Connecting 2 Backend Systems, Part Two: Trusted Relationship
This is a blog series in three parts.
Users want single sign-on: they want to log on once and then use applications from any system without entering their password again. Setting up the trusted relationship is what makes single sign-on possible for users.
Before you start: Make sure you have completed Connecting 2 Backend Systems, Part One: RFC Connections
From that blog, note down the name of the RFC destination (ABAP connection, type 3 is fine).
Before you create the trusted relationship, you need to assign your user to a role. This role contains the authorization profile, which in turn specifies: system ID, client, user, and optionally a transaction.
The trusted relationship you then create specifies the RFC destination (from part one, which in turn specifies connection type, IP address, client) and user.
The whole setup looks a bit like this:
Before you start:
- Make sure you have completed Connecting 2 Backend Systems, Part One: RFC Connections. From that blog, note down the name of the RFC destination (ABAP connection, type 3).
- Make sure you have 2 identically-named users, one in each system, ERP and CRM. Check that they are both OK, by logging on to each system in turn.
1. Creating an authorization role and profile (in PFCG)
Start in the calling system - that is, the CRM system (M20 in this blog).
1. Open the transaction Roles (PFCG) and create a role. I called mine ZJP_TRUST.
2. On the Authorizations tab, click the icon beside Profile Name (tooltip = Propose Profile Names):
The system automatically generates a profile name:
3. Choose Save.
4. Once the profile is created, choose Change Authorization Data. (You don't need a template).
5. Add a new profile, by choosing from the toolbar, then enter the authorization object S_RFCACL.
6. Drill down, then enter the following:
7. Choose Generate (also from the toolbar) and save your changes. (If necessary, choose Generate again from the dialog that appears).
8. Now switch to the user tab.
9. Add your user to the role and do a user comparison.
10. Save your changes.
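A check worth running once the role exists, as an added example that is not part of the original blog and is not SAP code: it scans exported role authorization values and flags S_RFCACL entries that accept trusted logons from more systems, clients or users than intended. The row layout, the client 100, the role ZWIDE_TRUST and the choice of M10 as the only accepted system ID are assumptions made for illustration.

```python
"""Audit S_RFCACL values in exported role data (added example)."""
from collections import defaultdict

# Constructed sample rows: (role, authorization object, field, value).
# The row layout, client 100 and role ZWIDE_TRUST are assumptions.
SAMPLE_ROWS = [
    ("ZJP_TRUST", "S_RFCACL", "RFC_SYSID", "M10"),
    ("ZJP_TRUST", "S_RFCACL", "RFC_CLIENT", "100"),
    ("ZJP_TRUST", "S_RFCACL", "RFC_EQUSER", "Y"),   # same-named user on both sides
    ("ZJP_TRUST", "S_RFCACL", "RFC_TCODE", "*"),    # transaction limit is optional
    ("ZJP_TRUST", "S_RFCACL", "ACTVT", "16"),
    ("ZWIDE_TRUST", "S_RFCACL", "RFC_SYSID", "*"),
    ("ZWIDE_TRUST", "S_RFCACL", "RFC_CLIENT", "*"),
    ("ZWIDE_TRUST", "S_RFCACL", "RFC_USER", "*"),
    ("ZWIDE_TRUST", "S_TCODE", "TCD", "*"),         # other object: not audited here
]


def audit_rfcacl(rows, allowed_sids, allowed_clients):
    """Return {role: [finding, ...]} for roles whose S_RFCACL is too broad."""
    expected = {"RFC_SYSID": set(allowed_sids), "RFC_CLIENT": set(allowed_clients)}
    values = defaultdict(lambda: defaultdict(set))
    for role, obj, field, value in rows:
        if obj == "S_RFCACL":
            values[role][field].add(value.strip())

    findings = {}
    for role, fields in values.items():
        issues = []
        # These three fields decide which caller may log on through the trust.
        for field in ("RFC_SYSID", "RFC_CLIENT", "RFC_USER"):
            for value in sorted(fields.get(field, ())):
                if "*" in value:
                    issues.append(f"{field} contains a wildcard")
                elif field in expected and value not in expected[field]:
                    issues.append(f"{field} {value} is not an expected value")
        if issues:
            findings[role] = issues
    return findings


if __name__ == "__main__":
    for role, issues in audit_rfcacl(SAMPLE_ROWS, {"M10"}, {"100"}).items():
        for issue in issues:
            print(f"{role}: {issue}")
```

Pass the system IDs and clients your own trust relationship should accept; a role that appears in the result grants trusted logon more widely than that.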
2. Creating a Trusted-Trusting Connection (in SMT1)
- Still in the CRM System, M20, open the transaction Trusted-Trusting Connections (SMT1).
- Choose Create from the lower toolbar.
- Work through the wizard:
  - Enter the RFC Destination that you created in Connecting 2 Backend Systems, Part One: RFC Connections (connection type = ABAP, type 3).
  - Log on to the ERP System, M10, by entering your user and password. The system will then log on to our ERP System, M10, and create a relationship from M10 to M20.
  - Display Information: All the necessary information, such as the application server name and the security key, is supplied automatically.
  - Configuration (optional): You can specify a validity period or a specific transaction.
  - Finish: When you press this pushbutton in the last dialog box, the trust relationship is set up and can be used.
- Save your changes and log off from M20.
3. In the ERP System: Creating a Trusted-Trusting Connection (in SMT2)
- Log on to the ERP System, M10 - using the same user to which you added the authorization role in Step 1 of this tutorial.
- Open the transaction Trusted-Trusting Connections, SMT2.
- Switch to the tab Systems that trust current system.
- Select the CRM System, M20, and check its status by choosing Single Status.
- The status should turn green.
- Now test the connection:
  - Double-click the system M20.
  - Choose Transaction Call.
  - Enter any transaction for which you are authorized, e.g. SE80. (Optional: Choose New Session = Yes).
The CRM System, M20, should open in a new NWBC shell.
OK, you are nearly finished. You just need to do Connecting 2 Backend Systems, Part Three: Single Sign-On, which doesn't take long.
For more information, e.g. troubleshooting your connections, the following may help: