Single Sign On to BSP pages from Duet’s Action Pane
Not only in Duet, but also in other scenarios you will often want to access (SAP-) backend systems where you do not want to have the user to authenticate himself / herself again.
One example for that are the “You Can Also” links in the Duet action pane. With these links you can easily provide the users context related additional information. For example if you create a leave request via Duet one “You Can Also” link could point to the homepage of your HR department.
But you could also provide the user with more user-specific data coming from your HR backend. For example you could create a BSP page that shows all of your previously created leave requests, or an overview of the leave request taken by the members of your team, or …
Right now, if you implement such a link in the Action pane the user will get prompted for a username and password when he tries to access the BSP on the ABAP system. But there is a very simple workaround that you can use.
Instead of accessing the BSP pages on the ABAP system directly we will first contact the Duet J2EE Engine (which is already configured to accept SPNego tickets, see https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/8235 on how to setup SPNego). From the J2EE Engine we will get an SAPLogonTicket which we will then send to the BSP page on the ABAP system. Since the ABAP system already trusts the J2EE Engine the username contained in the SAPLogonTicket will be used and the user can access the BSP without having to enter his credentials again.
[Of course similar scenarios are possible in other NetWeaver installations where you have at least one J2EE engine that is already configured to work with SPNego. For example you could think of one “proxy” J2EE server that is configured to run with SPNego. All initial requests would go to this J2EE which then would redirect to some other J2EE Engine that trusts the proxy-J2EE.]
Let’s get started
As a first step we will have to create the redirect application that we deploy on the J2EE engine. Instead of providing the finished ear file out of the box I want to show you how easy it is to create this file by yourself — there is no magic behind it!
Create a Web Module Project
So install a NetWeaver Developer studio and create a Web Module Project, by clicking on File -> New -> Project. Select Web Module Project and enter a Project name.
This name will be part of the URL that you call each time you do a redirect. For this simple test I call the project SSORedirect.
Add a JSP
Now that a folder structure is created, we have to add a JSP file. Right click on webContent -> New -> JSP.
I will use the name redirect. Open the JSP and enter the following lines
<%@ page language=”java” %>
String redirectURL = request.getParameter (“to”);
response.sendRedirect (“http://” + redirectURL);
So all we are doing here is take the GET parameter “to” from the URL and do a redirect to this URL. If the URL is http://myserver:50000/redirect.jsp?to=www.duet.com the GET parameter for “to” would be www.duet.com, so the redirection would go to http://www.duet.com/.
Of course this is a very simply example. You could include any kind of logic, for example to check for http/https, to check for different GET parameter, to dynamically add different URL, …
Add Security constraints
Now we have to assign a Default Security Role to the Web Modul, so that we can configure the J2EE Engine to ask for authentication when users access the URL. Just open the Security Roles tabs of the web.xml file and click on Add.
Select the Security Tab, add a Security Constraint and select NONE on the Transport Guarantee.
On the next tab, Web Resource Collection, select URL patterns and click on Add. On the Auth Constraint tab click Add again and add the DefaultSecurity Role.
As a result the web.xml should look something like this:
<?xml version=”1.0″ encoding=”UTF-8″?>
<!DOCTYPE web-app PUBLIC “-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN” “http://java.sun.com/dtd/web-app_2_3.dtd“>
<description>WEB APP description</description>
Create Enterprise Application Project
As a last step we have to create an Enterprise Application Project to which we can assign the Web Modul we just created.
The name we use here will just appear in the Visual Admin. I will simply call it SSORedirectEA
Now we have to Add the module by right clicking on SSORedirectEA -> Add Modules
Select the SSORedirect Module
Compile and deploy
and click on Build Application Archive.
Finally we have an EAR file that we can deploy (directly from the Developer Studio or via SDM) to the J2EE Engine.
Add SPNego authentication to component
Once that is done open the Visual Administrator and from Server -> Services -> Security Provider assign the spnego authentication template to the EAR file we just created (I assume that you have already configured SPNego and used “Create template” when running the wizard; if not check the blog here):
Make sure to go to the Security Roles tab and for the DefaultSecurityRole add the Group Everyone to the Groups Mappings.
That’s it. You can easily verify that the redirection of the JSP is working by accessing the URL
Here the first request is fired to the J2EE Engine. The J2EE Engine checks whether a SAPLogonTicket is already part of the HTTP request. This is probably not the case and it will use the SPNegoLoginModul to authenticate you. If that worked fine, then a SAPLogonTicket will be created and you can access the JSP page redirect.jsp. Since we used the GET value www.duet.com the JSP will redirect us to http://www.duet.com/.
(if you get a 401 Error then there is something wrong with the authentication. Make sure that SPNego is working and also check if you did all the Security related steps while creating the EAR file. Compare the web.xml with the one mentioned above. Did you assign the Everyone Group to the DefaultSecurityRole in Visual Admin like mentioned above?)
And now the scenario in Duet
Now that we know that the application is working, we can use that to access any trusted backend.
A simple “You Can Also” link
For Duet you would probably want to adjust the You Can Also Region from http://duetserver:50000/duet. Here you can see how easy it is to add a new link to the Action Pane that points to the Duet homepage on http://www.duet.com/.
Enter the data in the Business Environment – User Interface Configuration section and add your URL.
As a result you will see your link in the Duet Action pane (either refresh your clients cache manually or wait until it gets refreshed automatically):
Link to a BSP page
This is all Duet standard. In the next example I want to modify the You Can Also link for the leave management scenario to access a very simple BSP page I have created on the backend system: http://backendserver:8000/sap/bc/bsp/sap/z_sdn/hello.htm.
One problem we have with our very basic JSP page is that there are problems with special characters like :, /, ?, &, …. If you want / have to use these characters then you have to encode the URL you submit to the redirect application (to encode just search on the net for “urlencode online” and you will get links like, http://www.functions-online.com/de/urlencode.html where you can encode your URL online).
So instead of calling the URL http://servername:50000/SSORedirect/redirect.jsp?to=backendserver:8000/sap/bc/bsp/sap/z_sdn/hello.htm?sap-client=220
you would submit the URL
(e.g. “:” is replaced by %3A, “/” by %2F, “`?” by %3F). Just enter this URL in your browser and you should be redirected to the BSP – without having to enter your credentials again.
After the data is committed on the server and fetched by client you will see the additional link in the Action Pane
and clicking on this link will result in the BSP page being displayed without the user having to authenticate again!
This BSP just shows you that the authenticated user really is the one I am currently using in Duet and it shows some more detailed leave request information. I could also extend this BSP with nicer looking tables, charts, …
I hope you got a first impression how easy it is to provide Single Sign On access to backend applications.
Please feel free to raise questions, concerns or to extend / modify the JSP or BSP here and post your results.
together with the RIMLoginModule that solution should also work to use SSO with a link you send to a BlackBerry via E-Mail.
thanks for the feedback. To be honest I didn't know about the RIMLoginModule.
From what I could find out the idea behind the RIMLoginModule is to look for a header variable: "Rim-device-email" which the BlackBerry MDS adds to to HTTP requests.
So if we extend the login stack for the redirect application with both SPNego and the RIMLoginModule users could probably use the links both from their BlackBerry and from their normal Windows environment to access content via SSO.
that's correct. Here is the Download Link for the RIM BlackBerry RIMLoginModule Installation Guide.
Is it possible to also use something like this SSO with a web service (RFC call) that retrieves data back? For example, I call a web service from my .NET application without having to pass credentials.
it should be possible. In your .net application you would then just call the URL on the J2EE Engine which then would redirect to your WebService on the ABAP side. Since you have a SAPLogonTicket and the ABAP trusts the J2EE Engine SSO would work.
it should be possible. Just direct your .NET application to the URL on the J2EE Engine which redirects to the ABAP side. Since the J2EE creates the SAP Logon Ticket and the ABAP trusts the j2EE it should work.
I have to check. With BSP pages there is a more "elegant" way (I am currently publishing a blog about that) so that the BSP itself (well, the ABAP server) is doing the redirect to the J2EE which then creates the SAP Logon ticket.
Maybe this would also work for web services.
Feel free to contact me and I can sent you a draft or we can discuss some options.
One of my colleagues says he has gotten it to work using the SAP Logon Tickets. I meet with him in a few days to see what it has done. Hopefully it works! Thanks.
you could use that approach to get a valid SSO Cookie and redirect the user back to your .Net Web application. Then you read the Cookie and use it to call the WebService in your .net Application.
thanks a lot for that. I'm just trying to use this to make a SSO connection to a CRM 7.0 which is using a BSP for Login.
SPNEGO with your Redirect-JSP is working well (I modified it to use HTTPS), but I cannot SSO to CRM: I'm getting the message "SSO logon not possible; browser logon ticket cannot be accepted".
And this one is driving me crazy. Anyone out there who knows to get rid of it?
did you import the Java certificate in the CRM system via STRUSTSSO2?
Remember that for Java systems the Client number is 000 by default.
(see also note 701205 for further details)
thanks for the fast reply. I just checked this and in my eyes this is OK. I'm still getting the error.
In the meantime I did SSO this way: http://wiki.sdn.sap.com/wiki/display/CRM/How+to+-+SSO+to+CRM+WebUI+via+SAP+GUI+for+Windows
But this Redirect-way I would really prefer.
Do I have to set something for the BSP-Service CRM_LOGIN in ABAP?
can you take a trace while reproing this issue:
From Note 701205
If these checks do not resolve the problem, and you configure SSO to an ABAP system, create an SM50 trace with only the security component
turned to trace level 2. In order to do so, run transaction SM50 and select some of the dialog work processes (around 5). Then choose 'Processes -> Trace -> Active components' from the menu (or use CTRL-SHIFT-F7). Set the trace level to 2 and select only the 'Security'
component. Reproduce the SSO problem, and note the time. Return to the SAP system to check the traces you just started (CTRL-SHIFT-F8 in SM50).
If you want you can sent me the results and I can take a look as well.
Hmm. You're right. Examining the trace it says:
Issuer found in the certificate doesn't match the one found in TWPSSO2ACL.
cert.issID = CN=VM-CRMLQSS_50000, OU=SAP-BASIS, O=company L=München, SP=Bayern, C=DE
TWPSSO2ACL.issID = CN=VM-CRMLQSS.demuc-esb.local, OU=I0020335797, OU=SAP Web AS, O=SAP Trust Community, C=DE
CheckSubject failed (rc=19). Verifying if ticket was issued by me.
*** ERROR => System ID and client from ticket are not the same than mine. [ssoxxkrn.c 1061]
Data from ticket: sysid=QC1 , client=000
My system data: sysid=QC1 , client=001
*** ERROR => Neither was ticket issued by myself nor can I find issuer in TWPSSO2ACL (see note 1055856). [ssoxxkrn.c 1067]
dy_signi_ext: ticket issuer not trusted
BUT: I did set the Certificate in STRUSTSSO2 yesterday --- but it is gone!
I will give it another try and set it up again and return with the result.
the most common problem is that the ICM was not restarted using transaction SMICM after the import of the certificate. I've used Holger's approach this week to use the Portal SSO to access our CRM 7.0 system. It just worked like a charm after the import of the Portal Certificate to the CRM 7.0 system.
I follow the step and work fine with the spnego in windows 2003, but... i try it in windows 2008, with the new spnego, and appear this error in the diagtool when i go to the url http://sv-
HTTP request processing failed. HTTP error  will be returned. The error is [You are not authorized to view the requested resource.No details available].
Any idea? My user is correct.
Thanks in advance,
Check this link:
Duet 1.5 SP3 Client on Windows 7
Great blog Holger,
I used this to setup SSO on our CRM7.0 Web UI. However once the user clicks the Logoff button in the CRM Web UI and then re-enters the Web UI url, SSO is not working. In turn, I am getting a Page cannot be displayed error. I think that CRM Log off is not clearing off the J2EE session and hence no SPNEGO/SSO login works. If I manually clear the user session on the J2EE side and then re-enter the Web UI url in the same browser after logoff, then SSO works again.
Any idea how this can be fixed?
as a possible solution I would suggest that you create a application on the Portal that get's called when the user logoff from CRM. If there is a functionality to trigger a Portal logoff it can use that or otherwise delete the cookies manually and forward the user then to another non Portal URL.
I've successfully used your SSORedirect application to access Abap webdynpros with SSO, on NW Java 7.0x.
I am stuck though when attempting to implement the same redirect solution on a NW 7.31 Java application server. The main obstacle is the section where you have to add SPNEGO authentication to the deployed component. I cannot seem to find the equivalent "Security Provider" section in NWA.
Can you perhaps assist?
after you have deployed the RedirectApp you can see from the Identity-Managment -> Actions that the "DefaultSecurityRole" is assigned to it.
In order to allow all the suers to call the RedirectApplication you have to assign the role Everyone to the DefaultSecurityRole.
Yes I saw it and I have assigned the Everyone role to the DefaultSecurityRole but I am receiving a ID and password prompt (from the Abap system) when executing my redirect URL.
I can access the Java system with SSO (i.e. /NWA) so I am sure the SPNEGO setup is working.
I am just not sure where to link/assign the login module to the redirect component.
have you imported the Portal Certificate into STRUSTSSO2 of your ABAP Stack? This is needed to check the signature of the Logon Ticket.
did you assign the spnego template to the Redirect application already?
If yes, can you take a look at the logs and check if you find something there?
Hi and thank you for a great blog,
I have a question regarding a link to BPC while trying to access link containing Task=Execute&AppsetId=BPCENV&ProcInstId=...
it works fine wile accessing /sap/bpc/proxy/index.html?
But if the Task=... is included in the link the browser only get blank with no error message or anything. While accessing the BPC server directly without the SSORedirect it works fine after login.
Thank you in advace!
it has been some time... I think you have to escape these characters -- otherwise they are dropped. An alternative could be to enhance the JSP file and get this information via some other predefined properties.
Thank you so much for the fast reply. I work as a basis consultant so I am a little bit lost here. Can you please specify what need to be included in that JSP to get it to work.
Thank you in advance!
Hi Daniel (are you working with another user as Daniel does not appear in your Username?),
please reach out to a Java develper to help you there.
thanks for the posting. Although the "workaround" is not required anymore since SPNEGO is also supported on AS ABAP, I would like to ask a question regarding the redirect logic. How does your solution works in case the end user has failed on authentication to the AS JAVA server? Can we somehow redirect the user back to AS ABAP and use password login as a fall back?
I have similar requirement for the redirect part in my current project and would like to know you how you solve this problem.
Thanks in advance and best regards