Sap Webgui Sso

1. Sap Webgui Sso Login
2. Sap Webgui Sso Not Working
3. Sap Webgui Sso Logon Not Possible
4. Sap Fiori Webgui Sso
5. Sap Webgui Sso Kerberos
6. Sap Webgui Sso Between Two Systems
7. Sap Tivoli Webgui Sso

Chapter 6
Single Sign-On Solution for SAP Internet Transaction Server 2.0

Sap Webgui Sso Login

This chapter describes the steps needed to integrate Sun ONE Identity Server into a Single Sign-On (SSO) environment with SAP's Internet Transaction Server (ITS) 2.0. Topics in this chapter include:

Introduction

SAP ITS 2.0 acts as the gateway between your web server and the backend SAP R/3 application server by adding an HTML-based user interface to SAP applications. It is composed of two parts, WGate and AGate. WGate establishes the connection between ITS and the Web server and forwards user requests to AGate, which establishes the connection to the SAP R/3 system and performs processing tasks that are required to move data between SAP R/3 applications and the Internet. WGate resides on the same computer as the web server, as a server extension.

HTTPS configuration on ABAP system. Before we run into the configuration make sure you have.

• STEP 4: Login In to the SAP GUI though Web. The purpose is this document is to show step by step to configure webgui for SAP Netweaver. Applies to SAP Netweaver R/3 System. Author: Priyashantha Fernando. Company: CPSTL – Sri Lanka. Step 1: Verifying the configuration parameters for ICM. Use Transaction SMICM (ICM Monitor).
• How do I get SAP to sign this data with the Private Key in STRUST. I have looked at a few of the standard classes such as CLSMIME / CLSTCRYPTOX509 – my thinking is that I could create an instance based on my SSL Client Identity I have created.
• This procedure configures the single sign-on between the SAP Configuration Panel and the SAP ABAP system. Steps 1 - 8 configure the SSO in the Configuration Panel. Steps 9 - 11 configure the SSO in the SAP ABAP system.
• 2786913-Fiori: SSO does not work or incorrect client for some Web Dynpro/WebGUI applications, but works for others Symptom When opening a WebGUI (SAP GUI for HTML) or Web Dynpro application/tile from the Fiori Launchpad, SSO does not work or the incorrect client is used so the end user is presented with a logon screen.

Sun ONE Identity Server along with Sun ONE Identity Server Policy Agent provides a natural integration between the SAP applications and non-SAP applications through the use of the SAP Pluggable Authentication Service (PAS).

Architecture Details

SSO is achieved through the use of PAS provided by SAP. PAS supports several types of external authentication methods, including X.509 Certificates, NTLM, NTPassword, LDAP, HTTP and dynamic libraries (DLL). This SSO solution, using Sun ONE Identity Server, uses the DLL method for external authentication. This scenario offers SSO using a partner-specific library, which is a shared library and is developed using SAP's SDK for PAS. SAP's SDK has four functions, and provides an interface to the ITS system without the knowledge of the XGateway interface of the ITS itself.

The process flow in the SSO environment is as follows:

A user issues an HTTP request to a SAP service named sapdll.
The request is intercepted by the policy agent. Since there is no valid SSOToken in the request, the user is redirected to Sun ONE Identity Server for authentication.
Upon successful authentication, the user is granted access to the sapdll service. This is the PAS dynamic link library which communicates with Sun ONE Identity Server and verifies the validity of the SSO Token.
The PAS dynamic link library then sets the value of ~login to that of the user who authenticated with Sun ONE Identity Server and is mapped in the SAP system.
PAS then issues a SAP logon ticket for the user, which is set in the user's browser.
PAS reroutes the user to the requested service (such as Webgui).

Prerequisites

The following steps are prerequisite to ensuring that SSO scenario works properly:

Install and configure two ITS instances. The first instance is the regular ITS which hosts the Webgui service, and the second instance is the ITS administration which hosts the PAS service.
Configure at least one SAP system to issue SAP SSO (SSO2 logon) tickets
Configure the other SAP systems to accept SSO2 logon tickets.
Ensure that the browser supports and accepts cookies because SSO2 logon tickets are saved as browser cookies.
Configure SAP Secure Network Connections (SNC) on the ticket-issuing SAP system, but not necessarily on the ticket-accepting system. SNC is a software layer in the SAP system architecture, which assures safe communication between trusted SAP components. It requires a cryptographic library to secure the data communication paths between the various SAP systems.
Configure PAS to use an external authentication mechanism. For details, refer SAP documentation.
Install and configure Sun ONE Identity Server and Sun ONE Identity Server Policy Agent for Sun ONE Web Server 6.0.

Installing PAS

PAS must be installed on the Administration AGate (ADM) instance. The library needed for PAS (sapextauth.dll) is supplied with SAP ITS from 4.6D C3 onwards, and is also located in the ITS program directory. For detailed instructions to install PAS, see SAP documentation.

The required service and template files must be installed in the respective instance in the subdirectories services and templates, respectively. To do so, you can unpack ITS package ntauth.sar from the SAP Service Marketplace or from the server component CD in path ITScommonpackages211, or create the following files manually:

templatespasname99login.html
templatespasname99extautherror.html

For details of these template files, see section SAP Template Files.

It is important to note that two separate AGate instances are required on the ticket issuing system. While PAS is installed on the ADM instance of the ticket issuing system, the Webgui service is hosted on the other AGate instance. On a ticket accepting system, only the Webgui service is hosted on the typical AGate instance.

Configuring the SAP Systems

To set up the SSO environment, you need to configure at least one SAP system to issue SSO2 logon tickets and some other systems to accept the SSO2 logon tickets. The following sections provide steps to configure these systems.

Configuring SAP R/3 System and the ITS instance

As stated in the section Prerequisites, the connection between AGate and the ticket-issuing SAP system need to be configured for SNC. The following instructions describe how to configure the SAP R/3 system and its corresponding ITS instance. For instructions on how to install SNC, please refer to the SAP SNC User's Guide.

On the ticket issuing SAP R/3 system, configure the following parameters in the DEFAULT.PFL file.

Table 6-1 Parameters in DEFAULT.PFL

Parameter	Value
snc/enable	1
snc/gssapi_lib	path_to_SAPCRYPTOLIB
snc/identity/as	SNC name of the application server
snc/data_protection_max	3
snc/data_protection_min	1
snc/data_protection_use	2

Specify AGate's SNC information in the system access control list for SNC. This list is available in the table SNCSYSACL, view VSNCSYSACL and TYPE=E.
Enter the SNC name for AGate in the SNC name field.
Entry for diag activated
Create a generic entry for AGate in the extended user access control list. This list is available in the table USRACLEXT:
Enter AGate's SNC name in the SNC name field
If you require external user name mapping, you need to maintain the mapping in the table USREXTID.
In the ITS component's AGATE global.srvc file, configure these parameters:

Table 6-2 Parameters in global.srvc

Parameter	Value
~Type	2
~SncNameAgate	SNC name of AGate and ITS Manager
~sncNameR3	SNC name of the application server
~sncQoPR3	2
~secure	0

Make sure the environment variable SNC_LIB contains the path and file name of sapcryptolib.

Configuring the System to Issue SSO2 Logon Tickets

Use the following steps to configure the SAP R/3 Stem as well as its corresponding ITS instance for issuing SAP SSO2 logon tickets.

Stop the running AGate instance on the ITS server, if necessary.
Set the parameters in the global service file global.srvc:

Table 6-3 Parameters in global.srvc

Parameter	Value
~login	(space)
~password	(space)
~cookies	1
~mysapcomusesso2cookie	1
~mysapcomnosso1cookie	1
~mysapcomssonoits	1
~mycomgetsso2cookie	1
~secure	0
~type	2

Set the following parameters in the application server's profile on the ticket issuing SAP R/3 system by modifying DEFAULT.PFL:

Table 6-4 Parameters in DEFAULT.PFL

Parameter	Value
login/accept_sso2_ticket	1
login/create_sso2_ticket	2
login/ticket_expiration_time	Desired Value

Execute the SSO administration wizard (transaction SSO2 in the SAP system).
Choose Edit->Activate Workplace.

Configuring Systems to Accept SSO2 Logon Tickets

To configure the component systems to accept and verify SSO2 logon tickets:

In the global service file global.srvc, set the following parameters:

Table 6-5 Parameters in global.srvc

Parameter	Value
~login	(space)
~password	(space)
~mysapcomusesso2cookie	1

On all of the component systems' application servers, set the following profile parameters:

Table 6-6 Parameters in the Component Systems' Application Servers

Parameter	Value
login/accept_sso2_ticket	1
login/create_sso2_ticket	0 Adobe acrobat pro 9 key.

Execute the Transaction SSO2 using the SSO administration wizard on the SAP R/3 system.
Enter the RFC destination or the host name and system number for the ticket issuing system.
If the report indicates errors on the SAP R/3 system, correct these errors on the ticket issuing SAP R/3 system and re-execute the SSO administration wizard on the component systems.
To initiate the configuration steps on the component system, choose Edit->Activate Workplace. Red traffic lights indicate errors in the configuration.
Place the PAS shared library in the programs directory of the SAP instance. After you have installed the policy agent, copy the policy agent shared libraries also to this directory. For details, see section Installing and Configuring the Policy Agent.

Each SAP service must have its own corresponding template files and service files. The SAPDLL service file will follow the same naming conventions as the rest of the SAP services, that is, if the service name is sapdll, the service file name will be sapdll.srvc. For more information on the template files, see section SAP Template Files.

The sapdll.srvc service file must be configured as follows. This file must be located under SAP Install_dir/SAP/ITS/2.0/ADM/services.

Table 6-7 Parameters in sapdll.srvc

Sap Webgui Sso Not Working

Installing and Configuring the Policy Agent

Once you have configured the SAP R/3 systems and Sun ONE Identity Server, you can install Sun ONE Identity Server Policy Agent, version 2.1 for Sun ONE Web Server 6.0. For details on installing and configuring the policy agent, see Chapter 2 of this guide.

For the SSO solution to work properly, you must take care of the following:

In Identity Server, policies must exist to allow or deny user access to the SAP service and resources.

The SAP Service typically resides at:

http://host.domain:port/scripts/wgate/sapdll/!

This is the URL for the sapdll PAS module service, which eventually redirects the user to the requested resource as indicated by the parameters ~redirectHost and ~redirectQS in the sapdll.srvc file. Policies must exist to protect the service (/scripts/wgate/sapdll/!) and the corresponding redirecting resource. For information on creating policies in Sun ONE Identity Server, please see Sun ONE Identity Server documentation.

The following policy agent shared libraries must be placed in the programs directory of your SAP ITS instance (Program FilesSAPITS2.0programs). For the PAS shared library to work properly, it is absolutely necessary that the shared libraries for the policy agent are accessible.

The following are the libraries that you will need:

libnspr4.dll
libplds4.dll
nss3.dll
The global.srvc file on the ITS which hosts the Webgui service must contain at least the following parameters:

Table 6-8 Required Parameters in global.srvc

Parameter	Value
~client	000
~cookies	1
~exiturl	http://s1is_host:port/amserver/UI/Logout
~login	(space)
~password	(space)
~xgateway	sapdiag
~xgateways	sapxgadm,sapdiag,sapxgwfc,sapxginet,sapxgbc,sapextauth
~mysapcomgetsso2cookie	1
~mysapcomusesso2cookie	1
~mysapcomnosso1cookie	1
~mysapcomssonoits	1

Sap Webgui Sso Logon Not Possible

SAP Template Files

Along with the SAP Service file (sapdll.srvc), a template directory needs to be created under ADM/templates and it must contain the default templates. These templates are presented here. You can create these files manually at this location:

templatespasname<99>extautherror.html

Sap Fiori Webgui Sso

Template file login.html

Code Example 6-1 Template file login.html

Template file extautherror.html

Code Example 6-2 Template file extautherror.html

Template file redirect.html

Code Example 6-3 Template file redirect.html

Sap Webgui Sso Kerberos

Code Example 6-1 Template file login.html

Template file extautherror.html

Code Example 6-2 Template file extautherror.html

Template file redirect.html

Code Example 6-3 Template file redirect.html

Sap Webgui Sso Kerberos

Sap Webgui Sso Between Two Systems

Sap Tivoli Webgui Sso

Copyright 2004 Sun Microsystems, Inc. All rights reserved.