SSO for Portal

Private_Member_82764
Active Participant
0 Kudos

Dear all:

Currently I am running BI 7.0 (NW04s). I have implemented SSO for AS-ABAP using Kerberos without problems. However, all my users will only be able to log in to the portal instead of AS-ABAP to run reports or dashboards.

For Portal and BEx, I just wonder what the best method (maybe the easiest way) is to implement SSO for the portal, since there are a few options available. Thanks.

1 ACCEPTED SOLUTION

Private_Member_82764
Active Participant
0 Kudos

Thank you for all your responses. Yes, I am using SAP logon ticket and it seems to be working fine, but I was confused with ABAP SSO and Portal SSO because I don't need to put in account & password to log in to ABAP after SSO is configured, and I thought Portal would do the same using SAP logon ticket, but that is not the case.

I used SAP logon ticket via the URL link to the portal and I still need to put in account and password at least once unless I use some other methods or 3rd party software for Portal SSO.

7 REPLIES 7

fredrik_borlie
Contributor
0 Kudos

Hi, we have looked into this ourselves and it is quite tricky.

There are many things that have to be working together to make it work.

For instance, what source would you use for the basic trust?

Do you have to align the domain names of the servers?

Etc..

When you know all this, then you can create your single sign on into the portal..

However there are some 3rd party providers that can assist you with this. Here are some examples:

Siteminder by CA

Trustbroker by Cybersafe

Full list at:

http://www1.sap.com/solutions/security/partners/index.epx

Regards

Fredrik

former_member698570
Active Participant
0 Kudos

Hi,

Do you want to access the ABAP system via SAP GUI or are you accessing HTTP resources?

In both cases you can use the SAP Logon Ticket issued by the SAP J2EE to log in to your AS-ABAP from the portal. All you have to do is export the J2EE certificate (verify.der) by accessing System Administration > System Configuration > Keystore Administration (Download verify.der).

This file has to be imported into the PSE of your AS-ABAP using transaction strustsso2 (import the certificate into the certificate list and the Access Control List).

You will also have to make sure that the AS-ABAP accepts logon tickets (use rz10 to edit your profile and modify parameter login/accept_sso2_ticket if necessary; the value should be 1).

After that you have to create a system object in the portal to access your backend system, and afterwards you either create a URL iView for HTTP communication or a SAP transaction iView for accessing the backend using SAP GUI!

Hope this helps

Cheers

Private_Member_82764
Active Participant
0 Kudos

Thank you for all your responses. Yes, I am using SAP logon ticket and it seems to be working fine, but I was confused with ABAP SSO and Portal SSO because I don't need to put in account & password to log in to ABAP after SSO is configured, and I thought Portal would do the same using SAP logon ticket, but that is not the case.

I used SAP logon ticket via the URL link to the portal and I still need to put in account and password at least once unless I use some other methods or 3rd party software for Portal SSO.

0 Kudos

Hi,

I did not yet try to do that but you can access the portal using a SAP Logon Ticket as well.

In order to do this you have to configure the Portal / J2EE appropriately.

- First of all you will have to import the certificates of all your source systems (your ABAP systems) into the trusted keystore

(In Portal choose System Administration > System Configuration > Keystore Administration: Button Import Trusted Certificate)

=> see documentation referenced below!

- Make sure your ABAP system is configured not only to accept but also to create logon tickets. (This will only work when you access the ABAP system via HTTP, since your logon ticket is a cookie which will be carried by your browser. So when accessing the ICM your ABAP system should create a logon ticket after successful login! => I did not yet try but I guess this is how it should work!)

- The EvaluateAssertionTicketLoginModule (instead of EvaluateTicketLoginModule) has to be configured in the Logon Stack of the application you are accessing in the SAP J2EE (e.g. /irj/portal)

See the following documentation which might be helpful:

http://help.sap.com/erp2005_ehp_03/helpdata/EN/42/dddfda02302cede10000000a1553f7/frameset.htm

When all this is done you should be able to log on to the portal using a logon ticket issued by your SAP system.

<removed_by_moderator>

Cheers

Edited by: Julius Bussche on Jul 11, 2008 7:34 PM
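Added example, not part of any post in this thread: a small Python check of the two profile parameters the replies above rely on, `login/accept_sso2_ticket` and `login/create_sso2_ticket`, against the role a system is meant to play. The function names and the sample profile are hypothetical and constructed for illustration; the value meanings for `login/create_sso2_ticket` follow SAP's parameter documentation, and an unset parameter is only reported, since the kernel default depends on the release.

```python
import re

# Value meanings for login/create_sso2_ticket, per SAP's parameter documentation.
CREATE_MEANING = {"0": "no tickets", "1": "logon ticket with certificate",
                  "2": "logon ticket without certificate", "3": "assertion tickets only"}

# Constructed sample profile, not taken from any real system.
SAMPLE_PROFILE = """\
SAPSYSTEMNAME = BWP
login/accept_sso2_ticket = 0
login/create_sso2_ticket = 2   # left over from an earlier test
login/accept_sso2_ticket = 1
"""

def parse_profile(text):
    """Return {parameter: value}. '#' starts a comment; the last assignment wins."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = re.match(r"^([\w/.\-]+)\s*=\s*(.*)$", line)
        if match:
            params[match.group(1)] = match.group(2).strip()
    return params

def check_sso2(text, accepts, issues):
    """Compare the two SSO2 parameters with the role the system is meant to play."""
    params = parse_profile(text)
    accept = params.get("login/accept_sso2_ticket")
    create = params.get("login/create_sso2_ticket")
    findings = []
    if accepts and accept != "1":
        findings.append(f"accept_sso2_ticket is {accept or 'unset'}, expected 1")
    if not accepts and accept == "1":
        findings.append("accept_sso2_ticket is 1 on a system not meant to accept tickets")
    if issues and create not in ("1", "2"):
        state = CREATE_MEANING.get(create, "unset or unknown")
        findings.append(f"create_sso2_ticket is {create or 'unset'} ({state}), expected 1 or 2")
    if not issues and create in ("1", "2"):
        findings.append(f"create_sso2_ticket is {create} ({CREATE_MEANING[create]}) on a non-issuer")
    return findings

if __name__ == "__main__":
    # Backend that should only accept portal-issued tickets, as in the first reply.
    for finding in check_sso2(SAMPLE_PROFILE, accepts=True, issues=False):
        print("FINDING:", finding)
```

Every system that issues logon tickets becomes a trust anchor for each system that imports its certificate, so a backend that only needs to accept portal tickets is best kept from issuing its own.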

0 Kudos

>

> Thank you for all your responses. Yes, I am using SAP logon ticket and it seems to be working fine, but I was confused with ABAP SSO and Portal SSO because I don't need to put in account & password to log in to ABAP after SSO is configured, and I thought Portal would do the same using SAP logon ticket, but that is not the case.

>

> I used SAP logon ticket via the URL link to the portal and I still need to put in account and password at least once unless I use some other methods or 3rd party software for Portal SSO.

If you are using Kerberos for AS ABAP then you must be using SNC and using a GSS-API Kerberos library. Is this correct?

If you want to implement the same/similar authentication for the portal, then you need to consider using the Negotiate protocol (aka SPNEGO) for access to any Web-based SAP application, such as the portal. This also uses Kerberos, so the user authentication method is the same as for your AS-ABAP.

Thanks,

Tim

Private_Member_82764
Active Participant
0 Kudos

Thank you for your response again, but it has been done. Portal is AS-Java, so the procedure is pretty much the same, except that different versions have different templates, so they come with different procedures. You still need to log in once using your account and password, unlike AS-ABAP, where you don't need to. Thank you for your help and I will still give you points. Thanks.

Private_Member_82764
Active Participant
0 Kudos

Thanks. That is what I am looking for.