you do not yet have a user ID, contact your system adminmistrator.

Error Code: ICF-IE-http -c: 200 -u: E0023063 -l: E -s: DGR -i: vddgrc_DGR_00 -w: 4 -d: 20120416 -t: 115414 -v: RABAX_STATE -e: ASSERTION_FAILED -X: 4F8B69F7A5050990E10080000A02CD8E_4EDCAB664C3408F0E10080000A02CD8E_1 -x: 4F8B69FDA5050990E10080000A02CD8E

HTTP 500 - Internal Server Error

Your SAP Internet Communication Framework Team

kevin_tucholke1
Contributor
0 Kudos

Syed: I believe that your issue is different than Ryan's. When you activated the End User Logon Page, did you also enter the User ID you used into each of the services that are attached to the End User Logon Page? Please review the SAP Notes below:

Note 1628387 - UAM: End User Logon application requires re-logon

Note 1599247 - Hide Fields from the End User Logon Page

Note 1604983 - Add a custom message on the End user Login Screen

Ryan is trying to use SSO to 'bypass' the entry part of the End User Logon page as they have SSO enabled in their environment. The login is required so that Access Control understands who the requestor is. I believe your error is due to the fact that you don't have the services with the suffix _EU configured with the guest user that you have used for the End User Logon service.

Thanks

Kevin Tucholke

Former Member
0 Kudos

Hello Kevin,

Thank you. We did configure the services as per Note 1628387 and maintained the guest user login details. The below services have been maintained with the guest user. Still I have the same issue while accessing this from the portal.

User type: Communication

Roles: ACCESS_REQUESTER, BASE, END_USER & NWBC

Services:

1.)GRAC_OIF_MY_PROFILE_EU

2.)GRAC_GAF_NAME_CHANGE_SERV_EU

3.)GRAC_POWL_REQUEST_STATUS_EU

4.)GRAC_GAF_PWD_SELFSERVICE_EU

5.)GRAC_OIF_USER_REGISTER_EU

6.)GRAC_GAF_ACCREQ_WITH_REQREF_EU

7.)GRAC_OIF_REQUEST_SUBMISSION_EU

8.)GRAC_GAF_ACCREQ_WITH_TEMPL_EU

9.)GRAC_GAF_ACCREQ_WITH_USEREF_EU

10.)GRAC_UIBB_END_USER_LOGIN

When we test GRAC_UIBB_END_USER_LOGIN (from SICF and test) it works fine; we are able to submit the request without any issue. The problem is when we call the same service (GRAC_UIBB_END_USER_LOGIN) from the portal and click on any of the links, it throws the error "ASSERT condition was violated".

Please help. Thank you.

Colleen
Advisor
0 Kudos

Hi Syed

For each link you also need to maintain the SICF service for User ID and Login. Search this forum for the End User Login service and you will find the full list.