Single Sign-On Portal
Content
Single Sign-On (Logon Ticket)
Applies to:
EP7.0 SPS14 and above SAP ECC6.0 SPS14 and above
Summary
Single Sign-On provides single point access to systems in the landscape. SSO is mainly categorized into two types SSO using User Mapping method and Logon Ticket method. In the article I have configured SSO using Logon Ticket method Author: Venkata Sriharsha.L
Company: Willsys Infosystems PVT.LTD., Created on: 13 July 2010
Author Bio
Venkata sriharsha has 2 years of experience in IT Industry as SAP NetWeaver Consultant and working on various new dimensional components.Working on SAP EP7.0 , BI and PI implementation, support and maintenance.
SAP COMMUNITY NETWORK © 2010 SAP AG
SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com 1
Single Sign-On (Logon Ticket)
Table of Contents
Single Sign-On (SSO) Configuration .................................................................................................................. 3 Procedure ........................................................................................................................................................ 3
Backend System .......................................................................................................................................................... 3
Configuration Steps: ........................................................................................................................................ 4
Portal System ( Issuing Ticket ) ................................................................................................................................... 4 Backend System: (Accepting Ticket) ........................................................................................................................... 5
Testing SSO: ...................................................................................................................................................... 8 Disclaimer and Liability Notice .......................................................................................................................... 13
SAP COMMUNITY NETWORK © 2010 SAP AG
SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com 2
Single Sign-On (Logon Ticket)
Single Sign-On (SSO) Configuration
Procedure Backend System Login to the backend system with user having authorizations to work with TCD RZ10 Call TCD RZ10 – select “instance profile” -- Extended maintenance – click on “change”
Click on
tab
Set the profile parameter’s Set the parameters Login/accept_sso2_ticket=1 Login/create_ss02_ticket=0 Set these parameters to accept the ticket from issuer (portal) and it can’t create any ticket. Also set the FQHN (fully qualified host name) Icm/host_name_full=<FQHN> ( company name.domain.com)
SAP COMMUNITY NETWORK © 2010 SAP AG
SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com 3
Single Sign-On (Logon Ticket)
Click on Copy tab come BACK SAVE and ACTIVATE the parameters
Note: You have to restart the SAP Instance to get effected by the changes.
Configuration Steps: Portal System ( Issuing Ticket ) Login to portal as Administrator System Administration – System Configuration – Keystore Administration
Select “ Content “ tab SAPLogonTicketKeypair - cert Click on tab and save it on the local system (it will generate ―verify.der.zip‖ file which consist of verify.der file extract the verify.der from verify.der.zip).
SAP COMMUNITY NETWORK © 2010 SAP AG
SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com 4
Single Sign-On (Logon Ticket)
Backend System: (Accepting Ticket) Login to ECC6.0 system Call the TCD STRUSTSSO2
SAP COMMUNITY NETWORK © 2010 SAP AG
SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com 5
Single Sign-On (Logon Ticket)
On the column Certificate – click on icon Import certificate Select the tab File – in File path specify the location of verify.der file that was imported from Portal Select Binary – confirm
On the Certificate column you can see the details of ticket issuer system (Portal)
SAP COMMUNITY NETWORK © 2010 SAP AG
SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com 6
Single Sign-On (Logon Ticket)
Click on tab
to add certificate to system PSE
The above process has to be done only once in the system (i.e., to add certificate to System PSE) 0n the Certificate column click on the tab list. to add certificate to SS0 access control
System ID -- <SID> of the portal Client – 000 (as the portal don’t have client concept) Confirm
Click on SAVE
SAP COMMUNITY NETWORK © 2010 SAP AG
SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com 7
Single Sign-On (Logon Ticket)
Testing SSO:
Defining System Aliases Login to portal with Administrative rights
Create your folder for easy organization
Click on Finish
SAP COMMUNITY NETWORK © 2010 SAP AG
SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com 8
Single Sign-On (Logon Ticket)
Right click on Newly created folder ( here TEST SSO)
Select
based on your requirement click on Next tab
SAP COMMUNITY NETWORK © 2010 SAP AG
SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com 9
Single Sign-On (Logon Ticket)
Click on Next – Finish on left hand side you can see Newly created system (here TEST SSO)
Right click Open—Object
In Property Category select Connector You have fill in the following details of the backend system (here ECC6.0) Application Host – host name of Backend System Gateway Host Gateway Service – sapgw<instance no> Remote Host Type – 3 (connection to R3 system) SAP Client – client where we added ticket to access control list SID SAP System Number Server Port – 32<instance no> (Dispatcher port) as we are using connection type for dedicated application server System Type – SAP_R3 /SAP_BW/SAP_CRM
SAP COMMUNITY NETWORK © 2010 SAP AG
SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com 10
Single Sign-On (Logon Ticket)
Create System Aliases
Specify the Alias Name click on Add -- SAVE
System Administration – Support – SAP Application
SAP COMMUNITY NETWORK © 2010 SAP AG
SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com 11
Single Sign-On (Logon Ticket)
Select Transaction – click on Run
Select System you have defined -- click on Go
It will open window of the backend system if SSO is successful.
Note: In SSO using Logon Ticket method both the frontend (EP) and backend (ECC) should have same users (generally in backend we use service user) .
SAP COMMUNITY NETWORK © 2010 SAP AG
SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com 12
Single Sign-On (Logon Ticket)
Disclaimer and Liability Notice
This document may discuss sample coding or other information that does not include SAP official interfaces and therefore is not supported by SAP. Changes made based on this information are not supported and can be overwritten during an upgrade. SAP will not be held liable for any damages caused by using or misusing the information, code or methods suggested in this document, and anyone using these methods does so at his/her own risk. SAP offers no guarantees and assumes no responsibility or liability of any type with respect to the content of this technical article or code sample, including any liability resulting from incompatibility between the content within this document and the materials and services offered by SAP. You agree that you will not hold, or seek to hold, SAP responsible or liable with respect to the content of this document.
SAP COMMUNITY NETWORK © 2010 SAP AG
SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com 13
Applies to:
EP7.0 SPS14 and above SAP ECC6.0 SPS14 and above
Summary
Single Sign-On provides single point access to systems in the landscape. SSO is mainly categorized into two types SSO using User Mapping method and Logon Ticket method. In the article I have configured SSO using Logon Ticket method Author: Venkata Sriharsha.L
Company: Willsys Infosystems PVT.LTD., Created on: 13 July 2010
Author Bio
Venkata sriharsha has 2 years of experience in IT Industry as SAP NetWeaver Consultant and working on various new dimensional components.Working on SAP EP7.0 , BI and PI implementation, support and maintenance.
SAP COMMUNITY NETWORK © 2010 SAP AG
SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com 1
Single Sign-On (Logon Ticket)
Table of Contents
Single Sign-On (SSO) Configuration .................................................................................................................. 3 Procedure ........................................................................................................................................................ 3
Backend System .......................................................................................................................................................... 3
Configuration Steps: ........................................................................................................................................ 4
Portal System ( Issuing Ticket ) ................................................................................................................................... 4 Backend System: (Accepting Ticket) ........................................................................................................................... 5
Testing SSO: ...................................................................................................................................................... 8 Disclaimer and Liability Notice .......................................................................................................................... 13
SAP COMMUNITY NETWORK © 2010 SAP AG
SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com 2
Single Sign-On (Logon Ticket)
Single Sign-On (SSO) Configuration
Procedure Backend System Login to the backend system with user having authorizations to work with TCD RZ10 Call TCD RZ10 – select “instance profile” -- Extended maintenance – click on “change”
Click on
tab
Set the profile parameter’s Set the parameters Login/accept_sso2_ticket=1 Login/create_ss02_ticket=0 Set these parameters to accept the ticket from issuer (portal) and it can’t create any ticket. Also set the FQHN (fully qualified host name) Icm/host_name_full=<FQHN> ( company name.domain.com)
SAP COMMUNITY NETWORK © 2010 SAP AG
SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com 3
Single Sign-On (Logon Ticket)
Click on Copy tab come BACK SAVE and ACTIVATE the parameters
Note: You have to restart the SAP Instance to get effected by the changes.
Configuration Steps: Portal System ( Issuing Ticket ) Login to portal as Administrator System Administration – System Configuration – Keystore Administration
Select “ Content “ tab SAPLogonTicketKeypair - cert Click on tab and save it on the local system (it will generate ―verify.der.zip‖ file which consist of verify.der file extract the verify.der from verify.der.zip).
SAP COMMUNITY NETWORK © 2010 SAP AG
SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com 4
Single Sign-On (Logon Ticket)
Backend System: (Accepting Ticket) Login to ECC6.0 system Call the TCD STRUSTSSO2
SAP COMMUNITY NETWORK © 2010 SAP AG
SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com 5
Single Sign-On (Logon Ticket)
On the column Certificate – click on icon Import certificate Select the tab File – in File path specify the location of verify.der file that was imported from Portal Select Binary – confirm
On the Certificate column you can see the details of ticket issuer system (Portal)
SAP COMMUNITY NETWORK © 2010 SAP AG
SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com 6
Single Sign-On (Logon Ticket)
Click on tab
to add certificate to system PSE
The above process has to be done only once in the system (i.e., to add certificate to System PSE) 0n the Certificate column click on the tab list. to add certificate to SS0 access control
System ID -- <SID> of the portal Client – 000 (as the portal don’t have client concept) Confirm
Click on SAVE
SAP COMMUNITY NETWORK © 2010 SAP AG
SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com 7
Single Sign-On (Logon Ticket)
Testing SSO:
Defining System Aliases Login to portal with Administrative rights
Create your folder for easy organization
Click on Finish
SAP COMMUNITY NETWORK © 2010 SAP AG
SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com 8
Single Sign-On (Logon Ticket)
Right click on Newly created folder ( here TEST SSO)
Select
based on your requirement click on Next tab
SAP COMMUNITY NETWORK © 2010 SAP AG
SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com 9
Single Sign-On (Logon Ticket)
Click on Next – Finish on left hand side you can see Newly created system (here TEST SSO)
Right click Open—Object
In Property Category select Connector You have fill in the following details of the backend system (here ECC6.0) Application Host – host name of Backend System Gateway Host Gateway Service – sapgw<instance no> Remote Host Type – 3 (connection to R3 system) SAP Client – client where we added ticket to access control list SID SAP System Number Server Port – 32<instance no> (Dispatcher port) as we are using connection type for dedicated application server System Type – SAP_R3 /SAP_BW/SAP_CRM
SAP COMMUNITY NETWORK © 2010 SAP AG
SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com 10
Single Sign-On (Logon Ticket)
Create System Aliases
Specify the Alias Name click on Add -- SAVE
System Administration – Support – SAP Application
SAP COMMUNITY NETWORK © 2010 SAP AG
SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com 11
Single Sign-On (Logon Ticket)
Select Transaction – click on Run
Select System you have defined -- click on Go
It will open window of the backend system if SSO is successful.
Note: In SSO using Logon Ticket method both the frontend (EP) and backend (ECC) should have same users (generally in backend we use service user) .
SAP COMMUNITY NETWORK © 2010 SAP AG
SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com 12
Single Sign-On (Logon Ticket)
Disclaimer and Liability Notice
This document may discuss sample coding or other information that does not include SAP official interfaces and therefore is not supported by SAP. Changes made based on this information are not supported and can be overwritten during an upgrade. SAP will not be held liable for any damages caused by using or misusing the information, code or methods suggested in this document, and anyone using these methods does so at his/her own risk. SAP offers no guarantees and assumes no responsibility or liability of any type with respect to the content of this technical article or code sample, including any liability resulting from incompatibility between the content within this document and the materials and services offered by SAP. You agree that you will not hold, or seek to hold, SAP responsible or liable with respect to the content of this document.
SAP COMMUNITY NETWORK © 2010 SAP AG
SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com 13
