issuing MYSAPSSO2 from ABAP stack

Former Member
0 Kudos

Could anyone share some knowledge about configuring logon tickets? I have attempted to configure logon tickets on the ABAP stack. After running tr. SSO2 to check the status of issuing logon tickets, it indicates that everything is going perfectly, with a green light. Unfortunately, when I observe the traffic in Fiddler, there is no MYSAPSSO2 showing up in the cookie header. Could anyone shed some light on this issue I encountered?

Accepted Solutions (1)

tim_alsop
Active Contributor
0 Kudos

Have you got the following in your SAP profile?

login/accept_sso2_ticket = 1

login/create_sso2_ticket = 2


Thanks

Tim

Former Member
0 Kudos

Hi Tim, hi Nick

Thank you for your replies.

The profile parameter has been set in default profile.

The trust between two systems has been setup.

As I have said, running tr. SSO2 indicated that there is no problem issuing logon tickets.

I just wondered if there is anything I could do to see what the problem is.

Thanks and best regards,

Jenny

tim_alsop
Active Contributor
0 Kudos

Maybe you can make your use case clearer. If you start Fiddler on your desktop and log on to one system using a web browser, before you do anything else, are you seeing in Fiddler that a MYSAPSSO2 ticket was issued and stored as a cookie? I am asking for this to be clarified because you just said "The trust between two systems has been setup", so I want to make sure that the ticket is issued when you just log on to one system from a browser on your desktop.

Former Member
0 Kudos

Hi Tim,

Actually, I am attempting to set up single sign-on between the ABAP stack and BPM. BPM is Java based. I am trying to enable logon tickets and assertion tickets at the same time. Currently the assertion ticket is working well, while the logon ticket won't show up.

I am observing in Fiddler again, and this time two sessions are logged in Fiddler. The response panel of the first session says HTTP/1.1 401 Unauthorized. Does it mean there is some authorization issue for my user in the ABAP stack?

Attached is the screenshot.

Thanks and best regards,

Jenny

tim_alsop
Active Contributor
0 Kudos

Please explain the flow involved. I assume a user logs onto the ABAP system first using a web browser. During this logon the ABAP system is issuing an assertion ticket, which you can see in Fiddler. Is this correct? What happens next? Is the user redirected to the Java stack in the same browser session?

The HTTP 401 is normal when using SPNEGO on Java (or on ABAP if a product that supports this is installed). The browser is supposed to respond to the HTTP 401 with an HTTP message containing an Authorization header.

Thanks

Tim

tim_alsop
Active Contributor
0 Kudos

An assertion ticket is a logon ticket that can only be accepted by the system it was issued on. I don't think it is possible to have a system issue both types of tickets at the same time. I'm not sure why you would want to anyway. Your use case is not very clear.

Former Member
0 Kudos

Hi Tim,

Is there any document that talks about logon tickets and assertion tickets? I am quite new to this area and get confused about them quite a lot of the time.

Thanks and best regards,

Jenny

tim_alsop
Active Contributor
0 Kudos

I'm not aware of a single document, but you can use Google or look on help.sap.com.

I have worked on SAP SSO every day of the week for the last 15-20 years. This is how I know about this subject 🙂

Former Member
0 Kudos

Hi, there is a rather good SCN thread covering the differences between assertion tickets and logon tickets that you might want to check:

SAP Assertion Tickets and SAP logon tickets

They have different use cases and also the transport is different.

Kind regards,

Patrick

Former Member
0 Kudos

Hi Tim & Nick,

Our use case is:

The Fiori My Inbox app gets the "task general info" from the BPM system via the task gateway service; an assertion ticket is used between the gateway and BPM.

During the My Inbox app extension, we also need the "task detail info" from BPM, but the current task gateway doesn't provide this service, so we call the BPM OData service directly, which is supposed to use a logon ticket (which should be set in the cookie as "MYSAPSSO2" after the browser gets the response from the task gateway service, after the user logs on to the Fiori launchpad).

Do you have any idea about this issue?

Former Member
0 Kudos

Hi Oris,

Did you check whether the OData service is able to consume a logon ticket?
Especially, is the ticket trusted in the destination system? Can you launch another web app on the target, and do you get a login page or go directly to the app after using your Fiori app?

Regards,

Patrick

Former Member
0 Kudos

Hi Patrick,

Yes, the BPM OData service is able to consume a logon ticket.

Only this My Inbox app needs to connect to the BPM OData service. Currently this app gets a BPM logon page instead of the correct response.

Former Member
0 Kudos

Hi Oris,

Have you tried to call the OData URL directly in the same browser window in which you have the Fiori app running? Do you get a response or a logon screen?

Regards,

Patrick

Former Member
0 Kudos

Hi Patrick,

I get the logon screen.

tim_alsop
Active Contributor
0 Kudos

Is the DNS domain of the host where your OData service is running the same DNS domain as the host where the Fiori launchpad is running? This is required because the cookie is a domain session cookie and will be sent by the browser to the host based on the cookie domain. If you check the Fiddler trace you will see what domain the cookie was issued with and can then check whether the OData service is being sent the cookie.

Thanks

Tim
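The check Tim describes above can be done mechanically from the Set-Cookie header captured in Fiddler. The following Python script is an added example, not code from the original thread or from SAP: it parses the response headers of the logon request, finds the MYSAPSSO2 cookie, and applies the browser's domain-matching rule (RFC 6265) to decide whether the cookie would be sent to a second host, such as the one serving the OData service. The host names, the header lines and the ticket value are constructed placeholders; use the host names the browser actually sees, so if a Web Dispatcher fronts both services under one name, that name is both the issuing and the target host.

```python
"""Decide whether a MYSAPSSO2 cookie issued by one host will be sent by the
browser to another host, based on the cookie's Domain attribute.

Added example, not part of the original thread. All host names, header lines
and the ticket value are constructed; PLACEHOLDER_TICKET_VALUE is not a ticket.
"""

from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed response headers as they might appear in a Fiddler trace of the
# Fiori launchpad logon. The ticket value is a placeholder.
CONSTRUCTED_RESPONSE_HEADERS = [
    "HTTP/1.1 200 OK",
    "content-type: application/atom+xml;charset=utf-8",
    "set-cookie: sap-usercontext=sap-client=100; path=/",
    "set-cookie: MYSAPSSO2=PLACEHOLDER_TICKET_VALUE; path=/; domain=.corp.example; HttpOnly",
]

# Constructed variant with no Domain attribute: a host-only cookie.
CONSTRUCTED_HOST_ONLY_HEADERS = [
    "HTTP/1.1 200 OK",
    "set-cookie: MYSAPSSO2=PLACEHOLDER_TICKET_VALUE; path=/; HttpOnly",
]


@dataclass
class Cookie:
    name: str
    value: str
    domain: Optional[str]  # None means host-only: sent back only to the issuing host
    path: str


def parse_set_cookie(header_value: str) -> Cookie:
    """Parse one Set-Cookie header value into name, value and scoping attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")  # first '=' separates name from value
    domain: Optional[str] = None
    path = "/"
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain" and val:
            # RFC 6265 ignores a leading dot and compares case-insensitively
            domain = val.strip().lower().lstrip(".")
        elif key == "path" and val:
            path = val.strip()
    return Cookie(name.strip(), value.strip(), domain, path)


def extract_cookies(headers: List[str]) -> List[Cookie]:
    """Collect every Set-Cookie header from a list of raw response header lines."""
    cookies = []
    for line in headers:
        key, sep, val = line.partition(":")
        if sep and key.strip().lower() == "set-cookie":
            cookies.append(parse_set_cookie(val.strip()))
    return cookies


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain matching: identical, or host is a subdomain of cookie_domain."""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().rstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def would_send(cookie: Cookie, issuing_host: str, target_host: str) -> bool:
    """Would a browser that stored `cookie` from issuing_host send it to target_host?"""
    if cookie.domain is None:
        return target_host.lower() == issuing_host.lower()  # host-only cookie
    return domain_matches(target_host, cookie.domain)


def check_sso_cookie(headers: List[str], issuing_host: str, target_host: str,
                     name: str = "MYSAPSSO2") -> Dict[str, object]:
    """Report whether the logon ticket cookie exists and whether it reaches target_host."""
    ticket = next((c for c in extract_cookies(headers) if c.name == name), None)
    if ticket is None:
        return {"found": False, "domain": None, "sent_to_target": False,
                "reason": f"no {name} cookie in the response: the ticket was not issued as a cookie"}
    sent = would_send(ticket, issuing_host, target_host)
    scope = ticket.domain or f"host-only ({issuing_host})"
    verb = "will" if sent else "will NOT"
    return {"found": True, "domain": ticket.domain, "sent_to_target": sent,
            "reason": f"{name} is scoped to {scope}; the browser {verb} send it to {target_host}"}


if __name__ == "__main__":
    for target in ("bpm.corp.example", "bpm.other.example"):
        print(check_sso_cookie(CONSTRUCTED_RESPONSE_HEADERS, "gateway.corp.example", target)["reason"])
    print(check_sso_cookie(CONSTRUCTED_HOST_ONLY_HEADERS, "gateway.corp.example",
                           "bpm.corp.example")["reason"])
```

Run it against the header lines copied from the Fiddler response of the launchpad logon, with the launchpad host and the OData host as the two arguments. A result of `sent_to_target: False` with `found: True` is the cross-domain case from this thread; `found: False` means the issuing side never set the cookie, which points back at the profile parameters rather than at the cookie scope.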

Former Member
0 Kudos

The Fiori launchpad has been deployed to the same server as Gateway.

BPM is deployed on another server, which I assume has a different domain.

Will the Web Dispatcher resolve this cross-domain issue, as we have deployed a Web Dispatcher in this scenario?

Former Member
0 Kudos

Hi Oris,

Then you have a problem with the logon ticket not being accepted by the system. Please check the OData service configuration (tx SICF) and the logon ticket configuration (tx STRUSTSSO2).

Kind regards,

Patrick

Former Member
0 Kudos

Attached please find the STRUSTSSO2 screenshot and the SICF screenshot.

I also ran tr. SSO2 to check whether the configuration is correct for issuing logon tickets; it appears green.

Former Member
0 Kudos

Did you also check that the logon ticket contains a signature which is valid on AM8, and is the user listed in the logon ticket a valid user on the target?

Regards,

Patrick

Former Member
0 Kudos

I have created the user on both systems with the same user name. Is that okay for this scenario?

Former Member
0 Kudos

As long as you have no user mapping configured, this is ok.

What about the signer of the logon ticket?

Kind regards,

Patrick

Former Member
0 Kudos

Hi Patrick,

What do you mean by the signer of the logon ticket? Where should I find such information in my system?

Thanks and best regards,

Jenny

Former Member
0 Kudos

Hi Jenny,

Please check 1257108 - Collective Note: Analyzing issues with Single Sign On (SSO).

There should be all the pointers you need to diagnose the problem and whether the ticket is the way it is required to be on the receiving system.

Kind regards,

Patrick


Answers (1)

Former Member
0 Kudos

Hey Jenny,

What version of NW are you running, and do you mind telling me exactly what you are trying to do with the ticket?

To me, "logon tickets" have to do with allowing one SAP system to talk to another in terms of exchanging data. I think you are talking about a browser cookie.

Still, that being said, it would help if we knew what you were really trying to do at the end of the day.

Thanks

NICK

tim_alsop
Active Contributor
0 Kudos

Nick,

The login ticket is not used for one system to talk to another. The login ticket is created when a user has authenticated, and if HTTP authentication was used, the ticket is 'baked' into a cookie so that the browser can send the cookie when another page is accessed, to confirm that the user has already authenticated. If this didn't happen then the user would have to authenticate every time the browser accesses a page.

Thanks

Tim

Former Member
0 Kudos

Yeah, I'm thinking of the "logon ticket" in STRUSTSSO2.

That's where we export our certificate from one SAP system, then import it into another system, and put it in the "logon ticket" to establish trust between systems.

My bad.

Nick