Connector for SAP Business Suite - SAP Trust Manager SSO configuration
General
With the Trust Manager module of the Connector for SAP Business Suite, Single Sign On (SSO), and therefore an automatic authentication for Intrexx users, can be implemented in SAP. To do this, the module generates an SSO ticket per user session based on a cryptographic process. Intrexx uses this SSO ticket to authenticate the portal user for accessing SAP. In the same way, SAP users can access Intrexx without having to log in again. In the following, the setup for the Trust Manager module in Intrexx and SAP will be described. Further information on this topic can also be found in the developer manual part 1.
Installation
For the Trust Manager SSO configuration, an application is delivered with Intrexx that you can easily import into your portal. You will find the import file "sap-business-suite-connector.zip" in the installation directory "adapter/sap". The prerequisite for using the application is the installation and configuration of the connector for SAP Business Suite.
This image shows the homepage of the application in the browser. To start the Trust Manager module, click on "SAP Trust Manager (SSO)".
PSE keystore
A PSE keystore containing the certificate used to sign the SSO tokens is required. It must be stored at "internal/cfg/security/system.pse" in the portal directory. Keystore properties:
- Type: JKS
- Provider: SUN
- Type: Key Pair
- Public key: DSA (1,024 bits)
- Signature Algorithm: SHA1withDSA
The keystore can be created here by clicking on "New entry" or alternatively with the Java keytool.
PSE
Enter the title here.
Organisation
Enter the organisation here.
Organizational unit
Enter the organizational unit here.
Country
Enter the country code here.
Password
Enter the password for the keystore here.
Click "Save".
Click on "Select data record".
Click on "Certificate" to download the certificate.
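The keytool alternative mentioned above, together with a check that an existing keystore matches the listed properties, as an added example that is not part of the Intrexx documentation. The alias, the DN values and the mapping of the form's title field to CN are assumptions; the sample listing is constructed.

```shell
#!/bin/sh
# Added example: create and verify the PSE keystore with keytool.
# Alias and DN values are placeholders, not names taken from the Intrexx docs.

# create_pse PORTAL_DIR ALIAS DNAME
# No -storepass is given, so keytool prompts for the keystore password
# instead of exposing it on the command line.
create_pse() {
    ks="$1/internal/cfg/security/system.pse"
    # -storetype JKS is explicit because JDK 9 and later default to PKCS12.
    keytool -genkeypair -alias "$2" -dname "$3" \
        -keyalg DSA -keysize 1024 -sigalg SHA1withDSA \
        -storetype JKS -keystore "$ks" &&
    # Export the public certificate that is later imported in STRUSTSSO2.
    keytool -exportcert -alias "$2" -storetype JKS -keystore "$ks" \
        -rfc -file "$2.crt"
}

# check_pse_listing: reads `keytool -list -v` output on stdin and confirms
# each listed property. Substring matching tolerates the "(weak)" marker
# that current JDKs append to SHA1withDSA and 1024-bit DSA entries.
# Usage: keytool -list -v -keystore .../system.pse | check_pse_listing
check_pse_listing() {
    listing=$(cat)
    rc=0
    for want in \
        'Keystore type: JKS' \
        'Keystore provider: SUN' \
        'Entry type: PrivateKeyEntry' \
        'Signature algorithm name: SHA1withDSA' \
        'Subject Public Key Algorithm: 1024-bit DSA key'
    do
        if ! printf '%s\n' "$listing" | grep -qiF -- "$want"; then
            echo "mismatch: expected '$want'" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of `keytool -list -v` output (not from a real system).
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Alias name: intrexx-sso
Entry type: PrivateKeyEntry
Owner: CN=Example PSE, OU=IT, O=Example Org, C=DE
Signature algorithm name: SHA1withDSA
Subject Public Key Algorithm: 1024-bit DSA key'
```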
SSO parameter
Click on "SSO parameters".
Click on "New parameter".
Parameters
Enter "SYSID" here.
Value
Enter the SID of the SAP system. Click "Save".
Activate SSO
Click on "Activate SSO".
Enable the "Activate SSO" setting and click on "Save".
Login
For an Intrexx user to log in to the SAP system with SSO, the Intrexx username must correspond to the SAP username. Alternatively, the SAP user name can be stored in the Intrexx session with the key "sapsso_user". If this is not defined, the "xia_sec_user_mapping" table is checked for a mapping for the user. If none is found, the Intrexx user name must match the SAP user name. In order for the SSO ticket for SAP to be generated automatically when a user logs in to Intrexx, the login process must be activated in the "SAP Business Suite Connector" process.
The "SAP Trust Manager" action checks whether the user exists in SAP and then generates the SSO ticket, which is stored in the session for further access.
SAP configuration
- To allow RFC connections between Intrexx and SAP, the profile parameter "gw/acl_mode" must be set to 0 or the corresponding ACL files must be maintained in SAP. The parameter can be defined or changed via transaction "RZ10". The SAP system needs to be restarted afterwards.
- Now, the certificate downloaded earlier from Intrexx needs to be uploaded to SAP. To do this, call up transaction "STRUSTSSO2".
- Call up "Certificate / Import" and select the certificate file.
- The certificate should now be displayed under "Certificate".
- Click "Add to Certificate List" and then "Add to ACL".
- The certificate should now be in the certificate list as well as under "Logon Ticket" under "ACL". Check whether the SID and Client ID match.
- Leave the transaction.
- Call up the transaction "SM59" to test the TCP connection from SAP to Intrexx.
- Among the TCP/IP connections, there must be a suitable connection to the SAP system and Intrexx portal (here, for example, portal "SAP70" and SID "UP1").
- Double-click on the connection and then click on "Connection test". The result should look something like the following:
- Leave the transaction.
- Test the SSO ticket with the "SSO2" transaction.
- Select the RFC connection to Intrexx under "Destination" and run the test.
- The result should look something like the following:
In the event of an error, follow the instructions in the protocol.
More information
SAP Trust Manager SSO configuration
API Description Part 1 - Overview
API Description Part 2 - SAP Portal Plugin
API description part 3 - Implementation of own processing modules
API description part 4 - sample coding
Developer's Guide Part 2 - Integration scenario SAP external data group
Developer's Guide Part 3 - Scripting integration scenario
Developer Manual Part 4 - Personalized SAP Access / Single Sign On (SSO)