Configuring SSO with User ID and Password to SAP Systems
This procedure describes how to configure SAP NetWeaver Portal and a SAP System for Single Sign-On (SSO) with user mapping. We recommend using SSO with logon tickets or client certificates. SSO with user ID and password should only be used if no other SSO method is possible. It has the following advantages:
· It can be used for SSO to SAP Systems that do not support logon tickets (that have a release lower than 4.0B).
· You do not need to have Central User Administration (CUA) in place. Users can have a different user ID and password in the SAP System in question than in the reference SAP system used for the logon ticket.

When SSO with user ID and password is used, the user ID and password are transmitted in plain text using HTTP POST. We strongly recommend that you protect the connections to the SAP System using HTTPS or SNC to prevent an external party from eavesdropping on the user ID and password.

SSO with user ID and password does not work for portal users whose ticket contains a user ID that exists in the backend SAP system if the following is true:
■ You use SSO with user ID and password over HTTP.
■ The SAP system in the backend trusts logon tickets of the portal.
This is because, in an HTTP environment, the logon ticket is a cookie that is issued by the portal and contains the portal user ID and potentially a backend system user ID. In adherence with the general HTTP rules for all cookies, the browser includes the ticket with every request to a system in the same domain name system (DNS) domain, even if the request also contains a user ID and password. The backend system is usually configured to first evaluate the ticket and then check for a user ID and password. So if the ticket contains a user that exists in the backend system, the backend system does not use the user ID and password to log the user on, but it uses the ticket instead. As a result, the portal user may be logged on as a different user in the backend system and gain the wrong authorizations in that system.
To prevent this scenario from occurring, we recommend that if you are using SSO with user ID and password to connect to a backend system, you do not configure the backend system to also accept logon tickets from that portal.
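The evaluation order described above can be modelled in a few lines. The following Python sketch is an added example, not SAP code: the record fields (transport, trusts_portal_tickets, in_portal_dns_domain) and the sample user IDs are constructed assumptions, and only the Logon Method value UIDPW comes from this page.

```python
from dataclasses import dataclass

# Illustrative model only; field names are hypothetical, not SAP property IDs.
@dataclass(frozen=True)
class Backend:
    logon_method: str            # "UIDPW" is the value set in the portal system object
    transport: str               # "http", "https" or "snc" (constructed labels)
    trusts_portal_tickets: bool  # backend accepts logon tickets issued by the portal
    in_portal_dns_domain: bool   # browser sends the ticket cookie to this host
    users: frozenset             # user IDs that exist in the backend

def effective_user(b, ticket_user, mapped_user):
    """Ticket is evaluated first; user ID and password only if no ticket logon happened."""
    ticket_sent = b.in_portal_dns_domain and b.transport in ("http", "https")
    if ticket_sent and b.trusts_portal_tickets and ticket_user in b.users:
        return ticket_user       # mapped credentials are never evaluated
    return mapped_user if mapped_user in b.users else None

def audit(b, ticket_user, mapped_user):
    """Return findings for one portal user accessing one UIDPW system."""
    findings = []
    if b.logon_method != "UIDPW":
        return findings
    if b.transport == "http":
        findings.append("user ID and password sent in plain text; use HTTPS or SNC")
    got = effective_user(b, ticket_user, mapped_user)
    if got is not None and got != mapped_user:
        findings.append(f"ticket overrides mapping: logged on as {got}, not {mapped_user}")
    return findings

# Constructed sample: portal user JSMITH is mapped to backend user SMITHJ, but an
# unrelated backend account named JSMITH also exists.
USERS = frozenset({"JSMITH", "SMITHJ"})
RISKY = Backend("UIDPW", "http", True, True, USERS)
FIXED = Backend("UIDPW", "https", False, True, USERS)

if __name__ == "__main__":
    for name, b in (("risky", RISKY), ("fixed", FIXED)):
        print(name, effective_user(b, "JSMITH", "SMITHJ"), audit(b, "JSMITH", "SMITHJ"))
```

In the risky configuration the portal user ends up logged on as the unrelated backend account; once the backend no longer accepts the portal's tickets, the mapped credentials are the ones evaluated.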
...
1. In the system object defining the SAP System in the portal, set the property Logon Method to UIDPW. For more information about defining system objects, see System Landscape.
2. Either the administrator or the users must map users’ user ID and password to their user ID and password in the SAP System. For more information about user mapping, see User Mapping.
When the user tries to access the SAP System through the portal, the user mapping information is used to access the component system.