Way-to-Sap-Basis@googlegroups.com

Single Sign-On to SAP Systems


This section summarizes the different scenarios for Single Sign-On to SAP Systems. Which method of Single
Sign-On (SSO) you use with a SAP System depends on various parameters, such as the release of the
system. There are different prerequisites, for example, users must have the same user ID in all SAP Systems
that are accessed via SSO with SAP logon tickets.

The following diagram helps you find out which method of Single Sign-On to use with a specific SAP System.

Scenario 1: Single Sign-On using SAP logon tickets without user mapping

Users must have the same user IDs in all SAP systems that are accessed via SSO with SAP logon tickets. If
the SAP user IDs are the same as the portal user IDs, user mapping is not required. You need to perform the
following steps:

1. Configure Portal Server for SSO with SAP Logon Tickets


2. Configure SAP Systems to Accept and Verify SAP Logon Tickets

Scenario 2: Single Sign-On using SAP logon tickets with user mapping

If users have different user IDs in the SAP Systems than in the portal, you must define an SAP reference
system and map each user's portal user ID to their user ID in the reference system. You must perform the
following steps:

1. Define an SAP R/3 Reference System for User Data


2. Configure Portal Server for SSO with SAP Logon Tickets
3. Configure SAP Systems to Accept and Verify SAP Logon Tickets
4. Each user must map his or her portal user ID to his or her user ID in the SAP reference system as
described in Mapping Users: Self Registration by User.

Scenario 3: Single Sign-On using user ID and password with user mapping

There are two cases where you would use this method of Single Sign-On:

• The SAP System has Release 3.1I, which does not support SAP logon tickets (tickets require Release 4.0B
or higher).


• Users have a different user ID in the SAP System in question than in the reference SAP System used
for logon tickets.

You must perform the following step:

Configuring SSO with User ID and Password to SAP Systems



Configuring Portal Server for SSO with SAP Logon Tickets
Use
By default, the Portal Server creates and digitally signs SAP logon tickets for users, so no settings are
required for the basic case. The settings that are needed in particular cases are described below.

Procedure
Configure the lifetime of the SAP logon ticket

You set the lifetime of the SAP logon ticket in the user management configuration tool. For details, see
Setting General User Management and Security Settings.

Map portal user IDs to user IDs in other systems

If users have different IDs in the component systems, you must map the portal users to the users in the other
systems. For details, see User Mapping.

If you have several SAP component systems in your portal landscape, and the SAP users have not been
synchronized with the portal users, you define a reference system for user data and map the portal users to
the users in this system. For more information, see Defining an SAP R/3 Reference System for User Data.

Setting General User Management and Security Settings
Use
In this step, you make central settings for user management and security in the Enterprise Portal. In
particular, you:

• Define an overall configuration for user management and security in the portal: You can define more
than one configuration. Each configuration is stored in the Microsoft Windows registry. If you are
configuring the Unification Server, you can define a different configuration for each unifier project.
• Define a user ID and password with which an administrator can log on to the portal without being
authenticated against the corporate LDAP directory. The very first time you log onto the portal to
configure this setting, you log on with the admin user.
• Define a user for running the portal Web server (Microsoft Internet Information Server).
• Define the validity period of the SAP logon ticket that the Portal Server issues to each user when they
have been successfully authenticated on the portal.

Prerequisites
You have administrator rights in the portal.

Procedure
1. Start the configuration tool by choosing System Configuration → User Management Config.

If you are calling the configuration tool from the Unification Server, choose Unification Server →
<Unifier Project> → User Management → Security & Configuration

2. Choose the General Setting tab.

The following screen appears.



3. Define the name of your configuration, filling the fields as follows:

Field Name        Field Data
Current Host      Name of the host on which the registry holding the configuration is located
Current Config.   Name of the configuration currently in use. You can choose a previously defined
                  configuration from the list. To access a configuration on a remote host, enter the
                  host name in the Current Host field; the configurations in that host's registry then
                  appear for selection.

The configuration name may contain only the letters 'A' to 'Z' and 'a' to 'z', the digits '0' to '9', and
the '-' and '_' characters. Other special characters are not supported.

4. You can also create a new configuration by entering a configuration name in the Create New field and
choosing Create. Each configuration is stored as a separate entry in the Microsoft Windows registry.
5. Define a user ID and password with which an administrator can log on to the portal without being
authenticated against the corporate LDAP directory. Enter data in the fields as follows:

Field Name             Field Data
Super Admin Login      User ID of the administrator
Super Admin Password   Password of the administrator
Administrator's Role   Role assigned to the administrator

Initially this is set to the user admin with the password admin and the role portal_admin. Change these
defaults as soon as the portal is installed: they are published in the documentation, and this account is
deliberately not authenticated against the corporate LDAP directory, so anyone who knows the defaults can
log on with the administrator role.

6. In the NT User Impersonation group, define a user ID and password to be used for running the portal
Web server (Microsoft Internet Information Server) process. The user must be an existing NT user with
permissions to all portal and unifier resources, for example network access to the required databases.
Use a dedicated service account that has only these permissions rather than a personal or domain
administrator account. The user ID must be entered as <domain>\<user>.
7. To define the validity period of SAP logon tickets, enter a value in the Logon Ticket Expiration field.

This value must have the syntax HH:MM, for example '8:30' for eight and a half hours, '24' for
twenty-four hours, or '0:15' for fifteen minutes.

The default value for this setting is 8 hours. The lifetime determines how long an issued ticket remains
usable, so do not set it longer than a working session requires.

8. If you are using the configuration tool in the Unification Server, you can choose Set Component
Permissions. However, before you can do this, you must first configure the connection to the corporate
LDAP directory on the Directory Server tab page.

By setting component permissions, you are granting all users in the corporate directory access to all
components (info objects in a unifier project, for example a database table) on the Unification Server. By
default, when a unifier project is created, access to components is denied to all users. Only when users
have been granted access to the components can you, the administrator, assign the appropriate
permissions to each user for a component.

9. When you have filled all the fields, choose Apply.

You need to restart the portal Web server (Microsoft Internet Information Server) and the Java servlet
engine for your changes to take effect.

User Mapping
Use
The user's portal user ID is stored in the central user repository for the Enterprise Portal. Typically this is a
corporate LDAP directory. To enable Single Sign-On, a user's portal user ID must be mapped to the
corresponding user ID for each system in which the user ID is different.

The Enterprise Portal provides you with a user interface for entering mapping data. The data is stored in the
portal LDAP directory.

User mapping is required for two methods of Single Sign-On:

• SSO using user ID and password: In this case, it is necessary to map the portal user ID and
password to the user ID and password in the component system. See Single Sign-On with User ID
and Password.
• Using SAP logon tickets for Single Sign-On to SAP Systems: You can only use user mapping in
conjunction with logon tickets in the case of Single Sign-On to SAP Systems.

The requirement is that the user ID be the same for all SAP Systems using logon tickets for Single
Sign-On. If the SAP user IDs are the same as the portal user IDs, there is no need for mapping. If the
SAP user IDs are different to the portal user IDs, you must define an SAP reference system. This is
the system that is then used for user mapping. In other words, users map their portal user ID to the
user ID in the SAP reference system.

A user's portal user ID and the SAP user ID are stored in the user's SAP logon ticket. When the user
tries to access a component system, the system extracts the user ID from the logon ticket.

For more details on defining an SAP reference system, see Defining an SAP Reference System for
User Data.

You can map either a user, group, or role to a user ID in a system connected to the portal. When a user tries
to access an iView that requires data from a connected system that does not support SAP logon tickets, the
procedure is as follows:

1. The portal first checks whether the user has been mapped to a user and if so, logs on with the
mapped user data.
2. If not, then it checks whether the group that contains the user has been mapped to a user and if so,
logs on with the mapped user data.
3. If not, then it checks whether the first role assigned to the user has been mapped and if so, logs on
with the mapped user data.
4. If not, the iView will normally ask the user to enter mapping data (the iView developer needs to
program the iView accordingly).

If the component system supports SAP logon tickets, the user ID is already contained in the ticket.
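The lookup order above (user mapping first, then the user's group, then the first assigned role, otherwise a prompt) is easy to get wrong in practice, so here it is as an added example in Python. This is illustration code, not code from the SAP documentation or from the Enterprise Portal itself; the portal users, groups, roles, system names and the mapping store are all constructed.

```python
"""Added example (not from the SAP documentation): resolves the credentials the
portal would use for a component system that does not support SAP logon tickets,
following the lookup order described above: user mapping, then the user's group,
then the user's first role, and finally a prompt to the user.

All names, the mapping data and the data model are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class MappedCredentials:
    principal: str          # portal principal on which the mapping was found
    kind: str               # "user", "group" or "role"
    system_user: str
    system_password: str


@dataclass
class PortalUser:
    user_id: str
    groups: list = field(default_factory=list)
    roles: list = field(default_factory=list)   # ordered: roles[0] is the "first role"


# Constructed mapping store: (principal kind, principal name, system) -> (user, password)
MAPPINGS: Dict[Tuple[str, str, str], Tuple[str, str]] = {
    ("user", "jdoe", "HR_SYSTEM"): ("JDOE_HR", "s3cret-1"),
    ("group", "finance", "FIN_DB"): ("FIN_READ", "s3cret-2"),
    ("role", "portal_admin", "FIN_DB"): ("FIN_ADMIN", "s3cret-3"),
}


def resolve_mapping(user: PortalUser, system: str,
                    mappings: Dict[Tuple[str, str, str], Tuple[str, str]] = MAPPINGS
                    ) -> Optional[MappedCredentials]:
    """Return the credentials the portal would log on with, or None when the
    iView has to prompt the user for mapping data."""
    # 1. A mapping for the user himself or herself takes precedence.
    hit = mappings.get(("user", user.user_id, system))
    if hit:
        return MappedCredentials(user.user_id, "user", *hit)
    # 2. Otherwise any group that contains the user.
    for group in user.groups:
        hit = mappings.get(("group", group, system))
        if hit:
            return MappedCredentials(group, "group", *hit)
    # 3. Otherwise only the FIRST role assigned to the user is consulted.
    if user.roles:
        hit = mappings.get(("role", user.roles[0], system))
        if hit:
            return MappedCredentials(user.roles[0], "role", *hit)
    # 4. Nothing mapped: the iView must ask the user to enter mapping data.
    return None


if __name__ == "__main__":
    jdoe = PortalUser("jdoe", groups=["finance"], roles=["portal_admin"])
    for system in ("HR_SYSTEM", "FIN_DB", "UNKNOWN"):
        print(system, "->", resolve_mapping(jdoe, system))
```

Two consequences worth noting when you rely on this chain: a group or role mapping logs every member on to the component system with the same account, so that system's own logs no longer tell users apart; and because only the first role is consulted, the order in which roles are assigned decides whether a role mapping is found at all.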

Prerequisites
You have set up a corporate LDAP directory or other repository that stores user data for all portal users. You
have configured the location of this repository as described in Defining Location of Central User Data
Repository.

Typically, user mapping data is stored on the portal LDAP directory. You have configured where this data is
stored as described in Defining Location of User Mapping Data.

You have defined the system landscape as described in Defining the System Landscape.

You have defined any unifier projects as portal data sources.

Features
There are three methods for entering mapping data:

• The portal administrator enters user mapping data for groups and roles when configuring the
Enterprise Portal for use. See Mapping Users: Administrator Tool.
• The user enters his or her personal mapping data in the Enterprise Portal. See Mapping Users: Self
Registration by User.
• The user calls an iView that needs to connect to a component system. If no user mapping data is
stored yet, the user is redirected to the user mapping iView to enter his or her logon data for this
system. After the data is submitted, the user mapping iView redirects back to the calling application.

Defining an SAP Reference System for User Data


Use
When you use SAP logon tickets for Single Sign-On to SAP Systems, users must have the same user IDs in
all SAP Systems that are configured to use SAP logon tickets. If the SAP user IDs are different to the portal
user IDs, you must define an SAP reference system. This is the system that is then used for user mapping. In
other words, users map their portal user ID to the user ID in the SAP reference system.

The mapped user ID is included in the SAP logon ticket and enables Single Sign-On using logon tickets to all
SAP Systems in which the user has the same user ID.

Prerequisites
Users have the same ID in all SAP component systems that are configured to use logon tickets for Single
Sign-On. Passwords do not have to be identical.

Procedure
1. Open the system landscape file as described in Defining the System Landscape.
2. In the system attributes of the SAP reference system, add the following line:

<pcd:Attribute name="r3usernamereference" value="1" />

You must not define any credential attributes for the SAP reference system.

3. Save your changes.

Result
When users start the user mapping function, one of the component systems that they can select is the SAP
reference system. They can map their portal user ID to their user ID in this reference system. This user ID is
stored in the SAP logon ticket.

Example
This is an example of what an entry in the system landscape file for an SAP reference system looks like:

<System name="QW2050TICKETREFERENCE">
  <Title multilingual="true" textID="123">
    <pcd:TitleText language="DE">Ticket SSO Referenzsystem</pcd:TitleText>
    <pcd:TitleText language="EN">Ticket SSO reference system</pcd:TitleText>
  </Title>
  <Description multilingual="true" textID="002">
    <pcd:DescriptionText language="de">Ticket SSO Referenzsystem</pcd:DescriptionText>
    <pcd:DescriptionText language="en">Ticket SSO reference system</pcd:DescriptionText>
  </Description>
  <Accessability value="true"/>
  <Attributes>
    <pcd:Attribute name="Type" value="3"/>
    <pcd:Attribute name="MessageServer" value="xyhost.atcustomer.com"/>
    <pcd:Attribute name="ServerPort" value="8047"/>
    <pcd:Attribute name="Group" value=""/>
    <pcd:Attribute name="Lang" value="EN"/>
    <pcd:Attribute name="R3Name" value="QW2"/>
    <pcd:Attribute name="Client" value="050"/>
    <pcd:Attribute name="SystemType" value="SAP_R3"/>
    <pcd:Attribute name="r3usernamereference" value="1" />
  </Attributes>
  <LogonLanguages>
    <LogonLanguage value="EN"/>
    <LogonLanguage value="DE"/>
  </LogonLanguages>
</System>
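Because the reference system is what ends up in every user's logon ticket, it is worth checking the landscape file mechanically before the portal is restarted. The following is an added example in Python, not code from the SAP documentation or the Enterprise Portal: it enforces the two rules stated above, exactly one system with r3usernamereference="1" and no credential attributes on that system. The XML samples are constructed (modelled on the entry above, with an assumed xmlns:pcd binding), and the attribute names treated as credentials are an assumption for this example.

```python
"""Added example (not part of the SAP documentation): checks a system landscape
file against the reference-system rules stated above. Exactly one <System> may
carry r3usernamereference="1", and that system must not define credential
attributes. The XML samples are constructed, and CREDENTIAL_ATTRIBUTE_NAMES is
an assumption made for this example."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Assumed names of credential attributes in a landscape entry (not from the documentation).
CREDENTIAL_ATTRIBUTE_NAMES = {"user", "password"}

# Constructed landscape with one valid reference system, modelled on the entry above.
GOOD_LANDSCAPE = """\
<Systems xmlns:pcd="urn:example:pcd">
  <System name="QW2050TICKETREFERENCE">
    <Attributes>
      <pcd:Attribute name="Type" value="3"/>
      <pcd:Attribute name="SystemType" value="SAP_R3"/>
      <pcd:Attribute name="R3Name" value="QW2"/>
      <pcd:Attribute name="Client" value="050"/>
      <pcd:Attribute name="r3usernamereference" value="1"/>
    </Attributes>
  </System>
  <System name="HR_SYSTEM">
    <Attributes>
      <pcd:Attribute name="SystemType" value="SAP_R3"/>
      <pcd:Attribute name="R3Name" value="HR1"/>
    </Attributes>
  </System>
</Systems>
"""

# Constructed landscape that breaks both rules: two reference systems, one with credentials.
BAD_LANDSCAPE = """\
<Systems xmlns:pcd="urn:example:pcd">
  <System name="REF_A">
    <Attributes>
      <pcd:Attribute name="SystemType" value="SAP_R3"/>
      <pcd:Attribute name="r3usernamereference" value="1"/>
      <pcd:Attribute name="user" value="PORTALSVC"/>
      <pcd:Attribute name="password" value="changeme"/>
    </Attributes>
  </System>
  <System name="REF_B">
    <Attributes>
      <pcd:Attribute name="SystemType" value="SAP_R3"/>
      <pcd:Attribute name="r3usernamereference" value="1"/>
    </Attributes>
  </System>
</Systems>
"""


def _local(tag: str) -> str:
    """Strip a {namespace} prefix so pcd:Attribute and Attribute compare equal."""
    return tag.rsplit("}", 1)[-1]


def system_attributes(system: ET.Element) -> Dict[str, str]:
    """Collect the Attribute name/value pairs of one <System> entry."""
    return {node.get("name", ""): node.get("value", "")
            for node in system.iter() if _local(node.tag) == "Attribute"}


def find_reference_systems(xml_text: str) -> List[Tuple[str, Dict[str, str]]]:
    """Return (name, attributes) of every system flagged as the ticket reference system."""
    refs = []
    for system in ET.fromstring(xml_text).iter():
        if _local(system.tag) != "System":
            continue
        attrs = system_attributes(system)
        if attrs.get("r3usernamereference") == "1":
            refs.append((system.get("name", "?"), attrs))
    return refs


def validate_reference_system(xml_text: str) -> List[str]:
    """Return a list of rule violations; an empty list means the landscape is acceptable."""
    refs = find_reference_systems(xml_text)
    problems = []
    if not refs:
        problems.append('no SAP reference system: no <System> has r3usernamereference="1"')
    elif len(refs) > 1:
        problems.append("more than one reference system: " + ", ".join(name for name, _ in refs))
    for name, attrs in refs:
        creds = sorted(a for a in attrs if a.lower() in CREDENTIAL_ATTRIBUTE_NAMES)
        if creds:
            problems.append(f"{name}: reference system must not define credential attributes {creds}")
    return problems


if __name__ == "__main__":
    print("good:", validate_reference_system(GOOD_LANDSCAPE))
    print("bad: ", validate_reference_system(BAD_LANDSCAPE))
```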

Configuring SAP Systems to Accept and Verify SAP Logon Tickets
Use
The Portal Server digitally signs SAP logon tickets as it issues them to the portal users. SAP component
systems need to accept the tickets and verify the Portal Server’s digital signature. The following information is
important for the SAP component system to be able to accept and verify SAP logon tickets:

• The SAP component system should only accept SAP logon tickets issued by its designated Portal
Server. Therefore, the identity of the Portal Server needs to be entered in the component system's SSO
access control list (ACL).
• The SAP component system needs to be able to verify the Portal Server's digital signature. At
present, the Portal Server has a self-signed public-key certificate, so there is no certification authority
to fall back on: the component system can only verify the signature if the Portal Server's public-key
information has been entered in the component system's certificate list. Together, the ACL entry and
the imported certificate are what stop the system from accepting a ticket signed by anyone else.

Prerequisites
The SAP System has Release 4.0B or higher. SAP logon tickets are not supported in releases lower than
4.0B.

The Enterprise Portal Plug-In that corresponds to the Enterprise Portal release has been installed in the
component system.

The required kernel patches have been applied to R/3 Systems prior to Release 4.6C. For more information,
see the section on implementing new kernels for the SAP Application Server in SAP Note 177895. Note that
after applying the kernel patches, you may need to patch the operating system of the R/3 System so that the
new kernel works.

Users must have the same user IDs in all SAP Systems that are accessed via Single Sign-On with SAP logon
tickets. If the SAP user IDs are different to the portal user IDs, you must define a SAP reference system. See
Defining an SAP R/3 Reference System for User Data.

The SAP Security Library is installed on all of the component system's application servers. For best practices,
we recommend installing the most recent version of the library, which is available on the sapserv<x> under
/general/misc/security/SAPSECU/<platform>.

You have configured the Portal Server for Single Sign-On with logon tickets. See Configuring Portal Server for
SSO with SAP Logon Tickets.

The Portal Server possesses a public-key pair and a public-key certificate. These are automatically generated
the first time the Portal Server is started. See Files for SAP Logon Tickets on Portal Server.

Procedure
Add Portal Server to ACL of component system

The Portal Server is identified by system ID, client, and the name in the certificate. You must enter these
details in the access control list of the component system as follows.

Note that if you want to enter more than one Portal Server in the same ACL, you must configure one of the
Portal Servers as described in Using More Than One Portal.

1. In the component system, maintain table TWPSSO2ACL with transaction SM30.


2. Create a new entry for the Portal Server by choosing New entries.
3. Enter 'WP3' as System ID and '000' as Client. These are the default values for these parameters.

Normally you only need to change these default values if you are entering more than one Portal
Server in the ACL. If you do wish to define different values, you must change the parameters
login.ticket_issuer and login.ticket_client respectively in the file
usermanagement.properties on the Portal Server.

4. Enter the following values for Subject name, Issuer name, and Serial number:

Field           Value
Subject name    CN=Portal EP 5.0
Issuer name     CN=Portal EP 5.0
Serial number   00

Again, these are default values. You only need to change them if you are entering more than one
Portal Server in the ACL. If you do wish to define different values, you must change the parameter
login.ticket_dn in the file usermanagement.properties on the Portal Server.

5. Save your entries.

Import public-key certificate of Portal Server to component system's certificate list

This procedure is release-specific.

• If the SAP component system is based on Release 4.6C or higher, follow the procedure detailed in
Importing Portal Certificate into SAP System >= 4.6C.
• If the SAP component system is based on Release 4.0B to 4.6B, follow the procedure detailed in
Importing Portal Certificate into SAP System < 4.6C.

Set profile parameters

On all of the component system's application servers:

1. Set the profile parameters login/accept_sso2_ticket = 1 and login/create_sso2_ticket = 0 (use
DEFAULT.PFL).
2. For Releases 4.0 and 4.5, also set the profile parameter SAPSECULIB to the location (path and file
name) of the SAP Security Library.

Set ITS service parameters



On each of the ITS servers of the SAP component system, in the global service file global.srvc, set the
following parameters:

Parameter                Value    Comment
~login                   (blank)  No fixed user ID; leaving it set would log every portal user on as that user.
~password                (blank)  No fixed password.
~mysapcomusesso2cookie   1        Enables the user to log on to the system using an existing SAP logon ticket.

Result
The SAP component systems are able to accept SAP logon tickets and verify the Portal Server's digital
signature when they receive a logon ticket from a user.
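The profile and ITS settings from the procedure above are the ones most often left half-done across a landscape with several application servers and ITS instances, so here is an added example in Python that audits them. This is illustration code, not code from the SAP documentation or from SAP: it reads the `name = value` lines of an instance profile such as DEFAULT.PFL and the `~parameter value` lines of global.srvc, compares them with the values required above, and reports deviations. Both input snippets are constructed, and the release argument is an assumption used only to decide whether SAPSECULIB is required.

```python
"""Added example (not part of the SAP documentation): audits the profile and ITS
service parameters that a ticket-accepting component system needs according to
the procedure above. The profile and global.srvc snippets are constructed;
'release' is an assumption used only for the SAPSECULIB rule (Releases 4.0/4.5)."""
import re
from typing import Dict, List, Tuple

# Constructed DEFAULT.PFL fragment with the unsafe values.
WEAK_PROFILE = """\
# instance profile (constructed sample)
login/accept_sso2_ticket = 0
login/create_sso2_ticket = 1
"""

# Constructed DEFAULT.PFL fragment with the required values.
GOOD_PROFILE = """\
# instance profile (constructed sample)
login/accept_sso2_ticket = 1
login/create_sso2_ticket = 0
"""

# Constructed global.srvc fragments: fixed technical user vs. ticket logon.
WEAK_SRVC = """\
~login SAPITS
~password secret
~mysapcomusesso2cookie 0
"""

GOOD_SRVC = """\
~login
~password
~mysapcomusesso2cookie 1
"""


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines; '#' starts a comment, blank lines are skipped."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def parse_srvc(text: str) -> Dict[str, str]:
    """Parse '~name value' lines of an ITS service file; a missing value means blank."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("~"):
            continue
        parts = line.split(None, 1)
        params[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return params


def release_tuple(release: str) -> Tuple[int, int]:
    """'4.6C' -> (4, 6); only major.minor matter for the SAPSECULIB rule."""
    match = re.match(r"(\d+)\.(\d+)", release)
    if not match:
        raise ValueError(f"unrecognised release string: {release!r}")
    return int(match.group(1)), int(match.group(2))


def audit_sso2_settings(profile_text: str, srvc_text: str, release: str) -> List[str]:
    """Return the deviations from the required settings; an empty list means compliant."""
    prof = parse_profile(profile_text)
    srvc = parse_srvc(srvc_text)
    findings: List[str] = []
    if prof.get("login/accept_sso2_ticket") != "1":
        findings.append("login/accept_sso2_ticket must be 1 so the system accepts portal tickets")
    if prof.get("login/create_sso2_ticket") != "0":
        findings.append("login/create_sso2_ticket must be 0: only the Portal Server issues tickets")
    if release_tuple(release) < (4, 6) and not prof.get("SAPSECULIB"):
        findings.append("SAPSECULIB must point to the SAP Security Library on Releases 4.0 and 4.5")
    for name in ("~login", "~password"):
        if srvc.get(name, "") != "":
            findings.append(f"{name} must be blank; a fixed value logs every user on as the same account")
    if srvc.get("~mysapcomusesso2cookie") != "1":
        findings.append("~mysapcomusesso2cookie must be 1 to log on with an existing SAP logon ticket")
    return findings


if __name__ == "__main__":
    for finding in audit_sso2_settings(WEAK_PROFILE, WEAK_SRVC, "4.5B"):
        print("FAIL:", finding)
    print("good config:", audit_sso2_settings(GOOD_PROFILE, GOOD_SRVC, "4.6C"))
```

Run it against the profile of every application server and the global.srvc of every ITS instance, not just one: a single server still accepting password logons through a fixed ~login, or still issuing its own tickets, undoes the point of routing all ticket issuance through the Portal Server.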
