
Webservice from Portal to XMII using SSO

Former Member
0 Kudos

Hello,

(I recently posted this question in a different forum, but this seems to be the better place.)

We have a Netweaver 2004s based Portal and a Netweaver-based SAP XMII (v12.0) System providing Webservices.

What we try to do is to call a webservice out of the Portal EAR Application using SSO.

SSO configuration between Portal and XMII is done and works fine. I tested this using a URL-iView, which calls an https-URL on XMII, and SSO authentication is done in the background.

Now I want to call a Webservice using SSO.

Without SSO (providing UID/PW), the webservice-call works fine.

In order to use SSO with Webservice, I created a "Deployable Webservice Proxy" with "HTTP-Authentication" and "use SAP Logon Ticket" turned on.

Then I removed Login/Password from my SOAP-Request and unfortunately it doesn't work (with SSO).

It seems that (in case of communicating with SOAPRunner-Servlet) the SSO-Ticket is not evaluated. Is this possible?

In URL-iView case we have some entries in the Netweaver security-log but in SOAPRunner-case there are no such entries.

Calling SOAPRunner (from URL-iView for testing purposes or from real program code) there is no security-log entry but only an entry in xmii-log

- Unable to load user information

XMII seems not to care about SSO. Instead it only searches for UID/PW in the SOAP-Request...

What do I have to consider in addition to the topics above?

Can you provide any useful links with tutorials, hints, documentation, ...?

Thanks in advance

Andreas

Accepted Solutions (0)

Answers (2)

Former Member
0 Kudos

Hi, Andreas.

I'm surprised that this change wasn't made in V12, since all of the remaining security is based on UME, but it appears that the "inline" credentials (in the SOAP message content) are still required.

It would be fairly easy to enhance this to accept SSO tickets and standard web-based authentication methods (Basic, Digest, etc.), as well as perhaps Kerberos tickets. I would suggest entering an enhancement request for this need.

An alternative might be to use the Runner servlet (no SOAP required), but that depends on the nature of your application. Personally, I find that SOAP tends to get "in the way" more than it helps, but it depends on the client application/code's capability to issue URL requests and process returned XML in so-called "REST" style web services.

Best regards,

Rick

Former Member
0 Kudos

Hi Andreas,

As far as I understand, SSO would work only via direct web content. SOAP requests and HTTP posts would be unable to gain direct SSO advantages.

However, as a potential workaround, you may wish to send the SSO2 ticket as a parameter in the SOAP request. If you have a custom service (external to xMII) that can authenticate against this SSO2 ticket, xMII could call it and verify.

I know that this is a reasonable bit of work, but might get you around your hurdles.

If you are able to get this to work, please post back and let all of us know.

Cheers,

Jai.

Former Member
0 Kudos

Hi Jai,

I don't think so.

I found this document "Authentication of a WS Client using a SAP Logon Ticket" which describes the tasks that are necessary.

But in case of XMII, this seems not to work.

https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/ae399f0d-0301-0010-cebf-bb1...

<excerpt>

In this tutorial, you will learn – based on a predefined project – all the development steps required to configure an existing Web service in such a way that it authenticates itself to the Web service provider via a SAP logon ticket.

</excerpt>

The solution is based on a "Deployable Webservice" which can be configured to use a "SAP Logon Ticket" for authentication.

In our case the situation should be rather simple because both server systems are Netweaver WebAS but it doesn't work.

Greetings

Andreas