Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SSO with BEX report - URL (No Portal) - is it possible ?

Go to solution
former_member221093
Explorer

‎08-29-2012 12:36 PM

0 Kudos

Hello,

We configures SSO for our BW system (SNC Kerberos)  for SAPGUI. Works fine.

We have  URLs  for BEX reports that  our developers created .

We want to give these URLs to end-users to run.  We do NOT want to be asked for user+password when we double -click on the URL.

Example of such URL : 

http://servername.yy.xxx.co.il:8020/sap/bw/bex?sap-language=EN&CMD=LDOC&infocube=ZSALESSUM&query=ZAO...

Is it possible ? How?

Hope my question is clear.

Thanks

Moshe Yerushalmy

1 ACCEPTED SOLUTION

Go to solution
mvoros
Active Contributor

‎08-30-2012 5:00 AM

0 Kudos

Hi,

it's not supported out of the box. That URL corresponds to a service defined in SICF. So you have only standard options for authentication provided by ABAP AS. For SSO we are talking only about certificates and logon tickets. ABAP AS does not support Kerberos for services accessed over HTTP. Usually, a workaround is to put something in front of it that generates logon ticket for authenticated user and then redirect to original service.

Cheers

3 REPLIES 3

Go to solution
mvoros
Active Contributor

‎08-30-2012 5:00 AM

0 Kudos

Hi,

it's not supported out of the box. That URL corresponds to a service defined in SICF. So you have only standard options for authentication provided by ABAP AS. For SSO we are talking only about certificates and logon tickets. ABAP AS does not support Kerberos for services accessed over HTTP. Usually, a workaround is to put something in front of it that generates logon ticket for authenticated user and then redirect to original service.

Cheers

Go to solution
former_member221093
Explorer
In response to mvoros

‎08-30-2012 7:25 AM

0 Kudos

Hello,

Thank you vey much for your answer.

Could you please elaborate on the workaround.

Usually, a workaround is to put something in front of it that generates logon ticket for authenticated user and then redirect to original service.

Is there a way in SICF to tell it to use the user from the AD login?

Regards,

Moshe

Go to solution
mvoros
Active Contributor
In response to mvoros

‎08-30-2012 7:52 AM

0 Kudos

Hi,

no, SICF service can not authenticate against AD.

What I meant is that you put some other system in front of your BW system. This system must be able to authenticate user against AD and map it to a valid SAP user. A good example is SAP Portal. You can configure portal to authenticate against AD. After successful logon the portal issues a logon ticket (browser cookie). This cookie is trusted by backend systems and is used for authentication. So when you navigate to a report within portal you get a report served from BW. There is no need to enter username and password again because cookie is used for authentication.

I assume that you don't have portal in your landscape. So you could use just simple SAP Java AS. You would need to implement a simple redirection service. A user would go to Java that would authenticate against AD, issue a cookie trusted by BW system and redirect her to BW system. Now I am not sure if Java AS can authenticate against AD out of the box or you need a 3rd party solution. Also introducing new system will have some cost associated with it (hardware + license). This solution also introduces some complexity into your landscape.

Theoretically you can use other products to generate a cookie. As far as I know SAP does not provide a library  for generating these cookies. It provides one that allows you to validate cookie but that one is useless for you.

Cheers