The following diagram helps you find out which method of Single Sign-On to use with a specific SAP System.
Scenario 1: Single Sign-On using SAP logon tickets without user mapping
Users must have the same user IDs in all SAP systems that are accessed via SSO with SAP logon tickets. If
the SAP user IDs are the same as the portal user IDs, user mapping is not required. You need to perform the
following steps:
Scenario 2: Single Sign-On using SAP logon tickets with user mapping
Way-to-Sap-Basis@googlegroups.com
If users have different user IDs in the SAP Systems than in the portal, you must define an SAP reference
system and map each user's portal user ID to their user ID in the reference system. You must perform the
following steps:
Scenario 3: Single Sign-On using user ID and password with user mapping
There are two cases where you would use this method of Single Sign-On:
Procedure
Configure the lifetime of the SAP logon ticket
You set the lifetime of the SAP logon ticket in the user management configuration tool. For details, see
Setting General User Management and Security Settings.
If users have different IDs in the component systems, you must map the portal users to the users in the other
systems. For details, see User Mapping.
If you have several SAP component systems in your portal landscape, and the SAP users have not been
synchronized with the portal users, you define a reference system for user data and map the portal users to
the users in this system. For more information, see Defining an SAP R/3 Reference System for User Data.
• Define an overall configuration for user management and security in the portal: You can define more
than one configuration. Each configuration is stored in the Microsoft Windows registry. If you are
configuring the Unification Server, you can define a different configuration for each unifier project.
• Define a user ID and password with which an administrator can log on to the portal without being
authenticated against the corporate LDAP directory. The very first time you log onto the portal to
configure this setting, you log on with the admin user.
• Define a user for running the portal Web server (Microsoft Internet Information Server).
• Define the validity period of the SAP logon ticket that the Portal Server issues to each user when they
have been successfully authenticated on the portal.
Prerequisites
You have administrator rights in the portal.
Procedure
1. Start the configuration tool by choosing System Configuration → User Management Config.
If you are calling the configuration tool from the Unification Server, choose Unification Server →
<Unifier Project> → User Management → Security & Configuration
Field            Description
Current Host     Name of the host on which the registry that stores the configuration is located.
Current Config.  Name of the configuration currently in use. You can choose a previously defined
                 configuration from the list. To access a configuration on a remote host, enter
                 the host name in the Current Host field; the configurations in that host's
                 registry then appear for selection.
                 The configuration name may contain only the letters 'A' to 'Z' and 'a' to 'z',
                 the digits '0' to '9', and the '-' and '_' characters. Special characters are
                 not supported.
4. You can also create a new configuration by entering a configuration name in the Create New field and
choosing Create. Each configuration is stored as a separate entry in the Microsoft Windows registry.
5. Define a user ID and password with which an administrator can log on to the portal without being
authenticated against the corporate LDAP directory. Enter data in the fields as follows:
7. Initially this is set to the user admin with the password admin and the role portal_admin. Change
this default value before the portal goes into use: the password is well known and not secure.
8. In the NT User Impersonation group, define a user ID and password to be used for running the portal
Web server (Microsoft Internet Information Server) process. The user must be an existing NT user
with permissions to all portal and unifier resources, for example network access to required
databases. The user ID must be entered as <domain>\<user>.
9. To define the validity period of SAP logon tickets, enter a value in the Logon Ticket Expiration field.
This value must have the syntax HH:MM, for example '8:30' for eight and a half hours, or '24' for
twenty-four hours or '0:15' for fifteen minutes.
10. If you are using the configuration tool in the Unification Server, you can choose to Set Component
Permissions. However, before you can do this, you must first configure the connection to the
corporate LDAP directory on the Directory Server tab page.
By setting component permissions, you are granting all users in the corporate directory access to all
components (info object in unifier project, for example a database table) on the Unification Server. By
default, when a unifier project is created, access to components is denied to all users. Only when
users have been granted access to the components, can you, the administrator, assign the
appropriate permissions to each user for a component.
11. When you have filled all the fields, choose Apply.
You need to restart the portal Web server (Microsoft Internet Information Server) and the Java servlet
engine for your changes to take effect.
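The following is an added example (not SAP's own code) that checks the values entered in the user-management configuration tool before they are applied: the configuration-name character set, the HH:MM syntax of the Logon Ticket Expiration field, the default admin/admin credentials and the <domain>\<user> form of the NT impersonation user. The configuration keys, the function names and the 24-hour lifetime threshold are assumptions made for the example.

```python
"""Pre-flight checks for the portal user-management configuration described above.

Added example, not SAP code. The dict keys, function names and the 24-hour
lifetime threshold are assumptions; the value formats come from the documentation.
"""
import re
from datetime import timedelta

# Only 'A'-'Z', 'a'-'z', '0'-'9', '-' and '_' are allowed in a configuration name.
CONFIG_NAME_RE = re.compile(r"[A-Za-z0-9_-]+")

# Logon Ticket Expiration: HH:MM, or hours alone ('8:30', '24' and '0:15' are valid).
EXPIRATION_RE = re.compile(r"(\d{1,2})(?::([0-5]\d))?")

# The NT impersonation user must be entered as <domain>\<user>.
NT_USER_RE = re.compile(r"[^\\]+\\[^\\]+")


def is_valid_config_name(name: str) -> bool:
    return bool(CONFIG_NAME_RE.fullmatch(name))


def parse_ticket_expiration(value: str) -> timedelta:
    """Parse the Logon Ticket Expiration field into a timedelta."""
    m = EXPIRATION_RE.fullmatch(value.strip())
    if not m:
        raise ValueError(f"invalid expiration syntax: {value!r} (expected HH:MM)")
    hours = int(m.group(1))
    minutes = int(m.group(2) or 0)
    if hours == 0 and minutes == 0:
        raise ValueError("ticket lifetime must be greater than zero")
    return timedelta(hours=hours, minutes=minutes)


def check_configuration(cfg: dict) -> list[str]:
    """Return a list of findings for one configuration (empty list means no issues)."""
    findings = []
    if not is_valid_config_name(cfg.get("config_name", "")):
        findings.append("configuration name contains unsupported characters")
    try:
        lifetime = parse_ticket_expiration(cfg.get("ticket_expiration", ""))
        # Threshold is an assumption for the example, not an SAP default.
        if lifetime > timedelta(hours=24):
            findings.append(f"ticket lifetime {lifetime} exceeds 24 hours")
    except ValueError as exc:
        findings.append(str(exc))
    if (cfg.get("admin_user"), cfg.get("admin_password")) == ("admin", "admin"):
        findings.append("default admin/admin credentials still in place")
    if not NT_USER_RE.fullmatch(cfg.get("nt_user", "")):
        findings.append("NT impersonation user must be entered as <domain>\\<user>")
    return findings


if __name__ == "__main__":
    # Constructed sample configuration: everything as the tool would have it after
    # a fresh install, except that the NT user has already been filled in.
    sample = {
        "config_name": "Portal_Default",
        "ticket_expiration": "8:30",
        "admin_user": "admin",
        "admin_password": "admin",
        "nt_user": "CORP\\svc_portal",
    }
    for finding in check_configuration(sample):
        print("finding:", finding)
```

Run the check against each configuration stored in the registry before restarting the Web server; a finding on the admin credentials should block the rollout, since that account bypasses the corporate LDAP directory entirely.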
User Mapping
Use
The user's portal user ID is stored in the central user repository for the Enterprise Portal. Typically this is a
corporate LDAP directory. To enable Single Sign-On, a user's portal user ID must be mapped to the
corresponding user ID for each system in which the user ID is different.
The Enterprise Portal provides you with a user interface for entering mapping data. The data is stored in the
portal LDAP directory.
• SSO using user ID and password: In this case, it is necessary to map the portal user ID and
password to the user ID and password in the component system. See Single Sign-On with User ID
and Password.
• Using SAP logon tickets for Single Sign-On to SAP Systems: You can only use user mapping in
conjunction with logon tickets in the case of Single Sign-On to SAP Systems.
The requirement is that the user ID be the same for all SAP Systems using logon tickets for Single
Sign-On. If the SAP user IDs are the same as the portal user IDs, there is no need for mapping. If the
SAP user IDs are different to the portal user IDs, you must define an SAP reference system. This is
the system that is then used for user mapping. In other words, users map their portal user ID to the
user ID in the SAP reference system.
A user's portal user ID and the SAP user ID are stored in the user's SAP logon ticket. When the user
tries to access a component system, the system extracts the user ID from the logon ticket.
For more details on defining an SAP reference system, see Defining an SAP Reference System for
User Data.
You can map either a user, group, or role to a user ID in a system connected to the portal. When a user tries
to access an iView that requires data from a connected system that does not support SAP logon tickets, the
procedure is as follows:
1. The portal first checks whether the user has been mapped to a user and if so, logs on with the
mapped user data.
2. If not, then it checks whether the group that contains the user has been mapped to a user and if so,
logs on with the mapped user data.
3. If not, then it checks whether the first role assigned to the user has been mapped and if so, logs on
with the mapped user data.
4. If not, the iView will normally ask the user to enter mapping data (the iView developer needs to
program the iView accordingly).
If the component system supports SAP logon tickets, the user ID is already contained in the ticket.
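The following is an added example (not portal code) that models the lookup order just described for a component system that does not accept SAP logon tickets: a personal mapping wins, then a mapping of a group containing the user, then a mapping of the first role assigned to the user, and otherwise the caller gets None and must redirect to the user mapping iView. The data structures and function names are assumptions; the example generalizes step 2 to check every group the user belongs to, in the order given.

```python
"""Resolution order for stored user mapping data (user, group, first role).

Added example, not portal code. The store, the dataclasses and the function
names are assumptions; the precedence is the one the documentation describes.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class MappedCredential:
    system: str
    user_id: str
    password: str
    source: str  # principal type the mapping came from: "user", "group" or "role"


@dataclass
class PortalUser:
    user_id: str
    groups: list[str] = field(default_factory=list)
    roles: list[str] = field(default_factory=list)  # order matters: only the first role is checked


class UserMappingStore:
    """Mapping data keyed by (principal type, principal name, system alias)."""

    def __init__(self) -> None:
        self._data: dict[tuple[str, str, str], tuple[str, str]] = {}

    def put(self, principal_type: str, principal: str, system: str, user_id: str, password: str) -> None:
        self._data[(principal_type, principal, system)] = (user_id, password)

    def get(self, principal_type: str, principal: str, system: str) -> Optional[tuple[str, str]]:
        return self._data.get((principal_type, principal, system))


def resolve_mapping(store: UserMappingStore, user: PortalUser, system: str) -> Optional[MappedCredential]:
    """Return the credential the portal would log on with, or None to prompt the user."""
    # 1. personal mapping of the user
    hit = store.get("user", user.user_id, system)
    if hit:
        return MappedCredential(system, *hit, source="user")
    # 2. mapping of a group that contains the user (generalized to all of the user's groups)
    for group in user.groups:
        hit = store.get("group", group, system)
        if hit:
            return MappedCredential(system, *hit, source="group")
    # 3. mapping of the first role assigned to the user; later roles are not consulted
    if user.roles:
        hit = store.get("role", user.roles[0], system)
        if hit:
            return MappedCredential(system, *hit, source="role")
    # 4. nothing stored: the iView must redirect to the user mapping iView
    return None


def build_sample_store() -> UserMappingStore:
    """Constructed sample data for a system alias 'CRM' that does not accept logon tickets."""
    store = UserMappingStore()
    store.put("group", "sales", "CRM", "crm_sales", "shared-pw")
    store.put("role", "employee", "CRM", "crm_readonly", "ro-pw")
    store.put("role", "manager", "CRM", "crm_mgr", "mgr-pw")
    return store


if __name__ == "__main__":
    store = build_sample_store()
    alice = PortalUser("alice", groups=["sales"], roles=["employee"])
    bob = PortalUser("bob", groups=[], roles=["employee", "manager"])
    carol = PortalUser("carol")
    for u in (alice, bob, carol):
        print(u.user_id, "->", resolve_mapping(store, u, "CRM"))
```

Two consequences of the precedence are worth checking in a real landscape: a group or role mapping makes every member log on to the back end as the same account, so the back end cannot tell those users apart, and a user with several roles is mapped through whichever role happens to be listed first.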
Prerequisites
You have set up a corporate LDAP directory or other repository that stores user data for all portal users. You
have configured the location of this repository as described in Defining Location of Central User Data
Repository.
Typically, user mapping data is stored on the portal LDAP directory. You have configured where this data is
stored as described in Defining Location of User Mapping Data.
You have defined the system landscape as described in Defining the System Landscape.
Features
There are three methods for entering mapping data:
• The portal administrator enters user mapping data for groups and roles when configuring the
Enterprise Portal for use. See Mapping Users: Administrator Tool.
• The user enters his personal mapping data in the Enterprise Portal. See Mapping Users: Self
Registration by User.
• The user calls an iView that needs to connect to a component system. If there is no user mapping
data stored yet, the user will be redirected to the user mapping iView in order to enter his logon data
for this system. After submit, the user mapping iView sends a redirect back to the calling application.
The mapped user ID is included in the SAP logon ticket and enables Single Sign-On using logon tickets to all
SAP Systems in which the user has the same user ID.
Prerequisites
Users have the same ID in all SAP component systems that are configured to use logon tickets for Single
Sign-On. Passwords do not have to be identical.
Procedure
1. Open the system landscape file as described in Defining the System Landscape.
2. In the system attributes of the SAP reference system, add the following line:
You must not define any credentials attributes for the SAP reference system.
Result
When users start the user mapping function, one of the component systems that they can select is the SAP
reference system. They can map their portal user ID to their user ID in this reference system. This user ID is
stored in the SAP logon ticket.
Example
This is an example of what an entry in the system landscape file for an SAP reference system would look like:
<System name="QW2050TICKETREFERENCE">
  <Title></Title>               <!-- title text not preserved in this copy -->
  <Description></Description>   <!-- description text not preserved in this copy -->
  <Accessability value="true"/>
  <Attributes>
    <!-- the reference-system attribute from step 2 goes here; no credentials attributes -->
  </Attributes>
  <LogonLanguages>
    <LogonLanguage value="EN"/>
    <LogonLanguage value="DE"/>
  </LogonLanguages>
</System>
• The SAP component system should only accept SAP logon tickets issued from their designated
Portal Server. Therefore, the identity of the Portal Server needs to be entered in the component
system’s SSO access control list (ACL).
• The SAP component system needs to be able to verify the Portal Server’s digital signature. At
present, the Portal Server has a self-signed public-key certificate. To verify the Portal Server’s digital
signature, the SAP component system needs access to the Portal Server’s public-key information,
which needs to be entered in the component system’s certificate list.
Prerequisites
The SAP System has Release 4.0B or higher. SAP logon tickets are not supported in releases lower than
4.0B.
The Enterprise Portal Plug-In that corresponds to the Enterprise Portal release has been installed in the
component system.
The required kernel patches have been applied to R/3 Systems prior to Release 4.6C. For more information,
see the section on implementing new kernels for the SAP Application Server in SAP Note 177895. Note that
after applying the kernel patches, you may need to patch the operating system of the R/3 System so that the
new kernel works.
Users must have the same user IDs in all SAP Systems that are accessed via Single Sign-On with SAP logon
tickets. If the SAP user IDs are different from the portal user IDs, you must define an SAP reference system.
See Defining an SAP R/3 Reference System for User Data.
The SAP Security Library is installed on all of the component system's application servers. For best practices,
we recommend installing the most recent version of the library, which is available on the sapserv<x> under
/general/misc/security/SAPSECU/<platform>.
You have configured the Portal Server for Single Sign-On with logon tickets. See Configuring Portal Server for
SSO with SAP Logon Tickets.
The Portal Server possesses a public-key pair and a public-key certificate. These are automatically generated
the first time the Portal Server is started. See Files for SAP Logon Tickets on Portal Server.
Procedure
Add Portal Server to ACL of component system
The Portal Server is identified by system ID, client, and the name in the certificate. You must enter these
details in the access control list of the component system as follows.
Note that if you want to enter more than one Portal Server in the same ACL, you must configure one of the
Portal Servers as described in Using More Than One Portal.
Normally you only need to change these default values if you are entering more than one Portal
Server in the ACL. If you do wish to define different values, you must change the parameters
login.ticket_issuer and login.ticket_client respectively in the file
usermanagement.properties on the Portal Server.
4. Enter the following values for Subject name, Issuer name, and Serial number.
Field          Value
Serial number  00
5. Again, these are default values. You only need to change them if you are entering more than one
Portal Server in the ACL. If you do wish to define different values, you must change the parameter
login.ticket_dn in the file usermanagement.properties on the Portal Server.
6. Save your entries.
• If the SAP component system is based on Release 4.6C or higher, follow the procedure detailed in
Importing Portal Certificate into SAP System >= 4.6C.
• If the SAP component system is based on Release 4.0B to 4.6B, follow the procedure detailed in
Importing Portal Certificate into SAP System < 4.6C.
On each of the ITS servers of the SAP component system, in the global service file global.srvc, set the
following parameters to a single space character (that is, leave them blank rather than entering fixed
logon data):
~login     (a single space)
~password  (a single space)
Result
The SAP component systems are able to accept SAP logon tickets and verify the Portal Server's digital
signature when they receive a logon ticket from a user.
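The following is an added example (not SAP code) that models the two checks the bullets above require of a component system: the issuing portal must appear in the SSO ACL (system ID, client, subject name, issuer name and serial number, taken from login.ticket_issuer, login.ticket_client and login.ticket_dn), and the portal's certificate must be in the certificate list so the signature can be verified. The ticket structure is simplified to a dict, an HMAC over the payload stands in for the portal's real public-key signature, and the property values, key and function names are constructed for the example.

```python
"""Model of the ACL and certificate-list checks a component system makes on a logon ticket.

Added example, not SAP code. The ticket is a plain dict and the signature is an
HMAC, standing in for the portal's real public-key signature; the property
values and the signing key are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample of the relevant usermanagement.properties keys on the Portal Server.
PORTAL_PROPS = """
# user management properties (constructed sample)
login.ticket_issuer=EP1
login.ticket_client=000
login.ticket_dn=CN=EP1 Portal Server
"""

PORTAL_KEY = b"constructed-portal-signing-key"  # stand-in for the portal's key pair


@dataclass(frozen=True)
class AclEntry:
    system_id: str   # login.ticket_issuer
    client: str      # login.ticket_client
    subject: str     # login.ticket_dn
    issuer: str      # equal to the subject, because the certificate is self-signed
    serial: str      # "00" by default


def load_portal_properties(text: str) -> dict:
    """Parse key=value lines (Java properties syntax, comments start with # or !)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def acl_entry_from_properties(props: dict, serial: str = "00") -> AclEntry:
    """Build the ACL entry the component system must contain for this portal."""
    dn = props["login.ticket_dn"]
    return AclEntry(props["login.ticket_issuer"], props["login.ticket_client"], dn, dn, serial)


def sign_ticket(user_id: str, props: dict, key: bytes, serial: str = "00") -> dict:
    """Issue a simplified ticket: identity fields plus an HMAC over the payload."""
    dn = props["login.ticket_dn"]
    payload = f"{user_id}|{props['login.ticket_issuer']}|{props['login.ticket_client']}"
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "issuer_sid": props["login.ticket_issuer"],
            "issuer_client": props["login.ticket_client"], "subject": dn,
            "issuer": dn, "serial": serial, "signature": sig}


class ComponentSystem:
    def __init__(self, acl, cert_list):
        self.acl = set(acl)               # SSO access control list entries
        self.cert_list = dict(cert_list)  # subject DN -> verification key (stand-in for the cert)

    def accept_ticket(self, ticket: dict) -> tuple[bool, str]:
        """Return (accepted, user ID or reason). Both checks must pass."""
        entry = AclEntry(ticket["issuer_sid"], ticket["issuer_client"],
                         ticket["subject"], ticket["issuer"], ticket["serial"])
        if entry not in self.acl:
            return False, "issuer not in SSO ACL"
        key = self.cert_list.get(ticket["subject"])
        if key is None:
            return False, "portal certificate not in certificate list"
        expected = hmac.new(key, ticket["payload"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, ticket["signature"]):
            return False, "signature verification failed"
        return True, ticket["payload"].split("|")[0]  # user ID carried in the ticket


if __name__ == "__main__":
    props = load_portal_properties(PORTAL_PROPS)
    system = ComponentSystem([acl_entry_from_properties(props)],
                             {props["login.ticket_dn"]: PORTAL_KEY})
    ticket = sign_ticket("JSMITH", props, PORTAL_KEY)
    print(system.accept_ticket(ticket))
    print(system.accept_ticket(dict(ticket, issuer_client="001")))  # second portal, not in ACL
```

The ACL check alone is not sufficient: an attacker who knows the system ID, client and DN can put them in a forged ticket, so the entry only says which portal is allowed, while the certificate list is what proves the ticket came from it. Conversely, a ticket from a second portal with a valid certificate is still refused until that portal has its own ACL entry, which is why the parameters must be changed when more than one Portal Server is registered.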