
ICF Logon with EP SSO functions

Former Member
0 Kudos

We have Enterprise Portal 7.0 running SSO over AD. ABAP Stack is accepting JAVA logon ticket.

To access BSP applications via SSO and direct ICF link, I created a URL-IView redirecting to the ABAP URL, which is given through a URL parameter.

In ICF I use Logon via URL Redirect with URL:

http://javaep.xx.net:50000/URLIVIEW?sap-url=https://abap.xx.net:44302<%=PATHTRANS%>%3F<%=FORMFIELD%>;

This works fine, but I'm running into problems with initial and expired Passwords in ABAP.

Are there any solutions to Logon to ICF over the JAVA logon functions?

Thank you for your answers

Daniel

1 ACCEPTED SOLUTION

Former Member
0 Kudos

This works fine, but I'm running into problems with initial and expired Passwords in ABAP.

Do the users still need a password in addition to the SSO solution? If not, have you tried to deactivate the password on the ABAP side? (There is an option to do this to the user on the selection screen of transaction SU01).

Cheers,

Julius

12 REPLIES

WolfgangJanzen
Product and Topic Expert
0 Kudos

SAP Note 869218 (https://service.sap.com/sap/support/notes/869218) might be helpful.

Cheers, Wolfgang

0 Kudos

Some users need the password at the SAPGUI or the BEX Analyzer side.

We cannot deactivate the password on the ABAP side.

Thank you,

Daniel

WolfgangJanzen
Product and Topic Expert
0 Kudos

Well, if you can split the users into two groups (one which needs to be able to log on to the ABAP system using UID/PWD and a different one which always logs on to the system using an SSO mechanism), then you would be able to resolve the problem by deactivating the password of those users who log on to the system using SSO.

However, if the users need to be able to perform both (direct logon using ABAP UID/PWD and also the ability to use SSO), you have to decide whether you want to enforce the password change policy or not. Actually the user should be forced to change his/her password if the password change policy is demanding this (e.g. when the password was set by the admin and not by the user himself/herself, or when the system is demanding regular password changes and the number of days gone since the last password change date is exceeding the defined threshold).

Cheers, Wolfgang

0 Kudos

Daniel,

We are very familiar with this issue, as many companies we work with who use SAP have need for both SAP GUI and Web access to their systems. Using our SNC library the password can be deactivated in ABAP engine and the authentication to ABAP will then work using external authentication (Kerberos) and the portal and/or Web access will also work with deactivated passwords.

Thanks,

Tim

0 Kudos

Hello Tim,

We cannot use the SAPGUI features because of other SAP Systems. If I want to deactivate password at the ABAP side I have to do this in all Systems. This can't be done because other Systems do not allow this.

Thanks,

Daniel

0 Kudos

Daniel,

Why do you need to change all systems? Are you using CUA to manage the user store across multiple systems?

Can you explain why you cannot deactivate the password in all systems and use a product such as our SNC product for SAP GUI SSO on all systems?

Thanks,

Tim

0 Kudos

Hello Daniel,

Have you read the SAP note suggested by Wolfgang above?

That (on good authority) appears to be the solution.

Cheers,

Julius

Former Member
0 Kudos

The problem is that I don't use the standard password authentication in ICF. If I use the standard password authentication it works fine, as described in OSS 869218.

To use the EP SSO Ticket I use URL Redirect in ICF and redirect to

"http://javaep.xx.net:50000/URLIVIEW?sap-url=https://abap.xx.net:44302<%=PATHTRANS%>%3F<%=FORMFIELD%>"

which gets the SSO authentication and shows the 'sap-url' parameter in URL.

Are there any possibilities to use JAVA SSO in the ICF without using a Portal URL?

WolfgangJanzen
Product and Topic Expert
0 Kudos

Are there any possibilities to use JAVA SSO in the ICF without using a Portal URL?

No, that's not possible. NWAS ABAP does not provide the ability to deploy custom login modules (unlike NWAS Java, providing the ability to deploy own JAAS login modules).

Therefore, the approach based on (twofold) http redirects (which you've already described) is the only way to (virtually) extend the set of authentication schemes for an ABAP system: the NWAS Java is performing the authentication and issuing a SAP Logon Ticket which is then evaluated by the NWAS ABAP.

Still, SAP Note 869218 can be useful for you.

Regards, Wolfgang
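
The twofold redirect described above hands the ABAP target to the portal in the sap-url parameter. The following is an added example, not code from this thread or from SAP: it shows the nested URL being fully percent-encoded on the sending side and checked against an allowlist of ABAP origins before the redirect back. The function names, the allowlist and the BSP path are assumptions; the hosts are the placeholders used in the thread.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder hosts as written in the thread; the BSP path used in the
# usage example at the bottom is constructed for illustration.
PORTAL_IVIEW = "http://javaep.xx.net:50000/URLIVIEW"
ABAP_BASE = "https://abap.xx.net:44302"
# Hypothetical allowlist: (scheme, host, port) of ABAP systems that accept
# the logon ticket issued by the Java stack.
ALLOWED_TARGETS = {("https", "abap.xx.net", 44302)}


def build_portal_redirect(path, query=""):
    """ICF side: wrap the requested ABAP URL in the sap-url parameter.

    The whole nested URL is percent-encoded, so '&' and '=' from the
    original query string stay inside sap-url instead of becoming
    separate portal parameters.
    """
    target = ABAP_BASE + path + ("?" + query if query else "")
    return PORTAL_IVIEW + "?" + urlencode({"sap-url": target})


def validated_target(portal_request_url):
    """Portal side: return sap-url only if it names an allowed ABAP origin."""
    values = parse_qs(urlsplit(portal_request_url).query).get("sap-url", [])
    if len(values) != 1:              # missing, empty or duplicated parameter
        return None
    target = values[0]
    if any(ch in target for ch in "\r\n\t\\"):
        return None                   # control characters and backslashes
    try:
        parts = urlsplit(target)
        origin = (parts.scheme, parts.hostname, parts.port)
    except ValueError:                # malformed host or port
        return None
    if parts.username is not None or parts.password is not None:
        return None                   # no userinfo in front of the host
    return target if origin in ALLOWED_TARGETS else None


if __name__ == "__main__":
    url = build_portal_redirect("/sap/bc/bsp/sap/zdemo/main.htm",
                                "sap-client=100&lang=EN")
    print(url)
    print(validated_target(url))
```
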

0 Kudos

Thank you for the answer, Wolfgang,

I will use the "(twofold) http redirects" method. I know it's not the perfect solution, but for us it is the best way to implement SSO on the ABAP side at the moment.

To solve the expired or initial password problem I am extending the standard authentication with a redirect in the logon dialog (works quite well!). I do that in the extension class from the authentication.

Before showing the ICF logon dialog I do the redirect thing. If I get the SSO Ticket the system checks the initial or expired password. If I don't get an SSO Ticket I show the standard ICF logon dialog.

Now users can use the ICF standard authentication with EP Java SSO.

I have read the OSS 869218. The way described works only with the standard authentication but not with the redirect method. In case of that I found the way to extend the logon dialog.

Thank you,

Daniel

WolfgangJanzen
Product and Topic Expert
0 Kudos

I'm glad to hear / read that you've managed to implement a working solution.

Cheers, Wolfgang