Former Member

Quick Guide for setting up SSO between EP and R/3


This guide sets up SSO so that users can access the different SAP systems under consideration with a single login.


System Landscape:

EP6.0 SP6 + Guided Procedures + Composite Application Framework installed on WebAS 640, with Web Dynpro applications on the same host. At the backend is an R/3 472. Since the same WebAS installation is used, there is only a single UME (User Management Engine). This, I think, is the simplest configuration, in which one UME is mapped to the R/3 system.


To put it simply, we need to take a certificate from the WebAS or EP and put it into the R/3 system. Then we need to configure the R/3 system so that it starts accepting the logon tickets from the WebAS. We also need to set up the ACL (Access Control List) to mention the host. Find the detailed step-by-step procedure below.


1. Set the profile parameter login/accept_sso2_ticket = 1. Set login/create_sso2_ticket = 0 unless the server should also be able to issue tickets. (Use DEFAULT.PFL.) Remember that you need to talk to the ever helpful Basis person to get this done.



2. Download the certificate from the Web AS (or) the Enterprise Portal. (Talk to your Web AS administrator or the EP system administrator.)

Web AS: In the Visual Administrator, navigate to “Server -> Services -> Key Storage -> Ticket Keystore -> SAP Logon Ticket Key Pair-Cert” and press the “Export” button.

Enterprise Portal: Navigate to “System Administration -> System Configuration -> Keystore Administration -> SAP Logon Ticket Key Pair-Cert” and press the “Download verify.der File” button.


3. Go to transaction “STRUSTSSO2” and add the certificate. (Talk to your ABAP Basis person again.)


4. Add the issuing system to the ACL. You have to enter the WPS System and the WPS Client.

WPS System: <Instance Name> – click on the certificate and take the “Issued By” value

WPS Client: Enter this as “000” (3 zeroes)


5. If you want to allow access to more than one client using the digitally signed certificates, you need to log into the R/3 system in each such client and add the ACL entry again (only the ACL entry).


6. Create user IDs in WebAS/EP equivalent to those in the R/3. If you don’t want to create that many equivalent users, use “User Mapping” instead (refer to the Help portal). To begin with, though, I suggest creating corresponding users even if you are enabling SSO for many users.


7. In the “Webdynpro Content Administrator”, change the JCO connection settings accordingly:

     I.     Set Model data logical destination to UseSSO.

    II.     Set Metadata logical destination to DefinedUser (because metadata is common for all users).


At runtime only the user IDs in the UME and the R/3 are verified. If they are the same, access is allowed as per the authorization for that user in the R/3 system. So the passwords can be different.
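A pre-flight check for steps 1, 4 and 5, as an added example that is not part of the original post and not SAP code. It assumes the profile is available as text and that the ACL entries have been written down by hand as tuples; the tuple layout, the system ID `EP6`, the name `R47` and the clients `100`/`200` are constructed for illustration.

```python
# Added example (not SAP code): audit step 1 profile values and step 4/5 ACL coverage.
# The ACL row layout and all sample values are constructed for illustration.

def parse_profile(text):
    """Parse 'name = value' lines of a profile such as DEFAULT.PFL; '#' lines are comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()  # a later line replaces an earlier one
    return params


def audit_sso(profile_text, acl_rows, issuer_sid, r3_clients, issues_tickets=False):
    """Return a list of findings; an empty list means steps 1, 4 and 5 look complete."""
    findings = []
    params = parse_profile(profile_text)
    accept = params.get("login/accept_sso2_ticket")
    if accept != "1":
        findings.append(f"login/accept_sso2_ticket is {accept!r}, expected '1'")
    create = params.get("login/create_sso2_ticket")
    # Step 1: an accepting-only system should not be able to issue tickets itself.
    if not issues_tickets and create != "0":
        findings.append(f"login/create_sso2_ticket is {create!r}, expected '0'")
    for client in r3_clients:  # step 5: the ACL entry is repeated in each R/3 client
        if not any(row == (client, issuer_sid, "000") for row in acl_rows):
            findings.append(f"client {client}: no ACL entry for {issuer_sid} / 000")
    return findings


SAMPLE_PROFILE = """\
# constructed DEFAULT.PFL excerpt
SAPSYSTEMNAME = R47
login/create_sso2_ticket = 1
login/accept_sso2_ticket = 1
"""
# (R/3 client where the entry was made, WPS System, WPS Client)
SAMPLE_ACL = [("100", "EP6", "000"), ("200", "EP6", "001")]

if __name__ == "__main__":
    for finding in audit_sso(SAMPLE_PROFILE, SAMPLE_ACL, "EP6", ["100", "200"]):
        print("FINDING:", finding)
```

On the constructed sample it reports two findings: the R/3 system can still issue tickets, and client 200 has an ACL entry with WPS Client 001 instead of 000.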


Search for “User Authentication and Single Sign-On” in the for complete information.


Also recommended is this excellent article


      Former Member
      Jot, is it possible to map a group of Webdynpro users to R/3 without portal?


      Former Member
      Hi Elaine,

      What exactly do you mean by webdynpro users?
      All the users get created in the User Management Engine (UME) of the Web Application Server. Portal is another application that uses the UME.


      Former Member
      It seems the weblog hasn't adapted to the changes in formatting methods for weblogs in SDN.


      Former Member
      Hi Karunakar,

      It's a good weblog, but I have one doubt regarding this SSO. Are these steps enough to see the R/3 screen in the portal? Please reply to this mail ASAP. If you don't mind, please give me your personal mail ID; I will mail you, sir.

      Jagadish Babu Kanikanti.

      Former Member
      I have a situation where SSO needs to be implemented between 3 Web AS servers; Portal should not be used at all.

      I have figured out the following steps to implement SSO and need you to verify them for me.

      Prerequisites - User ID should be the same in all systems.

      Issuing server:

      1. Configure a single Web AS server for issuing tickets by changing the system parameters. Let's say this server is "A".
      2. Replace the server's SSO PSE.

      Accepting server:

      1. Configure the remaining Web AS servers for accepting the logon tickets using the system parameters. Let's say these servers are "B & C".
      2. SAP Library needs to be installed.
      3. Create an RFC destination to the issuing Web AS.

      Now the configuration is over & the system is ready for the SSO testing.

      So now if the user just logs on to system "A" using SAP GUI with the correct user ID & password, then a logon ticket is created.
      Now to log in to server "B or C" the user just clicks in the SAP GUI, and the menu screen appears using the already created logon ticket.

      My questions:
      1. Are my implementation steps correct, or do they need something else as well?
      2. What if the user's password is different in the other systems; will the logon to server "B or C" be successful?
      3. What if another user needs to log in from the same computer, which has already got a logon ticket created by another user?

      Your answers will greatly help me in leading this project.
      Will surely reward you for any light you can throw on this post.

      Best wishes
      Naveen Murthy

      Former Member
      How about setting up SSO between R/3 and CRM, since my ITS is running on CRM? I defined the suggested values in Default.pfl. Is there any step-by-step process?

      Please clarify this for me.