This procedure shows step by step how to make your SAP EP to issue Logon Ticket for multiple domains.
By default SAP EP is configured to issue the SAP Logon Ticket for the same domain where portal is associated. For example SAP EP is in domain tcs.com thus the SAP Logon Ticket will be by default created and sent along with request from portal to target server of same domain tcs.com. Many a times it is required to sent the SAP Logon Ticket to server in another domain i.e. tcs.in. Follow the following steps to make Portal issue ticket for another domain tcs.in.
Prerequisite:
There need to be a web server in target domain (tcs.in in our example). The supported web servers are
Microsoft Internet InformationServer (IIS) 5.0 / 6.0 on Windows 2000
Apache Web Server 1.3 Windows 2000, Linux
iPlanet Web Server FastTrack / Enterprise Edition4.0 Windows 2000, Linux
How it works:
There need to be a hidden iView in SAP EP which sends request to a web server (MS IIS in our example) in target domain along with the SAP Logon Ticket as an argument. The target server has a component (asp/jsp/php) which receives this request from portal and creates another SAP Logon Ticket for this new domain. The new ticket is sent to users browser as a cookie. When the request from portal goes to any application of another domain, the newly issued SAP Logon Ticket for that domain is sent by Portal.
1. Prepare IIS server to accept and issue new Logon Ticket request
a. Download “iis6_sso.dll” (for MS IIS 6.0) “iis_sso.dll” (for MS IIS 5.0) and wpsso_v3.dll from SAP Note 442401.
b. Place these dlls in root folder of IIS (C:\Inetpub\wwwroot).
c. Open IIS -> default web site -> properties -> ISAPI filters. Click on add button and browse to C:\Inetpub\wwwroot\iis6_sso.dll. Give a filter name (IIS6 in example) and save it. Restart the IIS server.
d. Again open Open IIS -> default web site -> properties -> ISAPI filters. It should show IIS filter up and green.
e. If you don’t see the green please refer to SAP Note 684106 for further required dlls.
f. On SAP edit the UME property ume.login.mdc.hosts to
ume.login.mdc.hosts=http:// myiisserver.tcs.in/sendSSO2Cookie.asp. See link for further details on how to update UME properties.
4. Integrate this iView with SAP EP so that this is called at every time when user logs in
a. Open the framework page which is used for your portal users. By default it is at content administration -> Portal content -> portal content -> Portal user -> Standard portal user -> Default framework page.
b. Add your provider iView (SSO2Provider) to the page.
c. Save the framework page
The above example is valid for using IIS as the web server to issue another ticket to portal. This document can be used as a reference for achieving the multi domain ticket issuing for other web servers as well.
Reference:
1. help.sap.com
2. How to guides
3. Service market place notes
Good Blog…
I have came across an error.
I am working on Microsoft-IIS/5.0.
01] I copied the files iis_sso.dll & wpsso_v3.dll to c:/Inetpub/wwwroot directory.
02] Also installed the DLL’s as per note 684106.(msvcp71.dll & msvcr71.dll at C:\WINNT\system32)
The IIS filter is not turning Green..
Do u have any idea what could be the reason?
Regards
Sunil Kulkarni
Do u have a working iis_sso.dll file..if yes..could you please sent it to me at s.d_kulkarni@yahoo.co.in
What should be autorization on IIS web server? We tried Basic and Windows Authentication, but it keeps on asking us for username and password from SAP Portal whenever we logon in Portal. Do we need to do anything extra on IIS side to avoide uname/passsword pop-up?
Thanks
JS
Nice blog, just the perfect information.
I am implementing SSO over cross domains.
While doing so, SSO2Provider Iview has been added to Default Page Layout in Visible mode.
Now while entering the portal, the control shifts between selected IView and back to home-page…the SSO2Provider Iview which is added to default framework page.
This has made almost impossible for users to log into portal.
I am trying to remove the iview from the default page, but in navigating to the page, the navigation to next screen takes roughly 5-7mins with 100% CPU utilization. I just reach the layout page in some 20mins.
Is there an alternate way I can remove the iview from page / revert changes ?
Request your guide me in this matter. Atleast point out a probable correction which I need to carry out.
Ragerds,
Chandani Shah
Initialization done.IISPlugin checks Access.
Can’t find MYSAPSSO2 ticket cookie for URI “/sendSSO2Cookie.aspogram ” on host “/sendSSO2Cookie.asp”.
IISPlugin checks Access.
Can’t find MYSAPSSO2 ticket cookie for URI “/sendSSO2Cookie.asp” on host “/sendSSO2Cookie.asp”.
PSEPath: C:\Inetpub\wwwroot\verify.pse
RealPath:
URL: /sendSSO2Cookie.asp
No redirect.
i find this sendSSO2Cookie.asp file, but i can’t foud :-(, can anybody give me this file as soon?
many thanks
regards,
ghochi