Skip to Content
Author's profile photo Former Member

SSO from enterprise portal to SAP eSourcing 5.1

  Set the following properties for the directory configuration

   Please check the pre-requisites before you start the SSO configuration steps

0.1. E-Sourcing using the NetWeaver Java stack as the application server

0.2. Patched to E-Sourcing release 5.1 ( minimum SP05 , however it will work  SP04 also)

0.3. Enterprise Portal 7.0 SP 15

0.4. User id’s between the Enterprise Portal and ESO are identical.

0.5. Cookies enabled within browser.

0.6. IE6 or IE7.

0.7. Per note 1275398 , the user ids should be in small case


Here are the basic steps invloved in configuring the SSO between EP and ESO:


Export certificate from NW Enterprise Portal0.1.

Create the keystore directory in eSourcing server and put the portal certificate there0.1.

Generate the keystore in eSourcing server from the NW EP certificate0.1.

Set the fcisystem properites to adapt to the keystore settings0.1.

set the directory configuration in esourcing0.1.

Restart the ESO application0.1.

Test the SSOThe details provided below are from EP 7.0 and ESO  5.1 . 


Export certificate from NW Enterprise Portal 

Log on to the EP  , go to system Administration–> System Configuration –> Keystore Administration

Select SAPLogonTicketKeypair-cert




Download the verify.der file .  Extract the zip file and rename the certificate as verify.crt


2.  Create the keystore directory and copy the portal certificate to that location


In the  esourcing server, set up the keystore directory under the FCI home directory.


Eg : let the FCI_HOME is /usr/sap/esourcing51 , set up the directory with name keystore under this . So the keystore location is /usr/sap/esourcing51/keystore.


This directory can be used to store certificates from multiple systems.

Now copy the verify.crt  certificate to the keystore directory




3. Generate the keystore in eSourcing server from the NW EP certificate


Go to the Java Home directory and in the bin folder you will see the utlilty keytool which can be used to generate the keystore.

Suppose your JAVA_HOME is /usr/j2se  , navigate to /usr/j2se/bin and execute the utility as follows:</p><p>keytool -import -alias <alias name>  -file /< FCI_HOME>/keystore/verify.crt -keystore <name of keystore file></p><p> </p><p>The standard JDK keytool utility is used here to generate the keystore, it will prompt for the keystore password during generation and upon completion of the generation you will see the keystore file added to the keystore directory</p><p>!|height=319|alt=image|width=653|src=|border=0!” </p><p> </p><p> </p><p>4. Set the fcisystem properites to adapt to the keystore settings 5. Set the directory configuration in esourcing



To configure the local buy-side directory to activate the SSO ,lauch SAP E -Sourcing and go to  setup -> Configuration-> Directory Configuration

Choose the active buy side configuration and Set the driver as ‘basic’





Enter the following in the  authenticator field:


Also check the following features :

Changeable password, expired passwords, New accounts, Browsing


In the controls , check  ‘Browse using Stored Credentials’




Set the following properties for the directory configuration


Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Tridip Chakraborthy
      Tridip Chakraborthy
      Hey Arun
      I would say that you have solutionized on a long standing issue that had a lot of problems.
      Several threads on SDN E-SOurcing Group need this information desperately.
      i suggest that you cross-link this blog on some of the threads.
      This is a mine of information and a very clearly and easily understandable articulated approach laid out in your blog, cheers tridip
      Author's profile photo Former Member
      Former Member
      The authenticator that should be used is the:

      None of the selected checkboxes of the heatures should be selecetd nor will they matter.

      The bypass_error_block and ext_login_page properties should be edited after SSO has been set up.

      No-where do you mention how to enable the enterprise user to login which is causing issues for other customers, who are disabling their Buyside login page.
      Nothing is mentioned of how to set up and test the iView sending the request from the portal.

      Unfortunately due to the customizability of the process and the way that e-sourcing consumes SSO logins the documentation for this is somewhat complex.  We are in the process of developing a formal document for this and I will post a link ot it and perhaps a seperate blog entry on how to set this up.

      Best regards,


      Author's profile photo Former Member
      Former Member
      Blog Post Author
      Paul, thanks for your feedback.
      We had a tough time in establishing the SSO between Enterprise portal and e-srourcing 5.1 . There was no cleanr documentations/instructions in the guides. So most of the information provided is based on our experience and which anyway worked for us.
      Coming to points one by one:

      1. SAP installation guide clearly says to put and this did work for us.

      2. We did check the boxes and I will try whether the SSO will work without those checks

      3.the properties were set after import of certificate/after activating the SSO in directory set up as mentioned in the blog . What exactly you mean 'after the SSO has been set up' ?

      4.We are also looking for SAP document on enterprise login , this is an issue for us also

      5. testing SSO using a url iview is a basic netweaver knowledge, I dont think that needs more explanation . What we were looking was specific to eso application .

      Appreciate you still considering to develop/release a formal document , looking forward for that.



      Author's profile photo pablovel79 pablovel79
      pablovel79 pablovel79
      Hi Paul!

      I hope you can help me please!!! where can I found the authenticator class, could you share it whit me please.

      thank you very much.

      best regards!!

      Author's profile photo Former Member
      Former Member
      Hi Paul,
         were you able to write a blog on this?


      Author's profile photo Former Member
      Former Member
      Hello Gaurav,
      It took me a little while to get around to writing it, but its here.

      I'm working on a series of them at the moment.  LDAP, HA/Scaling, and some Wave 7 stuff.



      Author's profile photo Former Member
      Former Member

      Thanks for the useful blog. We have problem and we are stuck up since long with out any help.
      We are trying to integrate E-Sourcing(Running in JBOSS) in Enterprise Portal.  We have followed the below steps:

      1. Deploy the E-SOURCING SINGLE-SIGN-ON SCA file

      2. Import/Export the Certificate in SAP CLM

      3. Import the NetWeaver certificate for the specific system into the SAP E-Sourcing server key store

      4. Activate SSO in SAP CLM

      5. To configure the local buy-side (internal) directory to activate the SSO, launch SAP E-Sourcing and did Directory Configuration.

      6. In the Authenticator field, we put

      8. Changed bypass_error_block to TRUE.

      9. Configured ext_login_page according to the given format.

      We have the below problem:
      1. When we try to login into portal, we are redirected to e-sourcing page, where it asks us for username and password.

      2. At the same time, when we are unable try to login directly into E-sourcing to0.

      We are not sure, what is missing, where to check and completly clue less.

      Kindly help us on this.

      Thanks in Advance.


      Author's profile photo Former Member
      Former Member

      We have configured SSO between E-Sourcing with Portal.  We are having problem with some userids.

      1. E-Sourcing is deployed on JBoss Application stack
      2. E-Sourcing version eSO 5.1 SP08
      3. Portal is at version 7.0 EHP1 SP6

      We are facing problem in SSO with few userids. Below is the case:
      1. ESO --> User exists with UPPER CASE, where as in AD it is in LOWER CASE:
      2. ESO --> everything is fine, if ESO=AD=Lowercase.

      we tried the below settings,
      SETUP SYSTEM PROPERTY upp.extservletauthenticator.username_regex
      but nothing worked.

      Any solution or ideas are most welcome.


      Author's profile photo Former Member
      Former Member
      The setting s/\S+\\(\S+)/\L$1/ would work to convert the following:

      "SAPPHLEX065745\PWagner30" into "pwagner30"

      I take it that from the dumpallheader.jsp or the http tracer that you have used to capture the username being passed that it looks like somethings else.  From your known starting value what conversion do you wish to make?  Are there numbers or aspecting of the CN being passed over or is it a simple change of case?
      I suggest doing some research into java based regular expressions to find out what parameters will work.