
Single Sign On issue

Former Member
0 Kudos

Hello,

We have a VC++ Windows Explorer type application from where we are launching PLM Core UI (a Web Dynpro application) in Internet Explorer.

When we launch it for the first time, it asks for username and password. If we close the browser now, and try to repeat the same, the login screen is presented again.

I want MYSAPSSO2 cookie being generated to be persistable, which is not happening. Please help.

Regards,

Sukant Kole

14 REPLIES

tim_alsop
Active Contributor
0 Kudos

Hello,

What you are trying to do is not possible using MYSAPSSO2 cookie. Instead, you need to use an SPNEGO login module so that the authentication is performed each time the application logon is required, using Kerberos credentials which are cached outside of the browser in Windows, and obtained when user logs onto a domain account at their workstation. The browser has built-in support for the Negotiate protocol, which is used to implement Integrated Windows Authentication, so you just need to configure the NetWeaver server software to use SPNEGO, and then you will get what you need.

Thanks,

Tim
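An added diagnostic example, not part of the original thread: with SPNEGO configured as described above, the server challenges with `WWW-Authenticate: Negotiate` and the browser answers with `Authorization: Negotiate <token>`. The Python below classifies that token from a captured header, so you can confirm the browser really sent a Kerberos token and not an NTLM one. The function names are hypothetical, the check is a heuristic on well-known byte signatures, and the sample tokens are constructed (they are not valid tickets).

```python
import base64

NTLMSSP = b"NTLMSSP\x00"                    # signature that opens every NTLM message
KRB5_OIDS = (
    bytes.fromhex("2a864886f712010202"),    # 1.2.840.113554.1.2.2 (Kerberos V5)
    bytes.fromhex("2a864882f712010202"),    # 1.2.840.48018.1.2.2 (legacy Microsoft form)
)


def server_offers_negotiate(www_authenticate_values):
    """True if any WWW-Authenticate header value in a 401 response offers Negotiate."""
    return any(v.strip().split(" ")[0].lower() == "negotiate"
               for v in www_authenticate_values)


def classify_negotiate(authorization):
    """Heuristically classify the value of an Authorization request header."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "negotiate" or not token.strip():
        return "not-negotiate"
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:                      # binascii.Error is a ValueError
        return "malformed"
    if NTLMSSP in raw:                      # raw NTLM, or NTLM wrapped in SPNEGO
        return "ntlm"
    # GSS-API tokens start with tag 0x60; look for a Kerberos mechanism OID inside.
    if raw[:1] == b"\x60" and any(oid in raw for oid in KRB5_OIDS):
        return "kerberos"
    return "unknown"


def _constructed(body):
    """Build a constructed header value for the samples below."""
    return "Negotiate " + base64.b64encode(body).decode("ascii")


# Constructed samples: correct signatures, filler payload.
KERBEROS_SAMPLE = _constructed(
    b"\x60\x82\x01\x00\x06\x06\x2b\x06\x01\x05\x05\x02"
    + b"\x06\x09" + KRB5_OIDS[0] + b"\x00" * 32)
NTLM_SAMPLE = _constructed(NTLMSSP + b"\x01\x00\x00\x00" + b"\x00" * 24)

if __name__ == "__main__":
    for sample in (KERBEROS_SAMPLE, NTLM_SAMPLE, "Basic dXNlcjpwdw=="):
        print(classify_negotiate(sample))
```
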

Former Member
0 Kudos

Hello Tim,

Correct me if I am wrong, but SPNegoLoginModule is a JAAS login module, isn't it?

So, will the solution proposed by you still hold true if the WebAS is ABAP instead of JAVA?

Regards,

Sukant Kole

tim_alsop
Active Contributor
0 Kudos

Hi,

Yes, it will work as I explained. The ABAP application would have to be configured using SICF to redirect to the j2ee engine where the login module is installed, and then redirect back again after the login module has authenticated the user and created an sso2 ticket.

Thanks,

Tim

Former Member
0 Kudos

Hi Tim,

Thank you very much for the alternative solution.

But why won't the MYSAPSSO2 cookie approach work?

Are there any other solutions apart from what you proposed earlier?

Thanks & Regards,

Sukant Kole

tim_alsop
Active Contributor
0 Kudos

The approach you described won't work because when the browser is closed it will destroy all session cookies, so the MYSAPSSO2 cookie is removed and this is why you need to authenticate again when the browser is re-opened.

Thanks,

Tim
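An added example, not part of the original thread, of the distinction behind the answer above: a cookie set without an `Expires` or `Max-Age` attribute is a session cookie and is discarded when the browser closes. The Python below classifies a captured `Set-Cookie` header value accordingly; the function name is hypothetical and the header values are constructed samples, not real tickets.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def cookie_lifetime(set_cookie, now=None):
    """Return (name, 'session' | 'persistent' | 'expired') for one Set-Cookie value."""
    now = now or datetime.now(timezone.utc)
    first, *rest = [part.strip() for part in set_cookie.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()

    # Max-Age takes precedence over Expires when both are present.
    max_age = attrs.get("max-age", "")
    if re.fullmatch(r"-?[0-9]+", max_age):
        return name, "persistent" if int(max_age) > 0 else "expired"

    if "expires" in attrs:
        try:
            when = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return name, "session"          # unparseable date: attribute is ignored
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        return name, "persistent" if when > now else "expired"

    # Neither attribute: the cookie lives only as long as the browser session.
    return name, "session"


# Constructed samples (placeholder values, reserved example domain).
SSO_COOKIE = "MYSAPSSO2=CONSTRUCTED-TICKET-VALUE; path=/; domain=.example.test; HttpOnly"
PERSISTENT_COOKIE = "prefs=compact; Path=/; Expires=Mon, 21 Oct 2030 07:28:00 GMT"
FIXED_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for header in (SSO_COOKIE, PERSISTENT_COOKIE):
        print(cookie_lifetime(header, FIXED_NOW))
```
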

Former Member
0 Kudos

Hi,

Please reply to my second question as well.

Regards,

Sukant Kole

tim_alsop
Active Contributor
0 Kudos

Regarding your second question - I am not aware of any other solutions available. The fact is that you need persistence for credentials outside of the browser, and the Kerberos credentials are already present outside of the browser so the solution I proposed will use these credentials to authenticate the user to the SAP system each time they access the application. You will of course gain Single SignOn when you implement this, which you might find useful elsewhere.

Former Member
0 Kudos

Hi,

Are there Microsoft APIs available to implement the Kerberos based solution ?

Regards,

Sukant Kole

tim_alsop
Active Contributor
0 Kudos

You don't need to use any API. You just need to launch the application in Internet Explorer (as you are doing already), and the Kerberos support included in the IE browser will authenticate the user.

Regards,

Tim

Former Member
0 Kudos

Let me put my initial question the following way:

I am launching the URL along with the "ticket" (generated by the ABAP functional module CREATE_RFC_REENTRANCE_TICKET) using the IWebBrowser2's Navigate method with the "ticket" being the header parameter.

But, I am presented with the login screen every time.

Where am I going wrong ?

Regards,

Sukant Kole

tim_alsop
Active Contributor
0 Kudos

Hi,

I am not clear now what you are trying to do. Are you trying to implement Single SignOn, and using the RFC to issue an SSO2 ticket ? If you are, then please confirm if user is closing the browser after logging in, and why are they closing it ? Does SSO work if user doesn't close the browser ? Have you logged in and checked in the browser cache to see if the SSO2 ticket has been issued turned into a cookie ?

Thanks,

Tim

Former Member
0 Kudos

Yes you are right. I am implementing SSO using RFC to provide the SSO2 ticket.

"If you are, then please confirm if user is closing the browser after logging in, and why are they closing it ?"

I was doing this for different scenarios in which SSO will work.

"Does SSO work if user doesn't close the browser ?"

Yes it works.

"Have you logged in and checked in the browser cache to see if the SSO2 ticket has been issued turned into a cookie ?"

Yes I did using Internet Explorer addon (ieHTTPHeaders) which showed that the cookie is formed using SSO2 ticket.

So, my concern is when I am launching the URL along with the SSO2 ticket for the first time in the internet explorer why am I unable to bypass the login screen ?

Regards,

Sukant Kole

tim_alsop
Active Contributor
0 Kudos

Hi,

If the problem you are experiencing is that you get an SSO2 ticket and then (without closing browser) send a message to SAP with the SSO2 cookie and login screen appears again, then perhaps you need to check the work process log on server to find the error, e.g. why the SSO2 ticket was not accepted.

However, I am a bit confused still, because you tell me that you have SSO working and then you say that you send the SSO2 ticket and you are still getting a logon screen ?

I hope you are clear that if you close browser the browser will not send the SSO2 cookie next time it is started so the attempt to logon will require re-authentication.

Thanks,

Tim

Former Member
0 Kudos

Hi Tim,

The issue got solved by altering the Export parameter's (the ticket) size from 255 to 4096 for the backend function module ZRFC_CREATE_REENETRANCE_TICKET_GEN.

"I hope you are clear that if you close browser the browser will not send the SSO2 cookie next time it is started so the attempt to logon will require re-authentication."

You made me comprehend this concept quite early.

"However, I am a bit confused still, because you tell me that you have SSO working and then you say that you send the SSO2 ticket and you are still getting a logon screen ?"

SSO works when:

The user authenticates himself once and an instance of internet explorer is still in the main memory. If he tries to launch the URL again, only then he is able to bypass the login screen.

But, unfortunately this was not the expected behaviour. I was just testing my code to work in different situations.

Anyways the issue got solved.

It was quite wonderful having a discussion with you, and I am grateful for your prompt & elaborate replies.

Regards,

Sukant Kole