Dear All,

After a lot of struggle and trial and error I finally figured out how to configure SSO for SMP 3.0. SSO is, as we all know, essential for role-based authorization in SAP. With MBOs this was quite simple to do, but that isn't the case with SMP 3.0.

I am writing this blog post so that whoever tries this in the future doesn't have to go through so much pain.

For this blog post I am using the latest version, SMP 3.0 SP6.

So let's get started.

Log in to your SAP GUI and run transaction STRUST.

Select the SNC node and download the SAP ECC system's certificate.

[Screenshot]

Export the certificate by clicking “Export Certificate”, choose “Base 64” as the format, save the certificate file to a directory and copy it to the SMP server machine.

[Screenshot]

Once you have the certificate file exported, log in to the SMP server machine and copy the file there. Download Portecle from this site. We will use Portecle to import the exported certificate into our SMP keystore. Once downloaded, launch Portecle (it is just a JAR file, so no installation is needed) and open the SMP keystore file.

File –> Open KeyStore File

[Screenshot]

Go to the SMP keystore path. It is located in <Installation Directory>/SAP/MobilePlatform3/Server/configuration under the name smp_keystore.jks. Portecle will prompt you for a password. Give the password that you chose during installation of the SMP server, or use the default password changeit.

Once the keystore is open you will see something like this.

[Screenshot]

Go to Tools –> Import Trusted Certificate to import the SAP ECC certificate we exported from STRUST.

[Screenshot]

[Screenshot]

Click Import. Portecle shows you the details of the certificate; click Next. Give the certificate an alias and click Finish.

We have now added the SAP ECC certificate to the SMP keystore.
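A trust store entry is only as good as the check that it really is the certificate you meant to trust, so before the Portecle import it is worth confirming two things about the file you copied over: that it is the Base 64 export STRUST produced (not a binary DER export or, worse, an HTML logon page saved by mistake) and that its fingerprint matches the one STRUST displays for the ECC certificate. The following Python script is an added example, not code from the original post or from SMP or Portecle; it accepts either a PEM (Base 64) or a DER export and prints the SHA-256 and SHA-1 fingerprints in the colon-separated form that Portecle and STRUST display. The sample bytes embedded in it are constructed and are not a real certificate.

```python
import base64
import binascii
import hashlib
import re
import sys

# STRUST's "Base 64" export is PEM: a CERTIFICATE block wrapped around Base64-encoded DER.
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def certificate_to_der(data: bytes) -> bytes:
    """Return the DER bytes of a certificate exported as PEM (Base 64) or as binary DER.

    Anything else raises ValueError, so a truncated copy or a saved error page is
    rejected here instead of ending up in the keystore.
    """
    match = PEM_BLOCK.search(data)
    if match:
        body = b"".join(match.group(1).split())  # drop the 64-column line breaks
        try:
            return base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"PEM body is not valid Base64: {exc}") from exc
    if data[:1] == b"\x30":  # DER: every X.509 certificate starts with a SEQUENCE tag
        return data
    raise ValueError("file is neither a PEM nor a DER certificate")


def fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Colon-separated uppercase hex digest, the form STRUST and Portecle display."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i : i + 2] for i in range(0, len(digest), 2))


def describe(data: bytes) -> dict:
    """Summarise an exported file: which encoding it uses and its fingerprints."""
    der = certificate_to_der(data)
    return {
        "encoding": "PEM" if PEM_BLOCK.search(data) else "DER",
        "der_length": len(der),
        "sha256": fingerprint(der, "sha256"),
        "sha1": fingerprint(der, "sha1"),
    }


# Constructed stand-in for an exported certificate: a tiny DER SEQUENCE, not a real X.509 cert.
SAMPLE_DER = b"\x30\x06\x02\x01\x05\x02\x01\x07"
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER)
    + b"-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    # Pass the exported file as the first argument; without one the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PEM
    for key, value in describe(data).items():
        print(f"{key}: {value}")
```

The same import that Portecle performs through its dialog can also be scripted with the JDK's keytool (its -importcert option against smp_keystore.jks), which helps when the keystore sits on a server without a desktop; whichever tool you use, compare the fingerprint it shows in the import confirmation with the one STRUST shows before confirming.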

The next step is to create a destination in the Gateway Cockpit and an application in the Management Cockpit.

I assume for this that you have already deployed an application on SMP. If you are not sure how to develop an SMP OData-based application with SAP NetWeaver Gateway, follow this blog written by my friend Jitendra Kansal.

Follow the steps in that blog post to create an Eclipse-based project, deploy the project on the SMP server, create a destination in the Gateway Cockpit, import the IWBEP service under that destination into our SMP server and assign the destination to the deployed service.

(Please note that in that blog he uses the SAP NetWeaver demo service from the cloud. If you do not have an account, have an on-premise NetWeaver Gateway and do not know how to create your own service, I will write a blog post on that soon 🙂. You can now find it in this blog post on how to create a NetWeaver Gateway project for on-premise.)

So now we have a Gateway destination built.

Go to the same Destinations tab in the Gateway Cockpit and open the destination in change mode.

Make the changes below.

Under SSO Mechanism, add SSO; then edit the Technical User (Basic), change its password to a deliberately wrong one, and save.

[Screenshot]

Note:

1. My destination URL here differs from the one in that blog post because I am using an on-premise NetWeaver Gateway URL.

2. Changing the password of the Technical User (Basic) is very important; otherwise the credentials supplied by the user will not override the technical user's, and every call to the service, even with SSO, will reach the backend as the user configured under Technical User (Basic).

[Screenshot]

So now the Gateway configuration of the destination supports SSO.

The next thing to do is configure an application in the Management Cockpit and give it an authentication mechanism.

Log in to the Management Cockpit at http://localhost:8083/Admin

Click the Settings tab, then Security Profiles.

Click New to create a new security profile.

We will name it SAP_SSO2.

Set the Authentication Provider to HTTP/HTTPS Authentication and provide the same URL that we used when defining the Gateway destination.

[Screenshot]

For the Cookie Name enter MYSAPSSO2.

[Screenshot]

Click Save to save this security profile. We will assign the same security profile to our application.

Create a new application by clicking New under the Applications tab.

Under Backend Connection give the URL of the service document of the application you deployed in the Gateway Cockpit.

It will look something like https://localhost:8083/gateway/odata/SAP/<NameofyourdeployedApplication>;v=1

Check the Internal checkbox.

Go to the Authentication tab and select the security profile we just created, SAP_SSO2.

[Screenshot]

Click Save to save the whole configuration.

The configuration is now complete.

Time for testing

I use the Advanced REST Client extension for Google Chrome for this; any other REST client will do.

Go to the REST client and enter the URL for registering the user:

URL : http://<hostaddress>:8080/odata/applications/latest/<applicationid we created>/Connections

Give the headers:

Content-Type : application/xml

Operation : POST

and post this as the request body:

<?xml version="1.0" encoding="utf-8"?>
<entry xmlns="http://www.w3.org/2005/Atom"
       xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices"
       xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata">
  <title type="text"/>
  <updated>2012-06-15T02:23:29Z</updated>
  <author>
    <name/>
  </author>
  <category term="applications.Connection"
            scheme="http://schemas.microsoft.com/ado/2007/08/dataservices/scheme"/>
  <content type="application/xml">
    <m:properties>
      <d:DeviceType>IOS</d:DeviceType>
      <d:DeviceModel m:null="true"/>
    </m:properties>
  </content>
</entry>

It should look something like this:

[Screenshot]

Click Send to post it. The client will prompt you for credentials; give credentials that authenticate against the URL we configured in the security profile. The call returns status 201 and creates the registration in the Admin Cockpit; if you look at the application id there you should now see one registration.

Note the cookies that are returned. There is a cookie named X-SMP-APPCID.

Next we test whether we can retrieve data for that user, to check that SSO is configured and SAP returns data for this user.

In the same REST client enter the address below:

URL : http://localhost:8080/<applicationid>/<AnyEntitySet>

In the headers specify the cookie

X-SMP-APPCID with the value you got from the registration call

Operation : GET

Note: use GET if your entity set is used for read operations. If a POST operation is involved you also need an additional x-csrf-token header.

Click Send and you should receive data for that particular user.

[Screenshot]
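The registration call and the data call above, as an added example that is not code from the original post or from SMP: a small Python client that POSTs the Connections entry with Basic credentials, keeps the X-SMP-APPCID the server issues, and then reads an entity set with that id, also fetching the x-csrf-token that a later POST would need. So that it runs offline it talks to a constructed stand-in for the SMP server running in-process; the application id com.example.orders, the entity set OrderSet, the connection id and the token value are all constructed, and nothing about their format is taken from a real SMP. Against a real server you would replace the stand-in's address with http://<hostaddress>:8080 and the credentials with the ones the security profile validates.

```python
import base64
import threading
import urllib.error
import urllib.request
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

# Registration body from the post (quotes corrected), trimmed to the DeviceType property.
REGISTRATION_BODY = b"""<?xml version="1.0" encoding="utf-8"?>
<entry xmlns="http://www.w3.org/2005/Atom" xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices"
       xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata">
  <content type="application/xml"><m:properties><d:DeviceType>IOS</d:DeviceType></m:properties></content>
</entry>"""

# The stand-in server listens on 127.0.0.1, so bypass any proxy configured in the environment.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def _request(method, url, headers, data=None):
    """Send one request; return (status, response headers, body) for 2xx and 4xx/5xx alike."""
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with _OPENER.open(req, timeout=5) as resp:
            return resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers, err.read()


def _cookie(headers, name):
    """Value of one cookie among the Set-Cookie headers, or None if it was not issued."""
    for raw in headers.get_all("Set-Cookie") or []:
        jar = SimpleCookie(raw)
        if name in jar:
            return jar[name].value
    return None


class SmpClient:
    """The registration and data-access flow from the post, X-SMP-APPCID carried as a header."""

    def __init__(self, base_url, app_id, user, password):
        self.base_url, self.app_id, self.appcid = base_url.rstrip("/"), app_id, None
        self.auth = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

    def register(self):
        """POST the Connections entry; on 201 keep the X-SMP-APPCID the server issued."""
        url = f"{self.base_url}/odata/applications/latest/{self.app_id}/Connections"
        headers = {"Authorization": self.auth, "Content-Type": "application/xml"}
        status, resp_headers, _ = _request("POST", url, headers, REGISTRATION_BODY)
        if status == 201:
            self.appcid = _cookie(resp_headers, "X-SMP-APPCID")
        return status

    def get_entity_set(self, entity_set, fetch_csrf=False):
        """Read through SMP; with fetch_csrf=True also ask for the token a later POST needs."""
        headers = {"X-SMP-APPCID": self.appcid or ""}
        if fetch_csrf:
            headers["X-CSRF-Token"] = "Fetch"
        status, resp_headers, body = _request("GET", f"{self.base_url}/{self.app_id}/{entity_set}", headers)
        return status, body, resp_headers.get("X-CSRF-Token")


class FakeSmpHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the SMP server; the connection id and token are made up."""
    APPCID, CSRF = "constructed-appcid-0001", "constructed-csrf-token"

    def log_message(self, *_):  # keep the demo output quiet
        pass

    def _reply(self, status, extra=(), body=b""):
        self.send_response(status)
        for name, value in extra:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if not self.headers.get("Authorization", "").startswith("Basic "):
            return self._reply(401, [("WWW-Authenticate", 'Basic realm="SMP"')])  # the credential prompt
        if self.path.endswith("/Connections") and b"<d:DeviceType>" in body:
            return self._reply(201, [("Set-Cookie", f"X-SMP-APPCID={self.APPCID}; Path=/")])
        return self._reply(404)

    def do_GET(self):
        if self.headers.get("X-SMP-APPCID") != self.APPCID:  # no registered connection: no data
            return self._reply(403)
        token = [("X-CSRF-Token", self.CSRF)] if self.headers.get("X-CSRF-Token", "").lower() == "fetch" else []
        return self._reply(200, token, b"<feed>constructed rows for this user</feed>")


def run_demo():
    """Run the flow against the stand-in and return what was observed at each step."""
    server = HTTPServer(("127.0.0.1", 0), FakeSmpHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        client = SmpClient(base, "com.example.orders", "user", "pw")
        reg_status = client.register()
        data_status, body, token = client.get_entity_set("OrderSet", fetch_csrf=True)
        unregistered = SmpClient(base, "com.example.orders", "user", "pw").get_entity_set("OrderSet")[0]
    finally:
        server.shutdown()
        server.server_close()
    return {"register": reg_status, "appcid": client.appcid, "data": data_status,
            "body": body, "csrf": token, "unregistered": unregistered}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The stand-in also reproduces the two failure modes worth recognising while testing: a POST without credentials gets the 401 that the REST client turns into its password prompt, and in the stand-in a GET that carries no registered X-SMP-APPCID is refused with 403, so the connection id is the thing to keep alongside the user's credentials when you automate these calls. The security profile created above depends on the Gateway URL actually returning a MYSAPSSO2 cookie to a Basic logon; you can confirm that in the same REST client by calling the destination URL directly and looking at the Set-Cookie header before testing through SMP.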

Hope this helps everyone who has had difficulty configuring SSO.

References: Tejesvi DVR, Suma S

Thanks,

Rakshit Doshi




15 Comments


  1. billy shen

    Hi Rakshit Doshi,

       Thanks for sharing, I am really interested in this article. It seems this can solve the lack-of-licence thing. Anyway, the first step in this article is exporting the certificate from SAP and importing it into SMP. However, after I did this step and tested the destination, it failed: Connection test failed – No SSO context associated with the context.

       I did a lot of searching; it seems that before the first step we should use SAPCRYPTOLIB to generate the certificate from SMP, but all the posts I found are for SUP, not SMP 3.0.

       What have you done about the SSO configuration steps? Can you provide more detail about the first steps?

    thanks,

    Billy

  2. Seenu Katha

    Hi Rakshit,

    I followed all your steps. I also looked into Suma's and Jitendra's blogs.

    Is the https://XXXX:8083/gateway/cockpit step required?

    While configuring the application, we do not mention the gateway destination anywhere, correct?

    When I create a new service using SEGW, it always goes to namespace sap instead of IWBEP. So when I try to register the service using the Gateway Cockpit, it fails.

    Maybe that is the reason why, when I test using the REST client to get the cookie id, authentication fails when I enter my gateway service user id and password.

    Can you please help?

    Thanks

    seenu

      1. Seenu Katha

        Hi Rakshit,

        1. Imported the certificate successfully from my ABAP system, where GW is installed, into the SMP keystore.

        2. Configured the GW destination in the SMP Gateway Cockpit. Here I am giving the complete URL including the service name. In the example, https://sapes1.sapdevcenter.com:443/sap/iwbep?sap-client=520, we do not give the service name in the URL, but in my case I cannot end at iwbep as my namespace is sap/opu/odata/sap/. If I enter sap/opu/odata/sap?sap-client=100 it does not configure the destination correctly.

        3. So I could not register the service properly. I thought these settings would be overwritten by the application anyway. Mine is an on-premise GW system.

        4. Configured the security profile in the SMP admin console.

        5. Configured the SMP application and security profile with the Internal checkbox checked.

        6. Then I try the URL; it asks for user id and password. I enter my ABAP system GW user id and password. There the authentication fails.

        http://localhost:8080/odata/applications/latest/com.orders.ed1/Connections,

        or

        https://localhost:8083/gateway/odata/SAP/ZED1_SRV_ORDERS_SRV;v=1

        Could it be a problem with my ABAP system certificate? Please help.

        Thanks

        seenu

            1. Michael Appleby

              Seenu,

              Private information should only be shared by DM (Direct Message) or by making it publicly available in your Profile. Your email address was removed because it violates the Rules of Engagement (see the Getting Started link at the top right).

              Regards, Mike (Moderator)

              SAP Technology RIG

      1. Basis Support Tech

        Hi Rakshit,

        I have done as you suggested: imported the back-end system certificate into SMP and created the destination with SSO2 and Technical User (Basic) with a wrong password; while saving I get error 403 Forbidden.

        Attaching a screenshot, please help me to solve this.

        Regards

        Chandra

        [Screenshot: sso2.JPG]

