Skip to Content
avatar image
Former Member

SSO Error on Fiori Launchpad

Hi Friends,

We have a Fiori Launchpad set up to host custom UI5 apps. This is a embedded architecture with Gateway and ECC on the same box. We are often facing an issue with Client cache and cookies in browsers where the users get the below error. " SSO Logon not possible ,logon ticket cannot be accepted. Clearly this is an issue with the browser cache since if the session is opened in an Incognito mode or if the cache is cleared manually then this error is gone. But there are more than 10,000 users accessing the fiori launchpad and its not feasible to ask them to clear the cache and Incognito is not recommended practice.

Can any one suggest any resolution for such type of issue ?

image-3.png (822.1 kB)
Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

3 Answers

  • Apr 10 at 07:01 PM

    Hello Santosh Kumar Adapa,

    You better start your investigation looking from link below.

    Wiki page: https://wiki.scn.sap.com/wiki/display/NWTech/SSO+logon+not+possible+-+issue+with+logon+tickets

    Thank you

    Yogesh

    Add comment
    10|10000 characters needed characters exceeded

    • Hello Santosh Kumar Adapa,

      Please look in to your EWA what you have setup...

      I am pasting content from EWA as below

      ------------------------------

      SAP Fiori Cache Buster Activation

      Recommendation: Activate the service /sap/bc/ui2/flp in transaction SICF to activate the cache buster for SAP Fiori.
      Please note that to use the cache buster mechanism, you need to call the SAP Fiori launchpad with one of the
      following URLs:
      https://<server>:<port>/sap/bc/ui2/flp/
      https://<server>:<port>/sap/bc/ui2/flp/index.html
      https://<server>:<port>/sap/bc/ui2/flp/FioriLaunchpad.html

      It is also possible to maintain a custom URL (via SICF external alias) as described here: Customize the Launchpad
      URL

      Background:

      Web browsers store static resources like JavaScript files, stylesheets, and images in the browser cache. When these
      resources are changed on the server in a software upgrade, you want the browser to load the new resources from the
      server rather than from the cache, without having to manually clear the browser cache.
      Cache buster techniques cause Web browsers to load content from the server rather than from the browser cache
      when new resources are available on the server.
      You can find the latest information about the cache buster for SAP Fiori components in SAP Note 2043432.

      ------------------------------

  • Apr 13 at 02:08 PM
    Add comment
    10|10000 characters needed characters exceeded

  • Apr 17 at 12:51 PM

    Hi Santosh Kumar Adapa,

    I think this is a typical problem when hopping from DEV to QA to PRD system in one browser session. In this case MYSAPSSO2-Cookie from DEV is sent to QA and PROD and the other way round.

    Since you seem to have a single system scenario, try to set profile parameter to login/ticket_only_to_host = 1. This will prevent the MYSAPSSO cookie from being sent to all systems of your DNS-domain and will bind it to the original host only.

    If there are other systems in your DNS-Domain (SolMan, Portal, ...) issuing MYSAPSSO2 tickets, try to limit the cookie domain the same way if possible. Or think about trusting each other's logins and configure trust on transaction STRUSTSSO2 level. Or make one of the system the SSO master everybody has to authenticate to (classic portal scenario style). This very much depends on your landscape.

    Regards, Lutz

    Add comment
    10|10000 characters needed characters exceeded