on 06-11-2015 10:33 AM
could any one share some knowledge about configuring logon tickets. I have attempted to configure logon tickets on abap stack. after run tr. sso2 to check status of issuing logon tickets, it indicates everything is going perfect with green light. Unfortunately I observe the MYSAPSSO2 from fiddler. there is no MYSAPSSO2 show up on cookie on header. could anyone shed somelight on this issue I encoutered.
Have you got the following in your SAP profile ?
login/accept_sso2_ticket = 1
login/create_sso2_ticket = 2
Thanks
Tim
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Tim, hi Nick
Thank you for your replies.
The profile parameter has been set in default profile.
The trust between two systems has been setup.
As I have said that by running tr. sso2, it indicated that there is not problem to issue an logon tickets.
I just wondered if there is anything I could do to see what's the problem
Thanks and best regards,
Jenny
Maybe you can make your use case clearer. If you start Fiddler on your desktop and logon to one system using a web browser, before you do anything else are you seeing in Fiddler that a MYSAPSSO2 ticket was issued and stored as a cookie ? I am asking for this to be clarified because you just said "The trust between two systems has been setup" so I want to make sure that the ticket is issued when you just logon to one system from a browser on your desktop.
Hi Tim,
Actually I am attempting to set up single sign on between ABAP stack and BPM. BPM is java based. I am trying to enable logon tickets and assertion tickets at the same time. Currently the assertion tickets is working well. While Logon ticket won't show up.
I am observing from fiddler again and this time two sessions are logged in fiddler. on response panel of first session which say HTTP 1.1 401 Unauthorized. Does it mean that some authorization issue for my user in abap stack?
Attached is the screenshot.
Thanks and best regards,
Jenny
Please explain the flow involved. I assume a user logs onto ABAP system first using web browser. During this logon the ABAP system is issuing an assertion ticket which you can see in fiddler. Is this correct ? What happens next ? Is user redirected to Java stack in same browser session ?
The HTTP 401 is normal when using SPNEGO on Java (or on ABAP if a product that supports this is installed). The browser is supposed to respond to the HTTP 401 with a HTTP message containing an Authorization header.
Thanks
Tim
Hi, there is a rather good scn thread covering the differences between assertion tickets and logon tickets, you might want to check:
SAP Assertion Tickets and SAP logon tickets
They have different use cases and also the transport is different.
Kind regards,
Patrick
hi Tim & Nick,
Our use case is:
Fiori My Inbox app get "tasks general info" from BPM system via task gateway service, assertion ticket is used between gateway and BPM.
During the My Inbox app extension, we also need the "task detail info" from BPM but current task gateway dosen't provide this service, so we call the BPM odata service directly, suppose to use logon ticket (which should be set in the cookie as "MYSAPSSO2" after broswer get response from task gateway service after user logon Fiori launchpad).
Do you have any idea for this issue?
Is the DNS domain of the host where you odata service is running on same DNS domain as the host where Fiori launchpad is running ? This is required because the cookie is a domain session cookie and will be sent by browser to the host based on cookie domain. If you check in fiddler trace you will see what domain the cookie was issued with and can then check if the odata service is being sent the cookie.
Thanks
Tim
Hi Jenny,
please check 1257108 - Collective Note: Analyzing issues with Single Sign On (SSO).
There should be all the pointers you need to diagnose the problem and wether the ticket is the way it is required to be on the receiveing system.
Kind regards,
Patrick
Hey Jenny,
what version of NW are you running and do you mind telling me exactly what you are trying to do with the ticket?
To me, "logon tickets" have to do with allowing one SAP system to talk to another in terms of exchanging data. I think you are talking about a browser cookie.
Still, that being said, it would help if we knew what you were really trying to do at the end of the day.
Thanks
NICK
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Nick,
The login ticket is not used for system to talk to another. The login ticket is created when a user has authenticated and it if HTTP authentication was used, the ticket is 'baked' into a cookie so that the browser can send the cookie when another page is accessed, to confirm that the user has already authenticated. If this didn't happen then the user would have to authenticate every time the browser accesses a page.
Thanks
Tim
User | Count |
---|---|
90 | |
10 | |
10 | |
10 | |
7 | |
7 | |
6 | |
5 | |
4 | |
3 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.