Connecting SAP systems to Enterprise portal with SSO.

I think a lot of people, after installing SAP Enterprise Portal, look at how to connect it to existing SAP systems (BW, R/3, CRM etc.). Me too. I spent a lot of time searching for a guide that describes it in detail, and in one piece. There are a lot of documents on activities in backend systems, on the portal itself, and SAP Help pages on configuring J2EE. But I couldn’t find The-One-Full-How-To. So I wrote it.

It’s quite small and brief. I do not have time to make screenshots, because it’s my live system :o) But it seems quite clear to me, and I hope to you. You will need basic knowledge of J2EE tools, SAP Basis and the portal.

Please note: these steps worked for me, but they might not work for you; it depends on the landscape. If so, try to contact me via e-mail (klim at I’m also not a too-much-experienced guru, and could be wrong somewhere. Please use this document at your own risk! :o) I will not cover the process of providing content from backend systems in the portal. At least not in this article. Probably later.

So here they are, 10 simple steps :o)

1) Export certificate from portal (verify.der and verify.pse)
   a) Navigate to ‘System Administration’ >> ‘System configuration’ >> ‘Keystore Administration’.
   b) In ‘Content’ select “SAPLogonTicketKeypair-cert” and press’n’save “Download verify.pse file” and “Download verify.der file”.

2) Check existence of SAPJSF user in target system
   a) Create it if necessary using transaction SU01.
   b) The user should have two roles: SAP_BC_JSF_COMMUNICATION and SAP_BC_USR_CUA_CLIENT_RFC (if you have CUA in place).
   c) You will probably have to generate profiles for those roles in the target system (transaction PFCG).

3) Check profile parameters
   a) Use transaction RZ10.
   b) Choose the instance profile, ‘extended maintenance’, then ‘Change’.
   c) Make sure that “login/create_sso2_ticket” is set to “2” and “login/accept_sso2_ticket” is set to “1”.

4) Export certificate from target system (the system to which you want to connect using SSO from portal)
   a) Use transaction STRUSTSSO2.
   b) Double-click on “Own Certif.”, on the “CN=…” part.
   c) Press the “Export certificate” button in the middle of the screen and provide the file name and path where the certificate file should be saved.

5) Import portal certificate to target system
   a) Use transaction STRUSTSSO2 in the target system.
   b) Push the “Import certificate” button in the middle of the screen.
   c) In the ‘File path’ field enter the path to the *.der file you created in step 1 (or point at it via the ‘Browse’ button).
   d) Press “Enter”.
   e) Press the ‘Add to certificate list’ button and then the ‘Add to ACL’ button.

6) Create a JCo RFC provider in J2EE engine of portal system
   a) Log on to J2EE using the J2EE Admin tool (go.bat).
   b) Navigate to the ‘Server’ >> ‘JCo RFC provider’ node.
   c) On the right side of the screen choose any entry in the ‘Available RFC destinations’ area.
   d) Enter information about the new destination:
      – Program ID: name of the program (you will need it later) – sapj2ee_port, for example
      – Gateway host – FQDN of target system –, for example
      – Gateway service – sapgw00 for example
   e) In the ‘Repository’ section enter:
      – Application server host – FQDN of target system –, for example
      – system number – 00, for example
      – client – 100, for example
      – logon language – EN
      – user – SAPJSF (from step 2)
      – password (from step 2)
   f) Press ‘Set’.

7) Add target system to Security providers list
   a) Open J2EE Admin and navigate to ‘Server’ >> ‘Services’ >> ‘Security Provider’. In components select ‘Ticket’. Enter edit mode (button with pencil above).
   b) Select ‘Login module’ “” and press ‘Modify’.
   c) Ensure that “” is set to “true”.
   d) Enter the following info:
      – Name – ‘trustedsysN’ (replace “N” with a number; if the target system is the first one you are implementing SSO with, use ‘trustedsys1’). Enter , as a value (C11,100 for example)
      – Name – ‘trustedissN’ (replace “N” with a number; if the target system is the first one you are implementing SSO with, use ‘trustediss1’). Enter CN= as a value (CN=C11 for example)
      – Name – ‘trusteddnN’ (replace “N” with a number; if the target system is the first one you are implementing SSO with, use ‘trusteddn1’). Enter CN= as a value (CN=C11 for example)
   e) Press ‘OK’.
   f) Do substeps b, c, d, e in the ‘evaluate_assertion_ticket’ view for the “” login module.

8) Import target system certificate to J2EE of portal system (from step 4)
   a) Open J2EE Administrator and log on to the portal instance.
   b) Navigate to ‘Server’ >> ‘Services’ >> ‘Key storage’.
   c) In the ‘Ticket keystore’ view press ‘load’ and select the certificate of the target system that you exported in step 4.

9) Restart J2EE instance.

10) Create RFC connection in target system
   a) Use transaction SM59.
   b) Point to TCP/IP connections and press ‘New’.
   c) Enter a name for the new connection (“RFC_to_portal”, for example), enter connection type “T” (external TCP/IP application) and a description. Save.
   d) In ‘Technical settings’ choose “Registered server program” and enter the application name from step 6d in the “Program ID” field. Provide ‘Gateway host’ and ‘Gateway service’ same as in step 6d. Save. Test the connection. The RFC connection is ready.

If you had to change or add parameters in RZ10 (in step 3), do not forget to restart the target system.

Also double-check that the portal server and the target system are in the same domain; this is important for ticket issuing. This is always mentioned in various documents.

Now SSO is configured. Try to test it by creating a simple iView that launches WebGUI. Or just simply by going to System Admin -> Support -> SAP Application (thanks, Pankaj Kumar!)
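The trustedsysN / trustedissN / trusteddnN entries from step 7 decide whose logon tickets the J2EE engine accepts, so they are worth checking mechanically after editing. The Python lint below is an added example, not part of the original weblog or of any SAP tool; it assumes the login module options have been copied into a dictionary, and the function names and the BW1 sample values are constructed for illustration.

```python
import re
from collections import defaultdict

# Option names from step 7: trustedsysN / trustedissN / trusteddnN.
OPTION_RE = re.compile(r"^(trustedsys|trustediss|trusteddn)(\d+)$")
# SID is three characters (letter first), client is three digits: "C11,100".
SYS_RE = re.compile(r"^[A-Z][A-Z0-9]{2},\d{3}$")
# Simplified DN component (no escaped commas): "CN=C11" or " O=Example".
DN_PART_RE = re.compile(r"^\s*[A-Za-z]+=[^=,]+$")
KEYS = ("trustedsys", "trustediss", "trusteddn")

def has_cn(dn):
    """True if dn is a list of ATTR=value parts that includes a CN."""
    parts = dn.split(",")
    return (all(DN_PART_RE.match(p) for p in parts)
            and any(p.strip().upper().startswith("CN=") for p in parts))

def lint_trusted_systems(options):
    """Return (clean_entries, findings) for a login module option map."""
    groups = defaultdict(dict)
    for name, value in options.items():
        m = OPTION_RE.match(name)
        if m:  # options that are not trust entries are ignored
            groups[int(m.group(2))][m.group(1)] = value.strip()

    entries, findings, seen = [], [], {}
    for n in sorted(groups):
        g, before = groups[n], len(findings)
        missing = [f"{k}{n}" for k in KEYS if k not in g]
        if missing:
            findings.append(f"entry {n}: missing {', '.join(missing)}")
            continue
        if not SYS_RE.match(g["trustedsys"]):
            findings.append(f"entry {n}: trustedsys{n} is not SID,client")
        for k in ("trustediss", "trusteddn"):
            if not has_cn(g[k]):
                findings.append(f"entry {n}: {k}{n} has no CN= component")
        if g["trustedsys"] in seen:
            findings.append(f"entry {n}: duplicates entry {seen[g['trustedsys']]}")
        seen.setdefault(g["trustedsys"], n)
        if len(findings) == before:
            entries.append((n, *[g[k] for k in KEYS]))
    return entries, findings

# Constructed sample: 1-2 follow the page's examples, 3-4 are deliberately broken.
SAMPLE = {
    "trustedsys1": "C11,100", "trustediss1": "CN=C11", "trusteddn1": "CN=C11",
    "trustedsys2": "ID1,200", "trustediss2": "CN=ID1", "trusteddn2": "CN=ID1",
    "trustedsys3": "C11;100", "trustediss3": "C11", "trusteddn3": "CN=C11",
    "trustedsys4": "BW1,100", "trustediss4": "CN=BW1",
}

if __name__ == "__main__":
    print(lint_trusted_systems(SAMPLE))
```

Entries that come back clean are the complete list of systems the portal trusts for ticket logon; anything in the findings list is an entry to fix or remove before restarting the J2EE instance.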
P.S. I tested it on systems which are based on WebAS 6.20 and 6.40 (BW, XI, CRM). Hope all above is true for older releases.
P.P.S. Some more SAP documentation links (thanks Karsten Stombrowski!!!):
Single Sign-On with SAP Logon Tickets on
Security Guide:
User Authentication and Single Sign-On:
Perform Cross Domain Single Sign-On with SAP Logon Tickets on service marketplace:
  • Dennis

    Kudos for collecting comprehensive info about SSO. No offence intended but in my humble opinion I think there are quite few steps over here which are redundant. Typically this is the sequence and you have all of them in your post

    1. Get the verify.der file
    2. Verify using RZ10 the parameters in the source system.
    3. If the system is < 4.7, check for portal plugin
    4. Import cert using STRUSTSSO2 tx. Add to ACL. Don’t forget to press save.
    5. Create a System entry in portal system landscape with an Alias and you are done.

    A good way to check without creating an iview is by going to System Admin – > Support -> SAP Application.


    • Hi,
      Nice weblog!! But I’ve got to do SSO on my ESS on EP6SP2 (using ITS) and R/3 4.7 Ent landscape. Can someone please share the steps for that?


      • Hi Shobhit,
        pretty much the same deal, you have to provide the backend system with the certificate from your portal and your ITS has to be configured as a ticket receiving system in the global.srvc file. Once your system template is configured and the iView is pointing to your backend system it will log you in. Just in case, consider that your domain extensions ought to be the same, just use aliases on your DNS and watch backend traces as well as ITS logfiles. Make sure you can telnet the ITS at the http/s port….
        • Hi Bodo,
          Thanks for the prompt help. I need some more help.

          I need to get the ESS users (tcode: PA30) to be able to logon to the portal through ITS.

          I performed the following steps.

          a) Downloaded the verify.der file from the   portal.
          b) Imported the certificate in my backend R/3 system using STRUSTSSO2.
          c) Added “~mysapcomusesso2cookie 1” in the global.srvc file in the ITS.
          d) In RZ10, added the parameters:
          login/create_sso2_ticket 0
          login/accept_sso2_ticket 1

          My EP and my ITS are on different domains. What additional steps I have to take apart from the steps I have already mentioned.

          Thanks & Regards,

          • Hi Shobhit!
            Do you really mean different main domains such as and
            As far as I remember, cross-domain SSO with Portal (SAP Logon Ticket) does not work. But here I may be wrong.
            Did you restart the SAP backend system after importing the portal certificate and changing the system parameters?
            Are your landscape parameters in the Portal System Landscape maintained correctly and completely? There are special ITS-relevant attributes in the System Landscape Definitions. Have a look at category “Internet Transaction Server (ITS)” or choose “All” and scroll down to attributes “ITS Host Name”, “ITS Path” and “ITS Protocol.”
          • Hello There,

            I too could use some (more) help. I have followed the guide that Dennis wrote, and try to have a single signon to ESS (via ITS) as well. I have performed steps a-d in Shobhit’s post, and the EP, R/3 and ITS systems are all in the same (DNS-domain).

            However, when opening an iView containing ITS information, the logon prompt appears.

            Any further hints?

            Kind regards,

          • Shobhit,

            Did you ever determine what additional steps were needed?

            I completed the steps above and have also identified the R/3 system and ITS server in my portal landscape.

            Is there really a need to import the R/3 certificate into the portal as well?

    • hi together,

      Does anyone have an idea how to log on to different web clients? The idea is: we have different clients in SAP, and different web frameworks. The login with SSO works fine for one client, because we defined the SAPJSF connection in configtool to client A. But when I log in to client B, the JAAS login connects to client A to create the ticket.

      Is there a solution?
      Thanks a lot.

      • Hi!
        Probably you need different system definitions (in PCD), JCo destinations etc. for different clients.
        For Example in jaas you can have:
        trustedsys1 – ID1,100
        trustediss1 – CN=ID1
        trusteddn1 – CN=ID1
        trustedsys2 – ID1,200
        trustediss2 – CN=ID1
        trusteddn2 – CN=ID1
  • Hi Dennis,

    this Weblog is really a great summary of the steps setting up SSO. Can you check the formatting because of the many blank lines. It would save paper :-).


    • Hi, Gregor!
      Thanks for the warm welcome! I’m just a newbie :o)
      I tried to change some formatting, but strange things were happening. So I left it as is :o(
      Unfortunately I do not have time today, because I’m leaving town for vacation.
      I’ll try to change something upon arrival.
      Thanks again!


  • Hi,

    I have been looking for some comprehensive document like this! I would like to know if just importing the portal certificate and adding it in the ACL of R/3 will be sufficient.

    Or are we supposed to do it both ways?

    What’s the difference?

    Would be nice if you could help me on this issue!


  • Hi Dennis,

    Good info/work.  Just to add that if the SAP system has application instances, you need to distribute the certificate to those instances. (This is if you also want users to access those application instances)

    On a 46c/d system, it is best to shut down the application instances before doing these (and basically do the work only on the CI).  As with any SAP version, the application instance will automatically be updated with the new certificate once it is brought up, assuming there’s no certificate yet.  You will also need the transaction PSEMAINT in a 46c/d environment to verify that the certificates are valid (on 610, 620 and 640 the PSE status is on transaction STRUST and STRUSTSSO2 at the left panel).

    One last thing, if possible have the latest RFC library to avoid potential issues and stick to the procedures mentioned (since deviating on these may corrupt the PSE/certificate table and you’ll end up losing other certificates that you might already have defined on an SAP system — and then you have to redo the whole thing again!).


  • As this blog got pushed to the top of the list (congratulations), I just want to add some links to the official documentation (which is -in my eyes- even simpler). Not that anybody thinks SAP hasn’t documented it before 😉

    Single Sign-On with SAP Logon Tickets on

    Security Guide:

    User Authentication and Single Sign-On:

    Perform Cross Domain Single Sign-On with SAP Logon Tickets on service marketplace:

  • Hi Dennis & Forum,

    Following my earlier posts, I decided to run through the article again, and got SSO working! I would like to add the following hints to the article:

    – step 4c; choose ‘binary’ format when exporting the certificate (I had trouble reading certificates that were exported as Base64)

    – step 5e; when adding the EP certificate to the ACL, enter the EP-SID as ‘WPS system’ and 000 as ‘WPS client’ (actually, the client can be configured with the UME property login.ticket_client, but it defaults to 000).

    – step 7; make sure that you enter correct information! (if you created a certificate that expands beyond “CN=SID, ..”, you still only need to enter the common name “CN=SID”). Remember, the UME configuration is very specific!

    Setting up SSO is a fairly complex issue, but I hope that you can get it to work with this excellent article!


  • Hi there,

    Great blog – very useful … but I have one problem:

    I’ve managed to set up my EP and BW backend system with SSO authentication. The “Connection test” works fine, but unfortunately the test via “System Administration -> Support -> SAP Application -> Test and Configuration Tools -> SAP Transaction” gives me trouble.
    The test works only when using “SAP GUI Type = SAP GUI for Windows”. In this case SAP WinGUI opens with the defined transaction (using su3).
    But when I choose “SAP GUI Type = SAP GUI for HTML” (it’s ITS), the SSO doesn’t seem to be working, because the standard ITS logon window appears and waits for username and password.

    I tried to play with settings of ICF service /sap/bc/gui/sap/its/webgui in SICF transaction, but no success till now.

    My question is – is this normal behavior or do I have to set up any particular fields on ITS (in SICF transaction).

    Thank you for any reply in advance.

    • Fast guess…
      Try to implement SSO with ITS server.
      It’s just a guess, but it can work.
      Another thing – are portal and ITS located in same domain?
      Try to obtain some HTTP sniffer (like HTTPwatch) and take a look at http traffic during request to ITS, is there sso2 ticket?
  • I have a situation where SSO needs to be implemented between 3 WEB AS servers in same domain, Portal should not be used at all.

    I have figured out the following steps to implement SSO and need you to verify them for me.

    Prerequisites – User ID should be same in all systems.

    Issuing server:

    1. Configure a single Web AS server for issuing tickets by changing the system parameters. Let’s say this server is “A”
    2. Replace the Servers SSO PSE.

    Accepting server:

    1. Configure the remaining Web AS servers for accepting the logon tickets using the system parameters. Let’s say these servers are “B & C”
    2. SAP Library needs to be installed.
    3. create an RFC destination to the issuing Web AS.

    Now the configuration is over & system is ready for the SSO testing.

    So now if the user just logs on to system “A” using SAP GUI with the correct user ID & password, then a logon ticket is created.
    Now to log in to server “B or C” the user just clicks in the SAP GUI, and the menu screen appears using the already created logon ticket.

    My Questions.
    1. Are my implementation steps correct, or is something else needed as well?
    2. What if the user’s password is different in the other systems, will the logon to server “B or C” be successful?
    3. What if another user needs to log in from the same computer which has already got a logon ticket created by another user?

    Your answers will greatly help me in leading this project.
    Will surely reward you for any light you can throw on this post.

    Best wishes
    Naveen Murthy

    • Hi!
      Actually I do not know, how it’s working in SAP GUI for Windows 🙁
      There should be the way to configure ‘pure’ SSO when user is authenticated only in Active Directory, and then transparently log on to SAP systems. But I do not know full answer.
      Try searching SDN and
  • Hi Denis and congratulations for your blog,

    in step number 3, these 2 parameters do not appear in transaction RZ10. Does anybody know why ?


  • Hi guys, I have searched the SAP notes and the note 1257108 says SAPGUI always requires Secure Network Communications (SNC) for SSO. Do you have the same experience? Any hints for a manual to do SSO from ABAP AS (R/3 4.7 Enterprise) to JAVA AS (nw2004s).
    Cheers, Petr

    @Joan Ayala – first choose the profile (Instance profile with your SID); then – when selecting the profile, you choose “extended maintenance”. You should see it afterwards.

  • Hello Dennis,
    This is a really good documentation on the process. I noticed this was published in 2005. Is the process the same today, similar or different?
    • Hi Dean!
      Actually I don’t know, as I’m now in a kind of management position, so I haven’t had hands-on experience for couple of years 🙂