Skip to Content
Author's profile photo Former Member

How to…. SSO between SUP and SAP in a CUA

Background: It was quite a struggle to get single sign on to work between Unwired Server (SUP) and SAP. Though it is very easy to configure, it is the lack of a complete “How To with rationale” that let me down. So I felt the need to pen it down for everyone’s use.

Landscape: I have an Enterprise Portal through which users log in to the SAP ERP system using single sign on. The Enterprise Portal uses an ABAP user store which works as a CUA {All users, roles and groups are created in this ABAP system}. The ERP system is allowed to trust the SAP Logon Tickets from the Portal. This is very common among SAP customers.

In terms of pictures this is what I mean

  CUA.PNG                   SSO.PNG              

We introduced an other way to access SAP transactions other than the portal – An iOS app which will connect to SAP ERP via SUP and allow users to perform the same activities they would do in the portal.To manage this, we introduced SUP and continued to maintain Portal as the issuer of tickets and ERP/HR as trusted systems.

Note that ERP and HR systems have password disabled in my case, which means I can not login to them using SAP GUI.

                        SSO with SUP.PNG

This definitely works well in the SAP world, all who have used Kerberos and SPNego will know what I am talking. Any third party http based server can be set up with a single sign on as depicted above. So we maintain access via portal and devices (my case iOS) now. This does not disturb the existing set up but allows single sign on from a device. The unwired server connects to SAP ERP using JCo.

What does this mean to the unwired server then:

1. Note that the unwired server does not have a user store.

2. When a user attempts to login via the mobile device he is expected to provide his/her portal credentials.

3. Unwired server first looks up the portal via a http link that returns a popup based challenge and returns 401 on failure.

4. On success, the unwired server receives the MYSAPSSO2 ticket from the portal and tells the device that it is succesfully registered.

5. You can now see the user id used to login under application users in Sybase Control Center.

6. The next call from the device would be a synchronise/subscribe. Set for all MBOs in your package the runtime personalisation parameters: username and password.

7. The unwired server knows the user from the runtime credentials and passes the corressponding ticket to SAP ERP and authenticates successfully.

You would also see the user listed under subscriptions inside the package in SCC.

How do I achieve this:

0. Set the portal server up with this note 1250795. The note asks you to deploy a EAR file. The EAR only contains an application which satisfies step 3 in the list above. Follow the link for details


1. Create a security profile and set up HttpAuthenticationLogin module in SCC like this.


2. Assign this security profile to your package

package security.PNG

3. Set up the JCo connection used in the package as follows:

JCo for sso.PNG

4. Set up runtime credentials for your MBO and also set the same in your app.

MBO Runtime credentials.PNG

5. Test your app, it just works!


1. The SAP ERP password can be enabled or disabled, it does not have an effect on this single sign on.

2. The password expiry response could not be captured very well. WIP.

3. When a wrong portal user is supplied from the device, registration will fail for the first time. If the app is already registered, you will get a login failed. Handle user experience accordingly.

4. This should apply to 2.1.3 using RBS as well.

5. The GetSAPSSO should be set to 1 when you want SUP to be the issuer, AFAIK it is available only from SUP 2.2.

Sys Environment:

SUP: 2.1.2; ERP: ECC 6.0; iOS: 5.1 {iPad & iPhone}; Technique: MBS.

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Uday Kumar Kanike
      Uday Kumar Kanike

      Nice blog..! 

      Author's profile photo Former Member
      Former Member


      Very nice blog, it helped us to do our SSO config, but now we are facing another challenge, in our environment we use user mapping, basically the userID in Active Directory are different that the users ID we use in the ABAP backend systems and we use the portal user mapping to solve this in our normal web scenarios, how can we accomplish this user mapping in SUP, using Internet Explorer works out of the box, but in SUP tries to login using the AD user ID (it does not exist) to the backend systems instead of the SAP ID that is in a attribute in the AD and part of the MYSAPSSO2 cookie.

      Any hint will be appreciate it.

      Zareh Vazquez

      Author's profile photo Former Member
      Former Member

      Hi Zareh

      Thanks. Which user do you use to login to the portal? The AD user? Which user is contained in the MYSAPSSO2 ticket given by the portal on successful login?



      Author's profile photo Former Member
      Former Member

      Hi Lakshminarayanan V,

      Thanks for your post! Could you confirm that I've understood correctly:

      1. For example, we have SAP users xyz1/1234 and xyz2/1234 on portal and same users on ERP system with different passwords for exaple  xyz1/5678 and xyz2/5678.

      2. After implementing instruction's steps, mobile device users will be able to login to ERP system by setting portal's credentials (xyz1/1234 and xyz2/1234)  into SUP special personalysation keys 'Login' and 'Password' on their mobile devices.

      3.SUP users (for example supAdmin/s3pAdmin) do not take into account.

      Thanks in advance,

      Serg D.

      Author's profile photo Syambabu Allu
      Syambabu Allu

      Hi Lakshminarayanan V,

      Good Blog.