Connector for SAP Business Suite - SAP Trust Manager SSO configuration
General
The Trust Manager module of the Connector for SAP Business Suite implements Single Sign-On (SSO), so that Intrexx users are authenticated in SAP automatically. To do this, the module generates an SSO ticket per user session based on a cryptographic process. Intrexx uses this SSO ticket to authenticate the portal user for accessing SAP. In the same way, SAP users can access Intrexx without having to log in again. The following sections describe the setup of the Trust Manager module in Intrexx and SAP. More information about this topic can also be found in the Developer's Manual Part 1.
Installation
To configure the Trust Manager SSO, an application is provided with Intrexx that you can import into your portal as usual. You can find the import file "sap-business-suite-connector.zip" in the installation directory adapter/sap. In order to use the application, the Connector for SAP Business Suite must be installed and configured.
This image shows the homepage of the application in the browser. To start the Trust Manager module click on "SAP Trust Manager (SSO)".
PSE keystore
A PSE keystore containing the certificate for signing the SSO ticket is required. Its target is "internal/cfg/security/system.pse" in the portal directory. Keystore properties:
- Type: JKS
- Provider: SUN
- Type: Key Pair
- Public Key: DSA (1,024 bits)
- Signature Algorithm: SHA1withDSA
The keystore can be created by clicking on "New entry" or alternatively with the Java Keytool.
PSE
Enter the title here.
Organization
Enter the organization here.
Organizational unit
Enter the organizational unit here.
Country
Enter the country code here.
Password
Enter the password for the keystore here.
Then click on Save.
Here, click on "Select data set".
The certificate can be downloaded by clicking on "Certificate".
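The keytool alternative mentioned above, as an added example that is not part of the Intrexx documentation: it creates the keystore with the listed properties and checks a `keytool -list -v` listing against them. The alias, the distinguished name and the sample listing are constructed assumptions; the target path and key properties are the ones given on this page.

```shell
#!/bin/sh
# Added example, not Intrexx code. The alias, the DN values and the sample
# listing are constructed; the path and key properties come from the page.
PSE="internal/cfg/security/system.pse"   # relative to the portal directory

# Create the signing key pair; keytool prompts for the keystore password.
make_pse() {  # usage: make_pse <alias> <distinguished-name>
    keytool -genkeypair -alias "$1" -dname "$2" \
        -keyalg DSA -keysize 1024 -sigalg SHA1withDSA \
        -storetype JKS -keystore "$PSE"
}

# Read `keytool -list -v` output on stdin and compare it with the required
# properties. Prefix matches tolerate suffixes such as "(weak)" that newer
# JDKs append to algorithm names.
check_pse_listing() {
    awk -F': *' '
        /^Keystore type:/                { type  = toupper($2) }
        /^Keystore provider:/            { prov  = toupper($2) }
        /^Entry type:/                   { entry = $2 }  # key pair = PrivateKeyEntry
        /^Signature algorithm name:/     { sig   = $2 }
        /^Subject Public Key Algorithm:/ { key   = $2 }
        END {
            if (type != "JKS")              { print "keystore type: " type; bad = 1 }
            if (prov != "SUN")              { print "provider: " prov;      bad = 1 }
            if (entry != "PrivateKeyEntry") { print "entry type: " entry;   bad = 1 }
            if (sig !~ /^SHA1withDSA/)      { print "signature: " sig;      bad = 1 }
            if (key !~ /^1024-bit DSA key/) { print "public key: " key;     bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample of `keytool -list -v` output (abridged).
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Alias name: intrexx-sso
Entry type: PrivateKeyEntry
Owner: CN=Intrexx Portal, OU=IT, O=Example, C=DE
Signature algorithm name: SHA1withDSA
Subject Public Key Algorithm: 1024-bit DSA key'

printf '%s\n' "$SAMPLE_LISTING" | check_pse_listing && echo "keystore matches"
# Against a real keystore:
#   keytool -list -v -keystore "$PSE" | check_pse_listing
```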
SSO parameter
Click on "SSO parameters".
Here, click on "New parameter".
Parameters
Enter the "SYSID" here.
Value
Enter the SID of the SAP system. Then click on Save.
Activate SSO
Here, click on "Activate SSO".
Activate the setting "Activate SSO" and then click on "Save".
Login
For an Intrexx user to log in to the SAP system with SSO, the Intrexx username must correspond to the SAP username. Alternatively, the SAP username can be stored in the Intrexx session using the key "sapsso_user". If this key is not defined, the table "xia_sec_user_mapping" is searched for a mapping for the user. If no mapping is found, the Intrexx username must match the SAP username. For the SSO ticket to be generated automatically when an Intrexx user logs in, the login process "SAP Business Suite Connector" must be activated in the Processes module.
The action "SAP Trust manager" checks whether the user exists in SAP and then generates the SSO ticket that is stored in the session for further accesses.
SAP configuration
- To permit RFC connections between Intrexx and SAP, the profile parameter "gw/acl_mode" should be set to 0 or the corresponding ACL files should be adjusted in SAP. The parameter can be defined or modified via the transaction "RZ10". The SAP system needs to be restarted afterwards.
- Next, the certificate downloaded earlier from Intrexx needs to be uploaded to SAP. Call the transaction "STRUSTSSO2" for this.
- Open "Certificate / Import" and select the certificate file.
- The certificate should now be shown under "Certificate".
- Click on "Add to Certificate List" and then "Add to ACL".
- The certificate should now be in the certificate list as well as under "Login Ticket" under "ACL". Check whether the SID and Client ID match.
- Leave the transaction.
- Open the transaction "SM59" to test the TCP connection from SAP to Intrexx.
- There needs to be an appropriate connection to the SAP system and Intrexx portal under TCP/IP connections (here: Portal "SAP70" and SID "UP1").
- Double-click on the connection and then click on "Connection Test". The result should look something like the following:
- Leave the transaction.
- Test the SSO ticket with the transaction "SSO2".
- Select the RFC connection to Intrexx under "Destination" and then perform the test.
- The result should look something like the following:
If errors occur, please view the log file.
More information
SAP Trust Manager SSO configuration
API description Part 1 - Overview
API description Part 2 - SAP Portal Plugin
API description Part 3 - Implementing custom processing modules
API description Part 4 - Sample coding
Developer's Manual Part 2 - Integration scenario, SAP external data group
Developer's Manual Part 3 - Scripting integration scenario
Developer's Manual Part 4 - Personalized SAP Access / Single Sign On (SSO)