How to… SSO between SUP and SAP in a CUA
Background: It was quite a struggle to get single sign on to work between Unwired Server (SUP) and SAP. Though it is very easy to configure, it is the lack of a complete “How To with rationale” that let me down. So I felt the need to pen it down for everyone’s use.
Landscape: I have an Enterprise Portal through which users log in to the SAP ERP system using single sign on. The Enterprise Portal uses an ABAP user store which works as a CUA {All users, roles and groups are created in this ABAP system}. The ERP system is allowed to trust the SAP Logon Tickets from the Portal. This is very common among SAP customers.
In terms of pictures, this is what I mean:
We introduced another way to access SAP transactions other than the portal: an iOS app which connects to SAP ERP via SUP and allows users to perform the same activities they would do in the portal. To manage this, we introduced SUP and continued to maintain the Portal as the issuer of tickets and ERP/HR as the trusted systems.
Note that the ERP and HR systems have passwords disabled in my case, which means I cannot log in to them using SAP GUI.
This definitely works well in the SAP world; all who have used Kerberos and SPNego will know what I am talking about. Any third-party HTTP-based server can be set up with single sign-on as depicted above. So we now maintain access via the portal and via devices (in my case iOS). This does not disturb the existing set-up but allows single sign-on from a device. The Unwired Server connects to SAP ERP using JCo.
What does this mean to the unwired server then:
1. Note that the unwired server does not have a user store.
2. When a user attempts to login via the mobile device he is expected to provide his/her portal credentials.
3. The Unwired Server first looks up the portal via an HTTP link that returns a popup-based challenge and returns 401 on failure.
4. On success, the Unwired Server receives the MYSAPSSO2 ticket from the portal and tells the device that it is successfully registered.
5. You can now see the user ID used to log in under application users in Sybase Control Center.
6. The next call from the device would be a synchronise/subscribe. Set the runtime personalisation parameters, username and password, for all MBOs in your package.
7. The Unwired Server knows the user from the runtime credentials, passes the corresponding ticket to SAP ERP and authenticates successfully.
You would also see the user listed under subscriptions inside the package in SCC.
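The exchange in steps 3, 4 and 7 above, as an added example that is not part of the original post nor SUP's own code: a Python model of the HttpAuthenticationLogin step against the portal's ticket-issuing URL, with a wrong password producing the 401 path described in the observations. The portal URL, the user table and the ticket value are constructed stand-ins; the JCo property names are the standard SAP JCo 3 connection keys, used here only to show that the ticket replaces a password.

```python
import base64
from http.cookies import SimpleCookie
from typing import Callable, Dict, List, Tuple

# Transport signature: (url, request headers) -> (status code, response headers).
# Injected so the flow can be exercised offline against a stand-in portal.
Transport = Callable[[str, Dict[str, str]], Tuple[int, Dict[str, List[str]]]]


class PortalLoginError(Exception):
    """Raised when the portal rejects the credentials or issues no ticket."""


def basic_auth_header(user: str, password: str) -> str:
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def fetch_logon_ticket(transport: Transport, url: str, user: str, password: str) -> str:
    """Steps 3 and 4: answer the portal's challenge and return the MYSAPSSO2 ticket."""
    status, headers = transport(url, {"Authorization": basic_auth_header(user, password)})
    if status == 401:
        raise PortalLoginError(f"portal rejected credentials for {user!r}")
    if status != 200:
        raise PortalLoginError(f"unexpected status {status} from portal")
    jar = SimpleCookie()
    for line in headers.get("Set-Cookie", []):
        jar.load(line)
    if "MYSAPSSO2" not in jar:
        raise PortalLoginError("portal answered 200 but issued no MYSAPSSO2 ticket")
    return jar["MYSAPSSO2"].value


# Constructed stand-in for the portal's ticket-issuing application (not the real EAR):
# one known portal user, a dummy ticket value instead of a signed SAP Logon Ticket.
PORTAL_USERS = {"xyz1": "1234"}


def fake_portal(url: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, List[str]]]:
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        user, _, pw = base64.b64decode(auth[6:]).decode("utf-8").partition(":")
        if PORTAL_USERS.get(user) == pw:
            return 200, {"Set-Cookie": [f"MYSAPSSO2=DUMMY-TICKET-{user}; Path=/; HttpOnly"]}
    return 401, {"WWW-Authenticate": ['Basic realm="SAP Portal"']}


def jco_properties(ticket: str, ashost: str, sysnr: str, client: str) -> Dict[str, str]:
    """Step 7: the connection properties handed to JCo carry the ticket, not a password."""
    return {"jco.client.ashost": ashost, "jco.client.sysnr": sysnr,
            "jco.client.client": client, "jco.client.mysapsso2": ticket}
```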
How do I achieve this:
0. Set the portal server up as described in SAP Note 1250795. The note asks you to deploy an EAR file; the EAR only contains an application which satisfies step 3 in the list above. Follow this link for details: http://infocenter.sybase.com/help/index.jsp?topic=/com.sybase.infocenter.dc01703.0212/doc/html/fre1296856525862.html
1. Create a security profile and set up the HttpAuthenticationLogin module in SCC like this.
2. Assign this security profile to your package
3. Set up the JCo connection used in the package as follows:
4. Set up runtime credentials for your MBO and also set the same in your app.
5. Test your app, it just works!
Observations:
1. The SAP ERP password can be enabled or disabled; it has no effect on this single sign-on.
2. The password expiry response could not be captured very well. WIP.
3. When a wrong portal user is supplied from the device, registration will fail the first time. If the app is already registered, you will get a login failure. Handle the user experience accordingly.
4. This should apply to 2.1.3 using RBS as well.
5. GetSAPSSO should be set to 1 when you want SUP to be the issuer; AFAIK it is available only from SUP 2.2.
Sys Environment:
SUP: 2.1.2; ERP: ECC 6.0; iOS: 5.1 {iPad & iPhone}; Technique: MBS.
Nice blog..!
Hi,
Very nice blog, it helped us to do our SSO config, but now we are facing another challenge. In our environment we use user mapping: basically the user IDs in Active Directory are different from the user IDs we use in the ABAP backend systems, and we use the portal user mapping to solve this in our normal web scenarios. How can we accomplish this user mapping in SUP? Using Internet Explorer it works out of the box, but SUP tries to log in to the backend systems using the AD user ID (which does not exist) instead of the SAP ID that is in an attribute in the AD and part of the MYSAPSSO2 cookie.
Any hint will be appreciated.
Zareh Vazquez
Hi Zareh
Thanks. Which user do you use to login to the portal? The AD user? Which user is contained in the MYSAPSSO2 ticket given by the portal on successful login?
Regards
LNV
Hi Lakshminarayanan V,
Thanks for your post! Could you confirm that I've understood correctly:
1. For example, we have SAP users xyz1/1234 and xyz2/1234 on the portal and the same users on the ERP system with different passwords, for example xyz1/5678 and xyz2/5678.
2. After implementing the instruction's steps, mobile device users will be able to log in to the ERP system by setting the portal's credentials (xyz1/1234 and xyz2/1234) into SUP's special personalisation keys 'Login' and 'Password' on their mobile devices.
3. SUP users (for example supAdmin/s3pAdmin) are not taken into account.
Thanks in advance,
Serg D.
Hi Lakshminarayanan V,
Good Blog.
Thanks,
Syam