Skip to Content

Configuration of SSO and Its uses in SAP MII

Recently I am working on a scenario using JCo action block where at the time of sending any data to ECC I could not use credentialAlias to send the user info,but I have to fatch the user credentials used in the MII web page login. Then the concept of SSO comes to my mind and I am trying to implement it in MII. But to implement SSO between SAP MII and SAP ECC we have to follow few steps which I discuss here.  

SSO :  Single Sign-On is the subsequent automated authentication for additional systems after the user has logged on once. In this case, the authenticating system passes the user information to the subsequently called system. This is done in the background; that is, the user does not need to authenticate himself or herself again after his or her first logon.

SSO is possible between all SAP system and SAP to non-SAP system also.  

Here we use this SSO between SAP MII and SAP ECC.  

There are basically two parts in the configuration of SSO

  • Upload the certificate into ECC
  • Download Certificate from MII


  1. Download Certificate from MII:

To download the certificate follow the steps:  

  • Go to the NWA (Net Weaver Administrator)

        URL : http://<server>:<port>/nwa


                                                                     Figure-1 : Net Weaver Window  

  • Go to Configuration Management

                                                                     Figure-2 : Configuration Tab

  •    Go to Security


                                                      Figure-3 : Security Tab  

  • Go to Certificates and Keys



  •    Select TicketKeystore


  • Select SAPLogonTicketKeypair-cert
  • Click on Export Entry


  • Select Export Format.

          There are 2 type of format.

    • Base64
    • Binary

          Select anyone of it.



  • Click on Download



  • Save the Certificate.  


   2.Upload the Certificate into ECC:

     To upload the certificate into ECC, follow the steps :  

  • Run the transaction STRUSTSSO2



  • In the PSE status frame on the left, choose the system PSE.
  • In the Certificate section, Click Import Certificate


  • Select the path of the certificate file, and Select the File format.

           There are 2 types of format.

    • Base64.
    • Binary.

          Select the same file format as selected when the certificate downloaded.

  • Select Tick.


  • Click on Add to Certificate List
  • Click Add to ACL, to add the server to the ACL list.


  • Enter the SAP system ID and the client (default for J2EE installations is 000).
  • Click on Tick.


  • Save the entry.

The certificate is added to the list in ECC. Now we have to check the profile parameters in ECC.

Checking Profile Parameters:

  • Go to transaction RZ10


  • Select Extended maintenance under Edit Profile.
  • Select Profile and press Enter.
  • Select Instance profile from the pop up box.
  • Click on the tick.


  • Click on Change.


  •   Make sure that login/create_sso2_ticket is set to 2 and login/accept_sso2_ticket is set to 1.


  The profile parameters only take effect once the system is restarted  


How to Use SSO Logon Ticket in SAP MII: 

In the SAP JCO action block in SAP MII, we might need to use SSO to pass the user credentials for executing the RFC in the SAP backend system.

The SAP JCO interface action block and SAP JCO start session action block provides link parametersfro passing the SSO2 logo ticket from the MII to the ECC. It enables the user credentials used in the SAP MII web page to be passed on the JCO action block to execute the RFC at the time of executing the BLS/XacuteQuery via the iCommand applet only,then the user credentials pass as SSO2 ticket.  

Note : The log-in user name must be the same for the SAP MII and the ECC.    

Link configuration in JCO interface Action Block: 

  • Specify $MYSAPSSO2$ (within “”) in the link configuration of SAPUserName property
  • Define a Transaction Property named MYSAPSSO2 of data type string.
  • Link MYSAPSSO2 to the SAPSSO2Ticket.


When we put $MYSAPSSO2$ in SAPUserName property,it means we need to use the SSO logon ticket. It is then automatically passed the user credentials from the Web page that uses XacuteQuery to call the BLS transaction.

Checking the XacuteQuery Configuration:

  • Go to Data Servers to the Administrative menu of SAP MII.
  • Go to XacuteConnector.
  • Check AutoBind.

Here MYSAPSSO2 transaction property actually refers to an environmental variable of SAP MII, which sends the SSO2 logon ticket. So we have to check the Autobind  property in the XacuteConnector

The Illuminator URL to call the Xacute Query is :

http://<server>:<port>/XMII/Illuminator?QueryTemplate=<Xacute Query>

You must be Logged on to comment or reply to a post.