Quick Guide for setting up SSO between EP and R/3
To setup SSO to help users access different SAP systems under consideration with a single log in.
EP6.0 SP6 + Guided Procedures + Composite Application Framework installed on WebAS 640 + Web Dynpro applications on the same host. At the backend a R/3 472. Since the WebAS installation used is the same there is only a single UME (User Management Engine). This I think is the simplest configuration where in there is a mapping between one UME to the R/3 system.<br><br>
To put it simply we need to take a certificate from the WebAS or EP and then put that
into R/3 System. Then we need to configure the R/3 so that they start accepting the
logon tickets from the WebAS. Also we need to set up the ACL (Access Control List) to mention the host. Find the detailed step-by-step procedure below.
1.Set the profile parameter login/accept_sso2_ticket = 1. Set login/create_sso2_ticket = 0 unless the server should also be able to issue tickets. (Use DEFAULT.PFL). Remember you need to talk to the ever helpful basis person to get this done.
2.Download certificate from the Web AS (OR) Enterprise Portal. (Talk to your Web AS administrator or the EP System Administrator)<br>
In the Visual Administrator, press on “Export” button
“Server -> Services -> Key Storage -> Ticket Keystore -> SAP Logon Ticket Key Pair-Cert”
Press on button “Download verify.der File” – navigate using link given below.
“System Administration -> System Configuration -> Keystore Administration-> SAP Logon Ticket Key Pair-Cert”
3.Go to transaction “STRUSTSSO2”, add the certificate (Talk to your ABAP Basis person again)
4.Add to the ACL. You have to enter the WPS System and the WPS Client.
WPS System: <Instance Name> – click on the certificate and take the “Issued By” value
WPS Client: Enter this as “000” (3 Zeroes)
5.If you want to allow access to more than one client using the digitally signed certificates then you need to log into the R/3 system in that client and add to ACL alone again.
6.Create the equivalent user IDs in WebAS/EP as in the R/3. If you don’t want to create as many equivalent users then do “User Mapping” (Refer to Help portal). But then to begin with I suggest you to create corresponding users even if you are enabling SSO for many users.
7.In the “Webdynpro Content Administrator”
Change JCO connection settings accordingly:
I. Set Model data logical destination to UseSSO.
II. Set Metadata logical destination to DefinedUser (because metadata is common for all users)
During runtime only the user IDs in the UME and the R/3 are verified. If they are the same then it would allow access as per the authorization for that user in the R/3 system. So the passwords can be different.
Search for “User Authentication and Single Sign-On” in the sap.help.com for complete information.
Also recommended is this excellent article