SSO with R/3

s0004895470
Active Participant
0 Kudos

Hi experts,

We're facing an issue with SSO configuration.

SOVN is installed on a portal 7.3 system that is linked to a BI and ERP system. The UME master system is the BI system. HR master data resides on the ERP system.

We have configured SSO trust between all systems.

Since the portal is linked to the BI system, not all users that will be using the SOVN exist on the portal.

We figured that with the SSO in place between the ABAP and JAVA system, we could launch SOVN from a BSP application and have the user authenticate against the ABAP system. When we call SOVN from this BSP page, no authentication errors seem to occur as the application is loaded, but no role mapping is taken into account.

When debugging function module RFC_READ_TABLE, we noticed that the OPTION table is not filled as we would expect.

UNAME = 'O' AND FROM_DAT <= '20130320' AND TO_DAT >= '20130320'

If we access the application with a valid auth ticket issued by JAVA, the UNAME is filled correctly.

Is this something that we can resolve with the configuration of SOVN or do we really need to create all users on the portal?

Thanks in advance!

Kind regards,

Luk

Accepted Solutions (0)

Answers (1)

lukemarson
Active Contributor
0 Kudos

Hi Luk,

SSO for OrgChart is configured in the AdminConsole. Check out the Admin Guide, section 4.3.4 Single Sign-on with Logon Tickets.

Best regards,

Luke

s0004895470
Active Participant
0 Kudos

Luke,

Will it be possible to use the logon tickets that are issued by the ABAP system to perform SSO with Nakisa?

In that case, we could try and check whether the verify.pse of the ABAP system can be used to check the ticket.

Thanks in advance!

Luk

lukemarson
Active Contributor
0 Kudos

Hi Luk,

Nakisa uses the logon ticket of the ABAP system. Verify.pse is not needed because it uses the more secure method of Base64 decoding. Just follow the instructions in the Admin Guide and it should work. It takes around 5 to 10 minutes to set up.

Best regards,

Luke

s0004895470
Active Participant
0 Kudos

Hi Luke,

We have configured the SSO with the ABAP system as described in the configuration guide.

There seems to be a problem while decoding the SSO ticket. The user that is mentioned in the logon ticket (when doing a base64 decode) is LMOREELS, but it is decoded as O by Nakisa.

In the log, we get the following entries:

22 Mar 2013 09:34:49 INFO  com.nakisa.Logger  - Tenant ID: 000

22 Mar 2013 09:34:49 INFO  com.nakisa.Logger  - LoginSettingsObject Load: 26

22 Mar 2013 09:34:49 INFO  com.nakisa.Logger  - com.nakisa.framework.login.Main : LogIn : Credential provider SapSso

22 Mar 2013 09:34:49 INFO  com.nakisa.Logger  - com.nakisa.framework.login.Credentials_SapSso : Ticket is: AjQxMDIBABgATABNAE8AUgBFAEUATABTACAAIAAgACACAAYAMAAxADADABAARABFAFYAIAAgACAAIAAgBAAYADIAMAAxADMAMAAzADIAMgAwADgAMwA0BQAEAAAACAYAAgBYCQACAEX%2fAVcwggFTBgkqhkiG9w0BBwKgggFEMIIBQAIBATELMAkGBSsOAwIaBQAwCwYJKoZIhvcNAQcBMYIBHzCCARsCAQEwbzBkMQswCQYDVQQGEwJERTEcMBoGA1UEChMTU0FQIFRydXN0IENvbW11bml0eTETMBEGA1UECxMKU0FQIFdlYiBBUzEUMBIGA1UECxMLSTAwMjAxNTUzNjAxDDAKBgNVBAMTA0RFVgIHIBECCRUkJzAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTMwMzIyMDgzNDQ0WjAjBgkqhkiG9w0BCQQxFgQUsHC%21E%2fHRcFSe2u1BtuMMtXw4H0QwCQYHKoZIzjgEAwQwMC4CFQDU1R02GcnIFk2u%2fzZ5N1wyXwNlkwIVALD%21ud3lBaUTB5PbU74cSboYhNyh

22 Mar 2013 09:34:49 INFO  com.nakisa.Logger  - com.nakisa.framework.login.Credentials_SapSso : Information extracted: TicketDecoder [backendUser=O, portalUser=L]

22 Mar 2013 09:34:49 INFO  com.nakisa.Logger  - com.nakisa.framework.login.Credentials_SapSso : com.nakisa.framework.login.Credentials_SapSso.getCredentialsBase64Decode(HttpServletRequest, HttpServletResponse) : Name: L, Paassword: *, ID: O

22 Mar 2013 09:34:49 INFO  com.nakisa.Logger  - com.nakisa.framework.login.Main : LogIn : User to authenticate O

22 Mar 2013 09:34:49 INFO  com.nakisa.Logger  - com.nakisa.framework.login.Main : LogIn : Authentication provider SapSso

22 Mar 2013 09:34:49 INFO  com.nakisa.Logger  - com.nakisa.framework.login.Main : LogIn : User authenticated O

22 Mar 2013 09:34:49 INFO  com.nakisa.Logger  - com.nakisa.framework.login.Main : LogIn : Authentication row is {SapSsoTicket=AjQxMDIBABgATABNAE8AUgBFAEUATABTACAAIAAgACACAAYAMAAxADADABAARABFAFYAIAAgACAAIAAgBAAYADIAMAAxADMAMAAzADIAMgAwADgAMwA0BQAEAAAACAYAAgBYCQACAEX%2fAVcwggFTBgkqhkiG9w0BBwKgggFEMIIBQAIBATELMAkGBSsOAwIaBQAwCwYJKoZIhvcNAQcBMYIBHzCCARsCAQEwbzBkMQswCQYDVQQGEwJERTEcMBoGA1UEChMTU0FQIFRydXN0IENvbW11bml0eTETMBEGA1UECxMKU0FQIFdlYiBBUzEUMBIGA1UECxMLSTAwMjAxNTUzNjAxDDAKBgNVBAMTA0RFVgIHIBECCRUkJzAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTMwMzIyMDgzNDQ0WjAjBgkqhkiG9w0BCQQxFgQUsHC%21E%2fHRcFSe2u1BtuMMtXw4H0QwCQYHKoZIzjgEAwQwMC4CFQDU1R02GcnIFk2u%2fzZ5N1wyXwNlkwIVALD%21ud3lBaUTB5PbU74cSboYhNyh}

22 Mar 2013 09:34:49 INFO  com.nakisa.Logger  - com.nakisa.framework.login.Main : LogIn : User population provider is Database

22 Mar 2013 09:34:49 INFO  com.nakisa.Logger  - com.nakisa.framework.login.UserPopulation_DataBase : getWhereClause : Login where clause: (Userid='O')

This clause is also passed to function module RFC_READ_TABLE to retrieve the user's backend roles. Since user O does not exist, no suitable roles can be found to do the role mapping.

Best regards,

Luk
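
Added example, not part of the original thread and not Nakisa's code: a Python sketch that reads the info units of a base64-encoded logon ticket, so the user field can be compared with the user name the application logged. The ticket is a constructed sample; the unit layout, the unit names, the client 001, the system ID DEV and the handling of `!` as `+` are assumptions.

```python
import base64
import struct
from urllib.parse import unquote

# Unit names are assumptions for this example, not taken from SAP or Nakisa docs.
UNIT_NAMES = {0x01: "user", 0x02: "client", 0x03: "system_id", 0xFF: "signature"}
TEXT_UNITS = {0x01, 0x02, 0x03}

def _unit(unit_id, body):
    # One info unit: 1-byte ID, 2-byte big-endian length, then the content.
    return struct.pack(">BH", unit_id, len(body)) + body

def build_sample_ticket():
    # Constructed sample, not a real ticket; the signature is a placeholder.
    raw = b"\x02" + b"4102"  # version byte, then code page 4102 (UTF-16BE)
    raw += _unit(0x01, "LMOREELS".ljust(12).encode("utf-16-be"))
    raw += _unit(0x02, "001".encode("utf-16-be"))
    raw += _unit(0x03, "DEV".ljust(8).encode("utf-16-be"))
    raw += _unit(0xFF, b"\x00" * 16)
    return base64.b64encode(raw).decode("ascii").replace("+", "!")

def decode_ticket(cookie_value):
    # Undo URL encoding, treat '!' as '+' (assumption), restore padding.
    text = unquote(cookie_value).replace("!", "+")
    raw = base64.b64decode(text + "=" * (-len(text) % 4))
    if len(raw) < 5 or raw[1:5] != b"4102":
        raise ValueError("unexpected header; this sketch handles code page 4102 only")
    fields, pos = {}, 5
    while pos < len(raw):
        if pos + 3 > len(raw):
            raise ValueError("truncated info unit header")
        unit_id, length = struct.unpack_from(">BH", raw, pos)
        body = raw[pos + 3:pos + 3 + length]
        if len(body) != length:
            raise ValueError("info unit runs past end of ticket")
        pos += 3 + length
        name = UNIT_NAMES.get(unit_id, "unit_0x%02x" % unit_id)
        # Signature and unknown units stay as bytes: reading is not verifying.
        fields[name] = body.decode("utf-16-be").rstrip() if unit_id in TEXT_UNITS else body
    return fields

def field_matching(fields, logged_value):
    # Which ticket field, if any, equals the user name the application logged?
    for name, value in fields.items():
        if isinstance(value, str) and value == logged_value:
            return name
    return None
```

Calling `field_matching(decode_ticket(ticket), "DEV")` on the sample returns `system_id`, while `"O"` matches no field at all.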

lukemarson
Active Contributor
0 Kudos

Hi Luk,

What SOVN application, version and build number are you using?

Best regards,

Luke

s0004895470
Active Participant
0 Kudos

Hi Luke,

We have the following Nakisa application and version:

Name: OrgChart
Version: 3.0 SP3
Build: 0703017900

Best regards,

Luk

lukemarson
Active Contributor
0 Kudos

Hi Luk,

The latest build is 0703033900 and I strongly recommend upgrading, since there is a very high chance that the issue is resolved in it. You can get it by raising an OSS message under part XX-PART-NKS and requesting the latest service patch for OrgChart 3.0 SP3.

Best regards,

Luke

s0004895470
Active Participant
0 Kudos

Hi Luke,

We have installed the latest build that we received via OSS.

Now, the parsing error doesn't show up anymore in the log.

However, the problem hasn't been resolved. Instead of decoding user O from the logon ticket, the system extracts user DEV from the logon ticket. From the log:

26 Mar 2013 08:37:33 INFO com.nakisa.Logger  - com.nakisa.framework.login.Credentials_SapSso : Information extracted: TicketDecoder [backendUser=DEV, portalUser=LMOREELS]

The backendUser (DEV) is sent to the backend to determine the roles in the ABAP system. The field portalUser contains the correct username.

Any clues? We're also creating an OSS message in parallel.

Best regards,

Luk

lukemarson
Active Contributor
0 Kudos

Hi Luk,

It looks like you've moved a step closer, but not far enough. I can only think that there is a product bug, so raising an OSS message is the best avenue to pursue.

Please let us know the solution once you find it. I'm sorry I can't help any more.

Best regards,

Luke

Former Member
0 Kudos

Hi Luk,

Can you share how the issue is resolved?

Thanks

Sunitha

Former Member
0 Kudos

Good Afternoon Luk Moreels -

Were you able to resolve this issue? We are facing the exact same thing:

[backendUser=DEV, portalUser=LMOREELS]

Thank you,