
SAP Enterprise Portal




In my recent project one of the non-functional requirements is to control the number of sessions a user can have, i.e. if a user already has a session in the portal, a new session with the same userid shouldn't be allowed.

As per SAP Note 2052515 the one-line answer is: "It is not possible to avoid multiple logons with the same user."

This really stumped me as it is one of the key requirements with some financial implications. I can't spell out the details as it's confidential information.

Like all SAP Consultants we have forwarded this note to the client and have requested to handle this requirement outside portal (RSA Token etc).

I still believe handling it outside portal is a better solution but since I investigated this problem in some detail I would like to share my POC.

Let me make it clear from the outset that this solution uses undocumented APIs.


While searching on Google and SDN I came across many threads where people want to implement this, but in all of them the discussion ends with "it's not a valid business requirement". Let me assure you it is.

While investigating this, I came across the NWA functionality Session Management (Resource Consumption)


As you can see, the WD Java application is showing the session information. I still had my doubts w.r.t. what will happen in a clustered environment.

Like all developers I have a single node installation and I was not sure whether this application can show login details on multiple nodes in a cluster.

I confirmed this in the Preproduction environment in my client landscape that this application indeed shows sessions across nodes in a cluster.

I cannot share those screenshots as those are from the client landscape, but trust me it does.

Locating the DC (sap.com/tc~lm~itsam~ui~session~mngt~wd) and the jar (sap.com~tc~lm~itsam~ui~session~mngt~wd) was not very difficult but analysing it was a tedious task.

If you decompile the jar (refer to my earlier blog Getting started with Netweaver 7.3 portal Part 2 - NWDS and Logon Page to know how to use jadeclipse), you will find a number of classes. SessionMngt, SessionMngtView and SessionManagementModel are the key classes.

I also found some useful information here:

Get list of all Logged in Users in SAP Netweaver 7.3 

Solution Design

Since my requirement is to stop the user from logging in if the same userid already has a portal session, I wanted to implement this in a login module.

Here is what I planned:

1. Create a login module

2. Using the above API, check whether the user has an HTTP session (note that the user can also have a P4 session); if so, don't allow him to log in.

3. Modify the login page to show an appropriate error message.




Please refer to my earlier blog on the login module and its implementation: Getting started with Netweaver 7.3 portal Part 3 -  Logon Language and Login Module

I decompiled the BasicPasswordLoginModule and used the decompiled code to build my own login module.

I have added one method to check if the user already has a session.


public boolean userHasActiveSession()
{
    CompositeData data[] = null;
    try
    {
        SessionManagementModel model = new SessionManagementModel();
        data = model.getSessions();
    }
    catch(Exception ex)
    {
        // If this block gets executed, this means there is some problem accessing the session data.
        return false;
    }
    for(int i=0;i<data.length;i++){
        // The part of this condition that matches the session to the user logging in is not preserved on this page.
        if( /* session belongs to the user logging in && */ data[i].get("RootContextID") != null) // This is important as there can be non HTTP sessions which won't have a context id assigned.
        {
            return true;
            //throwNewLoginException((new StringBuilder()).append("Active session exists for user").append(user.getName()).toString(), (byte)15);
        }
    }
    return false;
}



This method is called after the user has been authenticated successfully (You don't want to show the error if someone is not entering right credentials).


/* To determine if there is already an active session*/
if (userHasActiveSession())
{
    //User already has an open session. Don't let him login.
    // The message here doesn't make any difference, it gets overwritten by the messages in the jars.
    throwNewLoginException((new StringBuilder()).append("Active session exists for user").append(user.getName()).toString(), (byte)15);
}
/* Continue with life as usual*/
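An added example (not the author's code and not an SAP API): the check above as a stand-alone decision function over constructed CompositeData rows, with the user match made explicit and an explicit policy for the case where the session list cannot be read, which the catch block in userHasActiveSession() treats as "no session". The item name "UserName", the case-insensitive comparison and the sample rows are assumptions; only "RootContextID" comes from the post.

```java
import java.util.concurrent.Callable;
import javax.management.openmbean.CompositeData;
import javax.management.openmbean.CompositeDataSupport;
import javax.management.openmbean.CompositeType;
import javax.management.openmbean.OpenDataException;
import javax.management.openmbean.OpenType;
import javax.management.openmbean.SimpleType;

public class SingleSessionCheck {

    /** Policy for the case where the session list cannot be read at all. */
    enum OnLookupFailure { ALLOW_LOGIN, DENY_LOGIN }

    enum Decision { ALLOW, DENY_ACTIVE_SESSION, DENY_LOOKUP_FAILED }

    // "RootContextID" is the item name used in the post; "UserName" is an assumed item name.
    static final String KEY_CONTEXT = "RootContextID";
    static final String KEY_USER = "UserName";

    /**
     * Decides whether loginId may open a new session. sessionSource stands in for
     * the call that returns the session rows (model.getSessions() in the post).
     */
    static Decision decide(String loginId, Callable<CompositeData[]> sessionSource,
                           OnLookupFailure policy) {
        CompositeData[] sessions;
        try {
            sessions = sessionSource.call();
            if (sessions == null) {
                throw new IllegalStateException("session source returned no data");
            }
        } catch (Exception ex) {
            // A failed lookup (for example a missing permission) is not the same as
            // "no session found": record it and let the policy decide.
            System.err.println("session lookup failed for " + loginId + ": " + ex);
            return policy == OnLookupFailure.DENY_LOGIN
                    ? Decision.DENY_LOOKUP_FAILED
                    : Decision.ALLOW;
        }
        for (CompositeData s : sessions) {
            Object owner = s.get(KEY_USER);
            // Assumption: logon IDs compare case-insensitively.
            boolean sameUser = owner != null && loginId.equalsIgnoreCase(owner.toString());
            // Non-HTTP sessions (such as P4) carry no root context id and are ignored.
            boolean httpSession = s.get(KEY_CONTEXT) != null;
            if (sameUser && httpSession) {
                return Decision.DENY_ACTIVE_SESSION;
            }
        }
        return Decision.ALLOW;
    }

    /** Builds one constructed session row; a null rootContextId models a non-HTTP session. */
    static CompositeData row(String user, String rootContextId) throws OpenDataException {
        String[] names = { KEY_USER, KEY_CONTEXT };
        CompositeType type = new CompositeType("SessionRow", "constructed sample session row",
                names, names, new OpenType<?>[] { SimpleType.STRING, SimpleType.STRING });
        return new CompositeDataSupport(type, names, new Object[] { user, rootContextId });
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: jdoe has only a non-HTTP session, asmith has an HTTP session.
        CompositeData[] rows = { row("jdoe", null), row("asmith", "ctx-0001") };
        Callable<CompositeData[]> readable = () -> rows;
        Callable<CompositeData[]> unreadable = () -> {
            throw new SecurityException("constructed failure: caller may not read session data");
        };

        System.out.println("jdoe, list readable:                "
                + decide("jdoe", readable, OnLookupFailure.DENY_LOGIN));
        System.out.println("ASMITH, list readable:              "
                + decide("ASMITH", readable, OnLookupFailure.DENY_LOGIN));
        System.out.println("asmith, list unreadable, fail open:   "
                + decide("asmith", unreadable, OnLookupFailure.ALLOW_LOGIN));
        System.out.println("asmith, list unreadable, fail closed: "
                + decide("asmith", unreadable, OnLookupFailure.DENY_LOGIN));
    }
}
```

With ALLOW_LOGIN a failed lookup is indistinguishable from "no session found", so a second session is admitted without any error reaching the user; DENY_LOGIN instead locks users out whenever the lookup fails, so the choice is a trade-off between availability and enforcement.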


In case you have prior experience with Login Modules you will know that, the way SAP has developed it, the error messages come from a JAR file, and it's an error-prone and tedious process to modify those jars and place them at server level.

The most amusing part is that the method throwNewLoginException() takes a parameter of type String but doesn't make any use of it. Decompile the class com.sap.engine.interfaces.security.auth.AbstractLoginModule and see it yourself!!

The only field it makes use of is the byte field. Now for some strange reason only predefined numbers are allowed, so there is no extensibility here. Say with me: Bad Design.

These predefined values are stored in the interface com.sap.engine.lib.security.LoginExceptionDetails.

I choose 15 as it resembles the situation I am handling.

public static final byte USER_ALREADY_LOGGED_IN = 15;

After I deployed my login module and tested it, I didn't get the expected result. I was able to open multiple sessions.

After checking the logs I found that the Guest user doesn't have permission to access the Bean.

Below action needs to be assigned to the Guest user for this code to work.


With the Standard Login Page I got an in-line Error message, while trying to open another session

Authentication failed. Client is already authenticated as a different user

Not the message I was looking for.

I implemented my custom message using jQuery and modifying the logonPage.jsp.

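<script type="text/javascript">
$(document).ready(function () {
    // Text of the inline error message rendered by the standard logon page
    var $d = $(".urTxtMsg").text();
    if (($d.length != 0) && ($d == 'Authentication failed. Client is already authenticated as a different user')) {
        $(".urTxtMsg").text("New Session not allowed. You already have a running session!!");
        //alert('Cannot create new session. You already have a running session!!');
        // title: "Error"   (option of a dialog call whose remaining lines are not preserved on this page)
    }
});
</script>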


Not very elegant, as we are doing a String comparison with a hardcoded value. This will fail if the user language is not English, but hey, this is just a POC.



First Login


Second Login Attempt


Post Script

As I mentioned, this blog is the result of a POC. It's not a full-blown/tested/live solution. Some key things to keep in mind:

1. Since HTTP is a stateless protocol the session management and session stickiness is implemented through cookies in SAP Portal. That's why if you are running a portal session in a browser say IE and open a new tab with the portal URL it won't be considered as a new session.

2. Consider a scenario where a User A accidentally closes the browser window, the server will not know that the session has been closed and it will not allow a new session for the same user till the session times out or an administrator closes the session.

3. I have not tested this solution in a clustered environment yet for obvious reasons (need approvals etc.). If someone can test and update it will be great. In case I ever implement this in a client environment I will update this blog.



The sca export can be downloaded from the dropbox link. It has got all the Development components needed for this blog. You can import the sca in your NWDS and play around with it.




Final Words


Please leave your feedback in comments, bouquets or brick-bats all are welcome.

Background: You have migrated a Web Dynpro Java application to version Netweaver 730 or higher.

Behaviour Noticed: When viewing the corresponding Web Dynpro Java iView in the Portal Content Catalogue, this appears to be a Web Dynpro Page.


Areas Affected:  Netweaver 730+ & Enterprise Portal


Reproducing The Behaviour: Logon to the Enterprise Portal. Navigate to Content Administration -> Portal Content Management -> Portal Content. Navigate to Web Dynpro Java Applications -> Java Application. Select the application for which you intend to create the iView. Copy the object and select ‘Paste as PCD Object’ to the required folder. The object appears as a Web Dynpro Page rather than an iView.




Why: From Netweaver 730 onwards the concept for Web Dynpro iViews has changed. They are now known as Web Dynpro Application Pages. The runtime behaviour is identical to that of the old Web Dynpro iViews. The icon representing the new Web Dynpro Application Pages now resembles a page more than an iView.




Summary: As the functionality is the same for the new Web Dynpro Application Pages, you should use them in the same manner as per previous releases.

Background: You are using the SAP Enterprise Portal and are utilizing Knowledge Management (KM) in a document sharing setup and a network file system repository.


Issue Being Encountered: Upon enabling the subscription service across various folders the subscription mail for changed documents returns a user unknown.


Areas Affected: EP Release Independent, SAP NetWeaver, SAP Composition Environment








Steps To Encounter Issue: Login into the portal from desktop - http://<host>:<port>/portal. Check if the Subscription Service is enabled -> choose Content Management → Repository Services → (Show Advanced Options) → Subscription Service in the Configuration iView. If the service is enabled and a document change is performed e.g. updated/created/deleted a resource a subscription mail will be sent. The subscription mail is sent accordingly but the action is listed as being performed by 'unknown' rather than a UserID.

Why: File System Repositories don’t support resource properties alongside the modifiedBy property which is a restriction of File System Repository setup.

Solution: If the issue is occurring for all event types (deletion, creation, modification etc.) then this is standard and expected behaviour when using subscriptions with a File System Repository. The File System Repository does not support "Predefined properties" and does not keep track of predefined properties like "last modified by", which is why you see "changed by unknown" in the notification mail.

Background: You are attempting to run the WPC migration and are encountering issues with the migration tool i.e. it stops functioning.

Obstacle: When attempting to run the migration you encounter an issue which prevents the process from running smoothly


What You See: Error encountered migrating resource: /wpccontent/Sites/WEBSITETRE/Site Content/Work4/ABCDXYZ Error encountered during processing: com.sap.portal.pcc.exceptions.PccDesignTimeException: Could not find object:pcd:com.sap.portal.pcc/StagingAreaId/WEBSITETRE/Site Content/Work4.


Environment Affected: KMC Web Page Composer, Enterprise Portal 7.30 , SAP NetWeaver Composition Environment


Steps Towards Encountering Issue: Log into Enterprise Portal. When attempting to run the WPC Migration and upon further inspection you identify two core error exception highlights pertaining to "Error encountered migrating resource" & "Error encountered during processing". After the WPC Migration fails to run and complete you attempt to run the WPC Migration Cleaner and then the WPC Standalone Migration tool manually. The error exceptions do not indicate an issue with the WPC Migration tool itself but rather the content to be migrated.



Why: A webpage contained within the ‘Site Content’ folder is not a supported scenario.


Solution: If the WPC migration is failing and upon further inspection of the default trace file you note a reference to ‘Error encountered migrating resource’, this indicates a discrepancy. When the ‘Error encountered migrating resource’ message points to content in the Site Content folder, it indicates a conflicting folder setup. Here you need to ensure that there are no web pages stored in the Site Content folder.

Background: Upon attempting to "Integrate Collaboration for SAP NetWeaver" in your system and SAP NetWeaver Portal environment you encounter an issue with the loading operation of the collaboration portal room and profiles.


Error:   You encounter the error exception 'Error in communication with Collaboration room API ' when trying to load the profiles.

Backdrop:  SAP NetWeaver 7.30 & SAP NetWeaver 7.3X

Steps to Reproduce the scenario:  Login to the portal from desktop (http://<host>:<port>/portal). Navigate to SAP Customizing Implementation Guide -> Training and Event Management -> SAP Learning Solution -> Training Management -> Integration -> Collaboration Room for SAP NetWeaver -> Edit Room Profiles. You then encounter the error 'Error in communication with Collaboration API room' while accessing the profiles or SPRO transactions. Upon analyzing the log files you find the following error:

Tables: null
JCO.ServerThread-16 [11:16:23:779]: [JAV-LAYER] Exception in dispatchRequest(LSO_COL_GET_ROOM_PRIVACYTYPES): java.lang.RuntimeException: Bean LSO_COL_GET_ROOM_PRIVACYTYPES not found on host mo7366ux0027, ProgId =SAP_ECC_TrainingManagement: Object not found in lookup of LSO_COL_GET_ROOM_PRIVACYTYPES.
    at com.sap.engine.services.rfcengine.RFCDefaultRequestHandler.handleRequest(RFCDefaultRequestHandler.java:121)
    at com.sap.engine.services.rfcengine.RFCJCOServer$J2EEApplicationRunnable.run(RFCJCOServer.java:267)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:185)
    at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:302)
Caused by: com.sap.engine.services.jndi.persistent.exceptions720.NameNotFoundException: Object not found in lookup of LSO_COL_GET_ROOM_PRIVACYTYPES.
    at com.sap.engine.services.jndi.implserver.ServerContextImpl.lookup(ServerContextImpl.java:641)

Why: This issue is due to invalid configurations and property settings pertaining to the wrong system version guide.


Important Points & Resolution:  For 7.30 systems and upwards a new guide for Collaboration Room Integration with SAP NetWeaver has been developed.

For 7.30 & 7.40 Portals  please make sure you have configured the LSO Collaboration Rooms integration according to this guide: http://service.sap.com/support -> Release & Upgrade Info -> Installation & Upgrade Guides -> SAP Business Suite Applications -> SAP ERP -> SAP ERP 6.0 -> SAP ERP enhancement packages for SAP ERP 6.0 -> SAP ERP enhancement package 4 for SAP ERP 6.0 -> Installation Guide Collaboration for SAP Enterprise Learning.

Remember:  This issue usually happens when you have configured a 7.30 or above portal the way it was described in the old guide (for 7.01 portal). The guide navigation path outlined above describes the proper procedure for configuring LSO with 7.30 and above releases of the SAP NetWeaver Portal.

Background: After System Copy, email links generated from Knowledge Management (KM) are pointing to incorrect Portal URL.


Breakdown: This behaviour may affect links generated through the following functionalities: SendTo Mail, Notification Emails & Approval Emails.

Area Backdrop: EP Release Independent, SAP NetWeaver, SAP Composition Environment, Knowledge Management Content Management


Reproducing Scenario: Perform System Copy of the Enterprise Portal. Use any KM functionality which results in the sending of an email link pointing to a KM resource (subscription, approval workflow, etc). Link generated in email is pointing to original Portal URL instead of copy.


Why:  URL's for applications and various KM functionalities are constructed using various components including resource URIs, system addresses, and paths specified in the configuration of the URL Generator Service. While many of the properties in the service are configured to default values, the host parameter is unique to each Portal environment. This should be pointing to the Fully Qualified Domain Name (FQDN) of the Portal. After a System Copy this property will still be pointing to the FQDN of the source system and needs to be updated.

The Resolution:  Navigate to System Administration -> System Configuration -> Knowledge Management -> Content Management. Select -> Global Services. Select -> Show Advanced Options. Select -> URL Generator Service. Click -> Edit.  Set <Host> Parameter to the Fully Qualified Domain Name (Host Name + Port) of your Portal. Save changes.


Background:  You have migrated a Web Dynpro Java application to version Netweaver 730 or higher.


Overview: When viewing the corresponding Web Dynpro Java iView in the Portal Content Catalogue, this appears to be a Web Dynpro Page.


Affected Areas: NW 7.30+ & the Enterprise Portal


Seeing this behavior:  Logon to the Enterprise Portal. Navigate to Content Administration -> Portal Content Management -> Portal Content. Navigate to Web Dynpro Java Applications -> Java Application. Select the application for which you intend to create the iView. Copy the object and select ‘Paste as PCD Object’ to the required folder. The object appears as a Web Dynpro Page rather than an iView.

Why:  From Netweaver 730 onwards the concept for Web Dynpro iViews has changed. They are now known as Web Dynpro Application Pages. The runtime behaviour is identical to that of the old Web Dynpro iViews. The icon representing the new Web Dynpro Application Pages now resembles a page more than an iView.


Note: As the functionality is the same for the new Web Dynpro Application Pages, you should use them in the same manner as per previous releases.

Background: When you are navigating and performing actions in the Enterprise Portal (EP) you notice that the rendering of the message and the buttons contained within the Work Protect popup is different amongst web browser platforms.


Note: The issue occurs alongside the use of the Internet Explorer (IE), Chrome or the Firefox Web Browser Platforms.



Backdrop: SAP NW & Enterprise Portal


How the issue occurs: Login into the portal from desktop: http://<host>:<port>/portal. Navigate to Configuration Management -> Infrastructure -> Application Modules. In the Module List select the WebModule "com.sap.portal.epcf.loader", then display its details. In the Web Module Details select the "Components" tab and then search for "epcfloader" (Portal Service). When displaying Full Details for these portal services, you get the following properties (you may need to scroll down): workprotect.mode.default, workprotect.mode.personalize, workprotect.window.features, workprotect.popup.layout (as of 7.0 EhP1 and 7.1 EhP1). The "workprotect.popup.layout" property defines the layout of the WorkProtect Popup, but there are limitations for this property which prevent you from configuring a consistent display across various web browser platforms.






Why this occurs: The portal uses an OS API to display the browser specific popup.


Pointers on potentially changing the layout:  You can tailor the popup window size and features via customization properties within the WebModule "com.sap.portal.epcf.loader". In terms of customizing the WorkProtectMode's wording and buttons, there is a limit to the amount of tailoring which can be performed, as from a graphical standpoint the presentation of the popup comes down to the browser's interpretation.

Background:  When you are navigating and performing actions in the Enterprise Portal (EP) you notice that upon selecting "ok" on the Work Protect Mode popup, the application is opened in a second tab.


Overview:  The first tab from the previous step selection is still active in edit mode and the actions performed in this previous step result in that record continuing to be locked by the user.


Sample Scenario:  Login into the portal from desktop: http://<host>:<port>/portal. Select an application. Make a change but do not save (such as Purchase Requisition Message). Click on another tab. The following message is shown: "Your current page contains unsaved data. Do you want to continue with navigation and open a new window?" with OK or Cancel. Click OK: the application is opened in a second tab, the first tab remains active in edit mode and that record continues to be locked by the user.



Area of Interest: SAP NW Portal


Why: The Work Protect Mode options displayed in the popup are determined by the configurations maintained in the EPCF Service.


Overcoming this:  Go to: System Administration -> System Configuration -> Service Configuration -> Applications -> com.sap.portal.epcf.loader -> Services -> epcfloader. Set Workprotect.mode.default to one of the following values which suits the scenario requirement: (a) Protect unsaved data (open page in new window) (b) Discard unsaved data (open page in same window) (c) Choose action in popup on unsaved data. Click on save. Right click on com.sap.portal.epcf.loader. Click on refresh.

Background: The portal activity report mechanism is a great tool to obtain monitoring information for analysis and overview purposes across EP. In this instance you are using a configured Activity Report in the Enterprise Portal (EP) and notice the report findings are not displaying all of the pages that have been visited.

Overview:  Although the Portal pages were indeed visited, only one/two page hits are subsequently recorded and displayed in the report listing.

Version Backdrop: SAP NW 7.31 and Enterprise Portal 7.31


Reports Configuration + Revisiting Setup:  Navigate to the Service Configuration Editor. From the top-level navigation, choose System Administration -> System Configuration. In the detailed navigation, choose Service Configuration. The Service Configuration Editor is displayed. Open the configuration page for the data collection service. In the Portal Catalog, navigate to Applications > com.sap.portal/activityreport.core -> Services -> ActivityReport. Go to “Customer Activity Reports” -> “Daily Activity Report by Page”.


Why are the page hits not recorded? The correct Page Properties have not been defined.


How do we ensure these properties are corrected?  Open the Portal Activity Report configuration settings. Locate and find the Page Property labelled 'User Hits'. The default value in the system is set to 'No' and in order for the report to capture and record Page Hits the property should be changed to 'Yes'. Change the Property to 'Yes' as required and save. Reproduce the scenario and run the report again to see the new report.


Background: A user is facing an issue while attempting to delete a UWL task which has been created and assigned to another employee.

Overview: The task of interest has already been completed and despite this it remains displayed in the Worklist and when the user attempts to delete the task it cannot be deleted as it is not displayed in worklist upon clicking  Approve/Reject and there is no reference entry to this task in the backend



Issue Backdrop: EP Release Independent & SAP NW

Sample Scenario:  You log into the Enterprise Portal and navigate to the Universal Worklist (UWL) by choosing the following: Approval Inbox -> Universal Worklist. In the "Tasks" tab, select the task of your interest. This task was created by "UserA" and assigned to "UserB" and has already been completed.

However, when "UserB" tries to delete this task they are presented with no deletion option.

What's the problem? The tasks which we are dealing with here are Java Workflow tasks, meaning that there is no backend system involved in the scenario for these particular items, and also we don't have task-related information at the backend. The "task" of interest is part of a Task List, which has been created through the "Create Task" UWL button.

What's the solution?  Open table KMC_WF_WORKITEM. Here in the ASSIGNED_USER_ID column try to locate a detail reference related to this user in the traces. Highlight the work item id in the WORKITEM_ID and the OBJREF_ID column where that user is the ASSIGNED_USER_ID. The TIME_COMPLETED column for this line should be empty, as the task is due. There is a DUE_DATE column as well, which is likely passed. Delete these rows. Now open KMC_WF_WFTASK, locate the matching OBJREF_ID, and delete the rows. Now open KM_WF_WORKFLOW and delete all lines where TIMESTAMP_TERM is empty to cancel all possible remaining tasks. If you would prefer to delete the content of the WF related tables, these are the tables whose names start with KMC_WF or KMC_WI.


After applying the instructions in Customizing Logon Page on Portal 7.3 to customize the logon screen, you may need to add a specific doctype to the logon page JSP or reset its head.

This post describes how to set the DOCTYPE on a customized logon page in SAP EP 7.3, 7.4, clear the html head, remove the html body class etc.


Step 1. You will need some classes (fig.1), provided by the SAP team, to manipulate html elements.

You can find the class EnhancedPortalResponse in the "com.sapconsulting.portal.utils.html_api.jar" file, which is packaged in the Ajax Framework sample code available for download from SDN Code Exchange (Ajax Framework Sample code: https://cw.sdn.sap.com/cw/groups/sap-portal-ajax-framework?view=overview).


For more info about this jar, please refer to 4.1.1 Create a Portal Application in this guide http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/001bfa1a-958e-2e10-c2be-d914f673e21e?overridelayout=t…


fig.1 Standard SAP classes for HTML manipulation.


Step 2. Assuming that you have that custom component, there is still the question of how to instantiate the EnhancedPortalResponse object on the portal logon JSP in the login web-module. My suggestion is to use reflection. You will need the following imports on the JSP (classes that we created in step 1) (fig.2):

fig.2 Logon web-module JSP imports.

Step 3. Add custom code to logonPage.jsp as in example on fig.3

fig.3 Code to set doctype, reset head, add some html elements.

A brief description of what goes on in fig.3:

On line 12 we get the class of an object that wraps the EP runtime's ordinary servlet request.

If the user enters the portal by an address like HOST:PORT/irj/portal, the type of this wrapper object will be com.sap.portal.prt.util.PortalServletRequestWrapper, but if the user enters a direct link, e.g. to nwa: HOST:PORT/nwa, this object will be of another type (in our case we don't deep-customize the HOST:PORT/nwa logon page, we just show a simple logon page for administrators without deep customization, so I will not describe how to get EnhancedPortalResponse in this situation).


Next, on line 14 we get the method of that wrapper object PortalServletRequestWrapper, make it accessible on line 15, and invoke that method to receive the IPortalComponentRequest object.


Next, on line 18 we invoke the EnhancedPortalResponse constructor, which gets the IPortalComponentRequest object as a parameter, and on lines 19-25 we are working with the html head (resetting it, creating the IE=edge meta tag, setDocTypeToXhtml10Transitional and even adding bootstrap.css).


Here you can find other examples of using EnhancedPortalResponse for html content manipulation http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/001bfa1a-958e-2e10-c2be-d914f673e21e?overridelayout=t…


Please, ask me in comments if you have questions about how to find SAP framework classes or what decompiler I used in this example etc.

Background: You have been carrying out security checks on the Enterprise Portal (EP) and  encountered a vulnerability type " MongoDB Script Injection Attack" for a system URL.


Overview:  At first glance a security attack may appear prevalent because of an HTTP 200 response, which signifies the response was returned with some altered parameters.


Important Point To Remember:  The WorkProtectPopup may lead you to believe that there is a security issue or breach, but this is not the case.



The WorkProtectPopup request is just a popup window with some options and  does not perform any SQL queries or submission actions. MongoDB is not  associated to or used in EP in any method.






The work protect mode provides the infrastructure for handling unsaved data in SAP NetWeaver Portal. An application is called “dirty” if the entered data has not yet been saved. Normally data is lost when the user navigates to another application without having first saved the data. To prevent this from happening, the client framework of the portal monitors the current status of all the applications in the portal.

Hi All,


Recently, I integrated SAP Portal 7.4 with SuccessFactors and established Single Sign On (SSO) between the systems. In this post, I am sharing the steps I have followed to achieve the same.

Here, the Portal system is the Identity Provider and SuccessFactors is the Service Provider. These systems are integrated using the SAML 2.0 protocol.


By default the standard Portal system acts as Service Provider. The prerequisite to integrate the Portal with SuccessFactors is to enable the Portal as Identity Provider. To do so, we have to deploy an SCA file (IDMFEDERATION<release>.sca) on the Portal server.

Please refer to the SAP Help document for more details on this: Downloading and Installing the Federation Software - Identity Provider for SAP NetWeaver Single Sign-On and SAP NetWeave…


Upon successful deployment of the .sca file, we have to perform the below configurations:


1. Configure SAP Portal as Identity provider.


     1.1 Click on Configuration --> Authentication and Single Sign-On --> Select SAML 2.0

     1.2 Click on the Enable SAML button and provide a name for the identity provider.

     1.3 Click on the “Next” button and select the “Browse” button. On the popup screen, select the “Create” button.

     1.4 Provide a name for the Identity provider and select the check box as shown below.

     1.5 Enter the same name as mentioned in the previous step and click on the “Finish” button.

     1.6 Finally click on the “OK” button.

     1.7 Continue with the initial wizard. No changes required in this screen, click on “Finish”.

We have successfully configured Portal as the Identity provider. Next step is to define SuccessFactors system as Service provider.


2. Adding SuccessFactors system as Trusted Provider


     2.1 Click on the link “Trusted Provider", select the Add button and select the “Manually” option from the menu.

     2.2 Enter the name of the Service Provider and click “Next” to continue.

     2.3 Click on the “Browse” button to import the SF certificate.

     2.4 Click on “Import Entry”. Select X.509 certificate and browse to select the SF certificate file shared from SuccessFactors. Once done, click the “Import” button to import the SF certificate.

     2.5 Select the newly imported SF certificate and click on “OK".

     2.6 Select the same SF certificate imported earlier as encryption certificate and click on “Next".

     2.7 Add Assertion Consumer Service as below. URL from SF looks similar to this:: https://Demo.SuccessFactors.eu/sf/saml2/SAMLAssertionConsumer?company=Dev


     2.8 Add Single logout service as below. This configuration is required to log off from both the system when logoff button at portal level is clicked. URL from SF looks similar to this:: https://Demo.SuccessFactors.eu/saml2/LogoutServiceHTTPRedirectResponse?company=Dev


    2.9 Click on “Next” until the end and “Finish”. Once done, click on “Edit” button from the initial screen and click on “Add” under Supported Name ID formats. Select format “Unspecified” and add source as “Logon ID”. Finally Save and Enable the Trusted Provider.


  2.10 We have successfully configured SuccessFactors system as service provider in SAP NWA. Next step is to export the Portal Certificate and Import in      SF system.

3. Add Portal as Trusted Identity Provider in SuccessFactors


     3.1 Click on Configuration --> Certificate and Keys, select SAML 2.0 and the entry for the Portal certificate.

     3.2 Click on “Export Entry”, select Base64 and click on Download.

     3.3 Save the file and open it. Content should look like this.


Import this certificate into SuccessFactors and do the necessary configuration.


4. SuccessFactors Configuration


     4.1 Log in to SuccessFactors provisioning and navigate to Edit Company Settings --> Single Sign-On (SSO) Settings. Select SAML V2 SSO.

  • Entered the SAML Asserting Party Name as SAP Portal 7.3, as this field can have any value.
  • Entered the SAML Issuer name, the same as mentioned in the Portal Identity Provider.
  • Selected “Assertion” for the field Require Mandatory Signature.
  • Enable SAML Flag is set to “Enabled”.
  • Login Request Signature is not selected.
  • SAML Profile is set to Browser/POST Profile.
  • Enforce Certificate Valid Period is set to “No”.
  • Pasted the certificate shared with us.
  • Selected Add Asserting Party after providing the above details.


5. URL iView configuration in Portal

     5.1 As the final step, create a URL iView and provide the URL: http://Portal7.3.demo.system/saml2/idp/sso

     Add 2 parameters, “saml2sp” and “RelayState”, with values similar to the URLs below. These URLs will be shared by the SF team.

     saml2sp = https://Demo.SuccessFactors.eu/sf/start

     RelayState = https://Demo.SuccessFactors.eu/sf/start/xi/ui/home/pages/home.xhtml


     5.2 Save the URL iView changes and close it. Create a Portal role and assign the URL iView created in the previous step to this role.

     Assign this role to a Portal user whose user ID is present in the Portal as well as in the SF system.

     Upon successful login to the Portal, SF content will be loaded in the Portal content area.



I hope this will be helpful to integrate the Portal with SuccessFactors and to enable SSO between the systems.



Best Regards,
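
The values from steps 2.7, 2.8 and 5.1 can be checked before they go into the URL iView. The sketch below is an added example, not part of the original post or of any SAP or SuccessFactors tooling; the function names `build_iview_url` and `review` are hypothetical, and the URLs are the demo values quoted in the steps above.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Demo values copied from steps 2.7, 2.8 and 5.1 of the walkthrough.
IDP_SSO = "http://Portal7.3.demo.system/saml2/idp/sso"
SAML2SP = "https://Demo.SuccessFactors.eu/sf/start"
RELAY_STATE = "https://Demo.SuccessFactors.eu/sf/start/xi/ui/home/pages/home.xhtml"
ACS_URL = "https://Demo.SuccessFactors.eu/sf/saml2/SAMLAssertionConsumer?company=Dev"
SLO_URL = "https://Demo.SuccessFactors.eu/saml2/LogoutServiceHTTPRedirectResponse?company=Dev"


def build_iview_url(idp_sso, saml2sp, relay_state):
    """IdP-initiated SSO URL as the browser requests it. Both parameter
    values are URLs themselves, so they are percent-encoded."""
    query = urlencode({"saml2sp": saml2sp, "RelayState": relay_state})
    return idp_sso + "?" + query


def review(idp_sso, relay_state, acs_url, slo_url):
    """Return a list of findings for the endpoint values of this setup."""
    findings = []
    endpoints = (("IdP SSO", idp_sso), ("ACS", acs_url),
                 ("SLO", slo_url), ("RelayState", relay_state))
    for name, url in endpoints:
        # Assertions and session cookies travel through these URLs.
        if urlsplit(url).scheme != "https":
            findings.append(f"{name} endpoint is not HTTPS: {url}")
    acs, slo = urlsplit(acs_url), urlsplit(slo_url)
    # RelayState is where the browser lands after the assertion is consumed;
    # it should stay on the service provider's own host.
    if urlsplit(relay_state).hostname != acs.hostname:
        findings.append("RelayState host differs from the ACS host")
    # ACS and SLO must address the same SuccessFactors company instance.
    if parse_qs(acs.query).get("company") != parse_qs(slo.query).get("company"):
        findings.append("ACS and SLO use different company parameters")
    return findings


if __name__ == "__main__":
    print(build_iview_url(IDP_SSO, SAML2SP, RELAY_STATE))
    for finding in review(IDP_SSO, RELAY_STATE, ACS_URL, SLO_URL):
        print("FINDING:", finding)
```
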


Background: This final piece of my session blog series summarizes some of the most commonly reported session issues with the Enterprise Portal and gives an overview of the documentation and steps that exist to resolve such occurrences.


Some Common Issues (Across Multiple Scenarios):



  1. Session Retention - User A logs out and User B is presented with User A's session upon logging in.
  2. RFC sessions are not terminated in the back-end even after the logoff is called within the Portal.
  3. The browser session does not get terminated when the user clicks "logoff" in the Portal.
  4. The application does not invalidate the existing, authenticated session on the server upon user logout.
  5. Cookies may appear to get "cleaned" but when the user returns to the logon page the previous application session is still active.


One user logs out, another logs in and it's the same session. What do we do?


Let us return to the points discussed in the earlier blog postings about sessions and how they are handled. Let us begin by reaffirming that when a session expires, a logoff is invoked or the browser is closed, the connection is not terminated but returned to the pool and kept open as defined in the Connection Lifetime property. In short, the connection stays open for the predefined amount of time by design, and this is not unexpected behavior. It remains in the pool, it is no longer used by another service (e.g. the UWL) and it is available for other clients. The connection lifetime pool can be reset to a different value.


Initial Troubleshooting!


With any issue regarding sessions you should first try to simplify it. Begin with a simple analysis: check whether the issue occurs for all users (various roles) and in all web browsers. Is this a recent issue? Has something played a role in this issue arising?




When you use transaction SM04 to check sessions, what are you seeing? In many cases when the portal is closed (via logoff) a reference is stored. In transaction SM04 it may appear that the sessions remain open, but in fact they will only be references. Or are you seeing the transaction field remaining filled?


Note Fixes...Plentiful and effective.


Some of the most commonly reported session issues are resolved via the following notes:


  • SAP Note: 1903478 - Session remains open after the logoff on enterprise portal from enterprise portal.
  • SAP Note: 1660720 - Session remains open after the logoff on enterprise portal.
  • SAP Note: 1717945 - Portal Logoff Does Not Logoff the Backend When Using HTTP Session Management.


WIKI describes the SM04 transaction screen and the retention of RFC Connections


RFC Connections remain in SM04



SM04 viewing, does it indicate more than a reference? Is the session incorrectly kept open?


  • SAP Note: 1261669 - RFC connections are not closed
  • SAP Note: 1322944 - ABAP: HTTP security session management


Backend sessions are the culprit






When a user logs off from your company portal by choosing the Log Off button, a logoff action should be triggered on the SAP portal side (portal and connected back-end systems). Although SAP NetWeaver Portal comes with an out-of-the-box mechanism that terminates a session when the user closes the browser or navigates out of the SAP iFrame, the mechanism does not handle logoff. Instead, your company portal must raise the terminating event when logging off from the SAP portal.



