Skip to Content
Author's profile photo Former Member

How to include Logon Ticket into SAP Shortcut – SSO from ABAP Web to SAP WINGUI

I saw there are wiki pages posted recently introducing how to launch SAP GUI for Windows transaction from SAP ABAP Web application but they refer to “decent” SSO solution for SAP GUI for windows if you want to void initial logon screen.

It recalls me a tiny job I did together with my colleague Rikardt couple of months ago. We found the way to get rid of initial logon screen using standard Logon ticket.

To be honest, it’s really very simple if you ever look into the content of SAP shortcut file generated by SAP Netweaver Portal Transaction launcher. I did that using http sniffer tool like HTTPWatch.

The following screenshot is an example of such shortcut file, and you should immediately identify the trick is just about assigning SAP logon Ticket to an undocumented shortcut parameter “at”.

image

 

ABAP FM CREATE_RFC_REENTRANCE_TICKET can be used to generate logon ticket, and please remember it generate assertion ticket only valid for 120 seconds. You also should notice that this function module was introduced from SAP Basis support package SP14. The sample code is here.

  CALL FUNCTION ‘CREATE_RFC_REENTRANCE_TICKET’
    IMPORTING
      ticket                 = lv_ticket
    EXCEPTIONS
      ticket_logon_disabled  = 1
      ticket_creation_failed = 2
      kernel_too_old         = 3
      OTHERS                 = 4.
  IF sy-subrc <> 0.
  ENDIF.

Clearly, the next step is to compose the shortcut file using your own code rather than function module SWN_CREATE_SHORTCUT, so you can include generated ticket for “at” parameter, example:

  DATA: l_crlf     TYPE char2.
  l_crlf = cl_abap_char_utilities=>cr_lf.

  CONCATENATE
*   System
    ‘[System]’                                              “#EC NOTEXT
    l_crlf
    ‘Name=’ sy-sysid                                        “#EC NOTEXT
    l_crlf
*   SAPLOGON_ID to be used for callbacks
    ‘Description=’ i_saplogon_id                            “#EC NOTEXT
    l_crlf
*   Client
    ‘Client=’ i_client                                      “#EC NOTEXT
    l_crlf
*   user section
    ‘[User]’                                                “#EC NOTEXT
    l_crlf
*   User
    ‘Name=’ i_user                                          “#EC NOTEXT
    l_crlf
*   Logon Ticket
    ‘at=”MYSAPSSO2=’ lv_ticket   ‘”‘                 
    l_crlf
*   Langu
    ‘Language=’ l_langu                                     “#EC NOTEXT
    l_crlf
*   Function section
    ‘[Function]’                                            “#EC NOTEXT
    l_crlf
*   Title
    ‘Title=’ i_title                                        “#EC NOTEXT
    l_crlf
*   Command
    ‘Command=’ l_command                                    “#EC NOTEXT
    l_crlf
*   Configuration section
    ‘[Configuration]’                                       “#EC NOTEXT
    l_crlf
*   window size
    ‘GuiSize=’ i_windowsize                                 “#EC NOTEXT
    l_crlf
    INTO l_shortcut.

And then you send the shortcut as MIME object in BSP or Webdynpro response , which you refer to the wiki http://wiki.sdn.sap.com/wiki/display/CRM/CRM+WebUI+-+Launching+transactions+in+GUI+for+Windows or http://wiki.sdn.sap.com/wiki/display/ABAP/ZAPP_INTEGRATOR

 Job is done though you still need to make sure the following profile parameters are activated.

login/accept_sso2_ticket  =  1
login/create_sso2_ticket  =  2

Assigned Tags

      3 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Gregor Wolf
      Gregor Wolf
      Hi Denny,

      thank you for pointing to my ZAPP_INTEGRATOR project. It does exactly what you've described here. When you specify the pareameter Technique=SSF you will get a SAP Shortcut File that contains also the SAP Logon Ticket.

      When you use Microsoft Internet Explorer you can also use the Technique=SSD which has the benefit that the SAP GUI for Windows is started in the browser window.

      Best regards
      Gregor

      Author's profile photo Former Member
      Former Member
      Gregor,

      Sorry, I didn't read your code through, otherwise I would give more clear reference within my blog.

      However, I'm not a developer but a platform guy, I'd share more technical information like SP level of the FM, assertion ticket etc in my blog.

      Thanks,
      Denny

      Author's profile photo Former Member
      Former Member

      Hi,

       

      The FM CREATE_RFC_REENTRANCE_TICKET is just generating a so called Re-Entrance ticket for the current system. If you want to use it for winGUI SSO than it won't work as stated above.

      The Re-Entrance  ticket is not the same as the logon ticket but the similiar to the assertionticket used by the RFC infrastructure (Assertion tickets are valid only for one system and one client and requires authentication before issuing it!).

      Re-Entrance ticket can only be created for the current user, and no reauthentication is required!

      Usually it is used to enter into the same system again (i.e. a call back scenario).

       

      So what you need to do is to make a trusted RFC connection between the issuer system (you are currently logged in) and the receiver system (where you want to login via SSO).

      Then use the same, only add the RFC destination of the target system:

      CALL FUNCTION ‘CREATE_RFC_REENTRANCE_TICKET’

      DESTINATION <RFC_DEST_TARGET_SYS>
      IMPORTING
      ticket                 = lv_ticket
      EXCEPTIONS
      ticket_logon_disabled  = 1
      ticket_creation_failed = 2
      kernel_too_old         = 3
      OTHERS                 = 4.
      IF sy-subrc <> 0.
      ENDIF.

      This way your user executes the reentrance ticket in the receiver system, so it will accept it in the generated tx.sap file!

       

      Br

      Richard