
SSO for Enterprise Portal 6 with different Portal and R/3 userIDs

Former Member
0 Kudos

Hi there,

We are using SNC library for SAP GUI logon to R/3 and SPNEGO for Web access to EP. What works for us currently is:

SSO from Windows logon to Portal using SPNego (LDAP as our datasource with AD)

However once we are inside the portal, the SSO to R/3 using SNC is not working. I have my Portal user mapped to my R/3 user as they are different usernames.

But, if I launch SAP GUI on its own I can SSO into R/3 no problem.

So, I have 3 queries here!

1) Why am I not able to SSO into R/3 once I have SSO into Portal?

2) Is there any way around the high maintenance of the user mapping?

3) I have read on SAP Help about "Using an LDAP Directory Attribute as the ABAP User ID" but this will still require user / administrator to maintain the R/3 password.

Is it possible to disable the R/3 password and thus have no maintenance as the R/3 (ABAP) User ID will be stored in LDAP attribute?

Hoping you can help...

Thanks.

1 ACCEPTED SOLUTION

tim_alsop
Active Contributor
0 Kudos

> 1) Why am I not able to SSO into R/3 once I have SSO into Portal?

Can you let us know if you get any error message? There should not be any conflict since SNC logon with SAP GUI is not using Web or HTTP and portal logon happens within the browser, so without knowing what error you get it is not clear what might cause this.

> 2) Is there any way around the high maintenance of the user mapping?

Yes, there is - you can set up portal logon to use the same mapping information as used by SNC logon so you only have to maintain the mapping in SU01.

> 3) I have read on SAP Help about "Using an LDAP Directory Attribute as the ABAP User ID" but this will still require user / administrator to maintain the R/3 password.

I think you will find this is not required, as there are better solutions available that do not require attribute changes or maintenance of mapping in two places.

> Is it possible to disable the R/3 password and thus have no maintenance as the R/3 (ABAP) User ID will be stored in LDAP attribute?

You can disable the R/3 password - I recommend you do in order to avoid the possibility of a back-door logon, e.g. somebody can log on as themselves using SNC, but somebody else might find their R/3 password and log on as this person, thus causing a security issue.

> Hoping you can help...
>
> Thanks.
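
The back-door logon concern raised in the answer above, turned into an audit check (an added example, not part of the original post or any SAP tool): it flags users who have an SNC name mapped but still hold a usable password. The CSV layout, the column names `user`, `snc_name`, `password_status`, and the status labels are a constructed export format assumed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (hypothetical layout, not an SAP file format):
# one row per ABAP user with its SNC name mapping and password state.
SAMPLE_EXPORT = """user,snc_name,password_status
JSMITH,p:jsmith@EXAMPLE.CORP,active
JSMITH2,p:jsmith@EXAMPLE.CORP,deactivated
ADOE,p:adoe@EXAMPLE.CORP,deactivated
BATCH01,,active
MBROWN,p:mbrown@EXAMPLE.CORP,initial
"""

# Assumed labels for password states that still permit a password logon.
USABLE_STATES = {"active", "initial"}


def audit_sso_users(export_text):
    """Classify users by SNC mapping and password state.

    Returns a dict with:
      password_backdoor  - SNC-mapped users that still have a usable password
      no_snc_mapping     - users with no SNC name (password is their only logon)
      duplicate_snc_name - SNC names mapped to more than one user
    """
    backdoor, unmapped = [], []
    by_snc = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["user"].strip()
        snc_name = (row.get("snc_name") or "").strip()
        status = (row.get("password_status") or "").strip().lower()
        if not snc_name:
            unmapped.append(user)
            continue
        by_snc[snc_name].append(user)  # SNC names compared exactly as exported
        if status in USABLE_STATES:
            backdoor.append(user)
    duplicates = {n: sorted(u) for n, u in by_snc.items() if len(u) > 1}
    return {
        "password_backdoor": sorted(backdoor),
        "no_snc_mapping": sorted(unmapped),
        "duplicate_snc_name": duplicates,
    }


if __name__ == "__main__":
    for category, value in audit_sso_users(SAMPLE_EXPORT).items():
        print(f"{category}: {value}")
```

Users listed under `no_snc_mapping` need review before passwords are disabled system-wide, since the password is their only logon path.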

Former Member
0 Kudos

Hi Tim,

Thank you for your feedback.

1) I am faced with a logon screen to ITS stating: "Please log on to the SAP System" and asking for my R/3 logon credentials.

2) Where is it that I set up portal logon to use the same mapping information?

3) What are the better solutions available?

Thanks again...

tim_alsop
Active Contributor
0 Kudos

Answers below:

1)

When you say "ITS" I assume you are referring to the Integrated ITS in NetWeaver, not the external ITS product?

Anyway, if you are referring to Integrated ITS, then surely you are using webgui, not SAP GUI. The webgui is accessed via browser and is not related to SNC or SAP GUI product. The SAP GUI product is a Windows application that uses SNC to authenticate to SAP systems.

If you are logged onto portal, which is a J2EE application and trying to access webgui which is running on ABAP Engine, then this might not work because your SSO2 trust is not set up correctly. Do you see an error in work process log saying anything about why the SSO2 ticket is not accepted? Also, if ABAP and JAVA are on same system and Java Engine was installed as an add-in, you might need to create new SSO2 certificates to avoid a clash, and change client number from 000 to something else so SSO2 tickets issued in J2EE engine are differentiated from SSO2 tickets issued by ABAP Engine, but they are still trusted through configuration in STRUSTSSO2 t-code.

2)

You need to use a different product, which is available from an SAP partner to do this. I am not allowed to mention third party products on this forum, so if you want to know more you will have to contact me offline via email.

3)

See answer to question 2.

Thanks,

Tim