5 Replies. Latest reply: Dec 2, 2013 10:39 PM by Bruno Marleau

Single Sign-On from .Net Application to SAP SOAP Service

Mike Pearce

Let me start by asking forgiveness if I get the SAP side of this incorrect as I'm a Microsoft developer and not entirely familiar with our SAP environment.


I'm trying to implement a solution whereby I can provide single-sign-on to SAP Enterprise SOAP Services from a Microsoft .Net application.  I currently have it working but in a somewhat convoluted way:

(1) .Net app accesses NetWeaver portal, which is configured for single sign-on.  NW portal returns SAPSSO2 ticket via cookie, which is captured by .Net app

(2) .Net app then inserts cookie into request to SAP ECC system to provide authentication.  A trust relationship is already established between NW and ECC.


I'm hoping to skip the part where I access the NW system, as it tends to add a somewhat long delay into the process.  I was directed to the SAPSSOEXT library as a possible way to generate SAP assertion tickets.  After much trial and error, I have been able to generate a ticket with a PSE file provided from the ECC system.  Unfortunately, the ECC system is not accepting the assertion ticket for authentication.  My guess is that there needs to be some sort of trust relationship set up between my Windows system and the ECC system.  I have no idea how to set up that trust relationship as I believe STRUSTSSO2 requires a certificate and I don't have one on my Windows system (at least I don't think so).


I'm hoping someone out there has tried to do something like this and can provide some guidance.  At this point I'm open to just about any solution.  I will mention that we don't yet have a SAML environment set up, so I can't use that mechanism for authentication.



  • Re: Single Sign-On from .Net Application to SAP SOAP Service
    Martin Voros

    So what certificate do you use to sign the cookie generated by the SAPSSOEXT library? The way it's configured right now, the portal generates the cookie and signs it with a certificate. The public key of the certificate is imported in ECC, and ECC accepts any cookies signed by this certificate. So you need to do the same thing: generate a valid cookie that is signed by a certificate that is accepted by SAP.


    Another issue could be time. If the clocks in your systems are not in sync, then ECC can reject the cookie. You can trace the call to your web service in transaction SMICM and see why the cookie gets rejected.



    • Re: Single Sign-On from .Net Application to SAP SOAP Service
      Mike Pearce

      Thanks for the reply.  I've made a little progress today but I've still hit a roadblock.  My SAP system admin has generated a new certificate/PSE.  I am now creating Assertion Tickets with that certificate.  When using the SAPSSOEXT library, I'm specifying the following parameters: myOwnSystemId="System Id used when creating certificate"; myOwnSystemClient="System client used when creating certificate"; extSystemId="System Id of the ECC system"; extSystemClient="System client of the ECC system".

      The certificate has been imported into the ECC system using STRUST and an ACL has been added using my system id and client.

      The error we're seeing now is:

      System ID and client from ticket are not the same then mine

      Neither was ticket issued by myself nor can I find issuer in TWPSSO2ACL.


      Are there utilities in ECC that will show the details of the ticket?  Is that SMICM?  We're really confused as to why ECC doesn't seem to recognize the sending system.