
Single Sign-On Portal


SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com

© 2010 SAP AG 1

Single Sign-On (Logon Ticket)

Applies to:

EP7.0 SPS14 and above

SAP ECC6.0 SPS14 and above

Summary

Single Sign-On provides single point access to systems in the landscape. SSO is mainly categorized into two types: SSO using the User Mapping method and SSO using the Logon Ticket method. In this article I have configured SSO using the Logon Ticket method.

Author: Venkata Sriharsha.L

Company: Willsys Infosystems PVT.LTD.,

Created on: 13 July 2010

Author Bio

Venkata Sriharsha has 2 years of experience in the IT industry as an SAP NetWeaver Consultant, working on various new dimensional components. Working on SAP EP7.0, BI and PI implementation, support and maintenance.


Table of Contents

Single Sign-On (SSO) Configuration

  Procedure
    Backend System

  Configuration Steps:
    Portal System ( Issuing Ticket )
    Backend System: (Accepting Ticket)

  Testing SSO:

Disclaimer and Liability Notice


Single Sign-On (SSO) Configuration

Procedure

Backend System

Log in to the backend system with a user authorized to work with transaction code (TCD) RZ10

Call TCD RZ10 – select “Instance profile” – Extended maintenance – click on “Change”

Click on tab

Set the profile parameters:

login/accept_sso2_ticket=1

login/create_sso2_ticket=0

With these values the backend accepts logon tickets from the issuer (the portal) and does not create tickets itself.

Also set the FQHN (fully qualified host name):

icm/host_name_full=<FQHN> (companyname.domain.com)


Click on the Copy tab, then go Back

SAVE and ACTIVATE the parameters

Note: You have to restart the SAP instance for the changes to take effect.
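A check for the three backend profile settings above, added here as an example (it is not part of the original article or of SAP tooling). It assumes the profile is available as text with `name = value` entries and `#` comment lines, and that parameter names are matched in SAP's documented lower-case spelling; the sample profile is constructed.

```python
import re

# Values the article sets on the ticket-accepting backend.
EXPECTED = {"login/accept_sso2_ticket": "1", "login/create_sso2_ticket": "0"}
FQHN_PARAM = "icm/host_name_full"
# Assumption: a usable FQHN is at least host.domain.tld, built from DNS labels.
FQHN_RE = re.compile(r"^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.){2,}[a-z]{2,63}$", re.I)

# Constructed sample profile excerpt (not from a real system).
SAMPLE_PROFILE = """\
# SSO settings
Login/accept_sso2_ticket = 1
login/create_sso2_ticket = 1
icm/host_name_full = ecchost
"""


def parse_profile(text):
    """Parse 'name = value' lines, skipping blanks and '#' comments; later entries win."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def fold(name):
    """Fold case and the 0/o confusion so near-miss spellings can be spotted."""
    return name.lower().replace("0", "o")


def audit(text):
    """Return findings for the ticket-accepting settings; an empty list means OK."""
    params, findings = parse_profile(text), []
    for name in [*EXPECTED, FQHN_PARAM]:
        if name not in params:
            near = [k for k in params if fold(k) == fold(name)]
            findings.append(f"MISSING {name}" + (f" (look-alike entry: {near[0]})" if near else ""))
    for name, want in EXPECTED.items():
        if name in params and params[name] != want:
            findings.append(f"WRONG {name}={params[name]} (expected {want})")
    host = params.get(FQHN_PARAM)
    if host is not None and not FQHN_RE.match(host):
        findings.append(f"NOT_FQHN {FQHN_PARAM}={host}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_PROFILE)) or "profile OK")
```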

Configuration Steps:

Portal System ( Issuing Ticket )

Log in to the portal as Administrator

System Administration – System Configuration – Keystore Administration

Select the “Content” tab

SAPLogonTicketKeypair-cert

Click on tab and save it on the local system (it will generate a “verify.der.zip” file which contains the verify.der file; extract verify.der from verify.der.zip).
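The certificate in verify.der becomes what the backend trusts for logon tickets, so it is worth confirming that the file which reaches the backend is the one the portal exported. The following is an added example, not part of the original article: it unpacks verify.der.zip, checks that the file is binary DER of the declared length, and compares its SHA-256 fingerprint with one obtained from the portal administrator over a separate channel (that step is an assumption; the article does not describe it). The sample archive is constructed and its body is not a real certificate.

```python
import hashlib
import io
import zipfile


def extract_verify_der(zip_bytes):
    """Return verify.der from verify.der.zip after basic integrity checks."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        if zf.namelist() != ["verify.der"]:
            raise ValueError(f"unexpected archive contents: {zf.namelist()}")
        der = zf.read("verify.der")
    # A binary (DER) certificate is one ASN.1 SEQUENCE: tag 0x30, length, body.
    if len(der) < 2 or der[0] != 0x30 or der[1] == 0x80:
        raise ValueError("not DER encoded (Base64/PEM file?)")
    if der[1] < 0x80:                       # short-form length
        header, body = 2, der[1]
    else:                                   # long form: n length bytes follow
        n = der[1] & 0x7F
        header, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + body != len(der):
        raise ValueError("DER length does not match file size")
    return der


def sha256_fingerprint(der):
    """Colon-separated upper-case SHA-256 fingerprint of the DER bytes."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(der, expected):
    """Compare with a fingerprint received out-of-band, ignoring colons, spaces, case."""
    clean = expected.replace(":", "").replace(" ", "").upper()
    return sha256_fingerprint(der).replace(":", "") == clean


def constructed_zip(der=b"\x30\x82\x01\x00" + bytes(256)):
    """Constructed stand-in for the portal download (body is not a real certificate)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("verify.der", der)
    return buf.getvalue()


if __name__ == "__main__":
    print(sha256_fingerprint(extract_verify_der(constructed_zip())))
```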


Backend System: (Accepting Ticket)

Log in to the ECC6.0 system

Call the TCD STRUSTSSO2


In the Certificate column, click on the Import certificate icon

Select the File tab; in File path specify the location of the verify.der file that was saved from the portal

Select Binary – confirm

In the Certificate column you can see the details of the ticket issuer system (the portal)


Click on tab to add the certificate to the system PSE

The above process has to be done only once in the system (i.e., to add the certificate to the system PSE)

In the Certificate column, click on the tab to add the certificate to the SSO access control list.

System ID – <SID> of the portal

Client – 000 (as the portal does not have a client concept)

Confirm

Click on SAVE


Testing SSO:

Defining System Aliases

Log in to the portal with administrative rights

Create your folder for easy organization

Click on Finish


Right-click on the newly created folder (here TEST SSO)

Select based on your requirement, then click on the Next tab


Click on Next – Finish

On the left-hand side you can see the newly created system (here TEST SSO)

Right-click – Open – Object

In Property Category select Connector

You have to fill in the following details of the backend system (here ECC6.0):

Application Host – host name of the backend system

Gateway Host

Gateway Service – sapgw<instance no>

Remote Host Type – 3 (connection to R3 system)

SAP Client – client where we added the ticket to the access control list

SID

SAP System Number

Server Port – 32<instance no> (dispatcher port), as we are using the connection type for a dedicated application server

System Type – SAP_R3 / SAP_BW / SAP_CRM


Create System Aliases

Specify the alias name, click on Add, then SAVE

System Administration – Support – SAP Application


Select Transaction – click on Run

Select the system you have defined – click on Go

It will open a window of the backend system if SSO is successful.

Note: In SSO using the Logon Ticket method, both the frontend (EP) and the backend (ECC) should have the same users (generally in the backend we use a service user).


Disclaimer and Liability Notice

This document may discuss sample coding or other information that does not include SAP official interfaces and therefore is not supported by SAP. Changes made based on this information are not supported and can be overwritten during an upgrade.

SAP will not be held liable for any damages caused by using or misusing the information, code or methods suggested in this document, and anyone using these methods does so at his/her own risk.

SAP offers no guarantees and assumes no responsibility or liability of any type with respect to the content of this technical article or code sample, including any liability resulting from incompatibility between the content within this document and the materials and services offered by SAP. You agree that you will not hold, or seek to hold, SAP responsible or liable with respect to the content of this document.