12 Replies Latest reply: Jan 25, 2011 10:36 AM by Ghochi Elin Kuswoyo RSS

SSO Problem when access portal with SAP webdispatcher

Ghochi Elin Kuswoyo
Currently Being Moderated

dear Gurus,

 

we are SAP Parnert certified in Indonesia, we face problem SSO ticket when setup SAP webdispatcher integrated with SAP EP together LDAP as UME for User autthentication.

 

currently,

 

1 . we already setup SSO Logon Ticket between SAP EP and our backend (SAP ECC 6)

2.  we tested with LDAP User successfully when user access BSP Application from Backend by access our SAP EP hostname (FQDN)

in our case : User directly access BSP Iview at URL Portal not access through http://portal.intra.com:50000/irj/portal, but http://portal.intra.com:50000/irj/servlet/portal/!folder.bsp_test?sap-config=true

 

when we access this page, we need to input our LDAP user and directly  BSP Iview came up sucessfully

 

but,

 

if we access SAP EP through SAP webdispatcher (http://m.extra.com) that we alreadty setting our redirect to be

icm/HTTP/redirefct_0  = PREFIX=/, TO=/irj/servlet/portal/!folder.bsp_test?sap-config=true

 

after we execute http://m.extra.com

first we need to input our LDAP user, but after we push Logon button, we face Pop up to input again user at Backend, its like SSO is failed

 

can you give us some suggestion or simple solution

 

many thanks for your attention

 

regards,

Ghochi

  • Re: SSO Problem when access portal with SAP webdispatcher
    Biren kalaria
    Currently Being Moderated

    Hi Gochi,

     

    When you configure your system object in portal , over there instead of giving hostname of ECC 6 , try giving name of your web dispatcher ,ie   m.extra.com  instead of your ecc host name.

     

    Its illogical ,but it worked when i was facing same problem.

     

    Regards

    Biren

    • Re: SSO Problem when access portal with SAP webdispatcher
      Ghochi Elin Kuswoyo
      Currently Being Moderated

      Hi biren,

       

      do you mean i have to change for System Alias properties especially for ITS and WebAS ?? if i change that hostname, may be i face problem when connection test with backend

       

      currently, ITS and WEB AS hostname hava value hostname (FQDN) of backend (R/3)..

       

      one thing, i want to confirm... is it problem when we wrong for NAT configuration between external address and internal addres (SAP webdispatcher) for SSO matter??

       

      because, today we test with SAP webdispatcher hostame (FQDN), it works.. and no problem with SSO

       

      thanks

       

      ghochi

      • Re: SSO Problem when access portal with SAP webdispatcher
        Biren kalaria
        Currently Being Moderated

        See try to test the system object using FQDN and by using http://m.extra.com . check the test connection with both things, than after change the currently, ITS and WEB AS hostname to m.extra.com instead of hava value hostname (FQDN) of backend (R/3)..

         

        Then test the connection,,even though connection will fail but the SSO will be working if you test the real scenerio by accessing any transaction iview of ECC from portal.

         

        Regards

        Biren

        • Re: SSO Problem when access portal with SAP webdispatcher
          Ghochi Elin Kuswoyo
          Currently Being Moderated

          Hi Biren,

           

          sorry before, do you mean i just change hostname at backend with extern address?? how about port and path for ITS/Web AS... it's necessary for change it,

           

          for example..

          as is (current)

           

          ITS hosname = backend.intra.com:8443
          ITS path = /sap/bc/gui/sap/its/webgui
          
          WEB AS hostname = backend.intra.com:8443
          WEB as path = /sap/bc/bsp/sap

           

          to be

           

          ITS hosname = m.extra.com:8443
          ITS path = /sap/bc/gui/sap/its/webgui
          
          WEB AS hostname = m.extra.com:8443
          WEB as path = /sap/bc/bsp/sap

           

          is is correct as your suggestion???

           

          many thanks..

           

          regards,

           

          ghochi

        • Re: SSO Problem when access portal with SAP webdispatcher
          Ghochi Elin Kuswoyo
          Currently Being Moderated

          HI Biren,

           

          as your suggestion, we are still got same problem..

           

          can you give me detail solution what you have done before.

           

          thanks

           

          regards,

           

          gochi

          • Re: SSO Problem when access portal with SAP webdispatcher
            Shanti Mupkala
            Currently Being Moderated

            You don't need to necessarily use all the options I have mentioned earlier.

             

            Please use the appropriate option according to your landscape and requirements.

             

            For accessing BSP applications through portal from Internet, the corresponding backend system also needs to be OPEN for outside connectivity. This is usually done through some kind of proxy mechanism to avoid exposing the real host name of your backend system.

             

            In your case, not only the portal but also the backend system should be able to connect from outside. The exact procedure will depend on what you would choose to put in front of your backend system. You may choose to use the web dispatcher to redirect the corresponding backend http requests as well.

             

            Please go through the following presentation: (Slide 29 onwards ...)

            http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/24396589-0a01-0010-3c8c-ab2e3acf6fe2?QuickLink=events&overridelayout=true

             

            Reverse Proxies for ITS Applications

             

            How to...Configure SAP Webdispatcher as a reverse proxy

             

            Thanks,

            Shanti

            • Re: SSO Problem when access portal with SAP webdispatcher
              Biren kalaria
              Currently Being Moderated

              Hi Gochi,

               

              when you change parameter of  ITS and WAS ., and test the system connection,,it will throw error. but when you test the real scenerio,i.e create a iac iview or transaction iview from you back end and test using the system object, it will work. Also try what shanti is telling,,,that is also a second option.

              • Re: SSO Problem when access portal with SAP webdispatcher
                Ghochi Elin Kuswoyo
                Currently Being Moderated

                Hi Shanti and Biren,

                 

                i solve this problem with 2 options :

                 

                1.  we create DNS Alias at backend system, so SSO Issued successfully from external address to backend system

                2.  we create 2 SAP Webdispatcher with different port (both SSL), first SAP webdispatcher for Access (redirect) into SAP Enterprise Portal, second SAP webdispatcher for resolving backend system (directly connect to backend system/message server of backend system)

                3. We change System Alias (for System Object) especially WEB AS because we run BSP Application from backend system, we change hostname and port with Reverse Proxy and port as backend port ( port sap webdispatcher = port backend ITS)

                 

                so our landscape here :

                 

                WD1(443) -------> SAP Enterprise Portal --------> Backend
                                                                                                ^
                                                                                                |
                WD2(8443) -------------------------------------------------

                set WD1/WD2 has same external name, let say : extra.domain.com

                 

                WD1 and WD2 has same Alias Name, so when we access https://extra.domain.com/

                 

                directly, client will be redirect to SAP EP and after client fill user and password at SAP EP, client will be forwarded to backend system, ITS of backend system will have same hsotname of reverse proxy and with same port, so it's like ITS running well and BSP iview works and SSO works also

                 

                regards,

                 

                Ghochi

                 

                Edited by: Ghochi Elin Kuswoyo on Jan 25, 2011 10:35 AM

      • Re: SSO Problem when access portal with SAP webdispatcher
        Shanti Mupkala
        Currently Being Moderated

        The SSO cookie is domain specific.

         

        Lets say that your backend system is backend.intra.com and when you access your portal with http://portal.intra.com, a SSO cookie that is valid for *.intra.com is issued. Thats the reason the backend accepts this ticket and SSO is successful.

         

        However, when you access portal with http://portal.extra.com, a SSO cookie that is valid for *.extra.com is issued. The backend system will not accept this ticket and hence the SSO fails.

         

        You can do a couple of thing here:

        1. Relaxing the domain - search for ume.logon.security.relax_domain.level

        2. You can use the property ume.login.mdc.hosts to achieve cross domain SSO

         

        You could also incorporate some kind of proxy mechanism between the portal and the backend system (as suggested above). So, instead of calling the backend directly using the hostname of the backend system, you can use a proxy name of your choice that will match the domain name for your portal (some thing like backend.extra.com). You can then use this proxy name in the System Object configuration and connection tests will also pass.

         

        Hope that helps !!

         

        - Shanti

Actions