Update, 18.04.2013:

With the new NetWeaver SSO 2.0 it is now possible to configure the ABAP stack to support SPNego. So the workaround outlined in this blog is no longer required. If you want more information, please visit http://scn.sap.com/community/netweaver-sso and look at the videos here: http://scn.sap.com/docs/DOC-40178

————–

Single Sign On (SSO) to (BSP) pages on an ABAP server cannot be achieved easily. One way to access these pages via SSO is to use X.509 certificates. Unfortunately this quite often cannot be done or is complicated.

In the following steps I want to outline how this can also be done using an SPNego-configured J2EE Engine as a “gateway”.

Unlike the idea described in this blog, the links to BSP pages that you might already have sent out to your users do not have to be changed. The ABAP system itself will make sure that the user is authenticated automatically.

Let’s start with a BSP page that you have on your ABAP system:

http://abap-server:8000/sap/bc/bsp/sap/zsso2bsp/example.htm?sap-client=400&dummy=123

Right now when you call this page, you are prompted to enter a username and password:

01-Authenticate.gif

Only then can you see the content:

02-Result.gif


In order to get SSO to this BSP we are going to use SPNego, which has to be configured on a J2EE Engine “somewhere” in your network. To do that, just follow the SPNego Wizard. Then make sure that you establish a trust between the J2EE Engine and the ABAP system (just import the J2EE certificate via STRUSTSSO2 on the ABAP side, see help.sap.com).

Now we come to the first important part: deploying a custom JSP on the J2EE Engine. I will use a new “redirect application” which contains this JSP (I like to have an extra application so that I can enable SPNego only/especially for this). This application is almost the same as the one mentioned and explained in this blog. The main difference is the JSP page main.jsp:

(You don’t have to use this redirect application: if your J2EE Engine is already configured for SPNego and you have, for example, already assigned the SPNego template to the Ticket component, then you can put this JSP file directly on the file system. You could, for example, place it in the irj folder of a portal that is already configured for SPNego.)

The IUser user lines are required to make sure that, even if the location on the server (e.g. /irj/…) does not require authentication, the JSP still forces the user to authenticate and obtain a SAP Logon Ticket.

Then assign the SPNego template to the RedirectApp Application…

03-SetSPNego.gif

…and assign the Group “Everyone” to the DefaultSecurityRole of the RedirectApp.

04-SetEveryone.gif

Now the redirect application uses SPNego to authenticate any calls. That’s it on the J2EE side.


Let’s take a look at the ABAP side. Go to transaction SICF and search for the BSP file we want to access via SSO:

05-SICF.gif

Double click on zsso2bsp:

06-SelectBSP.gif

On the Error Page tab enter “2” for the status (which means “this page has moved temporarily/permanently”, HTTP error code 307), paste the following redirect URL:

http://j2ee-server:50000/RedirectApp/main.jsp?PROT=HTTP&BACK2HOST=ABAP-SERVER:8000&TO=<%=PATHTRANS%> 

and select “Form Fields (Text form)”

07-ConfigureErrorRedirect.gif

(Again a comment for when using an already configured “SPNego portal”: the URL would be something like http://j2ee-server:50000/irj/main.jsp?PROT=HTTP&BACK2HOST=ABAP-SERVER:8000&TO=<%=PATHTRANS%>)

In this rather long URL we pass several parameters to the JSP page:

PROT: the protocol used for calling the BSP. I found it easier to pass this independently of BACK2HOST, since otherwise I would have to URL-encode “:” and “/”.
BACK2HOST: the hostname of the BSP
TO: the path to the BSP (available in the ABAP variable PATHTRANS)

In addition, by selecting “Form Fields (Text Form)” we also get all the additional parameters that were sent when the BSP was called, in the parameter sap-ffield. In this example that is sap-client=400&dummy=123.

We use these parameters in the JSP to compile a new URL:

String newURL = prot + "://" + backToHost + to + "?" + sapField;

that we then use to redirect back to the calling ABAP server:

response.sendRedirect(newURL);

(to be honest, I tried to get all this information from the default header variables like “referer” in the HTTP stream and set it automatically on the JSP, but I was not able to do that…)
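To make the JSP’s logic concrete, here is an added stand-alone model of it (written for this edit, in Python rather than the JSP of the original, so it can be run anywhere): it parses the parameters the ABAP error-page redirect appends, rebuilds the BSP URL exactly as the newURL line does, and adds one check the JSP does not have, an allow-list for PROT and BACK2HOST so the gateway only ever sends a browser back to a known ABAP server. The allow-list contents, the sample redirect URL and the function names are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Assumption: the ABAP servers this gateway may send a browser back to.
# The original main.jsp has no such list; it uses BACK2HOST as received.
ALLOWED_BACK2HOST = {"abap-server:8000"}
ALLOWED_PROT = {"http", "https"}

# Constructed sample: the 307 Location from step 1 of the trace
# (ABAP error page -> J2EE gateway), sap-ffield form fields included.
SAMPLE_REDIRECT = (
    "http://J2EE-Engine:50000/RedirectApp/main.jsp"
    "?PROT=HTTP&BACK2HOST=ABAP-SERVER:8000"
    "&TO=%2fsap%2fbc%2fbsp%2fsap%2fzsso2bsp%2fexample%2ehtm"
    "&sap-ffield=sap-client%3d400%26dummy%3d123"
)


def _single(params, name):
    """Return exactly one value for a parameter; missing or repeated is an error."""
    values = params.get(name, [])
    if len(values) != 1:
        raise ValueError(f"parameter {name!r} missing or repeated")
    value = values[0]
    if any(ord(c) < 0x20 for c in value):   # keep CR/LF out of the Location header
        raise ValueError(f"control character in {name!r}")
    return value


def build_back_url(redirect_url, allowed_hosts=ALLOWED_BACK2HOST):
    """Rebuild the BSP URL from PROT, BACK2HOST, TO and sap-ffield the way
    main.jsp does (prot + "://" + backToHost + to + "?" + sapField), but only
    for a protocol and host that are on the allow-lists."""
    params = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)
    prot = _single(params, "PROT").lower()     # "HTTP" -> "http"
    back_to_host = _single(params, "BACK2HOST")
    to = _single(params, "TO")                 # parse_qs has URL-decoded %2f etc.
    sap_field = params.get("sap-ffield", [""])[0]

    if prot not in ALLOWED_PROT:
        raise ValueError(f"unexpected protocol {prot!r}")
    if back_to_host.lower() not in {h.lower() for h in allowed_hosts}:
        # Without this check the gateway would redirect an authenticated
        # browser to whatever host the request names (an open redirect).
        raise ValueError(f"BACK2HOST {back_to_host!r} is not a known ABAP server")
    if not to.startswith("/"):
        raise ValueError("TO must be an absolute path on the ABAP server")

    new_url = prot + "://" + back_to_host + to
    if sap_field:                              # re-append the original query string
        new_url += "?" + sap_field
    return new_url


if __name__ == "__main__":
    print(build_back_url(SAMPLE_REDIRECT))
```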

We are done! Now call the BSP page again:

08-ResultWithSSO.gif

Everything looks fine now. The page was displayed without any user input.


As a final step, let’s take a closer look at what just happened. I use HTTPWatch for this.

Overview:

09-HTTPWatchOverview.gif

Step 1:

10-HTTPWatch-Step01.gif

Here we call the BSP page. Since we configured it to respond with a “Moved temporarily/permanently” in case of any error, the ABAP server returns a 307 and redirects the request to

http://J2EE-Engine:50000/RedirectApp/main.jsp?PROT=HTTP&BACK2HOST=ABAP-SERVER:8000&TO=%2fsap%2fbc%2fbsp%2fsap%2fzsso2bsp%2fexample%2ehtm&sap-ffield=sap-client%3d400%26dummy%3d123

Step 2:

11-HTTPWatch-Step02.gif

Now we are on the J2EE Engine. Of course there is no authenticated session here either. But since we have configured SPNego, the J2EE Engine returns HTTP error code 401 with the header WWW-Authenticate: Negotiate, which asks the client to authenticate.

Step 3:

12-HTTPWatch-Step03.gif

The client returns a Kerberos token (YIIE8Q…), and the J2EE Engine sets a MYSAPSSO2 cookie and executes the JSP page. In the last step of the JSP page we perform response.sendRedirect(newURL); which returns us to the originally called URL of the BSP page (here you might encounter issues when the J2EE Engine and the ABAP system are not in the same domain, since cookies are not sent across domains without additional configuration).

Step 4:

13-HTTPWatch-Step04.gif

We are back on the ABAP system. This time we have a MYSAPSSO2 cookie, and since the ABAP system trusts the J2EE Engine we are logged on. We get a “session key” (…/sap(bD1kZSZjPTQwMA==)/bc/…) and are directed to the final target.

Step 5:

14-HTTPWatch-Step05.gif

Now we get an HTTP return code 200, meaning that everything is fine. In the next steps, already cached content is loaded and the BSP page is displayed.


That’s it! As you can see, the idea is pretty simple and the content of the JSP is also very simple. You can extend the JSP (for example, if you are running a dual-stack installation where ABAP and Java are on the same server, you can remove quite a lot of the parameters that are passed) — so there is a lot of room for improvement.

If you want to take a deeper look, please also visit the following blogs:

For Configuring SPNego:

Configuring and troubleshooting SPNego — Part 1
Configuring and troubleshooting SPNego — Part 2
Configuring and troubleshooting SPNego — Part 3
Configuring SPNego with ABAP datasource
Configuring SPNego with ABAP datasource — Part 2

For the general redirect idea:
Single Sign On to BSP pages from Duet’s Action Pane

36 Comments

    1. Former Member Post author
      …because then you need a portal 🙂
      Don’t get me wrong: if you have a portal and it makes sense to integrate these BSP in the portal, then of course that is the way to go.
      However, there are still several customers that have applications where dedicated BSPs are floating around and should not/cannot be integrated in a portal. That’s where this blog might be helpful.

      Regards,

      Holger.
      1. Former Member
        … and in your solution they need a NW AS Java that is configured for Kerberos. Your little trick will only work if:
        a) NW AS Java is around and (!!)
        b) NW AS Java is configured for Kerberos

        If AS Java is installed (ex: WebDynpro or BI), normally the portal is also installed. In this case: use the portal to integrate the BSP app.

        br, Tobias
        1. Kenneth Moore
          I would not make the assumption that SAP Portal is being used at most companies. This is a very good solution for some of our .Net applications, we think.
  1. Kenneth Moore

    Holger,

    Question. Is it possible to have a parameter for the redirect server/port similar to how you used <%=PATHTRANS%>?

    For example, instead of typing ‘http://j2ee-server:50000‘, I would type <%=PATH%> or something.

    The reason I ask is that this server/port is different for each system for our setup.
  2. Former Member
    But you do not have to resort to Spnego tricks via JAVA systems (and logon tickets) and dual stack systems are anyways not officially supported by SAP any more either so the optimization there has another timestamp on it!

    SAML, buddy! SAML!! 🙂

    Cheers,
    Julius
    1. Former Member Post author
      Hi Julius,
      most companies do have a Java system “somewhere” that can be used (you don’t need a dual stack system for that). I agree that it is not the perfect solution, but I am also not so sure how SAML would improve the situation here.
      Of course if you already have an STS configured (btw. how do you intend to authenticate to the STS? Will you not use Kerberos for that? :-)) then SAML would definitely be an option (if your ABAP system is on a high enough version to support it).

      Regards,

      Holger.
      1. Former Member
        Hi Holger,

        Sorry for the cheeky comment before.
        Yes Single-Sign-On means you have to authenticate somewhere first, and possibly re-use that authentication provider again (such as for authentication on the SAML provider using kerberos or an LDAP bind) but I am not a fan of creating complex infrastructural “trust chains” which are also host specific and issue tickets, cookies or session IDs for a myriad of others to use, and pass yet another one on as well.
        This sort of thing belongs in a central place, using the same “token” and supported by as much of the server infrastructure as possible. That way you can also authenticate the user as often as you want (lifetime of the SSO “token”). It also makes trouble-shooting easier and fail-over strategies less complex (e.g. switch the central authentication provider to a backup machine behind the web dispatcher).
        In the long run it is cheaper to run and maintain than a “homebrew” of technology and IP addresses maintained in connections, etc.
        Cheers,
        Julius
  3. Former Member
    Thanks for the very informative blog. Our portal is configured for SPNEGO (ticket module). I staged the main.jsp in the irj folder but was not able to make the SSO work from the BSP. Are there any security settings that I need to make?
    1. Former Member Post author
      What do you want to do? What is currently working?
      When the main.jsp is called you should be redirected to the BSP page. Is this already working?

      If it is, then you probably just forgot to establish the trust between the J2EE Engine and the ABAP system. So export the certificate from the J2EE Engine and import it to the ABAP system via STRUSTSSO2. Then add the SID and client (usually 000 in a portal) to the ACL.

      Regards,

      Holger.
      1. Former Member
        I am trying to make SSO work for a BSP. The portal is already configured for SPNEGO and SSO to /irj/portal is working.
        When main.jsp is called, I am able to redirect to the BSP page (in the URL), however I get “page cannot be displayed”.
        I performed a HTTP trace and noted the following:
        1. In step 1, I get HTTP error 307 Temp Redirect.
        2. In step 2, I get HTTP 302 found instead of 401.
        3. In step 3, I again get the HTTP error 307. So this loops for around 5 times and I get the “Page cannot be Displayed”.
        1. Former Member Post author
          Hi,

          I guess there is either an issue with the main.jsp or the parameter that you pass to the jsp page (from the BSP).
          If you want, you can send me a HTTPWatch trace file and the configuration you have done on the ABAP side.

          Thanks,

          Holger.
  4. Former Member
    Hi Holger,

    Thanks for the excellent blog! Actually we followed the steps to achieve this already.
    I have two questions for you: 1) when the backend user ID does not exist, due to the configuration of the BSP’s error page, it will repeatedly redirect back and forth and at the end “The page cannot be displayed” will show; any ideas how we could show a more user-friendly error page? 2) I tried to use a servlet to replace the JSP (I believe it’s much easier to detect the compiling errors) but it simply cannot work, although I checked that the redirect URL is exactly correct.
    Any help is much appreciated.
    Shawn
  5. Former Member
    Hi Holger,

    we use a read-only corporate LDAP as UME datasource; in this case, is there a way for us to do user mapping, e.g. NT user ID A maps to SAP ID B (without changing LDAP)?

    Any help is highly appreciated.
    thanks and regards,
    Shawn
  6. Former Member
    thanks Holger

    thought you might be interested to know we are using this method to provide Windows integrated auth to the Desktop NWBC; you need to put the redirect on the NWBC ICF entry and make sure it returns to the TicketIssuer (http://…/NWBC/TicketIssuer).

    To make it work for the HTML NWBC you need to return to NWBC (http://…/NWBC) not the TicketIssuer.

    thanks again
    john
      1. Former Member
        probably also worth mentioning that you need to pass the following parameters on the returning TicketIssuer url…

        required_abap_runtime_version
        nwbc_runtime_version

        so our url looks as follows…
        http://…/Redirect4SSO/redirect4sso.jsp?to=…/sap/bc/nwbc/TicketIssuer?required_abap_runtime_version=3.1.0&nwbc_runtime_version=1.0.0
        1. Former Member
          Hi,

          First of all thanks to Holger about this article, it is really helpful. Also John thanks for the clarification how to do it for NWBC.

          Although, I’ve some strange behaviour with NWBC: while the redirection & SSO are working, when it comes to opening a transaction via NWBC, I get:
          check your SAP logon ticket (MYSAPSSO2 cookie) configuration in accordance with sap note 900000.
          with the current configuration, SAP GUI for windows will be replaced by SAP GUI for HTML

          Then SAPGUI ITS is opened instead of Windows SAPGUI.

          Any idea ?
  7. Former Member
    To start with, your blogs on SSO with SPNego are fantastic. They have helped me a lot 🙂

    Now, concerning this blog, I may have got this wrong, but I can successfully call a BSP page or Web Dynpro in the backend using the standard BSP/Web Dynpro iViews.

    Simply uploading the ABAP certificate on the Portal would establish the trust, and then after creating a System in the Portal I can call the BSP iView via reference to the System created in the Portal using the Portal alias.

    Or is this just another method to achieve SSO to BSP pages?

    Cheers ,
    Ashish .A. Poojary
    1. Former Member Post author
      Hi,

      thanks for the feedback!
      You are absolutely right. SSO from a NetWeaver Portal to a BSP is no problem. But sometimes you do not have a NetWeaver Portal, or you want to access a BSP directly from a link (for example when you get a notification via email). In this case you call the BSP directly on the ABAP server and normally you would be prompted for username and password.
      The steps outlined here are for exactly this scenario.

      Regards,

      Holger.
  8. Former Member
    Thanks for this blog, I am finding it very useful. I am not going to create a ‘redirect application’ and want to store my main.jsp file in the irj folder. Could someone please confirm the exact file location I should save this?

    I tried ..\server0\apps\sap.com\irj and restarted the portal, but when I try to browse to http://xxxxxx:50100/irj/main.jsp it says it cannot find the file.
    1. Former Member
      You are in the wrong location. The URL rarely combines with the file system path for J2EE application:
      /j2ee/cluster/serverN/apps/sap.com/com.sap.engine.docs.examples/servlet_jsp/_default/root

      br,
      Tobias
  9. Former Member

    Great blog Holger,

    I used this to set up SSO on our CRM 7.0 Web UI. However, once the user clicks the Logoff button in the CRM Web UI and then re-enters the Web UI URL, SSO is not working. In turn, I am getting a “Page cannot be displayed” error. I think that the CRM logoff is not clearing the J2EE session and hence no SPNEGO/SSO login works. If I manually clear the user session on the J2EE side and then re-enter the Web UI URL in the same browser after logoff, then SSO works again.

    Any idea how this can be fixed?

    Regards,
  10. Former Member

    I am investigating how to implement SSO for our BSP application, but since some screenshot pictures do not work, I am not sure how to configure everything. I hope the invalid links to the pictures can be repaired.
    1. Former Member Post author

      Hi,

      unfortunately I cannot fix the screenshots right now (but I had reported the issue already some time back…)

      If you send me an email (so that I have yours :-)) I would be happy to share a PDF document with you.

      Regards,

      Holger.
  11. Jens Koster

    Single Sign-On to an ABAP based system via Web (e.g. BSP) can now be done natively using the Product SAP NetWeaver Single Sign-On for ABAP releases 7.03/7.30 and above. 7.02 is planned for future SPs. The product also includes Single Sign-On using SAP Windows Gui / NWBC.
    You can get more information about this here: http://scn.sap.com/community/netweaver-sso