Former Member

Objective:

To set up SSO so that users can access the different SAP systems under consideration with a single log-in.


System Landscape:

EP6.0 SP6 with Guided Procedures and the Composite Application Framework installed on WebAS 640, plus Web Dynpro applications on the same host. At the backend, an R/3 472. Since everything runs on the same WebAS installation there is only a single UME (User Management Engine). I think this is the simplest configuration: a single UME mapped to one R/3 system.

Procedure:

To put it simply, we need to take a certificate from the WebAS or EP and import it into the R/3 system. Then we need to configure R/3 so that it starts accepting the logon tickets from the WebAS. We also need to set up the ACL (Access Control List) to name the issuing host. Find the detailed step-by-step procedure below.


1. Set the profile parameter login/accept_sso2_ticket = 1. Set login/create_sso2_ticket = 0 unless this server should also be able to issue tickets itself (use DEFAULT.PFL). Remember that you need to talk to the ever-helpful Basis person to get this done.


2. Download the certificate from the Web AS or the Enterprise Portal (talk to your Web AS administrator or the EP system administrator).

Web AS: In the Visual Administrator, press the "Export" button under "Server -> Services -> Key Storage -> Ticket Keystore -> SAP Logon Ticket Key Pair-Cert".

Enterprise Portal: Press the "Download verify.der File" button, navigating via "System Administration -> System Configuration -> Keystore Administration -> SAP Logon Ticket Key Pair-Cert".


3. Go to transaction "STRUSTSSO2" and add the certificate (talk to your ABAP Basis person again).


4. Add the entry to the ACL. You have to enter the WPS System and the WPS Client.

WPS System: <Instance Name> - click on the certificate and take the "Issued By" value.

WPS Client: Enter this as "000" (three zeroes).


5. If you want to allow access to more than one client using the digitally signed certificates, you need to log into the R/3 system in each such client and add the ACL entry there again; only the ACL step has to be repeated.


6. Create user IDs in WebAS/EP equivalent to those in R/3. If you don't want to create that many equivalent users, use "User Mapping" instead (refer to the Help Portal). To begin with, though, I suggest creating corresponding users even if you are enabling SSO for many users.


7. In the "Web Dynpro Content Administrator", change the JCo connection settings accordingly:

     I.     Set the model data logical destination to UseSSO.

    II.     Set the metadata logical destination to DefinedUser (because the metadata is common to all users).
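As an added example (not part of the original post), the checks behind steps 1, 4 and 5 written as a small audit script: it parses a constructed DEFAULT.PFL excerpt for the two SSO2 profile parameters and models the per-client ACL lookup that decides whether a ticket from the portal's system ID (the certificate's "Issued By" value, client 000) is accepted. The profile text, the system ID "EP1" and the ACL contents are constructed sample values.

```python
"""Audit the SAP logon-ticket (SSO2) settings from the procedure above."""
import re

PARAM_RE = re.compile(r"^\s*([\w/]+)\s*=\s*(.*?)\s*$")


def parse_profile(text):
    """Parse 'name = value' lines of an instance profile; '#' starts a comment."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        m = PARAM_RE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def check_profile(params, issues_tickets=False):
    """Step 1: return findings; an empty list means the profile is as intended."""
    findings = []
    if params.get("login/accept_sso2_ticket", "0") != "1":
        findings.append("login/accept_sso2_ticket must be 1 to accept WebAS/EP tickets")
    if params.get("login/create_sso2_ticket", "0") != "0" and not issues_tickets:
        findings.append("login/create_sso2_ticket should be 0 when this system only verifies tickets")
    return findings


def ticket_accepted(acl, issuer_sid, issuer_client, r3_client):
    """Steps 4-5: the issuer (system ID from 'Issued By', client 000) must be in the
    ACL of the R/3 client being logged into; each client keeps its own ACL."""
    return (issuer_sid, issuer_client) in acl.get(r3_client, set())


# Constructed DEFAULT.PFL excerpt (sample values, not from a real system).
SAMPLE_PROFILE = """# DEFAULT.PFL excerpt
login/accept_sso2_ticket = 1
login/create_sso2_ticket = 0   # this R/3 only verifies tickets
"""
# Constructed ACL: client 100 trusts portal "EP1" client 000, client 200 has no entry.
SAMPLE_ACL = {"100": {("EP1", "000")}, "200": set()}

if __name__ == "__main__":
    print(check_profile(parse_profile(SAMPLE_PROFILE)))        # []
    print(ticket_accepted(SAMPLE_ACL, "EP1", "000", "100"))    # True
    print(ticket_accepted(SAMPLE_ACL, "EP1", "000", "200"))    # False
```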


At runtime only the user IDs in the UME and in R/3 are compared. If they match, access is granted according to that user's authorizations in the R/3 system, so the passwords can be different.


Search for "User Authentication and Single Sign-On" on sap.help.com for complete information.


Also recommended is this excellent article:

https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sapportals.km.docs/documents/a1-8-4/sso%2...
