Former Member
Jun 04, 2010 at 08:43 AM

Where to find documentation on SSO issues?

Hi to all,

I'm trying to use Windows Integrated Authentication for HTTP ABAP applications (BSP or ABAP Web Dynpro).

For this I use a SAP portal (EP 7.01) where Kerberos SPNEGO IWA has been successfully set up.

I just want to do a transparent redirect from the ABAP system to the portal, get the saplogon ticket from the portal and redirect back to the ABAP system.

My difficulty is that the Portal system is in a different Windows domain from the ABAP systems.

I could make it work successfully by using the trick of installing a SAP Web Dispatcher for the ABAP system on the portal server.

Therefore, the ABAP system seems to be in the same domain as the portal system and the saplogon ticket cookie generated from the portal is valid for the ABAP system.

Even if this solution works perfectly, I don't want to use it because we have several ABAP systems (ECC, R/3, SRM, CRM) and it would be too complicated to maintain by the externalised support team.

The right solution (in my opinion) is to use domain relaxing because there is a common part (company.country) at the end of both domains.

Therefore I have set up the UME property ume.logon.security.relax_domain_level = 4 with configtool on the portal.

It works fine: the saplogon ticket is now generated for the "company.country" part of both Windows domains.

The problem now: a classical redirect application does not take this UME configuration into account.

It seems that we have to use the standard SAP logon servlet with the redirect syntax.

Something like

http://portalserver.xxx.xxx.company.country:50000/logon/logonServlet?redirectURL=xxxxxxxxxxxxxxxxxxxxxxx

I get an error from the logon servlet saying:

"cannot redirect to the requested application, the redirect parameter is invalid"

When looking at the source code, the logon servlet is not able to decrypt the redirect URL.

For this to work, I need to find out how to correctly encrypt the redirectURL and to set up the UME property

ume.logon.security.local_redirect_only = false

My problem is that I am not able to find any SAP documentation on the /logon/logonServlet application, nor on the ume.logon.security.local_redirect_only UME property.

I have checked help.sap.com and OSS notes with no success.

Does anyone know where to find documentation on these 2 subjects?

Regards,

Olivier
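
The cookie-scope effect described in the post, as an added example that is not part of the original post and not SAP code: it applies the RFC 6265 domain-match rule to show which hosts a browser sends a ticket cookie to before and after the cookie domain is widened to the shared suffix. The host names are constructed, and the code does not model how the UME property counts its level; it only shows the resulting cookie scope, including that every other host under the shared suffix also receives the ticket.

```javascript
// RFC 6265 section 5.1.3 domain-match: the host equals the cookie domain
// or ends with "." followed by the cookie domain.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

// Longest run of trailing DNS labels shared by two host names
// (the "common part" of both domains). Returns "" if nothing is shared.
function commonParentDomain(hostA, hostB) {
  const a = hostA.toLowerCase().split(".").reverse();
  const b = hostB.toLowerCase().split(".").reverse();
  const shared = [];
  for (let i = 0; i < Math.min(a.length, b.length) && a[i] === b[i]; i++) {
    shared.unshift(a[i]);
  }
  return shared.join(".");
}

// Hosts to which a browser would attach a cookie scoped to cookieDomain.
function hostsReceivingCookie(cookieDomain, hosts) {
  return hosts.filter((h) => domainMatch(h, cookieDomain));
}

// Constructed host names (assumptions, not taken from a real landscape).
const PORTAL = "portalserver.eu.win1.company.country";
const ABAP = "ecc.eu.win2.company.country";
const OTHER = "intranet.hr.company.country"; // unrelated host, same suffix
const HOSTS = [PORTAL, ABAP, OTHER];

// Cookie scoped to the portal's own Windows domain: the ABAP host is
// outside the scope, so the browser never sends it the ticket.
const NARROW = "eu.win1.company.country";
console.log(NARROW, "->", hostsReceivingCookie(NARROW, HOSTS));

// Cookie scoped to the shared suffix: the ABAP host now receives the
// ticket, and so does every other host under that suffix.
const RELAXED = commonParentDomain(PORTAL, ABAP);
console.log(RELAXED, "->", hostsReceivingCookie(RELAXED, HOSTS));
```
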