Former Member

SSO to non SAP Application using SAP Logon Ticket

Hi Experts,

I have EP 7 SP 15 using the SPNego Wizard for SSO with Active Directory, and SSO between EP and ECC using SAP certificates.

Now I have a demand to SSO some Java-based applications (non-SAP) to my portal using the SAP Logon Ticket.

I have followed some blogs that directed me to use SAPSSOEXT (some libs) to read the MYSAPSSO2 cookie. The problem is that I didn't find this cookie; I even executed the command javascript:document to look for this cookie, but the browser just shows me the JSESSIONID info.

Does anybody know where I can find this cookie or if there's a better way to set up this SSO? It's necessary to say that I cannot SSO these applications using the Kerberos protocol because of some security reasons at my company.

Thanks

Armando


3 Answers

  • Best Answer
    Former Member
    Oct 01, 2008 at 07:21 AM

    Hello Armando,

    If you haven't taken a look at the SAP Java Demo application yet, take a look at this first:

    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/ec82ec90-0201-0010-72bc-88ef150211ff

    Your standard options to achieve SSO without SAP in Windows are NTLM (outdated) or Kerberos. Since you mentioned neither is an option due to 'security' reasons, you are left with reading out the SSO ticket. However, this means that you will always have to redirect users over the Portal. A ticket "dispenser", so to say.

    I don't know why you were unable to read the MYSAPSSO2 cookie. Have you tried downloading a 3rd-party plugin for Firefox or Internet Explorer that lets you read the cookies? You should be able to see it there after you sign into the portal. If not, then I would check the logon stack of your EP and make sure the CreateLogonTicket module is included.

    We've set up the same scenario here at our company and it works really well. Let me know if you have any further questions.

    Cheers,

    Hermann


    • Former Member

      Hi Experts,

      To check what cookies EP is generating, I installed the IE plugin IEWatch. I figured out that the cookie MYSAPSSO2 has been created, but just on the server side. Does anybody know how to bring this cookie to the client side?

      Regards

      Armando Martines Neto

  • Former Member
    Oct 01, 2008 at 07:24 AM

    Hi,

    I don't have much related info, but I can give you a hint:

    Refer to OSS Notes 442401 and 723896.

    When using SAP logon tickets for non-SAP applications, two different implementation options are available. The difference lies in where the ticket verification takes place.

    In the first case, the SAP logon ticket is submitted to the web server filter located on the web server. The web server filter verifies the portal server's public key certificate using its local Personal Security Environment (PSE) and then populates the HTTP header field with the user ID for SSO to the non-SAP web application.

    In the second case, the SAP logon ticket is sent to the non-SAP application, which then verifies it using the ticket verification DLL and submits the user ID to the application for SSO.

    You can refer to the following links:

    http://help.sap.com/saphelp_nw70/helpdata/EN/89/6eb8deaf2f11d5993700508b6b8b11/frameset.htm

    user authentication and SSO

    http://help.sap.com/saphelp_nw70/helpdata/EN/8f/ae29411ab3db2be10000000a1550b0/frameset.htm

    Authentication Using a Directory with SSO Integration Using Logon Tickets

    http://help.sap.com/saphelp_nw70/helpdata/EN/f8/3b514ca29011d5bdeb006094191908/frameset.htm

    SSO

    SAP Logon Ticket-based Single Sign-On

    http://help.sap.com/saphelp_nwce10/helpdata/en/45/b6af743753003ae10000000a11466f/frameset.htm


  • Former Member
    Oct 13, 2008 at 02:03 PM

    Hi Experts,

    Problem solved! (In fact, it was a beginner's mistake.) I was looking for the cookie MYSAPSSO2 on the local drives, but it is an HttpOnly cookie that is stored only in the session.

    As I was developing my system in a different Windows browser, the cookie couldn't be read.

    Thanks for all the help

    Armando Martines Neto
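
Added example, not part of the original thread: a small Node.js diagnostic that classifies `Set-Cookie` headers by whether page script can read them, whether the browser writes them to disk, and whether they are sent to another host. The header values, the `Domain` attribute and the host names `portal.example.corp` / `app.example.corp` are constructed assumptions, not values from the poster's system.

```javascript
// Parse one Set-Cookie header value into its name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of rest) {
    if (!a) continue;
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// RFC 6265 domain matching. Without a Domain attribute the cookie is
// host-only and goes back to the issuing host alone.
function sentTo(cookie, issuingHost, targetHost) {
  const host = targetHost.toLowerCase();
  const d = cookie.attrs.domain;
  if (typeof d !== "string" || d === "") return host === issuingHost.toLowerCase();
  const domain = d.replace(/^\./, "").toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

function classify(header, issuingHost, targetHost) {
  const c = parseSetCookie(header);
  return {
    name: c.name,
    // HttpOnly cookies never appear in document.cookie.
    scriptReadable: c.attrs.httponly !== true,
    // No Expires/Max-Age means a session cookie: kept in browser memory only.
    onDisk: "expires" in c.attrs || "max-age" in c.attrs,
    sentToTarget: sentTo(c, issuingHost, targetHost),
  };
}

// Constructed sample response headers from a portal login.
const SAMPLE = [
  "JSESSIONID=constructed-session-id; Path=/",
  "MYSAPSSO2=constructed-ticket-value; Path=/; Domain=.example.corp; HttpOnly",
];

function report() {
  return SAMPLE.map((h) => classify(h, "portal.example.corp", "app.example.corp"));
}

console.table(report());
```

For a cookie shaped like the sample ticket, the receiving application has to take it from the `Cookie` request header on the server side, because client-side script cannot see it.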
