Connector for SAP Business Suite - SAP Trust Manager SSO configuration

General

With the Trust Manager module of the Connector for SAP Business Suite, Single Sign On (SSO), and therefore an automatic authentication for Intrexx users, can be implemented in SAP. To do this, the module generates an SSO ticket per user session based on a cryptographic process. Intrexx uses this SSO ticket to authenticate the portal user for accessing SAP. In the same way, SAP users can access Intrexx without having to log in again. In the following, the setup for the Trust Manager module in Intrexx and SAP will be described. More information about this topic can also be found in the Developer's Manual Part 1.

Installation

To configure the Trust Manager SSO, an application is provided with Intrexx that you can import into your portal as usual. You can find the import file "sap-business-suite-connector.zip" in the installation directory adapter/sap. In order to use the application, the Connector for SAP Business Suite must be installed and configured.

This image shows the homepage of the application in the browser. To start the Trust Manager module click on "SAP Trust Manager (SSO)".

PSE keystore

A PSE keystore with the certificate for signing the SSO ticket with the target "internal/cfg/security/system.pse" in the portal directory is required. Keystore properties:

  • Type: JKS

  • Provider: SUN

  • Type: Key Pair

  • Public Key: DSA (1,024 bits)

  • Signature Algorithm: SHA1withDSA

The keystore can be created by clicking on "New entry" or alternatively with the Java Keytool.

PSE

Enter the title here.

Organization

Enter the organisation here.

Organizational unit

Enter the organization unit here.

Country

Enter the country code here.

Password

Enter the password for the keystore here.

Then click on Save.

Here, click on "Select data set".

The certificate can be downloaded by clicking on "Certificate".

SSO parameter

Click on "SSO parameters".

Here, click on "New parameter".

Parameters

Enter the "SYSID" here.

Value

Enter the SID of the SAP system. Then click on Save.

Activate SSO

Here, click on "Activate SSO".

Activate the setting "Activate SSO" and then click on "Save".

Login

For an Intrexx user to log in to the SAP system with SSO, the Intrexx username must correspond to the SAP username. Alternatively, the SAP user name can be stored in the Intrexx session using the key "sapsso_user". If this is not defined, a search will be performed in the table "xia_sec_user_mapping" for the mapping for the user. If a mapping is not found, the Intrexx username must match the SAP username. So that the SSO ticket is generated automatically when an Intrexx user logs in, the login process "SAP Business Suite Connector" must be activated in the Processes module.

The action "SAP Trust manager" checks whether the user exists in SAP and then generates the SSO ticket that is stored in the session for further accesses.

SAP configuration

  1. So that RFC connections between Intrexx and SAP are permitted, the profile parameter "gw/acl_mode" should be set to 0 or the corresponding ACL files should be adjusted in SAP. The parameter can be defined or modified via the transaction "RZ10". The SAP system needs to be restarted afterwards.

  2. Now, the certificate downloaded earlier by Intrexx needs to be uploaded to SAP. The transaction "STRUSTSSO2" needs to be called for this.

  3. Open "Certificate / Import" and select the certificate file.

  4. The certificate should now be shown under "Certificate".

  5. Click on "Add to Certificate List" and then "Add to ACL".

  6. The certificate should now be in the certificate list as well as under "Login Ticket" under "ACL". Check whether the SID and Client ID match.

  7. Leave the transaction.

  8. Open the transaction "SM59" to test the TCP connection from SAP to Intrexx.

  9. There needs to be an appropriate connection to the SAP system and Intrexx portal under TCP/IP connections (here: Portal "SAP70" and SID "UP1").

  10. Double-click on the connection and then click on "Connection Test". The result should look something like the following:

  11. Leave the transaction.

  12. Test the SSO ticket with the transaction "SSO2".

  13. Select the RFC connection to Intrexx under "Destination" and then perform the test.

  14. The result should look something like the following:

If errors occur, please view the log file.

More information

General

Installation

Creating a connection

SAP Script Generator

SAP Trust Manager SSO configuration

API description Part 1 - Overview

API description Part 2 - SAP Portal Plugin

API description Part 3 - Implementing custom processing modules

API description Part 4 - Sample coding

Developer's Manual part 1

Developer's Manual Part 2 - Integration scenario, SAP external data group

Developer's Manual Part 3 - Scripting integration scenario

Developer's Manual Part 4 - Personalized SAP Access / Single Sign On (SSO)

Developer's Manual Part 5 - Add-ons

Developer's Manual Appendix

Developer's Manual - Example Coding