
SSO between EP and ISA

Former Member
0 Kudos

Hello.

A very fast but important question...

Is it possible to set up SSO between SAP Portal (NetWeaver) and Internet Sales R3 edition?

We want SSO not with user mapping but with logon ticket.

I haven't found documentation about it.

Where's the way?

thanks Alex

Accepted Solutions (0)

Answers (3)

Former Member
0 Kudos

First, thank you RK for your thoughtful response. If there is any way to speak with the developer who did the redirect, that would be great (we are looking for someone to do this).

In regards to Vamshi's question, ISA is indeed on a standalone Java stack. We are not using SAP's Portal (for better or worse), we are using a 3rd party, java-based web development tool to construct a custom portal.

The custom portal will have a user store and R3 will have the ISA users (SU01 accounts). We would like to avoid having to maintain users in 3 places (custom portal, J2EE, ABAP). RK's solution for the J2EE authentication is LDAP via SPNego but we would like to avoid LDAP if possible. One idea we've considered (and haven't had success with yet) is where the J2EE authentication is against the ABAP user store and of course ISA is against ABAP as well. The prototype will have the following (some parts untested at this point):

Initial set-up:

1. Establish SAML-based SSO between custom portal and J2EE.

2. Establish SAP login ticket SSO between J2EE and ABAP (this would be used by the ISA application).

3. Set the UME data source in the J2EE system to ABAP.

4. User accounts exist in custom portal and ABAP. No user accounts are created directly in J2EE; instead J2EE users would be authenticated against the ABAP stack.

5. Configure a Logon Module stack for the custom redirect application. This Logon Module stack would generate an SSO2 ticket after successful logon to J2EE.

Process flow:

1. User logs into custom portal. A SAML-based token/ticket/cookie is generated.

2. In custom portal, user clicks on a link to access ISA. As RK describes it, this link will initially access a custom application so that the customer can be authenticated in the J2EE (in our case via the SAML token/ticket). The key differentiator is the J2EE itself would use ABAP-based users for its authentication (whereas RK uses LDAP – forgive me for repeating this but it's key).

3. If J2EE authentication (via ABAP user store) is successful, create an SSO2 ticket.

4. Using SSO2 ticket, ISA application also authenticates user against ABAP (SU01).

And apologies to Alessandro as I've hijacked your post.

rgnanara
Explorer
0 Kudos

This message was moderated.

Former Member
0 Kudos

Hello RK,

A couple of follow-up questions:

Our scenario is somewhat similar to yours except the non-SAP portal itself does the initial authentication which in turn SSO's to the Java Stack*. The initial design has the Java Stack with Java database users for Java Admin, Shop Admin, etc.. and ABAP UME via Java for our B2B customers.

1. In the XCM application config, which user type did you specify (r3_umesu01user)?

2. Can you describe the custom redirect application?

3. Did you need to change any SAP delivered ISA code?

4. Did you need to set up a trust between the Java stack and the R3 backend?

5. In the security provider, did you change the b2b login module stack and if so, what sequence did you use in the Login Module and did this need to create an SAP logon ticket?

6. Do you see any reason why using the ABAP DataSource (e.g., in place of LDAP) for initial Java Stack authentication would be problematic? (i.e., the users initially authenticate in Java via ABAP UME and subsequently login to R3 using the same user).

I realize there are a lot of questions here. Would you be available to speak with us? Of course any information you could provide is most appreciated.

Kind Regards,

Joni

  • LDAP is really not an option so we are trying out a 3rd party app which uses a proprietary SAML based "token" for SSO between the non-SAP portal and the Java Stack.

Former Member
0 Kudos

1. In the XCM application config, which user type did you specify (r3_umesu01user)?

R3_SU01User

2. Can you describe the custom redirect application?

The app runs on the ISA Java stack and redirects the URL to the B2B URL. The B2B URL will look something like this: "http://<hostname>:<port>/customApp/?newURL=http://<hostname>:<port>/b2b/b2b/init.do". Hostname is the FQDN of your ISA server. I am not a developer, so I don't know the inner workings of the app.

3. Did you need to change any SAP delivered ISA code?

Not for SSO.

4. Did you need to set up a trust between the Java stack and the R3 backend?

Yes, using help.sap.com documentation for SSO between WAS java and ABAP.

5. In the security provider, did you change the b2b login module stack and if so, what sequence did you use in the Login Module and did this need to create an SAP logon ticket?

We used the SPNEGO login module with fallback. You also have to assign the same login module to the application that redirects the URL.

http://help.sap.com/saphelp_nw04/helpdata/en/43/4bf48061215f6be10000000a1553f6/frameset.htm

6. Do you see any reason why using the ABAP DataSource (e.g., in place of LDAP) for initial Java Stack authentication would be problematic? (i.e., the users initially authenticate in Java via ABAP UME and subsequently login to R3 using the same user).

No, you can use the ABAP datasource. We configured SSO between ISA Java and R/3 ABAP using SAP help documentation.

-Regards
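
The redirect application described in this reply takes its target from a `newURL` parameter and runs right after a logon ticket has been issued, so the target should be restricted to the ISA applications before redirecting. The check below is an added example, not RK's application or SAP code; the class name, host `isa.example.com`, port `50000` and the allowed path prefixes are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added illustration: validates the newURL parameter of a post-login redirect
// application before the redirect is issued. Host, port and paths are assumed.
public class RedirectTargetCheck {
    static final String ISA_HOST = "isa.example.com";   // assumed FQDN of the ISA Java stack
    static final int ISA_PORT = 50000;                  // assumed HTTP port
    // Only the ISA web applications named in the thread (b2b, b2c) are valid targets.
    static final String[] ALLOWED_PREFIXES = { "/b2b/", "/b2c/" };

    static boolean isAllowedTarget(String newUrl) {
        if (newUrl == null || newUrl.isEmpty()) return false;
        final URI uri;
        try {
            uri = new URI(newUrl).normalize();          // collapses "/b2b/../x" segments
        } catch (URISyntaxException e) {
            return false;                               // malformed input is never redirected to
        }
        String scheme = uri.getScheme();
        if (scheme == null) return false;               // rejects relative and "//host" forms
        if (!scheme.equalsIgnoreCase("http") && !scheme.equalsIgnoreCase("https")) return false;
        if (uri.getUserInfo() != null) return false;    // rejects "trusted-host@other-host"
        String host = uri.getHost();
        if (host == null || !host.equalsIgnoreCase(ISA_HOST)) return false;
        if (uri.getPort() != ISA_PORT) return false;
        String path = uri.getPath();
        if (path == null) return false;
        for (String prefix : ALLOWED_PREFIXES) {
            if (path.startsWith(prefix)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample values for the newURL parameter.
        String[] samples = {
            "http://isa.example.com:50000/b2b/b2b/init.do",
            "http://isa.example.com:50000/b2c/b2c/init.do",
            "http://other.example/b2b/b2b/init.do",
            "http://isa.example.com:50000@other.example/b2b/",
            "http://isa.example.com:50000/b2b/../useradmin",
            "//other.example/b2b/"
        };
        for (String s : samples) {
            System.out.println((isAllowedTarget(s) ? "allow  " : "reject ") + s);
        }
    }
}
```

In a servlet, the redirect would be sent only when `isAllowedTarget` returns true, with a fixed default ISA URL used otherwise.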

Former Member
0 Kudos

Hi,

If I am not wrong, your ISA system is on a standalone Java stack. The system uses the R/3 system for all the data and user management. Then your portal should also be using the same R/3 system; I think all the data is maintained in the central R/3 system. Configure the SSO using the R/3 system. Also create an R/3 system in the portal.

Regards,

Vamshi.

Former Member
0 Kudos

Hi

Kindly refer to the help page below, it details the things you would need to do to perform SSO.

Single Sign-On with Logon Tickets

http://help.sap.com/saphelp_nw70/helpdata/EN/4d/dd9b9ce80311d5995500508b6b8b11/frameset.htm

In case you face any difficulty with the same, please post.

Thanks,

GLM

Edited by: GLM on Jul 31, 2008 11:57 AM

Former Member
0 Kudos

I tried, but it doesn't work.

When I log on to the portal and follow the link to the ISA page, I see just the ISA logon page.

My portal user corresponds to an ISA user (not an R3 user).

Any suggestion?

Edited by: Alessandro Pederiva on Jul 31, 2008 7:11 AM

Former Member
0 Kudos

2 more questions...

Which kind of iView do I need to create to publish my ISA inside the portal? A URL iView?

And which system? HTTP system or R3 system?

Former Member
0 Kudos

Alessandro,

Are you running ISA on stand alone java stack & where does the UME point to?

-RK

Former Member
0 Kudos

ISA is deployed in a new instance of Portal J2EE.

Portal UME is linked to an LDAP server.

ISA users are managed inside R3 (). I'm working with an ISA R3 edition (not CRM).

Former Member
0 Kudos

Are the userids different between portal & R3? ISA login is done on R/3, not on the Java stack. If the userids are the same, you need to configure the ISA Java stack as the ticket issuing system and configure R/3 as the ticket accepting system. Instead of using the ISA application link directly, you need to use a redirect app to get authenticated on the Java stack first, get a logon ticket and then redirect the URL to ISA (b2b or b2c).

-RK

Former Member
0 Kudos

No, the userids are the same in Portal and in ISA.

Former Member
0 Kudos

We don't use portal in our scenario. We have ISA on a standalone Java stack using LDAP UME. The backend is R/3 with local UME. Userids are the same. We use SPNego to SSO to the ISA Java stack. We had to write a custom redirect app. The app runs on the ISA Java stack. After authenticating on the Java stack, the URL is directed to the ISA login page with the cookie & users get logged in without the ISA login prompt.

-Regards