Former Member

Principal Propagation - PIAFUSER in Assertion Ticket

Hi,

I configured PP in SAP XI (NW 04s) SP 11 as it is described in

/people/alexander.bundschuh/blog/2007/01/16/principal-propagation-in-sap-xi

My scenario is

SOAP Client -SOAP,synch-> SAP XI -RFC,synch-> SAP R/3 4.6c

Because my SOAP client can't generate assertion tickets, I tried to configure SAP XI to generate them during SOAP channel activity.

I added the CreateAssertionTicket login module with flag SUFFICIENT to the SOAP adapter login module stack (in Visual Admin, security provider).

Then I created a user in SAP XI with my R/3 user's login name

and a user SOAP_user in SAP XI (there isn't a user SOAP_user in SAP R/3).

When I send messages from the SOAP client as the R/3 user, the scenario works.

When I send messages from the SOAP client as soap_user, the scenario works too, but it couldn't!

In transaction SM20 of the SAP R/3 system I see user PIAFUSER (user PIAFUSER was created in SAP R/3).

In security.log I see these records:

LOGIN.OK
User: SOAP_USER
Authentication Stack: sap.com/com.sap.aii.af.soapadapter*XISOAPAdapter

Login Module                                                            Flag        Initialize  Login      Commit     Abort      Details
com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   OPTIONAL    ok          true       true                  
com.sap.security.core.server.jaas.CreateAssertionTicketLoginModule      SUFFICIENT  ok          true       true                         
Central Checks                                                                                true 

LOGIN.OK
User: PIAFUSER
Authentication Stack: sap.com/com.sap.aii.af.ms.app*MessagingSystem

Login Module                                                            Flag        Initialize  Login      Commit     Abort      Details
com.sap.security.core.server.jaas.EvaluateAssertionTicketLoginModule    SUFFICIENT  ok          true       true                  
com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok                     false                 
com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   REQUISITE   ok                     true                  
Central Checks                                                                                true                

In defaultTrace.trc I see these records:

   Default pool:Principal is null (application: sap.com/com.sap.aii.adapter.rfc.app);

   Principal received is PIAFUSER (application: sap.com/com.sap.aii.adapter.rfc.app);

   PP Pool:Principal is PIAFUSER (application: sap.com/com.sap.aii.adapter.rfc.app).

It seems like the assertion ticket is created, but the user in the ticket is PIAFUSER.

How can I check the user in the assertion ticket?

And how can I solve this situation?

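An added example, not part of the original post and not SAP tooling: Python that parses security.log records in the layout quoted above and reports when the user authenticated on the MessagingSystem stack differs from the user who logged in on the XISOAPAdapter stack. The sample records are retyped from the post with columns collapsed; pairing each adapter login with the next messaging-system login, and treating "ok true true" as an accepting module, are assumptions.

```python
import re

# security.log records in the layout quoted in the post (columns collapsed).
SAMPLE = """\
LOGIN.OK
User: SOAP_USER
Authentication Stack: sap.com/com.sap.aii.af.soapadapter*XISOAPAdapter
com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule  OPTIONAL  ok  true  true
com.sap.security.core.server.jaas.CreateAssertionTicketLoginModule  SUFFICIENT  ok  true  true
LOGIN.OK
User: PIAFUSER
Authentication Stack: sap.com/com.sap.aii.af.ms.app*MessagingSystem
com.sap.security.core.server.jaas.EvaluateAssertionTicketLoginModule  SUFFICIENT  ok  true  true
com.sap.security.core.server.jaas.EvaluateTicketLoginModule  SUFFICIENT  ok  false
"""
MODULE = re.compile(r"^\S+\.(\w+LoginModule)\s+(\w+)\s+(.*)$")

def parse_records(text):
    """Split the log into login records: user, stack, per-module outcome."""
    records = []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("LOGIN."):
            records.append({"user": "", "stack": "", "modules": {}})
        elif not records:
            continue
        elif line.startswith("User:"):
            records[-1]["user"] = line.split(":", 1)[1].strip()
        elif line.startswith("Authentication Stack:"):
            records[-1]["stack"] = line.split(":", 1)[1].strip()
        elif m := MODULE.match(line):
            # Heuristic: initialize=ok, login=true, commit=true => module accepted.
            records[-1]["modules"][m[1]] = m[3].split() == ["ok", "true", "true"]
    return records

def identity_changes(records):
    """Pair each SOAP adapter login with the next MessagingSystem login;
    return (caller, user seen by messaging system, accepted via assertion ticket)."""
    findings, caller = [], None
    for rec in records:
        if rec["stack"].endswith("XISOAPAdapter"):
            caller = rec["user"]
        elif rec["stack"].endswith("MessagingSystem") and caller:
            if rec["user"].upper() != caller.upper():
                ticket = rec["modules"].get("EvaluateAssertionTicketLoginModule", False)
                findings.append((caller, rec["user"], ticket))
            caller = None
    return findings
```

On the records from the post, `identity_changes(parse_records(SAMPLE))` returns one finding: the caller SOAP_USER reached the messaging system as PIAFUSER, and that login was accepted by the assertion-ticket module.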


1 Answer

  • Former Member
    May 31, 2012 at 05:36 AM

    Hi Aleksey,

    We are having the exact same problem with a SOAP to XI scenario on PI 7.10. Did you solve the problem and how?

    Thanks for your reply in advance.

    Frank Classens
