on 03-20-2013 5:03 PM
Hi experts,
We're facing an issue with SSO configuration.
SOVN is installed on a portal 7.3 system that is linked to a BI and ERP system. The UME master system is the BI system. HR master data resides on the ERP system.
We have configured SSO trust between all systems.
Since the portal is linked to the BI system, not all users that will be using the SOVN exist on the portal.
We figured that with the SSO in place between the ABAP and JAVA systems, we could launch SOVN from a BSP application and have the user authenticate against the ABAP system. When we call SOVN from this BSP page, no authentication errors seem to occur as the application is loaded, but no role mapping is taken into account.
When debugging function module RFC_READ_TABLE, we noticed that the OPTION table is not filled as we would expect.
UNAME = 'O' AND FROM_DAT <= '20130320' AND TO_DAT >= '20130320'
If we access the application with a valid auth ticket issued by JAVA, the UNAME is filled correctly.
Is this something that we can resolve with the configuration of SOVN or do we really need to create all users on the portal?
Thanks in advance!
Kind regards,
Luk
Hi Luk,
SSO for OrgChart is configured in the AdminConsole. Check out the Admin Guide, section 4.3.4 Single Sign-on with Logon Tickets.
Best regards,
Luke
Hi Luke,
We have configured the SSO with the ABAP system as described in the configuration guide.
There seems to be a problem while decoding the SSO ticket. The user that is mentioned in the logon ticket (when doing a base64 decode) is LMOREELS, but it is decoded as O by Nakisa.
In the log, we get the following entries:
22 Mar 2013 09:34:49 INFO com.nakisa.Logger - Tenant ID: 000
22 Mar 2013 09:34:49 INFO com.nakisa.Logger - LoginSettingsObject Load: 26
22 Mar 2013 09:34:49 INFO com.nakisa.Logger - com.nakisa.framework.login.Main : LogIn : Credential provider SapSso
22 Mar 2013 09:34:49 INFO com.nakisa.Logger - com.nakisa.framework.login.Credentials_SapSso : Ticket is: AjQxMDIBABgATABNAE8AUgBFAEUATABTACAAIAAgACACAAYAMAAxADADABAARABFAFYAIAAgACAAIAAgBAAYADIAMAAxADMAMAAzADIAMgAwADgAMwA0BQAEAAAACAYAAgBYCQACAEX%2fAVcwggFTBgkqhkiG9w0BBwKgggFEMIIBQAIBATELMAkGBSsOAwIaBQAwCwYJKoZIhvcNAQcBMYIBHzCCARsCAQEwbzBkMQswCQYDVQQGEwJERTEcMBoGA1UEChMTU0FQIFRydXN0IENvbW11bml0eTETMBEGA1UECxMKU0FQIFdlYiBBUzEUMBIGA1UECxMLSTAwMjAxNTUzNjAxDDAKBgNVBAMTA0RFVgIHIBECCRUkJzAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTMwMzIyMDgzNDQ0WjAjBgkqhkiG9w0BCQQxFgQUsHC%21E%2fHRcFSe2u1BtuMMtXw4H0QwCQYHKoZIzjgEAwQwMC4CFQDU1R02GcnIFk2u%2fzZ5N1wyXwNlkwIVALD%21ud3lBaUTB5PbU74cSboYhNyh
22 Mar 2013 09:34:49 INFO com.nakisa.Logger - com.nakisa.framework.login.Credentials_SapSso : Information extracted: TicketDecoder [backendUser=O, portalUser=L]
22 Mar 2013 09:34:49 INFO com.nakisa.Logger - com.nakisa.framework.login.Credentials_SapSso : com.nakisa.framework.login.Credentials_SapSso.getCredentialsBase64Decode(HttpServletRequest, HttpServletResponse) : Name: L, Paassword: *, ID: O
22 Mar 2013 09:34:49 INFO com.nakisa.Logger - com.nakisa.framework.login.Main : LogIn : User to authenticate O
22 Mar 2013 09:34:49 INFO com.nakisa.Logger - com.nakisa.framework.login.Main : LogIn : Authentication provider SapSso
22 Mar 2013 09:34:49 INFO com.nakisa.Logger - com.nakisa.framework.login.Main : LogIn : User authenticated O
22 Mar 2013 09:34:49 INFO com.nakisa.Logger - com.nakisa.framework.login.Main : LogIn : Authentication row is {SapSsoTicket=AjQxMDIBABgATABNAE8AUgBFAEUATABTACAAIAAgACACAAYAMAAxADADABAARABFAFYAIAAgACAAIAAgBAAYADIAMAAxADMAMAAzADIAMgAwADgAMwA0BQAEAAAACAYAAgBYCQACAEX%2fAVcwggFTBgkqhkiG9w0BBwKgggFEMIIBQAIBATELMAkGBSsOAwIaBQAwCwYJKoZIhvcNAQcBMYIBHzCCARsCAQEwbzBkMQswCQYDVQQGEwJERTEcMBoGA1UEChMTU0FQIFRydXN0IENvbW11bml0eTETMBEGA1UECxMKU0FQIFdlYiBBUzEUMBIGA1UECxMLSTAwMjAxNTUzNjAxDDAKBgNVBAMTA0RFVgIHIBECCRUkJzAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTMwMzIyMDgzNDQ0WjAjBgkqhkiG9w0BCQQxFgQUsHC%21E%2fHRcFSe2u1BtuMMtXw4H0QwCQYHKoZIzjgEAwQwMC4CFQDU1R02GcnIFk2u%2fzZ5N1wyXwNlkwIVALD%21ud3lBaUTB5PbU74cSboYhNyh}
22 Mar 2013 09:34:49 INFO com.nakisa.Logger - com.nakisa.framework.login.Main : LogIn : User population provider is Database
22 Mar 2013 09:34:49 INFO com.nakisa.Logger - com.nakisa.framework.login.UserPopulation_DataBase : getWhereClause : Login where clause: (Userid='O')
This clause is also passed to function module RFC_READ_TABLE to retrieve the user's backend roles. Since user O does not exist, no suitable roles can be found to do the role mapping.
Best regards,
Luk
Hi Luke,
We have installed the latest build that we received via OSS.
Now, the parsing error doesn't show up anymore in the log.
However, the problem hasn't been resolved. Instead of decoding user O from the logon ticket, the system extracts user DEV from the logon ticket. From the log:
26 Mar 2013 08:37:33 INFO com.nakisa.Logger - com.nakisa.framework.login.Credentials_SapSso : Information extracted: TicketDecoder [backendUser=DEV, portalUser=LMOREELS]
The backendUser (DEV) is sent to the backend to determine the roles in the ABAP system. The field portalUser contains the correct username.
Any clues? We're also creating an OSS message in parallel.
Best regards,
Luk
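Added example, not code from any poster in this thread and not Nakisa's or SAP's code: a diagnostic parser for the SAP logon ticket (MYSAPSSO2) format, run on the ticket string copied from the log posted above. It shows why the two decodings in the thread go wrong: the ticket header carries code page 4102, so the user InfoUnit is UTF-16BE and reads LMOREELS only when the code page is honoured, while a decoder that treats the bytes as single-byte text sees a NUL after the first letter and yields "L" (the portalUser=L in the log). The value DEV that the newer build reports as backendUser is, in this ticket, the content of the System ID InfoUnit (0x03), not the user unit, which suggests the decoder is reading the wrong InfoUnit. Assumptions made here: the InfoUnit ID names and the code-page-to-codec mapping in the tables, and that SAP's Base64 variant writes "+" as "!" (the "!" characters in the logged ticket are not in the standard alphabet). The parser only reads fields; it does not verify the PKCS#7 signature.

```python
import base64
import struct
from urllib.parse import unquote

# Ticket string copied verbatim from the Nakisa log in this thread (URL-encoded,
# exactly as logged). Used as sample input only.
TICKET_FROM_LOG = (
    "AjQxMDIBABgATABNAE8AUgBFAEUATABTACAAIAAgACACAAYAMAAxADADABAARABF"
    "AFYAIAAgACAAIAAgBAAYADIAMAAxADMAMAAzADIAMgAwADgAMwA0BQAEAAAACAYA"
    "AgBYCQACAEX%2fAVcwggFTBgkqhkiG9w0BBwKgggFEMIIBQAIBATELMAkGBSsOAwIa"
    "BQAwCwYJKoZIhvcNAQcBMYIBHzCCARsCAQEwbzBkMQswCQYDVQQGEwJERTEcMBoG"
    "A1UEChMTU0FQIFRydXN0IENvbW11bml0eTETMBEGA1UECxMKU0FQIFdlYiBBUzEU"
    "MBIGA1UECxMLSTAwMjAxNTUzNjAxDDAKBgNVBAMTA0RFVgIHIBECCRUkJzAJBgUr"
    "DgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUx"
    "DxcNMTMwMzIyMDgzNDQ0WjAjBgkqhkiG9w0BCQQxFgQUsHC%21E%2fHRcFSe2u1BtuMM"
    "tXw4H0QwCQYHKoZIzjgEAwQwMC4CFQDU1R02GcnIFk2u%2fzZ5N1wyXwNlkwIVALD%21"
    "ud3lBaUTB5PbU74cSboYhNyh"
)

# InfoUnit IDs of the SAP logon ticket format (assumed names). Only the IDs the
# diagnosis needs are named; any other ID is reported as unit_0x<id>.
INFOUNIT_NAMES = {
    0x01: "user",         # ABAP user ID, space-padded to 12 characters
    0x02: "client",       # ABAP client, 3 digits
    0x03: "system_id",    # SID of the issuing system, space-padded to 8
    0x04: "created",      # creation time YYYYMMDDHHMM
    0x05: "valid_hours",  # validity period, 4-byte big-endian integer
    0x09: "language",     # logon language
    0x20: "portal_user",  # portal user ID, present when a Java AS issued the ticket
    0xFF: "signature",    # PKCS#7 SignedData over all preceding bytes
}
TEXT_UNITS = {0x01, 0x02, 0x03, 0x04, 0x09, 0x20}
# SAP code-page number in header bytes 1..4 -> Python codec for the text units (assumed mapping).
CODEPAGES = {"4102": "utf-16-be", "4103": "utf-16-le", "4110": "utf-8", "1100": "latin-1"}
SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # DER of 1.2.840.113549.1.7.2


def decode_ticket_string(ticket: str) -> bytes:
    """Undo the URL encoding seen in the log and Base64-decode the ticket.
    Assumption: SAP's Base64 variant writes '+' as '!'."""
    text = unquote(ticket).replace("!", "+")
    text += "=" * (-len(text) % 4)  # the cookie form carries no padding
    return base64.b64decode(text)


def parse_ticket(raw: bytes) -> dict:
    """Walk the InfoUnit list: 1-byte ID, 2-byte big-endian length, body."""
    if len(raw) < 5 or raw[0] != 0x02:
        raise ValueError("not a version-2 SAP logon ticket")
    codepage = raw[1:5].decode("ascii")
    codec = CODEPAGES.get(codepage, "latin-1")
    parsed = {"codepage": codepage, "units": []}
    pos = 5
    while pos < len(raw):
        if pos + 3 > len(raw):
            raise ValueError(f"truncated InfoUnit header at offset {pos}")
        uid = raw[pos]
        (length,) = struct.unpack(">H", raw[pos + 1:pos + 3])
        body = raw[pos + 3:pos + 3 + length]
        if len(body) != length:
            raise ValueError(f"InfoUnit 0x{uid:02x} declares {length} bytes, {len(body)} present")
        pos += 3 + length
        name = INFOUNIT_NAMES.get(uid, f"unit_0x{uid:02x}")
        if uid in TEXT_UNITS:
            value = body.decode(codec).rstrip(" ")  # drop the fixed-width padding
        elif uid == 0x05:
            (value,) = struct.unpack(">I", body)
        else:
            value = body
        parsed["units"].append((uid, name, value))
        parsed[name] = value
    return parsed


def naive_single_byte_user(raw: bytes) -> str:
    """What a decoder that ignores the code page sees in the user InfoUnit:
    the UTF-16BE bytes 00 4C 00 4D ... read as single-byte text and cut at the
    first NUL, i.e. only the first letter (compare portalUser=L in the log)."""
    if raw[5] != 0x01:
        raise ValueError("first InfoUnit is not the user")
    (length,) = struct.unpack(">H", raw[6:8])
    text = raw[8:8 + length].decode("latin-1")
    return text.lstrip("\x00").split("\x00", 1)[0]


def diagnose(ticket: str) -> dict:
    """Summarise the fields a troubleshooter wants to compare against the log."""
    raw = decode_ticket_string(ticket)
    parsed = parse_ticket(raw)
    sig = parsed.get("signature", b"")
    return {
        "codepage": parsed["codepage"],
        "unit_ids": [uid for uid, _, _ in parsed["units"]],
        "user": parsed.get("user"),
        "client": parsed.get("client"),
        "system_id": parsed.get("system_id"),
        "created": parsed.get("created"),
        "valid_hours": parsed.get("valid_hours"),
        "language": parsed.get("language"),
        "signature_len": len(sig),
        "looks_like_pkcs7": sig[:1] == b"\x30" and SIGNED_DATA_OID in sig,
        "naive_user": naive_single_byte_user(raw),
    }


if __name__ == "__main__":
    for key, value in diagnose(TICKET_FROM_LOG).items():
        print(f"{key:>16}: {value}")
```

Running it on the logged ticket reports code page 4102, user LMOREELS, client 010, system ID DEV, creation time 201303220834, an 8-hour validity and a 343-byte PKCS#7 signature, alongside the naive single-byte reading "L". Because the parser does not check the signature, its output is only good for comparing against the log; the consuming system must verify the signature against the issuing system's certificate (the trust relationship the Admin Guide section Luke points to establishes) before it relies on the user field.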