2010 Nov 30 2:56 PM
Hi
Our scenario is:
Kerberos from client to Portal
Reference System to map SAP User
Trust between Portal and HR
ESS Backendsystem with auth method SAPLOGONTICKET
-> All works fine.
Now the problem is ...
We would like to "reduce" the TRUST to enable SSO only for ESS & MSS, and not allow SSO to be used, e.g., with a transaction iView to HR. Simply put, higher security.
We don't know how to do this. Anybody with ideas?
Am I right that with SNC I cannot transport the user to build SSO between Portal and HR?
The idea was to use SNC, because with SNC you can specify on the HR side who is mapped and allowed to enter with SSO.
But it seems that between Java and ABAP systems SNC can only be used to encrypt transport messages?
What I'm wondering is:
With SAP BusinessObjects (BOE) you can set up an SNC connection from BOE => BW to do SSO, or not?
Regards Martin
2010 Nov 30 11:13 PM
Hi,
I am not sure if I understand your scenario, but in transaction SICF you can set up allowed authentication methods for each service provided by the application server. So if there are two different services in your case, then you can exclude SSO to restrict some services.
Cheers
2010 Dec 06 11:25 AM
Hi Martin
The restriction on the ABAP side sounds interesting.
Will we be able to restrict SSO only for ESS & MSS services?
Am I right that ESS & MSS use direct RFC and HTTP-based interfaces between Portal and HR?
Using SICF means no trust is required based on exchange of certificates?
Regards
Martin
2010 Dec 01 6:51 AM
Hello Martin
How about this:
1. Create 2 'systems' in your portal; one is for ESS/MSS only, and this system can use SSO.
2. Create another system and use UIDPW as the logon method in your portal -> system landscape.
Except for ESS/MSS, let all the other transaction iViews use the second system.
Regards,
Thunder
2010 Dec 06 11:21 AM
Hi
That's not a solution for us, since we want to suppress the technical option to access HR transactions from the portal.
The SSO mechanism should only be available for ESS & MSS scenarios.
Regards Martin