05-09-2007 7:44 AM
Does anyone know about an SSO2 ticket that can be issued by the SAP Portal and contain an alias, which can then give the user a default identity and an alias identity?
Until now "login with alias" is only available for the basic login module, however we would like to be able to issue an SSO2 ticket from the EP and accepted by a backend system where the userids in both systems are different. (We don't want to use "EP userid mapping"!)
If anyone knows any details please comment. Thanks.
05-20-2007 8:45 PM
An "SAP Logon Ticket" can contain both an ABAP userID (notice: that is <u>not</u> the ABAP user alias name) and a J2EE/EP username. This is typically the case when an EP issues a logon ticket; ABAP systems never issue a SAP logon ticket which contains a J2EE/EP username.
ABAP systems only evaluate the ABAP userID contained in the ticket.
J2EE/EP systems usually only evaluate the J2EE/EP username.
Since SAP Logon Tickets can contain only one ABAP userID it is clear that this imposes certain constraints: in an EP landscape all ABAP systems need to use the same ABAP userID. That's why the user mapping (J2EE/EP username <-> ABAP userID) can be performed centrally (at the EP).
Obviously Steven is looking for a kind of decentralized user mapping (which would then need to take place on the ticket receiver side). Well, I'm sorry, but that's not implemented - mainly because it's an open issue how to maintain such distributed mapping information in a proper way (without causing an administrative nightmare).
Cheers, Wolfgang
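The two identities Wolfgang describes sit in separate info units of the ticket, and a ticket has room for exactly one ABAP userID. The parser below is an added example (not code from this thread or from SAP) that builds a constructed portal-issued ticket and an ABAP-issued one and extracts both identities. The info-unit layout and the numeric IDs it uses are assumptions taken from public descriptions of the MYSAPSSO2 format; check them against SAP's documentation before relying on them. It deliberately does not verify the PKCS#7 signature, which a real receiver must do before trusting either user ID.

```python
"""Parse the body of an SAP Logon Ticket and pull out both identities.

Added example; not code from the original thread or from SAP. The layout
(version byte, then info units of 1-byte ID / 2-byte big-endian length /
payload, ending with a PKCS#7 signature unit) and the numeric IDs below are
assumptions taken from public descriptions of the MYSAPSSO2 format.
Signature verification is left out; a real receiver must verify the
issuer's signature before trusting either user ID.
"""
import base64
import struct
from urllib.parse import unquote

# Info-unit IDs (assumed, see module docstring).
IU_ABAP_USER = 0x01     # ABAP user ID: the only identity an ABAP system evaluates
IU_CLIENT = 0x02        # issuing client
IU_SYSTEM_ID = 0x03     # issuing system ID
IU_CREATE_TIME = 0x04   # creation time, YYYYMMDDHHMM
IU_VALID_HOURS = 0x05   # validity period in hours
IU_PORTAL_USER = 0x20   # J2EE/EP user name, evaluated by portal/J2EE receivers
IU_SIGNATURE = 0xFF     # PKCS#7 signature over all preceding bytes, always last

TICKET_VERSION = 0x02


class TicketError(ValueError):
    """Raised for malformed or structurally untrustworthy tickets."""


def build_ticket(units, signature=b"\x00"):
    """Encode (id, payload) pairs into a ticket body; `signature` is a placeholder."""
    body = bytearray([TICKET_VERSION])
    for iu_id, payload in list(units) + [(IU_SIGNATURE, signature)]:
        if not 0 <= iu_id <= 0xFF or len(payload) > 0xFFFF:
            raise TicketError("info unit does not fit the encoding")
        body += struct.pack(">BH", iu_id, len(payload)) + payload
    return bytes(body)


def parse_ticket(data):
    """Split a ticket body into an ordered list of (id, payload).

    Every length is checked against the remaining bytes, nothing may follow
    the signature unit, and a ticket without a signature unit is rejected.
    """
    if not data or data[0] != TICKET_VERSION:
        raise TicketError("unsupported ticket version")
    units, pos = [], 1
    while pos < len(data):
        if pos + 3 > len(data):
            raise TicketError("truncated info-unit header")
        iu_id, length = struct.unpack(">BH", data[pos:pos + 3])
        pos += 3
        if pos + length > len(data):
            raise TicketError("info-unit length exceeds ticket")
        units.append((iu_id, data[pos:pos + length]))
        pos += length
        if iu_id == IU_SIGNATURE and pos != len(data):
            raise TicketError("trailing data after signature unit")
    if not units or units[-1][0] != IU_SIGNATURE:
        raise TicketError("no signature unit")
    return units


def identities(units):
    """Return (abap_user, portal_user); either may be None.

    A ticket carries at most one ABAP user ID, which is why every ABAP
    receiver in a portal landscape sees the same name.
    """
    found = {}
    for iu_id, payload in units:
        if iu_id in (IU_ABAP_USER, IU_PORTAL_USER):
            if iu_id in found:
                raise TicketError("duplicate identity unit")
            found[iu_id] = payload.decode("utf-8")
    return found.get(IU_ABAP_USER), found.get(IU_PORTAL_USER)


def parse_cookie(value):
    """Decode a base64 (possibly percent-encoded) MYSAPSSO2 cookie value."""
    return parse_ticket(base64.b64decode(unquote(value)))


def demo():
    # Constructed sample: portal-issued ticket for J2EE user john.smith whose
    # mapped ABAP user ID (reference system) is SMITHJ.
    portal_ticket = build_ticket([
        (IU_SYSTEM_ID, b"EP1"), (IU_CLIENT, b"000"),
        (IU_ABAP_USER, b"SMITHJ"), (IU_PORTAL_USER, "john.smith".encode("utf-8")),
        (IU_CREATE_TIME, b"200705110930"), (IU_VALID_HOURS, b"8"),
    ])
    # Constructed sample: an ABAP-issued ticket carries no portal user at all.
    abap_ticket = build_ticket([
        (IU_SYSTEM_ID, b"ERP"), (IU_CLIENT, b"100"), (IU_ABAP_USER, b"SMITHJ"),
        (IU_CREATE_TIME, b"200705110930"), (IU_VALID_HOURS, b"8"),
    ])
    cookie = base64.b64encode(portal_ticket).decode("ascii")
    return {
        "portal": identities(parse_ticket(portal_ticket)),
        "abap": identities(parse_ticket(abap_ticket)),
        "from_cookie": identities(parse_cookie(cookie)),
    }


if __name__ == "__main__":
    for name, ids in demo().items():
        print(name, "abap_user=%s portal_user=%s" % ids)
```

Running it shows the portal ticket yielding ("SMITHJ", "john.smith") and the ABAP ticket ("SMITHJ", None). The length checks and the "signature must be last" rule matter on the receiving side: a consumer that trusts the ABAP user unit before checking structure and signature is accepting an identity assertion from whoever can shape bytes.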
05-10-2007 4:39 PM
But Steven, this is just what user mapping is designed to do. When you log on to the portal, the portal issues you a ticket with the user ID for the reference system in the ticket. Then when you access the back-end system, the back-end system uses your reference system user ID for ticket authentication.
http://help.sap.com/saphelp_nw04s/helpdata/en/f8/3b514ca29011d5bdeb006094191908/frameset.htm
-Michael
05-11-2007 5:13 AM
Michael
Thanks for your reply. I asked the question as user mapping that requires either administrators or users entering their passwords (even once) is not a practical solution for us. Do you know of any other type of login ticket aliasing? Thanks.
05-11-2007 8:34 AM
Hi Steven,
I do not know of any other type of login ticket aliasing (not to say there isn't one), but I do have a solution for you. You can disable the password check for administrators with the following UME property:
ume.usermapping.admin.pwdprotection=FALSE
http://help.sap.com/saphelp_nw04s/helpdata/en/fe/d22a41b108f523e10000000a155106/frameset.htm
So now your administrator merely has to assign the mapping. You can even get around that if you use an LDAP as your data source. The online help is unfortunately a little out of date, but here is the topic:
http://help.sap.com/saphelp_nw04s/helpdata/en/0b/d82c4142aef623e10000000a155106/frameset.htm
The LDAP data source configuration file already defines the back-end user ID as being stored in the LDAP by declaring attribute REFERENCE_SYSTEM_USER. You have to map this attribute to the LDAP physical attribute where you store this information. The default is sapusername. Skip the bit at the end of the data source configuration about the additional object class. Apparently you don't need that anymore.
So how do you get the reference system user ID in the LDAP? Set up an LDAP sync between the reference ABAP system and your LDAP.
http://help.sap.com/saphelp_nw04s/helpdata/en/95/49cb3a663bfc70e10000000a114084/frameset.htm
-Michael
05-11-2007 9:08 AM
Hi Steven,
Not quite sure whether you two talk about the same user mapping. We have one based on reference systems for the logon tickets; in this case no password is stored by anybody. But this only works if the other system is accepting logon tickets. And within the portal only, we have something which is called user mapping as well, where you store username/password for accessing systems that can only be integrated by adding the username/password to the request.
Regards,
Patrick
05-11-2007 9:23 AM
Patrick, Michael,
I think Steven is asking about the alias ID/name stored in an SSO2 ticket. Normally when an SSO2 ticket is issued it contains one ID for the user, but I think (unless I am mistaken) there is a way to store in an SSO2 ticket a default ID + an alias ID for a given user, which can then be accepted by the portal, but the normal ID is used when logging onto other http enabled SAP apps.
Is the above correct? I am sure I heard in a presentation at TechEd last year that an SSO2 ticket can have an alias ID? Perhaps I misunderstood? Anyway, I think this is what Steven is asking about.
Regards,
Tim
05-11-2007 9:50 AM
The alias is the name stored in the reference system.
You can have a portal user and an ABAP user name in the ticket. ABAP will only use the ABAP user name. Portal based systems can be configured to use either using ticket_portalid for the receiving side.
regards,
Patrick
05-11-2007 10:13 AM
> You can have a portal user and an ABAP user name in
> the ticket. ABAP will only use the ABAP user name.
> Portal based systems can be configured to use either
> using ticket_portalid for the receiving side.
So, how can the CreateTicketLoginModule be used to issue an SSO2 ticket containing both a portal user name and an ABAP user name?
Steven - is this what you were asking about in your original post ?
Thanks,
Tim
05-11-2007 10:28 AM
For a portal with a user persistence other than ABAP this is done automatically, as soon as the reference system mappings are maintained correctly. Without a portal, you can't do it, as the functionality to store the second user name in the SAP logon ticket requires functionality available only in a portal. Please have a look at the <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/ed/845896b89711d5993900508b6b8b11/frameset.htm">documentation</a> in the help portal.
regards,
Patrick