Single Sign On

If you are one of those admins who face any of the issues listed below, then SSO is for you.

  • Users access multiple systems, including SAP and non-SAP Systems. Some systems reside in a dedicated network zone in the intranet but many systems reside on different networks or on the Internet.
  • Users need to have different IDs and passwords to access these systems.
  • Each of these systems also maintains its own password policy. For example, in the SAP HR system, the user has to change his or her password every 30 days. In the next system, the user has to change the password every 90 days. In another system, the user does not need to regularly change his or her password at all.

What does this lead to? Users forget their passwords. The administrator is constantly resetting passwords. Keep in mind that this makes social engineering much easier.

The solution is Single Sign On. With SSO, users access multiple systems based on a single authentication.

Netweaver 2004s

Verify that the following profile parameters are set correctly in the backend using transaction RZ11:

login/accept_sso2_ticket = 1
login/create_sso2_ticket = 0

Make sure that in the portal the system connector to the back end is defined with the following settings and that the permissions are set correctly.

Authentication Ticket Type – SAP Logon Ticket
Logon Method – SAPLOGONTICKET
User Mapping Type – useradmin,user

Fix certificate

Log in to the Visual Administrator.
1. Select the Key Storage Service.
2. Select the TicketKeystore view.
3. Delete the SAPLogonTicketKeypair and SAPLogonTicketKeypair-cert entries.
4. Under Entry, choose Create. The Key and Certificate Generation dialog appears.
5. Enter the Subject Properties in the corresponding fields.

The entries in these fields build a Distinguished Name in the form:
CN=, OU=, O=, L=, ST=, C=

Use capital letters for the Country Name.

6. Enter SAPLogonTicketKeypair as the Entry Name.

Do not enter a different name. The J2EE Engine uses the entry with this name to sign logon tickets.

7. Select the Store certificate option and choose DSA as the algorithm to use.
8. Choose Generate.

Now download the J2EE ticket-signing certificate via the Visual Admin tool:

Log in to the Visual Admin tool.
Open the tree “Server # > Services > Key Storage”.
Within “Key Storage”, choose the view “Ticket Keystore” and the entry “SAPLogonTicketKeypair-cert”.
Click “Export” and save the certificate to a proper location.

Finally, upload the new certificate to STRUST.

R/3 / Enterprise portal


Procedure
Download public-key certificate of Portal Server

Use the Keystore Administration tool to download the verify.der file from the portal.

Set profile parameters
On all of the component system’s application servers:

1. Set the profile parameters login/accept_sso2_ticket = 1 and login/create_sso2_ticket = 0 in every instance profile.

Import public-key certificate of Portal Server to component system’s certificate list and add Portal Server to ACL of component system

Both of these steps can be performed with transaction STRUSTSSO2, which is an extended version of transaction STRUST. For detailed documentation on transaction STRUST, see the Web Application Server documentation under Security > Trust Manager.

In the SAP System, start transaction STRUSTSSO2.

A screen with the following layout appears.

The PSE status frame on the left displays the PSEs that are defined for the system.

The PSE maintenance section on the top right displays the PSE information for the PSE selected in the PSE status frame.

Below that, the certificate section displays certificate information for a certificate that you have selected or imported.

The Single Sign-On ACL section on the bottom right displays the entries in the ACL of the system.

Note that the layout of the transaction will vary slightly, depending on the release of the SAP System.

  1. In the PSE status frame on the left, choose the system PSE.
  2. In the certificate section, choose Import Certificate.

The Import Certificate screen appears.

  3. Choose the File tab.
  4. In the File path field, enter the path of the portal’s verify.der file.
  5. Set the file format to DER coded and confirm.
  6. In the Trust Manager, choose Add to PSE.
  7. Choose Add to ACL, to add the Portal Server to the ACL list.
  8. In the dialog box that appears, enter the portal’s system ID and client. By default, the portal’s system ID is the common name (CN) of the Distinguished Name entered during installation of the portal. The default client is 000.

If necessary, you can change these default values by changing the properties login.ticket_issuer and login.ticket_client respectively in the user management properties.

The other values are taken from the certificate.

  9. Save your entry.
  10. Do not forget to set profile parameters and ITS service parameters as described in Configuring SAP Systems to Accept and Verify SAP Logon Tickets.
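As an added example (not from the post or from SAP), a small Python pre-flight check for two of the steps above: it audits an instance profile for the two login/*sso2* parameters and derives the system ID and client to enter in the STRUSTSSO2 ACL dialog from the portal certificate's Distinguished Name and the UME properties login.ticket_issuer / login.ticket_client. The profile text and the DN values are constructed samples.

```python
# Added example: pre-flight checks for SAP logon-ticket SSO (not the post's own code).
# The post requires these in every instance profile of the component system:
# accept = 1 lets it verify tickets; create = 0 stops it issuing its own.
REQUIRED_PROFILE = {"login/accept_sso2_ticket": "1", "login/create_sso2_ticket": "0"}


def parse_profile(text):
    """Parse instance-profile lines of the form 'name = value'; '#' starts a comment."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params


def audit_profile(text):
    """Return findings for one profile; an empty list means both parameters are as required."""
    params = parse_profile(text)
    findings = []
    for name, wanted in REQUIRED_PROFILE.items():
        actual = params.get(name)
        if actual is None:
            findings.append(f"{name} not set; set it explicitly to {wanted}")
        elif actual != wanted:
            findings.append(f"{name} = {actual}, expected {wanted}")
    return findings


def parse_dn(dn):
    """Split 'CN=EP1, OU=Portal, C=IT' into a dict (values must not contain commas)."""
    parts = (p.split("=", 1) for p in dn.split(",") if "=" in p)
    return {k.strip().upper(): v.strip() for k, v in parts}


def expected_acl_entry(portal_dn, ume_props=None):
    """(system ID, client) for the STRUSTSSO2 ACL dialog: CN of the portal DN and
    client 000 unless login.ticket_issuer / login.ticket_client override them."""
    ume_props = ume_props or {}
    dn = parse_dn(portal_dn)
    if "C" in dn and not dn["C"].isupper():  # the post asks for a capitalised country name
        raise ValueError(f"country name must be upper case, got C={dn['C']}")
    return ume_props.get("login.ticket_issuer", dn["CN"]), ume_props.get("login.ticket_client", "000")


SAMPLE_PROFILE = """# constructed sample instance profile (not a real system)
login/accept_sso2_ticket = 1
login/create_sso2_ticket = 1   # wrong: the component system must not issue tickets
"""
```

Run audit_profile over every instance profile of the component system, not just one, since the post requires the parameters on all application servers.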

Result

The SAP component systems are able to accept SAP logon tickets and verify the Portal Server’s digital signature when they receive a logon ticket from a user.

Importing Portal Certificate into SAP System

Prerequisites
You have downloaded the public-key certificate of the portal server (verify.pse file). Use the Keystore Administration tool for this.

Procedure

  1. In the component system, start transaction STRUST.

The screen that appears displays a list of the certificates contained in the PSE of the component system.

  2. In the certificate group box, choose Import Certificate.

The Import Certificate screen appears.

  3. Choose the File tab.
  4. In the File path field, enter the path of the portal’s verify.der file.
  5. Set the file format to DER coded and confirm.
  6. In the Trust Manager, choose Add to PSE.
  7. Save the new certificate list.

The new certificate list is automatically replicated to all application servers in the system. You do not have to import the portal certificate onto each application server separately.

Single Sign On, last modified 2009-09-05T21:48:00+02:00 by pedroccda