
How to make Single Sign-On work for PI 7.1

When you open the PI start page and click ‘Enterprise Services Builder’, you have to log on.

And then a logon window appears again.

I’m tired of it. Why not Single Sign-On? Just follow the steps to make it happen.

Modify Instance Profile

login/accept_sso2_ticket = 1

login/create_sso2_ticket = 2

icm/host_name_full = hostname.domain

Add Login Module to J2EE Engine

NetWeaver Administrator, Configuration Management, Security, Authentication:

Click Edit, add EvaluateTicketLoginModule and save.


Change Authentication template for the Web components

NetWeaver Administrator, Configuration Management, Security, Authentication:

Select each component and change the referenced authentication template from basic to ticket.




Modify PI Exchange Profile 


Note: After changing the Exchange Profile, you don't need to restart the system for PI 7.1.



Applications like Alert Configuration in Runtime Workbench are based on the ABAP application server, so we need to configure SSO between the ABAP AS and the J2EE stack. There are some additional steps:


  1. Export the ABAP certificate, and import it to J2EE.
  2. Export the Java certificate, and import it to ABAP.

NetWeaver Administrator, Configuration Management, Security, Certificates and Keys: 


Finally, restart the PI system and SSO will work.

If you didn’t change the instance profile and didn’t perform the additional steps, SSO will become effective immediately, without a restart. I have double-checked this in my systems; you can trust me.

  • I followed your steps and after restarting the system, I logged on to PI ABAP (7.1) and executed SXMB_IFR. From there, when I clicked on ESB, I still got the prompt, but this time with the below message.

    “Single Sign-On failed”.

    Any ideas what went wrong? I’ve double-checked the settings against yours.


      • Thanks for checking. I tried that one too but it didn’t work. I’ll undo everything and redo the config and post the result back here.

    • Please use the NWA useradmin tool, Role perspective, and
      assign all 3 ‘keystore-view.TicketKeystore’ actions to Role ‘Everyone’
      UME keystore-view.TicketKeystore entry-actions.all.all
      UME keystore-view.TicketKeystore property-actions.all.all
      UME keystore-view.TicketKeystore view-actions.all.all
      to the role Everyone in UME.
  • We are upgrading to the latest version of PI next week. If this means I can then follow your instructions and not have to enter my password every two seconds then that is the best news I’ve had all year. BW used to be the same, i.e. entering a password constantly. However, since PI is predominantly intended as middleware, i.e. to let different systems COMMUNICATE with each other, yet the two halves of PI cannot talk to each other without password verification, that is just embarrassing for SAP.
  • Did all the steps you outlined.
    1. Added 3 profile parameters.
    2. Changed the auth template to ticket for all the listed PI components.
    3. Created Login cert in j2ee VA and imported into abap.
    4. Enabled sso in exchangeProfile
    5. Rebooted the system.

    Still no joy. Any advice? I am using PI7.1_Ehp

    • Did you miss this part ‘add EvaluateTicketLoginModule to SAP J2EE Engine’?

      There is NO VA in PI 7.1x.

        • add EvaluateTicketLoginModule to SAP J2EE Engine


          different from

          change the auth template to “ticket” for all the listed PI components

          • Sorry for the confusion, yes, I added EvaluateTicketLoginModule to SAP J2EE Engine

            On logon I get the error and the security log shows this message..

            #2.0 #2010 06 09 11:11:03:176#0-700#Warning#/System/Security#
  [RMI/IIOP Worker [3],5,Dedicated_Application_Thread]#Java##
            Keypair for signing not found in keystore view [{0}] under alias [{1}]. Authentication stack: [{2}]. The default kestore view is [{3}]. The default keypair alias is [{4}]. Check the login module options and UME properties.#5#TicketKeystore#SAPLogonTicketKeypair#service.naming#TicketKeystore#SAPLogonTicketKeypair#

            #2.0 #2010 06 09 11:11:03:176#0-700#Info#/System/Security/Authentication#
  [RMI/IIOP Worker [3],5,Dedicated_Application_Thread]#Plain##
            User: N/A
            Authentication Stack: service.naming

            Login Module                                                               Flag        Initialize  Login      Commit     Abort      Details
            1.   SUFFICIENT  ok          false                 false     
            2.             SUFFICIENT  ok          exception             true       Signing key pair not found.#
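
Added example, not part of the original post or the comment thread: the warning record quoted in the last comment stores its text as a template with {0} to {4}, followed by an argument count and the values. The Python below fills the placeholders in and extracts the keystore view, key pair alias and authentication stack the J2EE engine was looking for. The '#'-separated field layout is an assumption inferred from that single quoted record, and `expand_record` and `missing_signing_key` are hypothetical names.

```python
import re

# Warning record copied from the security log quoted in the thread above,
# with the thread-name line joined back onto the record.
SAMPLE = (
    "#2.0 #2010 06 09 11:11:03:176#0-700#Warning#/System/Security#"
    "[RMI/IIOP Worker [3],5,Dedicated_Application_Thread]#Java##"
    "Keypair for signing not found in keystore view [{0}] under alias [{1}]. "
    "Authentication stack: [{2}]. The default kestore view is [{3}]. "
    "The default keypair alias is [{4}]. "
    "Check the login module options and UME properties."
    "#5#TicketKeystore#SAPLogonTicketKeypair#service.naming"
    "#TicketKeystore#SAPLogonTicketKeypair#"
)
PLACEHOLDER = re.compile(r"\{(\d+)\}")
MISSING_KEY = re.compile(
    r"Keypair for signing not found in keystore view \[(.*?)\] "
    r"under alias \[(.*?)\]\. Authentication stack: \[(.*?)\]"
)


def expand_record(record):
    """Return (severity, category, message) with {n} placeholders filled in.

    Assumed layout (inferred from the quoted record): '#'-separated fields,
    a message template, then an argument count and the arguments.
    """
    fields = record.strip().split("#")
    severity, category = fields[4], fields[5]  # fields[0] is empty
    idx = next((i for i, f in enumerate(fields) if PLACEHOLDER.search(f)), None)
    if idx is None:
        raise ValueError("record has no parameterised message")
    count = int(fields[idx + 1])
    args = fields[idx + 2 : idx + 2 + count]
    if len(args) != count:
        raise ValueError("record is truncated: arguments missing")
    # A placeholder whose index is out of range is left untouched.
    fill = lambda m: args[int(m.group(1))] if int(m.group(1)) < count else m.group(0)
    return severity, category, PLACEHOLDER.sub(fill, fields[idx])


def missing_signing_key(record):
    """Return view, alias and stack if the record reports a missing key pair."""
    try:
        _, _, message = expand_record(record)
    except (ValueError, IndexError):
        return None
    m = MISSING_KEY.search(message)
    return dict(zip(("view", "alias", "stack"), m.groups())) if m else None
```

For the quoted record the expanded message names keystore view TicketKeystore and alias SAPLogonTicketKeypair, which is the entry to look for under Certificates and Keys in NetWeaver Administrator.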