<b>Objective:</b><br>
To set up SSO so that users can reach the SAP systems in this landscape with a single logon instead of authenticating separately against each one.
<br><br>
<b>System Landscape:</b><br>
EP6.0 SP6 + Guided Procedures + Composite Application Framework installed on WebAS 640, with the Web Dynpro applications on the same host. The backend is an R/3 4.7 (472). Because the Web Dynpro applications run on the same WebAS installation as the portal, there is only a single UME (User Management Engine). I think this is the simplest configuration: one UME mapped to one R/3 system.<br><br>
<b>Procedure:</b><br>
To put it simply: we export the public certificate of the logon-ticket signing key pair from the WebAS (or EP), import it into the R/3 system, and configure R/3 so that it accepts logon tickets signed with that key. We also have to add the issuing system and client to the ACL (Access Control List), because a certificate in the certificate list is not enough on its own: the ticket's issuer must also be listed in the ACL. Find the detailed step-by-step procedure below.
<br><br>
1. Set the profile parameter login/accept_sso2_ticket = 1. Set login/create_sso2_ticket = 0 unless this server should also issue tickets itself; in this landscape R/3 only needs to accept them. (Use DEFAULT.PFL.) Remember you need to talk to the ever helpful Basis person to get this done.
<br>
<br>
2. Download the certificate from the Web AS (or) Enterprise Portal. (Talk to your Web AS administrator or the EP System Administrator.) Export only the certificate (verify.der), never the private key of the pair: anyone holding that key can sign logon tickets for any user ID.<br>
Web AS:<br>
In the Visual Administrator, navigate to "Server -> Services -> Key Storage -> Ticket Keystore -> SAP Logon Ticket Key Pair-Cert" and press the "Export" button.<br>
Enterprise Portal:<br>
Navigate to "System Administration -> System Configuration -> Keystore Administration -> SAP Logon Ticket Key Pair-Cert" and press the "Download verify.der File" button.<br>
<br><br>
3. Go to transaction STRUSTSSO2, import the certificate (verify.der) and add it to the certificate list of the system PSE. (Talk to your ABAP Basis person again.)
<br><br>
4. Add the issuing system to the ACL ("Add to ACL" in the same transaction). You have to enter the WPS System and the WPS Client.<br>
WPS System: the system ID of the issuing WebAS/EP. Click on the certificate and take the CN from the "Issued By" value; for the default SAP Logon Ticket certificate this is the Java system's SID.<br>
WPS Client: enter "000" (three zeros), the client the Java engine stamps into the tickets it issues.
<br><br>
5. The certificate list in STRUSTSSO2 is client-independent, but the ACL is client-specific. If you want to allow SSO into more than one R/3 client, log on to each additional client and add only the ACL entry again there; the certificate does not have to be imported a second time.
<br><br>
6. Create user IDs in WebAS/EP that match those in R/3 exactly: the logon ticket carries only the user ID, and the backend looks that ID up as-is. If you don't want to create that many identical users, use "User Mapping" (refer to the help portal). But to begin with I suggest you create corresponding users, even if you are enabling SSO for many users.
<br><br>
7. In the "Web Dynpro Content Administrator", change the JCo connection settings accordingly:<br>
I. Set the Model data logical destination to UseSSO, so the portal user's logon ticket is forwarded and the backend authorization checks run as that user.<br>
II. Set the Metadata logical destination to DefinedUser, i.e. a fixed service user (because the metadata is common for all users).
<br><br>
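Steps 2 to 4 hinge on reading the right values off the exported certificate. The script below is an added example, not part of the original post or SAP's own tooling: it uses openssl to print the fields you compare in STRUSTSSO2 and to pull the "Issued By" CN that goes into the WPS System field. Because it must run offline it first constructs a self-signed stand-in for verify.der; the SID "J2E" and the DN pattern CN=&lt;SID&gt;,OU=J2EE,O=SAP Trust Community are assumptions about what the Java engine generates.

```shell
#!/bin/sh
# Added example (not from the original post). Inspects a verify.der-style certificate
# with openssl to pull out the values needed in STRUSTSSO2 and its ACL.
# Assumptions: SID "J2E" and the DN pattern CN=<SID>,OU=J2EE,O=SAP Trust Community.
set -eu

# Build a constructed stand-in for verify.der: a self-signed DER certificate, like the
# one exported from the Java keystore. The private key is discarded immediately, which
# mirrors the rule that only the certificate ever leaves the Java engine.
make_stub_verify_der() {
  out="$1"
  tmpkey="$(mktemp)"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$tmpkey" \
    -subj "/CN=J2E/OU=J2EE/O=SAP Trust Community" -days 365 \
    -outform DER -out "$out" >/dev/null 2>&1
  rm -f "$tmpkey"
}

# The CN of the "Issued By" DN is the value for the WPS System field of the ACL.
issuer_cn() {
  openssl x509 -inform DER -in "$1" -noout -issuer -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Summary to compare against what STRUSTSSO2 shows after the import:
# subject, issuer, validity window and SHA-1 fingerprint.
cert_summary() {
  openssl x509 -inform DER -in "$1" -noout -subject -issuer -dates -fingerprint -sha1
}

# Returns success if subject and issuer match. The default SAP Logon Ticket certificate
# is self-signed, so a CA-issued file here usually means the wrong keystore entry was
# exported.
check_self_signed() {
  subj="$(openssl x509 -inform DER -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')"
  iss="$(openssl x509 -inform DER -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')"
  [ "$subj" = "$iss" ]
}

# Usage: ./inspect_verify_der.sh verify.der
if [ "${1:-}" != "" ]; then
  cert_summary "$1"
  check_self_signed "$1" || echo "warning: certificate is not self-signed; check which keystore entry was exported"
  echo "WPS System (ACL entry): $(issuer_cn "$1")"
fi
```

Run it against the real verify.der and compare the fingerprint with the one STRUSTSSO2 displays after the import; a mismatch means the backend trusts a different key than the one the Java engine signs with, and tickets will be rejected.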
At runtime the R/3 system first checks the ticket's signature against the imported certificate and the issuing system and client against the ACL; only then is the user ID carried in the ticket matched against the R/3 user. If the IDs are the same, access is granted according to that user's authorizations in R/3. No password is exchanged in this process, so the passwords in the UME and in R/3 can be different. The flip side is that the whole trust rests on the Java engine's ticket signing key: protect that keystore accordingly.
<br><br>
Search for "User Authentication and Single Sign-On" on help.sap.com for complete information.
<br><br>
Also recommended is this excellent article
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sapportals.km.docs/documents/a1-8-4/sso%2...
<br><br>