
SSO from BEA Weblogic Portal to SAP Enterprise Portal

Former Member
0 Kudos

People,

We want to have SSO from BEA-WLP to SAP-EP, WLP being the first port of login.

Do any of you know how to accomplish that? What alternatives do we have?

Notice that we already have both up & running in different servers of the same domain.

EP 7.0 on Windows 2003

WLP 10.2 on Windows 2003

Thanks in advance and <unspeakable_word_removed_by_moderator>

Gustavo.

Edited by: Julius Bussche on Apr 9, 2008 8:18 PM

8 REPLIES

tim_alsop
Active Contributor
0 Kudos

Gustavo,

You need to get the SAP portal to issue an SSO2 ticket, which is actually a SAP proprietary digitally signed cookie. To make SAP issue such a ticket for a user, you need to have something which you can present to the SAP system which it can trust to identify who the user is. Normally, in cases like yours this is done using an HTTP header variable. The WLP would authenticate the user and make the user id available in an HTTP header variable, and when SAP needs to know the user id it can look in this header variable to find the user id before issuing an SSO2 ticket. Once the SSO2 ticket is issued, and baked into a cookie, the browser will send this cookie for subsequent page requests to the SAP system, so the user gets an SSO experience, and is identified to SAP as the same user id they logged onto WLP with.

Another idea - if both WLP and SAP are using Active Directory credentials to authenticate the user, then a user can logon to WLP and be authenticated using these AD credentials, and when they logon to SAP they would be identified as same person. This would allow the user to logon to workstation and access SAP portal without first visiting the WLP, but it would also allow a user to logon to WLP and be authenticated and then access SAP Portal and be authenticated again as the same user, since both portals will use same approach for user authentication.

I hope this helps ?

Thanks,

Tim
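The header-variable approach in the answer above is only as trustworthy as the path that delivers the header: the front end has to overwrite whatever the browser sent, and the back end has to ignore the header on any request that did not come through the front end. The Python model below is an added example, not code from this thread, SAP or BEA, and it shows both halves of that check on constructed requests. The header name `X-Remote-User`, the front-end address `10.0.5.10` and the user `jdoe` are assumptions made for illustration.

```python
import ipaddress

# Assumptions (not from the thread): header name and front-end address.
IDENTITY_HEADER = "X-Remote-User"                            # hypothetical header name
TRUSTED_FRONT_ENDS = [ipaddress.ip_network("10.0.5.10/32")]  # constructed WLP address


def _canon(name):
    """Header names are case-insensitive; some stacks also fold '_' and '-'."""
    return name.lower().replace("_", "-")


def front_end_forward(client_headers, authenticated_user):
    """Front end (WLP role): drop any identity header the browser sent,
    then set it from the session the front end itself authenticated."""
    out = {k: v for k, v in client_headers.items()
           if _canon(k) != _canon(IDENTITY_HEADER)}
    if authenticated_user:
        out[IDENTITY_HEADER] = authenticated_user
    return out


def back_end_identity(peer_ip, headers):
    """Back end (SAP role): use the header only when the TCP peer is a
    trusted front end; otherwise return None so the normal logon runs."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_FRONT_ENDS):
        return None
    values = [v for k, v in headers.items()
              if _canon(k) == _canon(IDENTITY_HEADER)]
    # Exactly one non-empty value; duplicates mean stripping failed upstream.
    if len(values) != 1 or not values[0].strip():
        return None
    return values[0].strip()


def demo():
    """Constructed requests: via the front end, direct, and unauthenticated."""
    browser = {"x_remote_user": "admin", "Accept": "text/html"}
    via_front_end = back_end_identity(
        "10.0.5.10", front_end_forward(browser, "jdoe"))
    direct = back_end_identity("192.0.2.44", {"X-Remote-User": "admin"})
    anonymous = back_end_identity(
        "10.0.5.10", front_end_forward(browser, None))
    return via_front_end, direct, anonymous


if __name__ == "__main__":
    print(demo())
```

A source-address check like this is the minimum; restricting network access to the back end so that only the front end can reach it covers the same gap at the network layer.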

Former Member
0 Kudos

Hi, Tim. Thanks for the quick answer.

Both options are ok, but do you have any link and/or documentation on how to do that?

Now I have questions like:

1st option:

- How can I put the user in the header?

- How to make SAP-EP look in the header and trust its source?

- After that, is the logon ticket issued automatically?

2nd option:

- Will I have to use Kerberos? Would you have a "best documentation" suggestion?

- I understand that, if I choose this option, SAP-EP will just need to check AD, no matter the other portal involved, is that right?

- Can I make it impossible for the user to access the SAP-EP directly?

Thanks a lot.

tim_alsop
Active Contributor
0 Kudos

>

> Hi, Tim. Thanks for the quick answer.

>

> Both options are ok, but do you have any link and/or documentation on how to do that?

>

> Now I have questions like:

> 1st option:

> - How can I put the user in the header?

I suspect WLP has this capability, so you would have to ask somebody who knows more about this portal product. If it is running on Apache server, then you might need to configure Apache to do this for you after Apache has authenticated the user. If WLP is using some other web server, then you might be able to do something similar to make the authenticated id available.

> - How to make SAP-EP look in the header and trust its source?

You need to use visual admin to configure the ticket auth stack.

> - After that, is the logon ticket issued automatically?

If your ticket login stack contains CreateTicketLoginModule it will issue a logon ticket after successfully authenticating the user with the http header variable.

>

> 2nd option:

> - Will I have to use Kerberos? Would you have a "best documentation" suggestion?

No, you don't. However, I guess your users will be logging onto Windows workstations, and you are using AD, so the user's Kerberos credentials are already available and being used by the Windows operating system, so it is therefore easy to take advantage of this and use them to authenticate the user to SAP.

> - I understand that, if I choose this option, SAP-EP will just need to check AD, no matter the other portal involved, is that right?

No, SAP EP will need to use an SPNEGO logon module so that it can authenticate the user using the Kerberos protocol via the browser. There is no technical need for SAP-EP to make any contact with AD.

> - Can I make it impossible for the user to access the SAP-EP directly?

Yes, the user will access SAP-EP directly, and they will be authenticated. I think I mentioned this in my last post. They would also be able to logon to WLP and link to SAP-EP or logon to SAP-EP and if you want, have a link to WLP. The use of a common method of authentication allows you to do this.

>

> Thanks a lot.

Former Member
0 Kudos

Hi, Tim.

Thanks again for your help.

You are right: in fact I am responsible for the SAP side, just giving some directions to the BEA guy.

In my last question I mean the opposite, so the user is compelled to access the WLP first, because we are trying to put the EP "inside" WLP (in a frame or something).

Would you have technical documentation to meet those scenarios?

Regards.

tim_alsop
Active Contributor
0 Kudos

Hi,

Yes, making it so that SAP portal pages are displayed inside WLP pages, or linked to only by WLP pages is possible with both of the solutions being discussed.

Can you please:

1. let me know which of the 2 solutions you prefer.

2. What operating systems you are using for your SAP servers, and WLP server ?

Thanks,

Tim

tim_alsop
Active Contributor
0 Kudos

Oops. I just noticed in your first post that you mentioned the operating systems. I still need to know the answer to my first question.

Former Member
0 Kudos

As I said, both are ok. And, as both systems haven't gone live yet, I'd like to make some tests.

But, for now, I think we can start with the easiest one, if you don't mind.

tim_alsop
Active Contributor
0 Kudos

Hi,

For SNC you should look at SAP note 352295. This is only relevant since your SAP system is on Windows. If you were using UNIX or Linux instead you would need to buy a third-party product for this.

For the SPNEGO requirement, allowing the user to be authenticated to the portal using credentials on the workstation, you should search in the SAP Help Library (help.sap.com) for SPNEGO and you will find instructions for installation and configuration of this login module on the J2EE engine. You will then be able to authenticate to the portal and be recognised as the same user you logged onto Windows with.

For HTTP header logon, I suggest you search in help.sap.com and look for HTTPHeaderLoginModule.

I hope this helps ?

Thanks,

Tim