Connector for SAP Business Suite - SAP Trust Manager SSO configuration

General

With the Trust Manager module of the Connector for SAP Business Suite, Single Sign On (SSO), and therefore an automatic authentication for Intrexx users, can be implemented in SAP. To do this, the module generates an SSO ticket per user session based on a cryptographic process. Intrexx uses this SSO ticket to authenticate the portal user for accessing SAP. In the same way, SAP users can access Intrexx without having to log in again. In the following, the setup for the Trust Manager module in Intrexx and SAP will be described. Further information on this topic can also be found in the developer manual part 1.

Installation

For the Trust Manager SSO configuration, an application is delivered with Intrexx that you can easily import into your portal. You will find the import file "sap-business-suite-connector.zip" in the installation directory "adapter/sap". The prerequisite for using the application is the installation and configuration of the connector for SAP Business Suite.

This image shows the homepage of the application in the browser. To start the Trust Manager module, click on "SAP Trust Manager (SSO)".

PSE keystore

A PSE keystore with the certificate for signing the SSO tokens with the destination "internal/cfg/security/system.pse" in the portal directory is required. Keystore properties:

  • Type: JKS

  • Provider: SUN

  • Type: Key Pair

  • Public key: DSA (1,024 bits)

  • Signature Algorithm: SHA1withDSA

The keystore can be created here by clicking on "New entry" or alternatively with the Java key tool.

PSE

Enter the title here.

Organisation

Enter the organisation here.

Organizational unit

Enter the organization unit here.

Country

Enter the country code here.

Password

Enter the password for the keystore here.

Click "Save".

Click here on "Select data record".

Click on "Certificate" to download the certificate.

SSO parameter

Click here on "SSO parameters".

Click here on "New parameter".

Parameters

Enter "SYSID" here.

Value

Enter the SID of the SAP system. Click "Save".

Activate SSO

Click here on "Activate SSO".

Set the "Activate SSO" setting here and click on "Save".

Login

For an Intrexx user to log in to the SAP system with SSO, the Intrexx username must correspond to the SAP username. Alternatively, the SAP user name can be stored in the Intrexx session with the key "sapsso_user". If this is not defined, the "xia_sec_user_mapping" table is checked for a mapping for the user. If none is found, the Intrexx user name must match the SAP user name. In order for the SSO ticket for SAP to be generated automatically when a user logs in to Intrexx, the login process must be activated in the "SAP Business Suite Connector" process.

The "SAP Trust Manager" action checks whether the user exists in SAP and then generates the SSO ticket, which is stored in the session for further access.

SAP configuration

  1. To allow RFC connections between Intrexx and SAP, the profile parameter "gw/acl_mode" must be set to 0 or the corresponding ACL files must be maintained in SAP. The parameter can be defined or changed via transaction "RZ10". The SAP system needs to be restarted afterwards.

  2. Now, the certificate downloaded earlier by Intrexx needs to be uploaded to SAP. To do this, transaction "STRUSTSSO2" must be called up.

  3. Call up "Certificate / Import" and select the certificate file.

  4. The certificate should now be displayed under "Certicifate".

  5. Click "Add to Certificate List" and then "Add to ACL".

  6. The certificate should now be in the certificate list as well as under "Logon Ticket" under "ACL". Check whether the SID and Client ID match.

  7. Leave the transaction.

  8. Call up the transaction "SM59" to test the TCP connection from SAP to Intrexx.

  9. Among the TCP/IP connections, there must be a suitable connection to the SAP system and Intrexx portal (here, for example, portal "SAP70" and SID "UP1").

  10. Double-click on the connection and then click on "Connection test". The result should look something like the following:

  11. Leave the transaction.

  12. Test the SSO ticket with the "SSO2" transaction.

  13. Select the RFC connection to Intrexx under "Destination" and run the test.

  14. The result should look something like the following:

In the event of an error, follow the instructions in the protocol.

More information

General

Installation

Create connection

SAP Script Generator

SAP Trust Manager SSO configuration

API Description Part 1 - Overview

API Description Part 2 - SAP Portal Plugin

API description part 3 - Implementation of own processing modules

API description part 4 - sample coding

Developer manual part 1

Developer's Guide Part 2 - Integration scenario SAP external data group

Developer's Guide Part 3 - Scripting integration scenario

Developer Manual Part 4 - Personalized SAP Access / Single Sign On (SSO)

Developer's Guide Part 5 - Addons

Developer manual Appendix

Developer manual - Sample coding