
Users have to close all IE browsers to re-login to SAP Sourcing via SSO

Former Member

Hi,

Our particular issue is the users are closing the Internet Explorer web browser page instead of clicking the logoff button within SAP Sourcing 7.0 SP2. When they attempt to re-launch the SAP Sourcing application via SSO (i.e. SAP NetWeaver SAML ticket), they are being routed to the SAP Sourcing (CLM) logon page.

It is understood the users are successfully logged off and their session terminated if they click the logoff button.

That said, in our troubleshooting efforts we discovered users are closing the IE browser while being logged on to SAP Sourcing (CLM) instead of clicking the “Log Off” button located in the upper right corner of the application screen. Just closing the IE browser instead of first clicking the “Log Off” button leaves the user application session ticket “open” and therefore does not allow them to get logged back in, because the SAP Sourcing (CLM) application still thinks the user is already authenticated and does not allow the session ticket to be re-established.

With SAP Sourcing (CLM) 7.0 we took advantage of “out of the box” SSO (i.e. SAP NetWeaver SAML ticket), technical configuration provided by SAP NetWeaver components and the use of the SAP NetWeaver UME driver within the user profile “Directory” configuration. This capability allows for easier provisioning of users and user maintenance by the SAP Security team and does not involve the use of a standalone SAP Sourcing (CLM) portal. Previously, in the 5.1 version of SAP E-Sourcing (CLM), we first started out with an LDAP solution before this became cumbersome to manage from an SAP Security standpoint as we continued to have issues with user logon certificates. To address this issue we had to develop a “customized” SSO solution that involved hiding the “Log Off” button and using a standalone SAP E-Sourcing NetWeaver “portal”. This allowed the user to just close the IE browser and be logged out of the application. Now, in 7.0, hiding the log off button is also not a possibility.

So our questions are the following:

1) Are there any system properties within SAP Sourcing 7.0 that we can leverage to control user sessions?

2) Is there a way we can re-route the user to a particular web page that signifies they have logged off when they close the Internet Explorer browser?

3) Are there any configuration settings within SAP NetWeaver that could be leveraged?

Your help is appreciated. Business has been pretty annoyed with closing all IE browsers since there are other important windows that are simultaneously open which they are working on.

Thanks,

Vikram

Accepted Solutions (0)

Answers (1)

amish_shah2
Explorer

Hi Vikram

You are right on the disabling of the "Logoff" button display option. There are multiple reasons for that, and in general it is to reduce the deterioration of the performance of the application, due to open Sourcing sessions.

Coming to the setup that you have defined above, I am not sure how that completely works for you, since SAML 2 support for Sourcing was officially introduced in Sourcing 9, which would mean a lot of the SAML 2 spec such as Single Logout, etc. probably doesn't work.

But now to your questions:

1. Sessions: to simplify the discussion, I will divide them into 2 types: the Sourcing session, as controlled by the Sourcing application, and the user authenticated session (the period of time a user remains authenticated), which is controlled in your setup by NW UME. Sourcing sessions are controlled by the application, and for security reasons cannot be allowed to be managed externally. User authenticated sessions, as in your case, are managed by NW UME, and again, I don't think they can be managed externally.

2. The 2 properties that I would recommend you set in Directory Configuration (Properties tab) in Sourcing are:

a. bypass_error_block=TRUE - Setting this property will ensure the Sourcing login page is not displayed, since in your case the login page that should be displayed is the NW login page.

b. ext_logout_page - This is the property you were looking for, and the URL can be set to the appropriate page that you would like to display after the user logs out.

I think by setting these 2 properties, you should be able to get past your issues.

If not, feel free to ping me.

Thanks

Amish