Rohit Makkar

SSO between MDM and Portal

To achieve SSO between SAP NetWeaver MDM and the SAP Portal, a trusted connection needs to be set up; it is the only authentication type supported in this version. A trusted connection is useful because a user who has already logged on to the application does not have to provide yet another password just for MDM.

The NetWeaver Web AS user must also exist as an MDM user (defined in the MDM repository). A session is authenticated through a trusted connection between the server where the MDM Java API is deployed and the server where the MDM server is running.

You establish the trusted connection between the environment running the API and the MDM server by placing configuration files in the MDM server installation directory; this is how the server knows which clients to trust. Note that trust is granted purely on the basis of the caller's source IP address: any process that can connect from a trusted address is accepted as a trusted partner, so the list of trusted addresses should be kept as narrow as the deployment allows.

Procedure to define a trusted connection

A trusted connection to the MDM server is defined as follows.

1.    allow.ip file: Create a flat text file named allow.ip. This file contains the IP addresses of trusted partners, with a separate entry for each connection. An entry is either a fully specified IP address or a pattern that uses a wildcard to signify an entire subnet.

For instance, 10.17.79.* indicates that any address within the 10.17.79 network is considered trusted. Other possible variants are 10.17.* and 10.*, but not a bare *. Each octet replaced by the wildcard widens the trusted range considerably, so use the most specific pattern that covers the Web AS hosts.

Comments can be inserted by placing a number sign (#) in the first column.

2.    deny.ip file: Create the deny.ip file if required. To allow an entire network while specifying some exceptions, create a deny.ip file according to the same rules as the allow.ip file.

For example, if the 10.17.79 network is to be trusted with the exception of one address, insert 10.17.79.* in the allow.ip file and that single address in the deny.ip file.

If a caller's address matches an entry in the deny.ip file, the server treats it as not trusted.

The same applies to all IP addresses that are not found in allow.ip.

For example, if a consumer requests data from the server and its IP address is not found in allow.ip, the request is refused.

Only if the IP address is found in the allow.ip file and not excluded by the deny.ip file is the caller categorized as a trusted partner.


3.    Location of ip files:

By default, the allow.ip and deny.ip files should be located in {MDM Server root}\exe.

In other words, these files have to be stored in the folder in which the executable is located.

For example, if the MDM system ID is M01, the location of the trusted configuration files is usr\sap\M01\MDS01\exe.

An alternative location for these files can be specified by adding a line to the mds.ini file, for example TrustFiles Dir={folder path}, indicating that both the allow.ip and deny.ip files are in the folder {folder path}.

When the MDM server runs on an AIX platform, the mds.ini file must contain the parameter TrustFiles Dir = {folder path}.

After this initial configuration the trusted partners are defined, enabling trusted cooperation between the Web AS servers and the MDM server.

After making the above changes it is mandatory to restart the MDM server instance.
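To make the allow.ip / deny.ip semantics above concrete, here is an added example that is not part of the original post and not SAP's own code. It is a small Python model of the decision the MDM server makes: parse the two files (comments start with # in the first column, one pattern per line, wildcards as described, a bare * rejected), then treat a caller as trusted only if it matches allow.ip and does not match deny.ip. It also flags allow.ip entries wider than a single third-octet network, the kind of check worth running before restarting the server. The file contents in ALLOW_IP and DENY_IP are constructed sample data, and the exact way the real server parses these files is an assumption based on the rules stated in the procedure.

```python
"""Model of the MDM trusted-connection decision (allow.ip / deny.ip).

Added example, not SAP's code. It implements the rules described in the
procedure above (an assumption about how the real server parses the files):
  - one pattern per line; a '#' in the first column starts a comment
  - a pattern is a full IPv4 address or a prefix ending in '*'
    (10.17.79.*, 10.17.*, 10.*); a bare '*' is not permitted
  - a caller is trusted only if it matches allow.ip and does not match deny.ip
ALLOW_IP and DENY_IP below are constructed sample file contents.
"""
import re

_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
_FULL_ADDR = re.compile(rf"^{_OCTET}(?:\.{_OCTET}){{3}}$")
# one to three leading octets followed by '.*'
_WILDCARD = re.compile(rf"^{_OCTET}(?:\.{_OCTET}){{0,2}}\.\*$")

# Constructed sample: trust the 10.17.79 network except one host in it.
ALLOW_IP = """\
# Web AS hosts allowed to open trusted connections
10.17.79.*
"""
DENY_IP = """\
# exception inside the allowed network
10.17.79.200
"""


def is_valid_pattern(pattern):
    """True for a full address or a permitted wildcard; False for '*' etc."""
    return bool(_FULL_ADDR.match(pattern) or _WILDCARD.match(pattern))


def parse_ip_file(text):
    """Return the patterns in an allow.ip / deny.ip body, skipping comments.

    Raises ValueError on an unsupported pattern so a malformed or over-broad
    file fails closed instead of silently trusting the wrong hosts.
    """
    patterns = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if raw.startswith("#"):  # comment: '#' in the first column
            continue
        line = raw.strip()
        if not line:
            continue
        if not is_valid_pattern(line):
            raise ValueError(f"line {lineno}: unsupported trust pattern {line!r}")
        patterns.append(line)
    return patterns


def matches(pattern, ip):
    """True if the full address ip is covered by pattern."""
    if not _FULL_ADDR.match(ip):
        raise ValueError(f"not a full IPv4 address: {ip!r}")
    if pattern.endswith("*"):
        # "10.17.79.*" -> prefix "10.17.79."; the trailing dot keeps
        # 10.17.7.x from matching a 10.17.79.* rule
        return ip.startswith(pattern[:-1])
    return ip == pattern


def is_trusted(ip, allow_patterns, deny_patterns):
    """Trusted only if some allow.ip entry matches and no deny.ip entry does."""
    allowed = any(matches(p, ip) for p in allow_patterns)
    denied = any(matches(p, ip) for p in deny_patterns)
    return allowed and not denied


def broad_patterns(patterns):
    """Entries wider than one third-octet network (10.17.* or 10.*)."""
    return [p for p in patterns if p.count(".") < 3]


if __name__ == "__main__":
    allow = parse_ip_file(ALLOW_IP)
    deny = parse_ip_file(DENY_IP)
    for caller in ("10.17.79.5", "10.17.79.200", "10.17.80.5"):
        print(caller, "trusted" if is_trusted(caller, allow, deny) else "refused")
    print("broad allow entries:", broad_patterns(allow))
```

Running it shows 10.17.79.5 trusted, 10.17.79.200 refused because of the deny.ip entry, and 10.17.80.5 refused because it matches nothing in allow.ip. Pointing parse_ip_file at the real files before restarting the MDM instance is a cheap way to catch a stray * or an unintended 10.* entry.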

Umit Toptas

      Hi Rohit,

      I want to use the SSO-like feature configuration. Could you explain to me how I can do the SSO-like feature between MDM and BPM?


      Rohit Makkar (Blog Post Author)

      Hi Umit,

      You can use the same approach to achieve SSO between MDM and BPM. Let me know if you are facing any issue.