MII 15.1 SP3 Patch 16 / NetWeaver 7.5 AS JavaIs there a way to generate a MYSAPSSO2 cookie from MII?
Business scenario: Users log into the MII web client. There is a MII web application that has a URL link to an application running on SAP Gateway server. The user should not be required to enter log in credentials when loading the application hosted on the gateway server. Users exist in both systems. Both systems are on the same domain.
Cookies:
Cookies with MYSAPSSO2:
Both MII and Gateway servers have security certificates imported into the ticket keystore from the other client. The Gatway server creates a MYSAPSSO2 cookie. We need MII to create this cookie also.
Additional information (NetWeaver Authentication and Single Sign-On: Authentication):
- NetWeaver is not configured to support SAML 2.0
- ume.login.context = ticket
- ume.login.auth_method = FORM
- ume.login.basicauthentication = 1
- ume.logonAuthenticationFactory = com.sap.security.core.logon.imp.SAPJ2EEAuthenticator
- ume.logon.security.local_redirect_only = true
- ume.logon.force_password_change_on_sso = true
- ume.logon.userpwd_automatic_logon = true
- ume.logon.apply_logon_policies = false
- ume.logon.allow_cert = false
- ume.logon.show_failed_login_attempts = false
- ume.logon.client_certificate_enroll = Disabled
- login.authschemes.default = default
- login.authschemes.definition.file = authschemes.xml
Component ticket Policy Configuration:
- EvaluateTicketLoginModule: SUFFICIENT
- SPNegoLoginModule: SUFFICIENT
- BasicPasswordLoginModule: REQUISITE
- CreateTicketLoginModule: OPTIONAL
- SAP Managed Tags:
Accepted Solutions (1)
I was able to get it to create the MYSAPSSO2 cookie.
- Changed logging to All for /System/Security/Authentication
- Logged into MII web client to create a record in the log file
- Opened log file on MII server .\log\system\security_0#.log
- Found a record:
- After the SPNegoLoginModule check passed, it did not proceed to CreateTicketLoginModule, so I had to change the ticket policy configuration in NetWeaver Administrator to:
-
After the ticket policy change, I logged back into MII and checked the log file and the cookie:
In Chrome, I see the cookie is created.
-
I am still seeing a security prompt when trying to access the Gateway application, but it is most likely due to it having the same system ID of 001. I will change this value and update this answer with my findings.
UPDATE:
After changing the system ID in Java System Properties > Services > User Management Engine > login.ticket_client to 002 and updating the respective client number in the other systems (ACL) it is working as needed. I did have to change the sap.com/xapps~xmii~ear*XMII policy configuration so the MYSAPSSO2 cookie would be created if someone went to the application URL directly bypassing the sap.com/tc~wd~dispwda*webdynpro_dispatcher.
UPDATE 8/14/2018:
I changed the sap.com/xapps~xmii~ear*XMII login policy to use the ticket template and changed the ticket template to the following so the BasicPasswordLoginModule would work. I verified both automated Windows authentication and user / password worked after this change and created the MYSAPSSO2 cookie. Scheduled transactions that use credential stores were also holding onto user sessions, this change resolved the issue.
Answers (0)
| User | Count |
|---|---|
| 11 | |
| 6 | |
| 2 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.