Connector for SAP Business Suite - Developer's Manual part 4 - Personalized SAP access / Single Sign On (SSO)

More information In some scenarios, it is necessary to use a personalized SAP access. At least the system user stored in the SAP data source is used for access to SAP. However, it is also possible to use a user-dependent SAP user to then observe the permissions defined in the SAP system or avoid logging in to SAP again. This section will explain how requirements such as

  • Password check by SAP

  • Access to SAP with the real SAP user

  • Calling SAP websites (WebDynpro, BSP applications) with Single Sign On (SSO)

  • Starting SAPGUI transactions with the transfer of parameters

can be implemented.

Login mode

The login mode plays a role in many places with SAP access. The following login modes are used by the Connector for SAP Business Suite:

Login mode

Use

system

Use the system user defined in the SAP data source

user

Exclusive use of the personal login information of the logged-in portal user. This information is determined without login information being determined. If this information is incorrect, access to SAP is not possible. This information is determined without login information being determined. If this information is incorrect, access to SAP is not possible.

mixed

Intrexx attempts to make access in the user mode. If this is not successful, the system mode is used.

The login information for each portal user can be defined as an external login in the Intrexx User Manager.

The external login used to log in to the SAP system can be specified in the SAP data source.

Alternatively, a portal login with a password check against the SAP system is possible. Here, the password entered is checked against the specified SAP system. Intrexx needs to have an identically named user base for this. Parallel password maintenance / replication is not necessary in this case. This login method also enables Single Sign On scenarios via SAP logon tickets. Via the script API of the Connector for SAP Business Suite, you can deliberately influence the personalized access to enable further login scenarios in projects.

SAP login modules

Intrexx login modules enable authorization to the portal from external positions. The check against an external LDAP server is included in the standard login modules, for example. The portal login can be configured to run different login modules one after the other until one of the login modules has authorized the portal user. Intrexx must have a user master for each possible portal user. This does not have to contain a password check but needs to be able to be replicated via Intrexx tools. The Connector for SAP Business Suite comes with its own login modules that implement the password checks from SAP for SAP users, SU05 internet users or SAP business partners. The portal login and the login module to be called are managed in the configuration file "LucyAuth.cfg" of the portal. A login configuration that first checks the SAP user master, then the SU05 Internet users of the customer master and then the Intrexx standard login is shown here: 

SapUserAuth
{
	net.initall.ixapi.auth.IxSAPLoginModuleUser sufficient
		instance="saperp"
		mapuser=false
		initjco=false
		debug=false;

	net.initall.ixapi.auth.IxSAPLoginModuleIUser sufficient
		instance="saperp"
		logintype="KNA1"
		initjco=false
		debug=false;

	de.uplanet.lucy.server.auth.module.intrexx.IntrexxLoginModule sufficient
		debug=false;

	de.uplanet.lucy.server.auth.module.anonymous.AnonymousLoginModule sufficient
		debug=false;
};

This configuration is then activated via the User menu / Configuration / Authentication in the Users module of the Portal Manager.

The SAP login module used here is the prerequisite for generating SAP logon tickets that are used in Single Sign On scenarios. When the portal user successfully logs in to the SAP system, such a ticket is automatically generated, which can then be used later to integrate SAP internet pages or SAP shortcuts.

Single Sign On with SAP logon tickets

Single Sign On (SSO) or avoiding unnecessary multiple logins is achieved with Intrexx via SAP logon tickets. For more information, see SAP Note 304450, for example. The SAP server must issue and accept SSO tickets (RZ10 parameters "login/accept*" and "login/create*"). Transaction "TRUSTSSO2" must also be initialized. The portal generates a ticket using the SAP function module "SUSR_CHECK_LOGON_DATA" in the specified SAP system, which is later available for SSO scenarios. This procedure is provided by the SAP login modules. The SAP System must be configured to use logon tickets (see SAP Note "612670"). Currently, there is only support for authorization with an SAP user name/alias and password (function module "SUSR_CHECK_LOGON_DATA: AUTH_METHOD ="P""). Further tests may be made available at a later date or can be implemented in projects.

More information

General

Installation

Creating a connection

Integration in applications

SAP Script Generator

SAP Trust Manager SSO configuration

API description Part 1 - Overview

API description Part 2 - SAP Portal Plugin

API description Part 3 - Implementing custom processing modules

API description Part 4 - Sample coding

Developer's Manual Part 1

Developer's Manual Part 2 - Integration scenario, SAP external data group

Developer's Manual Part 3 - Scripting integration scenario

Developer's Manual Part 5 - Add-ons

Developer's Manual Appendix

Developer's Manual - Example Coding