Connector for SAP Business Suite - Developer's Manual Part 4 - Personalized SAP access / Single Sign On (SSO)
In some scenarios a personalized SAP access is required. By default, the system user stored in the SAP data source is used for every access to SAP. It is also possible to use an SAP user that depends on the logged-in portal user, so that the permissions defined in the SAP system are observed or a second login to SAP is avoided. This section explains how requirements such as

- Password check by SAP
- Access to SAP with the real SAP user
- Calling SAP websites (WebDynpro, BSP applications) with Single Sign On (SSO)
- Starting SAPGUI transactions with transfer of parameters

can be implemented.
Login mode
The login mode plays a role in many places with SAP access. The following login modes are used by the Connector for SAP Business Suite:
Login mode | Use
---|---
system | The system user defined in the SAP data source is used.
user | Only the personal credentials of the logged-in portal user are used. If no such credentials can be determined, or they are incorrect, access to SAP is not possible; there is no fallback to the system user.
mixed | Intrexx first attempts access in user mode. If this is not successful, system mode is used.
The login information for each portal user can be defined as an external login in the Intrexx User Manager.
Which external login is used for connecting to the SAP system can be specified in the SAP data source.
Alternatively, a portal login with a password check against the SAP system is possible: the password entered in the portal is verified against the specified SAP system. For this, Intrexx must contain a user master record with the same user name as in SAP; parallel password maintenance or password replication is not necessary. This login method also enables Single Sign On scenarios via SAP logon tickets. Via the script API of the Connector for SAP Business Suite, the personalized access can be influenced deliberately to enable further login scenarios in projects.
SAP login modules
Intrexx login modules allow portal users to be authenticated against external sources; a check against an external LDAP server, for example, is part of the standard login modules. The portal login can be configured to run several login modules one after the other until one of them has authenticated the portal user. Intrexx must hold a user master record for each possible portal user; this record does not need to carry a password for the check, but it must exist and can be replicated with Intrexx tools. The Connector for SAP Business Suite comes with its own login modules that implement the SAP password check for SAP users, SU05 Internet users or SAP business partners. The portal login and the login modules to be called are managed in the portal's configuration file "LucyAuth.cfg". A login configuration that first checks the SAP user master, then the SU05 Internet users of the customer master (KNA1), then the Intrexx standard login, and finally allows anonymous access, looks like this:
```
SapUserAuth
{
    net.initall.ixapi.auth.IxSAPLoginModuleUser sufficient
        instance="saperp"
        mapuser=false
        initjco=false
        debug=false;
    net.initall.ixapi.auth.IxSAPLoginModuleIUser sufficient
        instance="saperp"
        logintype="KNA1"
        initjco=false
        debug=false;
    de.uplanet.lucy.server.auth.module.intrexx.IntrexxLoginModule sufficient
        debug=false;
    de.uplanet.lucy.server.auth.module.anonymous.AnonymousLoginModule sufficient
        debug=false;
};
```
This configuration is then activated via the User menu / Configuration / Authentication in the Users module of the Portal Manager.
The SAP login module used here is the prerequisite for generating the SAP logon tickets used in Single Sign On scenarios. When the portal user logs in to the SAP system successfully, such a ticket is generated automatically and can be used later to integrate SAP Internet pages or SAP shortcuts.
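The following is an added example and not code from the Connector for SAP Business Suite or Intrexx. It parses the LucyAuth.cfg block above and replays a portal login through the module chain, assuming the standard JAAS control-flag semantics (required, requisite, sufficient, optional) that this configuration format follows. The four login modules are replaced by constructed stubs with made-up users (MILLER, 4711, admin) and passwords; the real modules check against the SAP user master, the SU05 Internet users and the Intrexx user store. The last run is the one to note: a wrong SAP password does not reject the login, it falls through to the AnonymousLoginModule, so the calling code must look at which module actually authenticated the user and not only at the success flag.

```python
"""JAAS-style login chain simulation for a LucyAuth.cfg configuration.

Added example, not Intrexx or SAP code. The stub modules, users and
passwords below are constructed for illustration only.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input: the LucyAuth.cfg block shown on this page.
SAMPLE_CFG = """
SapUserAuth
{
    net.initall.ixapi.auth.IxSAPLoginModuleUser sufficient
        instance="saperp" mapuser=false initjco=false debug=false;
    net.initall.ixapi.auth.IxSAPLoginModuleIUser sufficient
        instance="saperp" logintype="KNA1" initjco=false debug=false;
    de.uplanet.lucy.server.auth.module.intrexx.IntrexxLoginModule sufficient
        debug=false;
    de.uplanet.lucy.server.auth.module.anonymous.AnonymousLoginModule sufficient
        debug=false;
};
"""

JAAS_FLAGS = {"required", "requisite", "sufficient", "optional"}


@dataclass
class ModuleEntry:
    clazz: str
    flag: str
    options: dict = field(default_factory=dict)


def parse_lucyauth(text):
    """Parse 'Name { class flag key=value ...; ... };' blocks into {name: [ModuleEntry]}."""
    configs = {}
    for name, body in re.findall(r"(\w+)\s*\{(.*?)\}\s*;", text, re.S):
        entries = []
        for stmt in body.split(";"):
            tokens = stmt.split()
            if not tokens:
                continue                      # whitespace after the last ';'
            clazz, flag, *opts = tokens
            if flag.lower() not in JAAS_FLAGS:
                raise ValueError(f"{clazz}: unknown JAAS control flag {flag!r}")
            options = {k: v.strip('"') for k, _, v in (o.partition("=") for o in opts)}
            entries.append(ModuleEntry(clazz, flag.lower(), options))
        configs[name] = entries
    return configs


def run_login(entries, modules, user, password):
    """Replay the chain with JAAS control-flag semantics.

    modules maps a module class name to a callable (user, password) -> bool.
    Returns (overall_success, class of the first module that accepted the user, or None).
    """
    required_failed = False
    first_success = None
    has_required = any(e.flag in ("required", "requisite") for e in entries)
    for entry in entries:
        ok = modules[entry.clazz](user, password)
        if ok and first_success is None:
            first_success = entry.clazz
        if entry.flag in ("required", "requisite") and not ok:
            required_failed = True
            if entry.flag == "requisite":     # requisite failure stops the chain at once
                return False, None
        elif entry.flag == "sufficient" and ok:
            # sufficient success short-circuits: later modules are never consulted,
            # but an earlier required/requisite failure still fails the login
            return (not required_failed), (None if required_failed else first_success)
    if required_failed:
        return False, None
    if has_required:
        return True, first_success
    return (first_success is not None), first_success   # only sufficient/optional modules


def make_stub_modules():
    """Constructed stand-ins for the real modules, each with a made-up user set."""
    sap_users = {"MILLER": "sap-pw"}          # would be the SAP user master
    internet_users = {"4711": "iuser-pw"}      # would be SU05 Internet users (KNA1)
    intrexx_users = {"admin": "ix-pw"}         # would be the Intrexx user store
    return {
        "net.initall.ixapi.auth.IxSAPLoginModuleUser": lambda u, p: sap_users.get(u) == p,
        "net.initall.ixapi.auth.IxSAPLoginModuleIUser": lambda u, p: internet_users.get(u) == p,
        "de.uplanet.lucy.server.auth.module.intrexx.IntrexxLoginModule": lambda u, p: intrexx_users.get(u) == p,
        "de.uplanet.lucy.server.auth.module.anonymous.AnonymousLoginModule": lambda u, p: True,
    }


def authenticate(user, password, cfg_text=SAMPLE_CFG, config_name="SapUserAuth"):
    """Run a login against the named configuration using the stub modules."""
    entries = parse_lucyauth(cfg_text)[config_name]
    return run_login(entries, make_stub_modules(), user, password)


if __name__ == "__main__":
    for u, p in [("MILLER", "sap-pw"), ("4711", "iuser-pw"), ("admin", "ix-pw"), ("MILLER", "wrong")]:
        ok, module = authenticate(u, p)
        print(f"{u:7} {'OK  ' if ok else 'FAIL'} via {module}")
```

Because every entry is flagged sufficient and the anonymous module is last, the chain as configured never returns a failure; if anonymous portal access is not wanted, drop that last entry and the same wrong-password run is rejected.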
Single Sign On with SAP logon tickets
Single Sign On (SSO), that is, avoiding unnecessary repeated logins, is achieved with Intrexx via SAP logon tickets (see SAP Note 304450, for example). The SAP server must issue and accept SSO tickets (profile parameters "login/accept*" and "login/create*", maintained with transaction RZ10), and the trust relationship must be set up in transaction STRUSTSSO2. The portal generates the ticket via the SAP function module "SUSR_CHECK_LOGON_DATA" in the specified SAP system; the ticket is then available for later SSO scenarios. This procedure is provided by the SAP login modules. The SAP system must be configured to use logon tickets (see SAP Note 612670). Currently, only authentication with an SAP user name or alias and password is supported (function module "SUSR_CHECK_LOGON_DATA" with AUTH_METHOD = "P"). Further authentication methods may be made available at a later date or can be implemented in projects.
More information

- SAP Trust Manager SSO configuration
- API description Part 1 - Overview
- API description Part 2 - SAP Portal Plugin
- API description Part 3 - Implementing custom processing modules
- API description Part 4 - Sample coding
- Developer's Manual Part 2 - Integration scenario, SAP external data group
- Developer's Manual Part 3 - Scripting integration scenario