cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Fiori Launchpad SSO

Go to solution
ArcherZhang
Advisor
Advisor

on ‎06-14-2016 4:55 PM

0 Kudos

Hi experts,

I know this is a old question, but did not found my wanted from others threads.

My case is, after login SAP GUI of Gateway Hub system(abap server), i open TCODE '/UI2/FLP',

popup the logon webpage asking my type the username&password.

But i do not wanna type the username&password again(SSO).

How to achieve this?

From SAP HELP page, it only ask me execute task "SAP_SAP2GATEWAY_TRUSTED_CONFIG",

but it not works. The version of hub system is 740 SP14.

Any advise? thanks.

BRs,

Archer

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

LutzR
Active Contributor
‎06-14-2016 5:35 PM
0 Kudos

Hi Archer, this is all about SICF service  /sap/public/myssocntl working or not. It bridges the gap between GUI and IE using the HTTP-Control.

You should check this:

  • Is this service active in SICF?
  • Is the system configured to issue assertion tickets (login/create_sso2_ticket > 0)?
  • Does it accept SSO tickets for login (login/accept_sso2_ticket = 1)?
  • Systems need to generate a proper absolute URL for the system and often fail. E.g. this functionality does not take table HTTPURLLOC into account which is sometimes needed when working with multiple hostnames.
    E.g. i have one system that is not able to determine the hostname at all. Another system uses the technical datacenter hostname and not the public hostname, etc.. FLP runs fine on both when run directly without this transaction. Setting some breakpoints in report /UI2/START_URL might shed some light
  • This will only work with IE

So: you will probably get this working. But I personally see it as a nice to have and would never invest in cleaning it up or give this to a common user.

If you do not want to rely on this and need SSO you would need to start a larger project, e.g. configure kerberos based SNC SSO to the GUI and SPNego (also Kerberos) based SSO to web applications, or loads of alternatives (other buzzwords: MYSAPSSO2-Ticket, Assertion Tickets, SAML2, X.509 client certificates, SAP Single Sign-On, ...)

Regards,

Lutz

Show replies
Show replies
ArcherZhang
Advisor
Advisor
‎06-15-2016 4:18 PM
0 Kudos

Hi Lutz,

Thanks your reply, i checked all you mentioned points, and it works for one GW Hub system. But not works for another system, we have two test GW Hub systems.:)

Through some web tools, i notice that one hub server will send out the MYSAPSSO2 cookie to broswer(that`s why it can logon without password), but another one not send cookie out.Please check the screenshots(The first one is from works server, the second one is not works server).

(P.S.Do not mind the Chrome browser, it`s also not works in IE).

I also checked many things, STRUSTSSO2, SSO2, RZ10, all things is same.

I missed something which the second server did not send out the cookie?

thank you.

BRs,

Archer

j18r
Explorer
‎06-15-2016 10:26 PM
0 Kudos

Hi Archer,

here is a link to page, providing SSO and troubleshooting Information: https://wiki.scn.sap.com/wiki/display/EP/Single+Sign-On+and+Cookies

Rather old but still valid!

Hope that helps you finding your issue.

Best regards,

Johannes

ArcherZhang
Advisor
Advisor
‎06-16-2016 8:25 AM
0 Kudos

Wow, two sever both works now. thank you very much. All you mentioned was absolutely right!!!

Thank you.

BRs,

Archer

ArcherZhang
Advisor
Advisor
‎06-16-2016 8:31 AM
0 Kudos

uh, why this tcode can not open Chrome browser even i changed the register table on my laptop?

LutzR
Active Contributor
‎06-16-2016 9:05 AM
0 Kudos

Glad to read that you are making progress,

It will only work in IE. This is due to technology. Somehow login session information needs to be transferred securely from GUI to browser. This is done by embedding the HTML-Control into the gui. This HTML-Control splits off a new browser window in the same session as the HTML-Control and this way shares session information.

But this HTML-Control in GUI is provided by Internet Explorer regardless of your standard browser configruation. And IE can only start IE in the same session. So no SSO with Chrome - not this way.

Regards,

Lutz

Answers (0)

Ask a Question