SSO enabling check

Former Member
0 Kudos

Users will access my BSP application using a link. All users will use a default user to log on; they may not have individual user IDs. The security check will be done on the basis of SSO (Single Sign On).

I want to check whether that user has logged on to SSO or not, before allowing him to access the application.

During runtime, how can I check whether that user has logged on to SSO or not?

Any help will be appreciated.

Accepted Solutions (1)

Private_Member_9643
Active Contributor
0 Kudos

hi ashok,

With the release of WAS 6.40 SAP included some restriction on login procedure.

Now whoever is trying to login for any BSP Application, the only possible solution is SSO. The only other way to login using Basic Authentication is when the user likes to change password, or for some system-specific message display. Otherwise default logon is only using SSO.

Regards,

kamaljeet

Former Member
0 Kudos

Hi Kamaljeet,

where did you get the info

> Now whoever is trying to login for any BSP Application,

> the only possible solution is SSO

from? According to the docs, the following is possible.

http://help.sap.com/saphelp_erp2004/helpdata/en/da/2eb168b228bd47a5715c387d8b3393/frameset.htm

In addition, using the error handler you can also delegate the authentication to the J2EE engine (or another system) which then will lead to an SSO integration using SAP Logon tickets.

Regards,

Patrick

Private_Member_9643
Active Contributor
0 Kudos

hi patrick,

Whenever u call one BSP Application from another BSP Application, u will never see the password verification window, if user logged in using SSO setting.

and in general the concept is that if no SSO setting is set then while going from one Application to Another u have to give password again.

but u try this with SAP, while going from one BSP Application to another, and if ur SSO setting is not set, then u can't go to next BSP Application using normal authentication procedure, as it will give u error that set ur SSO setting first then try to login again.

so it's better first u try it (some time giving references is better than giving solution with practical approach), and if still have doubt then u can reply any time.

Regards,

kamaljeet

Former Member
0 Kudos

Hi kamaljeet,

> hi patrick,

>

> Whenever u call one BSP Application from another BSP

> Application, u will never see the password

> verification window, if user logged in using SSO

> setting.

correct.

> and in general the concept is that if no SSO setting

> is set then while going from one Application to

> Another u have to give password again.

correct.

> but u try this with SAP, while going from one BSP

> Application to another, and if ur SSO setting is not

> set , then u can't go to next BSP Application using

> normal authentication procedure, as it will give u

> error that set ur SSO setting first then try to login

> again.

sorry this is not correct. This is what I tried to point out in the above. You can configure the system (actually the services) to accept any of the supported authentication types. Be it password, X.509 or something else, authentication based on the SAP Logon Ticket is only one of the options. In case you limit a service to only accept SAP Logon Ticket based authentication, you even can configure the system to redirect the user automatically to the ticket creating system, have him be authenticated there and let the other system redirect the user back to your service. You can find some info in note 517860 (https://websmp205.sap-ag.de/~sapidb/012006153200000162132002/) on the SAP Service Marketplace, related on how to catch these logon errors. This is also stated in the weblog referenced by you (/people/thomas.jung3/blog/2004/08/03/bsp-150-a-developer146s-journal-part-viii--user-authentication-single-sign-on). In addition, the SAP WebAS ABAP itself can create a SAP Logon ticket, if instructed to do so. You just have to adjust some profile settings (http://help.sap.com/saphelp_nw04/helpdata/en/5c/b7d53ae8ab9248e10000000a114084/frameset.htm).

Additional information may be found in an excellent paper from Brian McKellar at https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/webas/abap/bsp confusion between stateless stateful and authentication .

> so its better first u try it ( some time giving

> references is better than giving solution with

> practical approach), and if still have doubt then u

> can reply any time.

Could you please be more specific, what will not work?

> Regards,

> kamaljeet

Sorry if my previous post was not clear enough.

Regards,

Patrick

Answers (4)

Former Member
0 Kudos

Hi Ashok,

as far as I can understand your question, you want to have different areas of code:

- one area, where anonymous access is possible

- a second area, where this is not the case

For ABAP you can't implement this with one service to my knowledge. Instead you would need to move all the anonymously accessible stuff into one service, which then will run under a technical user (I guess that's what you mean by guest account), and a second service, which would require authentication, would be used to provide the remaining features. For the second service, you could use the failed logon handler to redirect the user to the ticket creating system, if you do not want to do the authentication within your own system.

You can check whether a user already has a logon ticket but you can only check whether it is valid by having him authenticated.

Regards,

Patrick Hildenbrand

Former Member
0 Kudos

Basically, what I want to know is the way by which a user has logged on to the system. Possible scenarios are by SSO (automatically, without providing user ID and password) or else by giving ID and password in that system.

How can I find out in my BSP application the way by which the user has logged on? And if the user has logged on using SSO, then how do I get client ticket details like Subject name?

athavanraja
Active Contributor
0 Kudos

check out class CL_BSP_LOGIN_APPLICATION, it's got a property called TXT_ERROR_NO_SSO2. Maybe with further exploration of this class we could find some info.

Regards

Raja

Private_Member_9643
Active Contributor
0 Kudos

hi ashok,

u can also refer to this weblog: give u more idea abt SSO.

/people/thomas.jung3/blog/2004/08/03/bsp-150-a-developer146s-journal-part-viii--user-authentication-single-sign-on

regards,

kamaljeet

Private_Member_9643
Active Contributor
0 Kudos

hi ashok,

when user logs in using SSO, a logon ticket for that user is generated by the system.

The logon ticket is only issued after the user has been authenticated, for example, using user ID and password. It is then sent to further systems when the user accesses the system's services. Instead of prompting the user for user ID and password, these systems verify the validity of the logon ticket to allow the user access to its services.

The logon ticket is stored in a non-persistent HTTP cookie in the user’s Web browser. Complex cryptographic operations are used to create and verify tickets.

New and verified tickets are stored in a cache memory located in the shared memory on the SAP Web Application Server. When a user attempts to log on to SAP Web Application Server using a logon ticket, the system searches the cache memory. If the system finds a cache entry for this logon ticket, it simply reads the logon information from the cache memory and does not carry out a signature check. The cache entry stays in the cache memory until the expiry date of the new or received logon ticket. Thus, cache entries cannot be used after the ticket itself has expired.

So I think it's better u check out the settings of Logon Tickets, which will solve your problem.

Regards,

Kamaljeet
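
Added example, not part of the thread and not SAP's implementation: a small Python model of the ticket flow described in the post above (ticket issued after authentication, signature verified on first use, later logons served from a cache until the ticket expires). An HMAC with a constructed key stands in for the real digital signature, and `issue_ticket`, `TicketAcceptor` and the `user|expiry|signature` layout are hypothetical.

```python
import hashlib
import hmac
import time

ISSUER_KEY = b"constructed-demo-key"  # assumption: stands in for the issuer's signing key


def _sign(body):
    return hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue_ticket(user, lifetime_s, now=None):
    """Issuing system: call only after `user` has been authenticated."""
    expires = int((time.time() if now is None else now) + lifetime_s)
    body = f"{user}|{expires}"
    return f"{body}|{_sign(body)}"


class TicketAcceptor:
    """Accepting system: verifies tickets and caches verified ones until expiry."""

    def __init__(self):
        self.cache = {}            # ticket string -> (user, expires)
        self.signature_checks = 0  # counts how often the costly check ran

    def logon(self, cookie_value, now=None):
        now = time.time() if now is None else now
        if not cookie_value:
            return None            # no ticket cookie presented
        hit = self.cache.get(cookie_value)
        if hit:
            user, expires = hit
            if now < expires:
                return user        # cache hit: no signature check
            del self.cache[cookie_value]  # entry must not outlive the ticket
            return None
        try:
            user, expires_s, sig = cookie_value.split("|")
            expires = int(expires_s)
        except ValueError:
            return None            # malformed cookie value
        self.signature_checks += 1
        expected = _sign(f"{user}|{expires_s}")
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return None            # a cookie being present proves nothing
        if now >= expires:
            return None
        self.cache[cookie_value] = (user, expires)
        return user
```
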

athavanraja
Active Contributor
0 Kudos

> Users will access my BSP application using a link .

> All users will use a default user to log on , they

> may not have individual users id .

I understand up to this point.

> The security check

> will be done on basis of SSO( Single Sign On ) .

> I want to check that whether that user has logged on

> to SSO or not ; before allowing him to access to

> application .

>

> During runtime , How i can check whether that user

> has logged on to SSO or not ?

>

> Any help will be appreciated .

I don't get this part of your question.

Do you want to check whether your BSP application is accessed by the default user which you set up? (If yes, it's sy-uname.)

The SSO part you were talking about is not clear. When you have used a default user, where is the SSO part coming in?

Regards

Raja