SSO2 logon ticket with alias

Former Member
0 Kudos

Does anyone know about an SSO2 ticket that can be issued by the SAP Portal and contain an alias, which can then give the user a default identity and an alias identity ?

Until now "login with alias" is only available for the basic login module; however, we would like to be able to issue an SSO2 ticket from the EP that is accepted by a backend system where the user IDs in both systems are different. (We don't want to use "EP userid mapping"!)

If anyone knows any details, please comment. Thanks.

1 ACCEPTED SOLUTION

WolfgangJanzen
Product and Topic Expert
0 Kudos

An "SAP Logon Ticket" can contain both an ABAP user ID (note: not the ABAP user alias name) and a J2EE/EP user name. This is typically the case when an EP issues a logon ticket; ABAP systems never issue an SAP Logon Ticket that contains a J2EE/EP user name.

ABAP systems only evaluate the ABAP userID contained in the ticket.

J2EE/EP systems usually only evaluate the J2EE/EP username.

Since SAP Logon Tickets can contain only one ABAP user ID, it is clear that this imposes certain constraints: in an EP landscape all ABAP systems need to use the same ABAP user ID. That's why the user mapping (J2EE/EP user name <-> ABAP user ID) can be performed centrally (at the EP).

Obviously Steven is looking for a kind of decentralized user mapping (which would then need to take place on the ticket receiver side). Well, I'm sorry, but that's not implemented, mainly because it's an open issue how to maintain such distributed mapping information in a proper way (without causing an administrative nightmare).

Cheers, Wolfgang

9 REPLIES

MichaelShea
Product and Topic Expert
0 Kudos

But Steven, this is just what user mapping is designed to do. When you log on to the portal, the portal issues you a ticket with the user ID for the reference system in the ticket. Then when you access the back-end system, the back-end system uses your reference system user ID for ticket authentication.

http://help.sap.com/saphelp_nw04s/helpdata/en/f8/3b514ca29011d5bdeb006094191908/frameset.htm

-Michael

0 Kudos

Michael

Thanks for your reply. I asked the question as user mapping that requires either administrators or users entering their passwords (even once) is not a practical solution for us. Do you know of any other type of login ticket aliasing? Thanks.

MichaelShea
Product and Topic Expert
0 Kudos

Hi Steven,

I do not know of any other type of login ticket aliasing (not to say there isn't one), but I do have a solution for you. You can disable the password check for administrators with the following UME property:

ume.usermapping.admin.pwdprotection=FALSE

http://help.sap.com/saphelp_nw04s/helpdata/en/fe/d22a41b108f523e10000000a155106/frameset.htm

So now your administrator merely has to assign the mapping. You can even get around that if you use an LDAP as your data source. The online help is unfortunately a little out of date, but here is the topic:

http://help.sap.com/saphelp_nw04s/helpdata/en/0b/d82c4142aef623e10000000a155106/frameset.htm

The LDAP data source configuration file already defines the back-end user ID as being stored in the LDAP by declaring the attribute REFERENCE_SYSTEM_USER. You have to map this attribute to the LDAP physical attribute where you store this information. The default is sapusername. Skip the bit at the end of the data source configuration about the additional object class. Apparently you don't need that anymore.

So how do you get the reference system user ID in the LDAP? Set up an LDAP sync between the reference ABAP system and your LDAP.

http://help.sap.com/saphelp_nw04s/helpdata/en/95/49cb3a663bfc70e10000000a114084/frameset.htm

-Michael

0 Kudos

Hi Steven,

Not quite sure whether you two are talking about the same user mapping. We have one based on reference systems for the logon tickets; in this case no password is stored by anybody. But this only works if the other system is accepting logon tickets. And within the portal only, we have something which is called user mapping as well, where you store username/password for accessing systems that can only be integrated by adding the username/password to the request.

Regards,

Patrick

0 Kudos

Patrick, Michael,

I think Steven is asking about the alias ID/name stored in an SSO2 ticket. Normally when an SSO2 ticket is issued it contains one ID for the user, but I think (unless I am mistaken) there is a way to store in an SSO2 ticket a default ID + an alias ID for a given user, which can then be accepted by the portal, but the normal ID is used when logging onto other http enabled SAP apps.

Is the above correct? I am sure I heard in a presentation at TechEd last year that an SSO2 ticket can have an alias ID? Perhaps I misunderstood? Anyway, I think this is what Steven is asking about.

Regards,

Tim

0 Kudos

The alias is the name stored in the reference system.

You can have a portal user and an ABAP user name in the ticket. ABAP will only use the ABAP user name. Portal based systems can be configured to use either using ticket_portalid for the receiving side.

regards,

Patrick
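To make the replies above concrete, here is an added example (not code from the thread, from SAP, or from the Enterprise Portal) that models the behaviour they describe: the EP resolves the reference-system user ID centrally (Michael's REFERENCE_SYSTEM_USER attribute, stored in LDAP as sapusername), puts both the ABAP user ID and the portal user name into the ticket (Wolfgang's answer), and each receiver reads only the field it is configured for (Patrick's ticket_portalid, modelled here as a boolean). The byte layout and info-unit IDs, the codepage value, the in-memory LDAP stand-in and the HMAC used in place of the real PKCS#7 signature are assumptions of the example, not facts from the thread. The point a practitioner wants from it: no user field is trusted until the signature over the ticket body has been verified against the issuer, and a ticket carrying a duplicate user unit is rejected, so that two receivers cannot be made to read different identities from the same ticket.

```python
import base64
import hashlib
import hmac

# Info-unit IDs of the ticket body. Assumption: the byte layout (one version byte,
# a four-byte codepage, then ID | 16-bit length | data units, signature unit last)
# and these ID values follow public descriptions of MYSAPSSO2; the thread above
# names only the two user fields, not their encoding.
IU_ABAP_USER = 0x01     # ABAP user ID (the user ID itself, not the ABAP alias)
IU_SYSID = 0x02         # issuing system ID
IU_CLIENT = 0x03        # issuing client
IU_CREATED = 0x04       # creation time, YYYYMMDDHHMM
IU_PORTAL_USER = 0x20   # J2EE/EP user name
IU_SIGNATURE = 0xFF     # signature over every byte that precedes this unit
TICKET_VERSION = 0x02
CODEPAGE = b"1100"      # assumption: four ASCII bytes naming the codepage

# Constructed stand-in for the UME data source. The EP resolves the reference-system
# (ABAP) user ID centrally, here from a "sapusername" attribute as in Michael's reply.
LDAP_USERS = {
    "jdoe": {"sapusername": "DOEJ"},
    "asmith": {},  # no reference-system user maintained
}

# Constructed stand-in for the PKCS#7 signature: an HMAC under a key shared by issuer
# and receiver. A real receiver verifies PKCS#7 against the issuing EP's certificate.
ISSUER_KEY = b"constructed-issuer-key"

def _unit(uid, data):
    if len(data) > 0xFFFF:
        raise ValueError("info unit too long")
    return bytes([uid]) + len(data).to_bytes(2, "big") + data

def issue_ticket(portal_user, sysid="EP1", client="000", created="200601011200"):
    """Build the ticket as an EP would: both identities, mapping resolved centrally."""
    abap_user = LDAP_USERS.get(portal_user, {}).get("sapusername")
    if abap_user is None:
        # This example's own policy: refuse rather than guess an ABAP user ID.
        raise LookupError(f"no reference-system user mapped for {portal_user}")
    body = bytes([TICKET_VERSION]) + CODEPAGE
    body += _unit(IU_ABAP_USER, abap_user.encode("ascii"))
    body += _unit(IU_SYSID, sysid.encode("ascii"))
    body += _unit(IU_CLIENT, client.encode("ascii"))
    body += _unit(IU_CREATED, created.encode("ascii"))
    body += _unit(IU_PORTAL_USER, portal_user.encode("utf-8"))
    sig = hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()
    return base64.b64encode(body + _unit(IU_SIGNATURE, sig)).decode("ascii")

def _units(raw):
    """Yield (uid, data, offset) for each unit after the 5-byte header; reject truncation."""
    pos = 5
    while pos < len(raw):
        if pos + 3 > len(raw):
            raise ValueError("truncated unit header")
        uid = raw[pos]
        length = int.from_bytes(raw[pos + 1:pos + 3], "big")
        data = raw[pos + 3:pos + 3 + length]
        if len(data) != length:
            raise ValueError("truncated unit body")
        yield uid, data, pos
        pos += 3 + length

def parse_ticket(cookie):
    """Decode the units and verify the signature before returning any of them."""
    raw = base64.b64decode(cookie)
    if len(raw) < 5 or raw[0] != TICKET_VERSION:
        raise ValueError("unsupported ticket version")
    units = {}
    for uid, data, pos in _units(raw):
        if uid in units:
            raise ValueError("duplicate info unit")  # no second user ID sneaks in
        if uid == IU_SIGNATURE:
            if pos + 3 + len(data) != len(raw):
                raise ValueError("data after signature")
            expected = hmac.new(ISSUER_KEY, raw[:pos], hashlib.sha256).digest()
            if not hmac.compare_digest(expected, data):
                raise ValueError("bad signature")
        units[uid] = data
    if IU_SIGNATURE not in units:
        raise ValueError("unsigned ticket")
    return units

def accepted_identity(cookie, receiver, ticket_portalid=False):
    """Identity a receiver trusts: ABAP uses only unit 0x01; a J2EE/EP receiver uses
    0x20 when ticket_portalid is set (modelled here as a boolean), else 0x01."""
    units = parse_ticket(cookie)
    if receiver == "abap":
        return units[IU_ABAP_USER].decode("ascii")
    if receiver == "j2ee":
        return units[IU_PORTAL_USER if ticket_portalid else IU_ABAP_USER].decode("utf-8")
    raise ValueError("unknown receiver type")

def rewrite_abap_user(cookie, new_user):
    """Attacker model: swap unit 0x01 without the issuer's key. The re-encoded ticket
    keeps the old signature, so parse_ticket must reject it."""
    raw = base64.b64decode(cookie)
    out = raw[:5]
    for uid, data, _ in _units(raw):
        out += _unit(uid, new_user.encode("ascii") if uid == IU_ABAP_USER else data)
    return base64.b64encode(out).decode("ascii")
```

Usage: `accepted_identity(issue_ticket("jdoe"), "abap")` yields the mapped ABAP user ID, the same ticket read by a J2EE receiver with ticket_portalid set yields the portal user name, and `rewrite_abap_user(...)` produces a ticket that every receiver refuses because the signature no longer covers the body. The refusal to issue a ticket for a user without a maintained mapping is this example's choice; the thread does not say what the EP does in that case.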

0 Kudos

> You can have a portal user and an ABAP user name in
> the ticket. ABAP will only use the ABAP user name.
> Portal based systems can be configured to use either
> using ticket_portalid for the receiving side.

So, how can the CreateTicketLoginModule be used to issue an SSO2 ticket containing both a portal user name and an ABAP user name ?

Steven - is this what you were asking about in your original post ?

Thanks,

Tim

0 Kudos

For a portal with a user persistence other than ABAP this is done automatically, as soon as the reference system mappings are maintained correctly. Without a portal, you can't do it, as the functionality to store the second user name in the SAP logon ticket requires functionality available only in a portal. Please have a look at the documentation in the help portal: http://help.sap.com/saphelp_nw2004s/helpdata/en/ed/845896b89711d5993900508b6b8b11/frameset.htm

regards,

Patrick