Skip to Content

Single Sign On with External ID implemented in Ruby

In my Blog Setup data encryption between RFC Client and Web AS ABAP with SNC I showed how SNC can be setup for RFC Connections. Here’s the promised use: Single Sign On with External ID implemented in Ruby. This is possible with the Function Module SUSR_CHECK_LOGON_DATA.

SUSR_CHECK_LOGON_DATA is able to return a SAP SSO2 Ticket for an external ID when the RFC Call is encrypted by SNC. Due to the great support from Piers Harding the Ruby connector to SAP (saprfc) since Version 0.30 supports Strings. This made it possible to use the connector with SUSR_CHECK_LOGON_DATA which returns the Ticket in a String type export variable.

Preparation: Map External ID to SAP User

Before we start implementing the client a Mapping between an External ID and a SAP User has to be maintained. This is done in Transaction SM30 with the View VUSREXTID. I’ve used an External ID of type NT which is a Domain User consisting of domainuser in my example

Don’t forget to activate the User:

Proof of concept

As the Ruby connector is based on the RFC SDK it also supports SNC. So we have to setup the system exactly as I’ve described in my Blog Setup data encryption between RFC Client and Web AS ABAP with SNC. Done that we can implement a proof of concept script for the command line:

require "lib/SAP/Rfc"   
SAP::Rfc.useCache = false
# Establish first connection using a X.509 Certificate 
rfc =
  :ashost   => "zappod.csw.local", 
  :sysnr    => 00, 
  :lang     => "EN", 
  :client   => "800", 
  :x509cert => "Base64 Encoded Certificate in one line", 
  :snc_mode   => 1, 
  :snc_qop    => 3, 
  :snc_myname => "p:CN=RFC, OU=IT, O=CSW, C=DE", 
  :snc_partnername => "p:CN=IDS, OU=IT, O=CSW, C=DE", 
  :snc_lib => "/usr/sap/IDS/SYS/exe/run/", 
  :trace => 0
# get the connection ID 
puts "Connection id: " + rfc.connection.to_s   
# test the connection 
puts "Are we connected: " + rfc.is_connected().to_s   
# look up the interface definition for SUSR_CHECK_LOGON_DATA 
# Set the Import Parameters required for external authentication 
irep.AUTH_METHOD.value = "E"
irep.AUTH_DATA.value   = 'SITECO\G.WOLF' 
irep.EXTID_TYPE.value  = "NT"   
# What User have we logged in to? 
puts "USER_ID: " + irep.USER_ID.value.to_s   
# Establish a second connection with Ticked from "SUSR_CHECK_LOGON_DATA" 
call ticket = irep.TICKET.value.to_s 
rfc2 =
  :ashost => "zappod.csw.local", 
  :sysnr => 00, 
  :lang => "EN", 
  :client => "800", 
  :mysapsso2 => ticket, 
  :trace => 1 
# get the connection ID 
puts "Connection id: " + rfc2.connection.to_s   
# test the connection 
puts "Are we connected: " + rfc2.is_connected().to_s   
# Get the interface of function module created for the Blog 
# Authenticate from PHP to a Web Service using X.509 Certificates 
# Authenticate from PHP to a Web Service using X.509 Certificates 
irep ="Z_HELLO") 
irep.NAME.value = "Gregor" 
puts "GREETING: " + irep.GREETING.value.to_s   
# close connection 2
print "close connection 2: ", 
rfc2.close(), "
# close connection 1 
print "close connection 1: ", 

I call this script from the command line and got the following result:

/usr/local/src/saprfc-0.30# ruby test/ext-logon.rb 
Connection id: 1 
Are we connected: true USER_ID: G.WOLF 
Connection id: 2 
Are we connected: true GREETING: Hello Gregor , you are logged in as G.WOLF 
close connection 2: 1 
close connection 1: 1

We see that it’s possible! In the next step we create a Ruby on Rails Application which runs on Apache Web Server. Apache will handle the Authentication i.e. via NTLM, Kerberos, LDAP or any other supported Authentication module. The Rails Application get’s the ID of the user and forwards it to SUSR_CHECK_LOGON_DATA for authentication. A Ticket is retrieved and this can be set as a Cookie. With that Cookie the User can also access BSP Applications, the SAP Enterprise Portal or BW Web Reports. To be continued.

You must be Logged on to comment or reply to a post.
  • This is an excellent Blog – neat way to extract a SSO2 cookie – question – we have 2 NW04 portals (Windows & Unix) connected to our development SAP system. WHen you use the function module – SUSR_CHECK_LOGON_DATA to generate the cookie – for which Portal the cookie will be generated!!


    • Hello Venkat,

      I think it should be possible that both Portals accept the SSO Cookie. You have to import the Certificate of the Web AS to the Portals.


      • Thanks for the prompt reply …
        I have another interesting scenario – if I just create an external id and map it to the SAP user id (table VUSREXTID) without the SNC setup?
        What I am trying to do is after a user logs into the backend (with the R/3 userid and pwd) then execute an iview within the portal – for this scenario can I use the function module SUSR_CHECK_LOGON_DATA by passing AUTH_METHOD = “E” and AUTH_DATA = External ID for TYPE NT and generate mysapsso2 cookie ?

        Thanks for your help and happy holidays!

  • Hi Gregor:

    Using the example you have provided generates only the MYSAPSSO2 cookie , but doesn’t the Portal also needs the J2EE cookie – which is the JSESSIONID cookie – with the SSO cookie generated from the function module SUSR_CHECK_LOGON_DATA I am not able to execute the iviews on the NW04 Portal.


    • Hello Venkat,

      I think it sould be possible that the Portal accepts the MYSAPSSO2 cookie created by the ABAP System when you import the ABAP System’s certificate to the Portal.


      • And I have no experience with Ruby.  So here we are.  Actually, I’m an ABAPer with a little .Net experience, but I don’t think I could provide a .Net example with my limited experience.

        I want to create a weblink in SharePoint to an SAP web service utilizing SSO.  The link works, but I am asked to logon to SAP.