Jun 22, 2022 at 04:24 PM

SSO from BTP over CC to EP and from there to ERP: almost working

Last edited Jun 26, 2022 at 10:08 AM (3 revisions)

Hi, we have a rather complex SSO configuration problem. It is difficult to describe the problem without going into too many details (which would make for a really long problem description). I will therefore try to point out some of the main pain points we have and hope that this allows you to give us some ideas about what we could do.

System landscape (only affected systems):

Systems in SAP Cloud (BTP):
- Success Factors (SF)
- SF Work Zone
- IPS to provision User from SF to SF Work Zone and IAS
- IAS used as proxy for AzureADS (enterprise IdP)

Systems on premise:
- Cloud Connector used for tunneling traffic and for providing principal propagation using dynamic certificates
- Enterprise Portal (EP)
- ERP (HANA S/4) as backend system for EP

In our problem context, users log on to SF Work Zone using their AzureADS login name and password. This works fine. But when such an authenticated user tries to start a portal app, he or she gets an authentication error in the backend system of the EP.

(screenshot: error-cookie-missing.jpg)

The portal apps are accessible as launchpad apps due to the import of portal apps/iviews/roles using the content provider functionality of EP and Launchpad.

The traces in EP show that the problem is a missing logon ticket for the request to the ERP. This is strange, since the logon stack configuration uses the create ticket module to create an SAP logon ticket after correct authentication of the user with the certificates generated by the Cloud Connector.

Our logon stack looks like this:

EvaluateTicketLoginModule (trustedsys1 = T04,504)
com.sap.engine.services.security.server.jaas.ClientCertLoginModule ( Rule1.AttributeName = CN, Rule1.getUserFrom = SubjectName, Rule1.UserMappingMode = Email)
CreateTicketLoginModule (no attributes)

The security log of the EP shows that the user mapping using the dynamically created certificates from the CC is working fine. The log file even states that a new logon ticket (set-cookie: mysapsso2,...) for the respective user is created.

(screenshot: set-cookie.jpg)

However, this cookie doesn't make it to the browser. Of course, even if the cookie showed up in the response header of the request, the browser would have to discard it, since the domain of the cookie would be incorrect. Actually, we intended to solve the multiple-domain problem with one of the following possibilities:

- using the domain mapping functionality of the Cloud Connector
- using the http rewriting possibility of the ICM in EP (Modification Handler: icm/HTTP/mod_0)
- using a custom domain for our BTP apps (not sure if this is working)

But to be able to change a cookie in one way or another it is necessary to HAVE a cookie that can be altered. And although the logs state that there IS a MYSAPSSO2 cookie, we cannot find it.

If someone has some advice on what we could still try out, or where we could investigate further, we would really appreciate it.

Best regards,

Patrick
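The second half of the post is really two separate checks: is a Set-Cookie header for MYSAPSSO2 present in the response at all, and if it is, would the browser store it given the request host. The script below is an added example, not code from the original post or from SAP; it applies the cookie domain rules of RFC 6265 (sections 5.1.3 and 5.3) to a captured Set-Cookie header and a request host, and shows what a domain rewrite (the Cloud Connector domain mapping or an ICM modification rule would do the same thing on the wire) changes. The host names `workzone.example.corp`, `ep.erp.example.corp` and the ticket value are constructed placeholders, not the landscape in the post.

```python
"""Decide whether a browser would store a Set-Cookie header for a given
request host, per RFC 6265, and test the effect of rewriting the Domain
attribute. Added example; host names and ticket values are constructed."""
import ipaddress


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header value into name, value and attributes.

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly)
    map to True. The cookie value may itself contain '=' (base64 tickets).
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip() or True
    return cookie


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: host equals the domain, or the domain is a suffix of
    the host preceded by a '.', and the host is not an IP address."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".").rstrip(".")
    if host == domain:
        return True
    return host.endswith("." + domain) and not _is_ip(host)


def browser_accepts(request_host: str, header: str, scheme: str = "https"):
    """Return (accepted, reason) for a Set-Cookie header seen by a browser
    that sent the request to request_host over scheme."""
    cookie = parse_set_cookie(header)
    if cookie.get("secure") and scheme != "https":
        return False, "Secure cookie on a non-https response; ignored"
    domain = cookie.get("domain")
    if not domain or domain is True:
        # No Domain attribute: host-only cookie, scoped to the request host.
        return True, f"host-only cookie for {request_host}"
    if not domain_matches(request_host, domain):
        return False, f"Domain={domain} does not cover {request_host}; cookie ignored"
    return True, f"stored for {domain} and its subdomains"


def rewrite_cookie_domain(header: str, new_domain: str) -> str:
    """Replace (or add) the Domain attribute, as a proxy or the ICM
    modification handler would have to do before the response reaches the
    browser. Everything else in the header is kept as-is."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    kept = [p for p in parts[1:] if not p.lower().startswith("domain=")]
    return "; ".join([parts[0], f"Domain={new_domain}", *kept])


# Constructed sample: what the EP security log claims it sent.
SAMPLE_HEADER = "MYSAPSSO2=AjExMDAgAA==; Domain=.erp.example.corp; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for host in ("ep.erp.example.corp", "workzone.example.corp"):
        print(host, browser_accepts(host, SAMPLE_HEADER))
    fixed = rewrite_cookie_domain(SAMPLE_HEADER, ".example.corp")
    print(fixed)
    print("workzone.example.corp", browser_accepts("workzone.example.corp", fixed))
```

The caveat the example makes visible: a rewrite only helps if the new Domain value is a parent of the host the browser actually talked to. Rewriting the cookie to the EP's own domain while the launchpad is served from a BTP host that shares no parent with it is rejected just like the original, which is why the custom-domain option matters as much as the rewrite mechanism itself. Run the check against a real response captured in the browser's network tab, not against the security log, since the log records what the login module created, not what the ICM or the Cloud Connector forwarded.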
