How to Configure SSO for SMP 3.0 using Cookie Based Authentication
After all the struggle and trial and error i finally figured out the way on how to configure SSO for SMP 3.0. SSO is quite required as well know for role based authorization for SAP. Earlier during MBO it was quite simple to do this but this isnt the case with SMP 3.0.
I am writting this blog post so that who ever tries this in the future doesnt undergo so much pain.
For this blog post i m using the latest version of SMP 3.0 SP6.
So lets get started.
Log in to you SAP GUI and run the transaction STRUST.
Select the SNC note and download the SAP ECC Systems Certificate
Export the file by clicking on “Export Certificate”, click on “Base 64” to save the certificate file on a directory and copy the same on the SMP Server Console
Once you have the certificate file exported, log in to the SMP Server Console and copy this file on that machine. Download Portecle from this site. We will use Portecle to import the above exported certificate into our SMP Key Store. Once downloaded , launch Portecle(its just a jar file so no need for installation) and open the SMP Keystore file.
File–>Open KeyStore File
Go the SMP KeyStore path. Its located in ~Installation Directory/SAP/MobilePlatform3/Server/configuration with the name smp_keystore.jks. It will prompt you for a password. Give the password that you used during installation of SMP Server or use the default password changeit.
Once you log in you would see something like this.
Go to Tools–>Import Trusted Certificate to import the SAP ECC Certificate we exported using STRUST.
Click on Import. It will show you the details of the certificate and then click on Next. Give an Alias for the Certificate and click on Finish.
So we have added the SAP ECC Certificate to SMP Key Store.
Next Step would be to create a Destination on Gateway Cockpit and also to create an Application on Management Cockpit
I would assume for this that you have already deployed an application on SMP. If you are not sure how to develop an SMP OData based application with SAP Netweaver Gateway i would request you to follow this blog written by my friend Jitendra Kansal
Please follow the steps from the blog post to create an Eclipse based Project, Deploying the project on SMP Server, Creating a Destination in Gateway Cockpit, Importing the IWBEP Service under the destination to our SMP Server and Assigning the Destination to the Deployed Service.
(Plz note for the above blog he is using the SAP Netweaver Demo Service from the cloud. If you do not have an account and have an on premise Netweaver Gateway and Do not know how to proceed to creating your own Service I will write a blog post for that soon 🙂 . You can now check it under this blog post on how to create a Netweaver Gateway Project for on Premise)
So now we have a Gateway Destination already built.
Go to the same tab of Destination under Gateway Cockpit and open the destination in change mode
Make the changes as below.
Under SSO Mechanism, Add SSO, Edit the Technical User(Basic) and change the password to some wrong password and Save it
1. My Destination URL here is different from the one in the blog post as I am using an onpremise url of the netweaver Gateway
2. Changing the password for the Technical User(Basic) is very important else the supplied credentials will not over ride the user credentials and everytime you call the service even with SSO it will always call the backend service with the user you configured in Technical User (Basic).
So now we are done with the Gateway Configuration for the Destination to support SSO.
Next Thing that we would be doing is to configure an Application on Management Cockpit and then give it an Authentication Mechanism.
Login to the Management Cockpit using http://localhost:8083/Admin
Click on the Settings Tab and click Security Profiles
Click on New to create a new Security Profile.
We will name it as SAP_SSO2
Give the Authentication Provider as HTTP/HTTPS Authentication and provide the same URL that we used while defining the Gateway Destination
For the Cookie Name give it as MYSAPSSO2
Click Save to save this security Config. We will assign the same security config to our application connection.
Create a new application connection by clicking on new under the Application Tab
Under Backend Connection give the URL of the Service Document of your Deployed Application on Gateway Cockpit.
It would be something like https://localhost:8083/gateway/odata/SAP/<NameofyourdeployedApplication>;v=1
Check the Internal checkbox.
Go to the Authentication Tab and Select the authentication mechanism we just created SAP_SSO2
Click on Save to save all the configuration.
Now we are all done with our configuration.
Time for Testing
You can use the Advanced Rest Client Extension of Google Chrome for this. You can use any other rest client for this purpose.
Go the the rest client and give the url for registration of user
URL : http://<hostaddress>:8080/odata/applications/latest/<applicationid we created>/Connections
Give the Headers
Content Type : application/xml
Operation : POST
And post this under the Request Body
<?xml version=’1.0′ encoding=’utf-8′?>
<d:DeviceModel m:null=”true” />
It should look something like this
Click on Send to post it. It will prompt you for credentials. Give the credentials to authenticate you against the URL that we configured for the security configuation. It will return with a status 201 which will create your user in Admin cockpit. You can check it against the application id that you should now have one registration.
Things to note are the cookies that are returned back. We have a cookie by the name X-SMP-APPCID.
Next we will test if we can now retrieve the data against that user to check if SSO is configured and SAP Returns on data for this user
With the same Rest Client give the below addres
URL : http://localhost:8080/<applicationid>/<AnyEntitySet>
In the header specify the cookie
X-SMP-APPCID and the value you got from the previous registration call
Operation : GET
Note : user GET if you entityset is used for reading operation. If there is a post operation involved you would also need an additional token of x-csrf-token.
Click on Send and you should receive Data for that particular user itself.
Hope this helps all of the people who were facing difficulty in configuring SSO.