Authentication using SSO between SUP and SAP

Former Member
0 Kudos

Hi all,

I'm working on a mobile app in SUP (Sybase Unwired platform).

I have a scenario where I need to authenticate using SSO between SUP and the SAP server for an MBO based app.

While configuring the Sybase Control Center for the security settings with the Authentication provider as HttpAuthenticationLoginModule, it is asking for a Provider URL which will basically validate and provide the SSO2 tokens. But I'm unable to resolve the URL which should be supplied to the Provider URL.

I'm using the following portal URL: <http/https>://<AS_Java_hostname>:<HTTP_port>/nwa/key-storage

and SSO cookie name as: MYSAPSSO2

Can somebody please let me know what all steps I need to follow in order to authenticate the user from the mobile device on the SAP server?

I've taken reference from below links,

http://infocenter.sybase.com/help/index.jsp?topic=/com.sybase.infocenter.dc01703.0212/doc/html/fre12...

http://scn.sap.com/community/developer-center/mobility-platform/blog/2012/08/10/how-to-sso-between-s...

Accepted Solutions (1)

Former Member
0 Kudos

Hi,

Is there a way so that I could create a SICF service in the SAP system that would authenticate the username and password being passed in the request URL from the app on the user's device?

Basically, in my case I need to provide our custom GUI on the device, and when the user enters his/her credentials and hits the Login button, then I need to call the SICF service on the SAP system with the supplied user credentials. The SAP system should then validate the credentials and provide the SUCCESS/FAILURE response to the device.

Kindly reply asap.

Regards,

Serveshwar Mishra

midhun_vp
Active Contributor
0 Kudos

The authentication is based on the security profile you select while deploying the MBO to the SUP server. E.g., if you configured HTTPAuthenticationLoginModule and deploy the MBO to that security profile, when you pass the credentials from the device it authenticates against the configured authentication mechanism. These are built-in security providers that remove the complexity of authentication from device coding. Later, if the requirement is to authenticate against an LDAP server, there are options for that too.

More details on security providers:

SyBooks Online

If you want to authenticate against SAP you can use HTTPAuthenticationLoginModule as I suggested before. Your Basis consultant can help you get the ping URL of your SAP system.

Midhun VP

Former Member
0 Kudos

Ok thanks for the reply.

I got your point, so using HTTPAuthenticationLoginModule, do I need to pass the userId and password in each MBO, or can I simply create an MBO for the login process and pass the user ID and password in that, and if it's validated then use all other MBOs without passing user credentials?

Regards,

Serveshwar Mishra

midhun_vp
Active Contributor
0 Kudos

You don't need to create an MBO for authentication. The authentication will be taken care of by SUP. You only need to configure HTTPAuthenticationLoginModule in SCC and deploy the MBO package to it. And while creating the MBO, you will find the option "Dynamic credentials" in the input/output selection screen; you need to choose username and password as given in the blog I mentioned in my previous comments.

Midhun VP

Jitendra_Kansal
Product and Topic Expert
0 Kudos

so using HTTPAuthenticationLoginModule do I need to pass the userId and password in each MBO


While creating each and every MBO (and its operations as well), you have to select the "Runtime Data Source Credentials and connection properties" option and choose username and password from the drop-down menu, as given in my blog.


Rgrds,

JK

Virinchy
Active Contributor
0 Kudos

While deploying the MBO, select the already configured HTTPAuthenticationModule and deploy it as in the screenshot.

Former Member
0 Kudos

Ok, thanks Virinchy

Former Member
0 Kudos

Hi Jitendra,

As mentioned in your blog, "Runtime Data Source Credential and Connection properties does not support MBO's that belong to a cache group that uses a Scheduled cache policy."

I'm actually using MBOs that belong to the cache group but with an On Demand cache policy.

I hope Runtime Data Source Credentials and Connection properties will work in my case.

Kindly reply asap.

Regards,

Serveshwar Mishra

Jitendra_Kansal
Product and Topic Expert
0 Kudos


I'm actually using MBOs that belong to the cache group but with an On Demand cache policy.

I hope Runtime Data Source Credentials and Connection properties will work in my case.

I can confirm it. It should work.

Also, you can select the option "Partition by Requester and Device Identity only".

Rgrds,

JK

Former Member
0 Kudos

Hi Virinchy,

The newly created security configuration is not displayed in the drop down of security configuration while deploying the project.

Kindly help.

Regards,

Serveshwar Mishra

midhun_vp
Active Contributor
0 Kudos

You have to add the newly created one in the security section under the default domain from SCC.

Answers (7)

Former Member
0 Kudos

This message was moderated.

Former Member
0 Kudos

Thanks for the responses guys, but now we have opted for a different authentication mechanism.

Regards,

Serveshwar Mishra

Former Member
0 Kudos

Hi,

May I know how I should pass the username and password (run-time data source credentials) from my native code? Please bear with me as I'm a novice to SUP.

Regards,

Serveshwar Mishra

midhun_vp
Active Contributor
Former Member
0 Kudos

I've done all those things, and my application is also working properly, i.e. I'm able to perform all CRUD operations and successfully synchronize my app with SAP.

The only thing I'm confused about is authenticating the request with login credentials. Following the helpful answers above, I'm able to create the security configuration in SCC and at the MBO level.

I just need to inquire about how I should pass the username and password (run-time data source credentials) from my native code, because the runtime credentials aren't mapped to any field in the MBO. So in which parameters should I set the username and password while synchronizing the app with the server?

Regards,

Serveshwar Mishra

Virinchy
Active Contributor
0 Kudos

Hi Serveshwar,

In native app development this might help you:

SyBooks Online

SyBooks Online

midhun_vp
Active Contributor
0 Kudos

There is nothing like mapping credentials with MBO parameters from the app. As I mentioned earlier, the authentication is taken care of by SUP. When you make a sync from the app, the credentials passed during registration will automatically be used. E.g., in the case of authentication with SAP from a mobile app, you will be passing the SAP credentials to the app for registration, and the same credentials will be used for sync. If you logged in as Serveshwar from the app, you will get only the specific data that is related to you on the device when you sync.

Midhun VP

Former Member
0 Kudos

Hi Midhun,

According to your suggestion, when I'm passing the SAP credentials from the app during registration, it's giving the following error:

ERROR: "Exception : SUPApplicationRuntimeException: error @ registerApplication 578 SUPApplicationError_REGISTRATION_WRONG_DEVICE_USER".

Kindly reply asap

Regards,

Serveshwar Mishra

Jitendra_Kansal
Product and Topic Expert
0 Kudos

According to your suggestion, when I'm passing the SAP credentials from the app during registration, it's giving the following error:

ERROR: "Exception : SUPApplicationRuntimeException: error @ registerApplication 578 SUPApplicationError_REGISTRATION_WRONG_DEVICE_USER".

May I know how exactly you are passing sup credentials in the device? Through manual registration (creating a user in sap control center) or some automatic way?

Please share steps and screenshots as well.

Regards,

JK

Former Member
0 Kudos

Hi Jitendra,

When I'm registering the app with a user existing in SCC, the app registers successfully. But when I'm trying to register the app with users existing in the SAP portal but not in SCC, then it gives this error.

Must all the SAP portal users be registered in Sybase Control Center as well?

Regards,

Serveshwar Mishra

Jitendra_Kansal
Product and Topic Expert
0 Kudos

But when I'm trying to register the app with users existing in the SAP portal but not in SCC, then it gives this error. Must all the SAP portal users be registered in Sybase Control Center as well?

In typical scenarios, there should be LDAP security also available at the SUP/SMP server level so that all Windows users can be reachable/registered to the SUP server.

Now, to register with SAP backend users, there should be a mapping between LDAP users and backend users. That's how single sign-on plays a role.

Rgrds,

JK

midhun_vp
Active Contributor
0 Kudos

The error says wrong device user, i.e. you already registered a user with the same device. Can you delete the users from SCC and try?

Serveshwar Mishra wrote:

But when I'm trying to register the app with users existing in the SAP portal but not in SCC, then it gives this error.

Make sure you are using the right ping URL that supports the MYSAPSSO2 token. When you run the ping URL in a browser it pops up asking for username and password. Are you trying to authenticate the app with the Portal server or the SAP server? If it is a portal server you can't use the SAP server's ping URL; you should get an authentication URL that supports the SSO token.

Are you developing an HWC app or a native app?

Midhun VP
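The check described in the post above (the URL must prompt for credentials and must hand back a MYSAPSSO2 cookie) can be run against saved responses from a candidate Provider URL. This is an added example, not code from the thread or from SUP. It assumes the prompt is an HTTP Basic challenge; the host names and responses are constructed, and the Secure/HttpOnly test is an extra hygiene check that the thread does not mention.

```python
from http.cookies import SimpleCookie

SSO_COOKIE = "MYSAPSSO2"  # SSO cookie name given in the thread

def parse_head(raw):
    """Return (status, [(lowercased header name, value), ...]) for a raw response."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = [(n.strip().lower(), v.strip())
               for n, _, v in (line.partition(":") for line in lines[1:])]
    return int(lines[0].split()[1]), headers

def find_sso_cookie(headers):
    """Return the MYSAPSSO2 morsel from any Set-Cookie header, else None."""
    for name, value in headers:
        if name == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            if SSO_COOKIE in jar:
                return jar[SSO_COOKIE]
    return None

def assess_provider_url(url, anonymous_raw, authenticated_raw):
    """List reasons the URL is unsuitable as a Provider URL (empty list = OK)."""
    findings = []
    if not url.lower().startswith("https://"):
        findings.append("password and token cross the network over plain HTTP")
    status, headers = parse_head(anonymous_raw)
    challenged = any(n == "www-authenticate" and v.lower().startswith("basic")
                     for n, v in headers)  # assumed: Basic challenge
    if status != 401 or not challenged:
        findings.append("anonymous request is not challenged for credentials")
    status, headers = parse_head(authenticated_raw)
    cookie = find_sso_cookie(headers)
    if status != 200 or cookie is None:
        findings.append("login does not return a " + SSO_COOKIE + " cookie")
    else:
        for flag in ("secure", "httponly"):  # added hygiene check
            if not cookie[flag]:
                findings.append(SSO_COOKIE + " cookie lacks the " + flag + " flag")
    return findings

# Constructed responses (not captured from a real system).
CHALLENGE = 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="SAP"\r\n\r\n'
TOKEN_OK = "HTTP/1.1 200 OK\r\nSet-Cookie: MYSAPSSO2=EXAMPLETOKEN; path=/; secure; HttpOnly\r\n\r\n"
NO_TOKEN = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    print(assess_provider_url("https://sap.example/sap/bc/ping", CHALLENGE, TOKEN_OK))
    print(assess_provider_url("http://sap.example/no-sso", NO_TOKEN, NO_TOKEN))
```

An empty list means the saved responses match what the post describes; each string in a non-empty list names one reason the URL would not work as a Provider URL or would expose the token.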

midhun_vp
Active Contributor
0 Kudos

Jitendra,

LDAP is a good option if we have multiple systems like Microsoft Exchange Server, SAP server etc. But it's not mandatory to use LDAP. There are customers who don't have an LDAP server, so they can choose HTTPAuthenticationLoginModule to do an SAP SSO from the app.

Midhun VP

Former Member
0 Kudos

Ok, thanks Midhun and Jitendra.

Former Member
0 Kudos

Thanks Midhun and Virinchy, will definitely try your suggestions.

Virinchy
Active Contributor
0 Kudos

Hi Serveshwar Mishra,

Please check if this blog can help you. It explains how single sign-on is configured in SUP in HWC.

The URL looks similar to this:

hostname:port/sap/bc/ping?sap-client=800

midhun_vp
Active Contributor
0 Kudos

You should use the SAP ping URL. Follow the blog below:

Midhun VP