Hello Patrick,

Thank you very much for your answer, but I have two different situations in wich the user is not valid for identity propagation:

1.- Shared/Generic users executing this integration. I can't control that the same user won't be used by different people

2.- Same user executing the integration from different desktops, for example, an operator that executes the integration from different SAP desktops

The effect would be the same: the destination application won't know which "sap session" corresponds to every integration execution.

This is why I need a unique "logon" identifier to send to the 3rd party system.

I thought about using the ABAP session id, obtained with the FM TH_GET_SESSION_ID, but found that for example when using ITS, every time a user executes the logon URL, the session id changes, even if the logon ticket is the same.

I need a session id that doesn't change unless all the browser windows are closed, the way it happens with MYSAPSSO2.

Any ideas? Does anybody know another id that could uniquely identify each logon-session?

Thanks in advance,

Joseba M. Iturbe

Hi Soporte,

sorry, I'm a bit lost here. What is your intention. If it is only about identification of the user session, you can create your own token and send it to the backend. This even will allow you to create these identifiers at the granularity you need. The mysapsso2 cookie is NOT bound to a session and therefor does not match your description. The same cookie will be used for all logins from one pc to the backend within one browser instance. This implies, if you have two browser instances you will also get two MySAPSSO2 cookies even if the user is working on the same PC.

So the MYSAPSSO2 cookie is NEITHER specific to one PC NOR specific to a login session on a single backend. Please also note, that you can have more than one HTTP session per login.

I would guess that the identifier can be contructed from data you can retrieve via GET_USER_DETAILS. However this depends on the real use case, which I do still not understand.

Regards,

Patrick

Hi Martin,

the reentrance ticket is not the same as the logon ticket but the similiar to the assertionticket used by the RFC infrastructure. However as you already stated, you can only create this for the current user.

Usually it is used to enter into the same system again (i.e. a call back scenario).

The reason why you don't have to login when testing from SE80 is because AS ABAP issues a logon ticket inside the IE control before starting the WDA and the logon ticket will be of course accepted since the system issuing it is the system checking it. The behaviour depends on login/*_sso2_ticket instance profile parameters and with newer releases whether AS ABAP HTTP security sessions are being used.

I tend to agree with Patrick since as far as I know the logon ticket gets parsed in a very low level part of the AS ABAP, maybe even by the kernel. I don't mind being proven wrong, though.

But then you are on a double-stack system and in SE80 you already are on the inside?

--> SAPJSF is taking care of it for you from SE80 tests That affects WS for sure and WD is started via the message server so if you land on a new server with individual PSE it can happen that you cannot logon if they dont all trust each other.

If it does not work from SE80 on single stack systems for WD then it normally means that there is some ICM setting that is not correct.

If it theb still does not work for the user on single stack systems for WD then it means that there is some PSE setting that is not correct.

Cheers,

Julius

Hi Martin,

there are unsupported features you can use for many things. However in this case, I do not see how this can help here. The question initially was about accessing the incoming ticket in the HTTP request not about how to create a new one for the app. For RFC connections, I do not even see, why this would be required, as the RFC hinmself has the ability built in.

As the ticket part of the incoming http request, for security reasons, is already consumed at a very low level in the ICF and therefor unavailable to the application, I doubt you will be able to access this ticket. But there are others more knowledgeable that may have more info about this.

The reentrence and assertion tickets were created to get some short lived information, which can be used by apps to let a user establish a new session to the same (re-entrance ticket) or some other system (assertion ticket) in mediated scenarios or in case of a protocol change. This will allow to specify for which systems such information can be used, as you ahve to establish trust first. If you could access the ticket of the user directly, other systems would not be able to see, that the communication was mediated or initiated via a different server.

Regards,

Patrick

Hi Martin,

please read this response from jmiturbe. There it is stated:

Soporte Desarrollo wrote:
I need a session id that doesn't change unless all the browser windows are closed, the way it happens with MYSAPSSO2.

If you create the ticket in the ABAP system, you will get a new one for each request unless you store it somewhere in the system (which hopefully noone will do ).

Regards,

Patrick

I would rather have the 3rd party system generate the cookie and then open the URL from SAP including that cookie. See method SET_COOKIE of IF_HTTP_ENTITY.

I do agree to Samuli and MArtin as well. The reason mostly is, the SAPSSO2 cookie being treated as sort of a passpoart for more than one system. If the 3rd party system has such a ticket like the SAP reentrence ticket (which you would use in the inverse case of the 3rd party talking to the SAP system and then redirecting the user to SAP) the scope of the ticket is smaller (only the host) and instead of usually 8h the ticket is valid for minutes only.

Ragards, Patrick