cancel
Showing results for 
Search instead for 
Did you mean: 

How to achieve SSO to a web dynpro application triggered from SAPGUI

Former Member
0 Kudos

Hello experts,

A user working with sapgui presses a button on one of the sapgui screens which triggers a locally developed web dynpro application. We wish that the user logon to this application without username or password. I have not been able to find any documentation on how to achieve this.

System is configured for SSO.

Thanks

Boaz

Accepted Solutions (1)

Accepted Solutions (1)

abhimanyu_lagishetti7
Active Contributor
0 Kudos

SSO between different SAP servers and third party Servers, not between Client and Server.

You are running a WDA application from a Client it will definitely ask User ID and Password.

you can set the Logon credentials for the WDA application in SICF, if you don't want the login page.

Abhi

thomas_jung
Developer Advocate
Developer Advocate

>

> SSO between different SAP servers and third party Servers, not between Client and Server.

> You are running a WDA application from a Client it will definitely ask User ID and Password.

> Abhi

That is totally incorrect. That is the second time today that you have provided incorrect information with some certainty. You are a frequent contributor to the forum, but that only makes your incorrect information all the more dangerous. Please be cautious.

Now to the answer:

SSO in general is designed for Client and Server as well as Server to Server. There is also a special SSO mode that is available for the SAPGUI. This is how you can launch a Web Dynrpo or BSP application from SE80 without being prompted for authentication.

This is all done via the class cl_gui_html_viewer.There is a method called ENABLE_SAPSSO. This is a special ticket that is only useful within the context of the SAPGUI HTML Container. However there is also a method of the gui html viewer to open in a new window as well.

DATA: url TYPE string, urlc(2048) TYPE c.
*Build URL - however you want to do it
urlc = url. " type conversion STRING to C
DATA: viewer TYPE REF TO cl_gui_html_viewer.
DATA: empty_container TYPE REF TO cl_gui_container.
CREATE OBJECT viewer EXPORTING parent = empty_container.
CALL METHOD viewer->enable_sapsso
EXPORTING enabled = 'X'
EXCEPTIONS OTHERS = 1.
CALL METHOD viewer->DETACH_URL_IN_BROWSER
EXPORTING url = urlc.
cl_gui_cfw=>flush( ).

Answers (4)

Answers (4)

marco-silva
Participant

Hello thomas.jung,

I know this thread is quite old but I'm struggling with the requirement of execute an SICF service from ABAP without losing the connected session.

I'm already trying with the solution you proposed:

  CREATE OBJECT lo_gui_html_viewer
    EXPORTING
      parent = lo_gui_container
    EXCEPTIONS
      OTHERS = 0.

  CALL METHOD lo_gui_html_viewer->enable_sapsso
    EXPORTING
      enabled = 'X'
    EXCEPTIONS
      OTHERS  = 0.

  CALL METHOD lo_gui_html_viewer->detach_url_in_browser
    EXPORTING
      url    = lv_url
    EXCEPTIONS
      OTHERS = 0.

  cl_gui_cfw=>flush( ).

But at the end the browser opens trying to reach this kind of URL:

http://<server>:<port>/sap/public/myssocntl?sap-client=<client>;

And I get an 500 Internal Server Error

Any idea of what can be wrong in my code / system?

The URL that I want to execute is to request OAuth 2.0 token for a profile (/sap/bc/sec/oauth2/client/grant/authorization/?profile=<myprofile>).

Thank you!

Best regards,

Marco Silva

thomas_jung
Developer Advocate
Developer Advocate

Well I wanted to make sure the code sample still works as its more than a decade old. I recreated the test program on my S/4 1809 system (7.53):

REPORT zbrowser_launch_test.


DATA: empty_container TYPE REF TO cl_gui_container.
DATA(viewer) = NEW cl_gui_html_viewer( parent  = empty_container ).
viewer->enable_sapsso( enabled     = abap_true ).
viewer->detach_url_in_browser(  url = `http://hanapm.local.com:8000/sap/bc/webdynpro/sap/demo_value_help?sap-client=000` ).
cl_gui_cfw=>flush( ).

And it worked perfectly fine:

So the code and concept still work, so I'd have to guess that there is something with the system configuration of your system. However its impossible to say what as I know nothing about your system. We system above is pretty vanilla S/4 with very little post install configuration. I've not even configured HTTPS.

marco-silva
Participant
0 Kudos

thomas.jung, thank you so much for your time and expertise! It helped me to understand what was going wrong!

Here is my guess: when we enable SAP SSO, the system first gets the token from /sap/public/myssocntl and then tries to reach our endpoint.

My problem: the protocol for myssocntl is HTTP and for my endpoint is HTTPS. I was passing my endpoint with HTTPS, so he tries to reach myssocntl with this protocol and fails.

My tested solution: I call the endpoint with the protocol of myssocntl. If the final endpoint node in SICF is well-defined, the system will automatically adapt the call to the right protocol.

Thank you again! You rock.

Former Member
0 Kudos

Thomas,

Thank you very much for giving the solution.

Regards

Boaz

Former Member
0 Kudos

Hello,

I have another question on the same lines.

So it is quite simple to call a Web Dynpro Application from ABAP program. But how do I pass the data to this WD Application?

I have few attributes in WD Component Controller Context. How do pass values to these attributes from ABAP program?

Thanks

Sagar

thomas_jung
Developer Advocate
Developer Advocate
0 Kudos

You can always use URL parameters - they in turn get translated into input parameters for the window start plug. However there are limitations to how much data you can pass via URL parameter. So if I have more than a key or two to pass, I like to serialize the data to XML and then write it into a server cookie (basically just storing it in a temporary database table - but if you aren't familiar with the classes - since they were created for BSP - that do this let me know and I can post a sample) and then just pass the key to the server cookie via the URL parameter. The start plug can then pickup the key from the URL parameter and deserialize the server cookie - adding into its own context.

Former Member
0 Kudos

In a similiar thread, in this forum Thomas Jung, from SAP, wrote. I quote:

The best you can do with standalone ABAP SSO is prompt the user once for authentication and then then generate a ticket off of that.

The only exception is if you are launching your WDA standalone from the SAPGUI. The SAPGUI can generate an SSO ticket off of the SAP logon (SY-UNAME) for use only with the local system. This is how you can run WD applications from SE80 and not be prompted for authentication.

Can someone explain to me how to use this exception?

Thanks.