Let me start by asking forgiveness if I get the SAP side of this incorrect as I'm a Microsoft developer and not entirely familiar with our SAP environment.
I'm trying to implement a solution whereby I can provide single-sign-on to SAP Enterprise SOAP Services from a Microsoft .Net application. I currently have it working but in a somewhat convoluted way:
(1) .Net app accesses NetWeaver portal, which is configured for single sign-on. NW portal returns SAPSSO2 ticket via cookie, which is captured by .Net app.
(2) .Net app then inserts cookie into request to SAP ECC system to provide authentication. A trust relationship is already established between NW and ECC.
I'm hoping to skip the part where I access the NW system, as it tends to add a somewhat long delay into the process. I was directed to the SAPSSOEXT library as a possible way to generate SAP assertion tickets. After much trial and error, I have been able to generate a ticket with a PSE file provided from the ECC system. Unfortunately, the ECC system is not accepting the assertion ticket for authentication. My guess is that there needs to be some sort of trust relationship set up between my Windows system and the ECC system. I have no idea how to set up that trust relationship as I believe STRUSTSSO2 requires a certificate and I don't have one on my Windows system (at least I don't think so).
I'm hoping someone out there has tried to do something like this and can provide some guidance. At this point I'm open to just about any solution. I will mention that we don't yet have a SAML environment set up, so I can't use that mechanism for authentication.
So what certificate do you use to sign the cookie generated by the SAPSSOEXT library? The way it's configured right now is that the portal generates the cookie and signs it with a certificate. The public key of the certificate is imported in ECC, and ECC accepts any cookies signed by this certificate. So you need to do the same thing: generate a valid cookie that is signed by a certificate that is accepted by SAP.
Another issue could be time. If the clocks in your systems are not in sync, then ECC can reject the cookie. You can trace the call to your web service in transaction SMICM and see why the cookie gets rejected.
Thanks for the reply. I've made a little progress today but I've still hit a roadblock. My SAP system admin has generated a new certificate/PSE. I am now creating Assertion Tickets with that certificate. When using the SAPSSOEXT library, I'm specifying the following parameters: myOwnSystemId="System Id used when creating certificate"; myOwnSystemClient="System client used when creating certificate"; extSystemId="System Id of the ECC system"; extSystemClient="System client of the ECC system".
The certificate has been imported into the ECC system using STRUST and an ACL has been added using my system id and client.
The error we're seeing now is:
System ID and client from ticket are not the same then mine
Neither was ticket issued by myself nor can I find issuer in TWPSSO2ACL.
Are there utilities in ECC that will show the details of the ticket? Is that SMICM? We're really confused as to why ECC doesn't seem to recognize the sending system.
Have you checked the SAP documentation on how to configure an ABAP system to accept a logon ticket generated by another system?
Are you sure that you can generate a ticket with that library? I always thought that it can be used only for verifying tickets. 3rd party apps can use it to integrate with SAP systems, but the tickets must be generated in one of the SAP systems.
The system can already accept logon tickets. We currently have a NetWeaver system set up that generates Logon tickets. I can use one of those as authentication to a web service without issue. The problem is that the NetWeaver portal can sometimes take a long time to generate a ticket - the system is somewhat overloaded at this time.
My hope is that I can use another mechanism to generate the ticket - hence my investigation into SAPSSOEXT.
In terms of Logon tickets the library can only be used to validate them. It can, however, be used to generate Assertion tickets, which is what I'm trying to do.