Skip to Content

In my Blog Setup data encryption between RFC Client and Web AS ABAP with SNC I showed how SNC can be setup for RFC Connections. Here’s the promised use: Single Sign On with External ID implemented in Ruby. This is possible with the Function Module SUSR_CHECK_LOGON_DATA.

SUSR_CHECK_LOGON_DATA is able to return a SAP SSO2 Ticket for an external ID when the RFC Call is encrypted by SNC. Due to the great support from Piers Harding the Ruby connector to SAP (saprfc) since Version 0.30 supports Strings. This made it possible to use the connector with SUSR_CHECK_LOGON_DATA which returns the Ticket in a String type export variable.

Preparation: Map External ID to SAP User

Before we start implementing the client a Mapping between an External ID and a SAP User has to be maintained. This is done in Transaction SM30 with the View VUSREXTID. I’ve used an External ID of type NT which is a Domain User consisting of domainuser in my example

Don’t forget to activate the User:

Proof of concept

As the Ruby connector is based on the RFC SDK it also supports SNC. So we have to setup the system exactly as I’ve described in my Blog Setup data encryption between RFC Client and Web AS ABAP with SNC. Done that we can implement a proof of concept script for the command line:

require "lib/SAP/Rfc"   SAP::Rfc.useCache = false   # Establish first connection using a X.509 Certificate rfc = SAP::Rfc.new(:ashost => "zappod.csw.local", :sysnr => 00, :lang => "EN", :client => "800", :x509cert => "Base64 Encoded Certificate in one line", :snc_mode => 1, :snc_qop => 3, :snc_myname => "p:CN=RFC, OU=IT, O=CSW, C=DE", :snc_partnername => "p:CN=IDS, OU=IT, O=CSW, C=DE", :snc_lib => "/usr/sap/IDS/SYS/exe/run/libsapcrypto.so", :trace => 0)   # get the connection ID puts "Connection id: " + rfc.connection.to_s   # test the connection puts "Are we connected: " + rfc.is_connected().to_s   # look up the interface definition for SUSR_CHECK_LOGON_DATA irep = rfc.discover("SUSR_CHECK_LOGON_DATA") # Set the Import Parameters required for external authentication irep.AUTH_METHOD.value = "E" irep.AUTH_DATA.value = 'SITECOG.WOLF' irep.EXTID_TYPE.value = "NT" rfc.call(irep)   # What User have we logged in to? puts "USER_ID: " + irep.USER_ID.value.to_s   # Establish a second connection with Ticked from "SUSR_CHECK_LOGON_DATA" call ticket = irep.TICKET.value.to_s rfc2 = SAP::Rfc.new(:ashost => "zappod.csw.local", :sysnr => 00, :lang => "EN", :client => "800", :mysapsso2 => ticket, :trace => 1 ) # get the connection ID puts "Connection id: " + rfc2.connection.to_s   # test the connection puts "Are we connected: " + rfc2.is_connected().to_s   # Get the interface of function module created for the Blog # Authenticate from PHP to a Web Service using X.509 Certificates # Authenticate from PHP to a Web Service using X.509 Certificates irep = rfc2.discover("Z_HELLO") irep.NAME.value = "Gregor" rfc2.call(irep) puts "GREETING: " + irep.GREETING.value.to_s   # close connection #2 print "close connection 2: ", rfc2.close(), "
"   # close connection #1 print "close connection 1: ", rfc.close(), "
"

I call this script from the command line and got the following result:

/usr/local/src/saprfc-0.30# ruby test/ext-logon.rb Connection id: 1 Are we connected: true USER_ID: G.WOLF Connection id: 2 Are we connected: true GREETING: Hello Gregor , you are logged in as G.WOLF close connection 2: 1 close connection 1: 1

We see that it’s possible! In the next step we create a Ruby on Rails Application which runs on Apache Web Server. Apache will handle the Authentication i.e. via NTLM, Kerberos, LDAP or any other supported Authentication module. The Rails Application get’s the ID of the user and forwards it to SUSR_CHECK_LOGON_DATA for authentication. A Ticket is retrieved and this can be set as a Cookie. With that Cookie the User can also access BSP Applications, the SAP Enterprise Portal or BW Web Reports. To be continued.

To report this post you need to login first.

12 Comments

You must be Logged on to comment or reply to a post.

  1. Venkat Raman
    This is an excellent Blog – neat way to extract a SSO2 cookie – question – we have 2 NW04 portals (Windows & Unix) connected to our development SAP system. WHen you use the function module – SUSR_CHECK_LOGON_DATA to generate the cookie – for which Portal the cookie will be generated!!

    Thanks
    Venkat

    (0) 
    1. Gregor Wolf Post author
      Hello Venkat,

      I think it should be possible that both Portals accept the SSO Cookie. You have to import the Certificate of the Web AS to the Portals.

      Regards
      Gregor

      (0) 
      1. Venkat Raman
        Thanks for the prompt reply …
        I have another interesting scenario – if I just create an external id and map it to the SAP user id (table VUSREXTID) without the SNC setup?
        What I am trying to do is after a user logs into the backend (with the R/3 userid and pwd) then execute an iview within the portal – for this scenario can I use the function module SUSR_CHECK_LOGON_DATA by passing AUTH_METHOD = “E” and AUTH_DATA = External ID for TYPE NT and generate mysapsso2 cookie ?

        Thanks for your help and happy holidays!
        Venkat

        (0) 
          1. Venkat Raman
            Hello Greg,

            Happy New Year – I think I did not explain my question correctly – in our scenario – the user has already logged into R/3 with SAPGUI – in this case there is no need for SNC (since the user has already logged on). If we maintain the entries in table VUSREXTID with type – NT and the user id is mapped to the external ID – then can we call the function module SUSR_CHECK_LOGON_DATA to create the SSO ticket on the fly and then call the iView ?
            Thanks
            Venkat

            (0) 
  2. Venkat Raman
    Hi Gregor:

    Using the example you have provided generates only the MYSAPSSO2 cookie , but doesn’t the Portal also needs the J2EE cookie – which is the JSESSIONID cookie – with the SSO cookie generated from the function module SUSR_CHECK_LOGON_DATA I am not able to execute the iviews on the NW04 Portal.

    Thanks
    Venkat

    (0) 
    1. Gregor Wolf Post author
      Hello Venkat,

      I think it sould be possible that the Portal accepts the MYSAPSSO2 cookie created by the ABAP System when you import the ABAP System’s certificate to the Portal.

      Regards
      Gregor

      (0) 
      1. Kenneth Moore
        And I have no experience with Ruby.  So here we are.  Actually, I’m an ABAPer with a little .Net experience, but I don’t think I could provide a .Net example with my limited experience.

        I want to create a weblink in SharePoint to an SAP web service utilizing SSO.  The link works, but I am asked to logon to SAP.

        (0) 

Leave a Reply