SSO to openDocument interface with Vintela (kerberos) AND ! SAP LogonTicket

martin_eberle
Explorer
0 Kudos

Hi

We want both modes for SSO to be active in parallel to use the openDocument interface.

1) Windows Client => external App => Link to openDocument interface (with kerberos)

2) SAP Portal => Link to openDocument interface (with SAP Logon Ticket)

Both versions work well for us if individually configured, but not at the same time. Once configured for Vintela (Kerberos), it overrules the SSO mechanism for SAP Logon Ticket.

Now there is the idea to duplicate the webapp on Tomcat and use one for Vintela and the other for SAP Logon.

=> Is this a valid configuration option?

=> Any practical experience?

=> Any concerns when doing this?

Regards Martin

Accepted Solutions (1)

IngoH
Active Contributor
0 Kudos

Hi Martin,

What's the overall workflow you are trying to establish from an end user point of view?

ingo

martin_eberle
Explorer
0 Kudos

Hi Ingo

We have 2 usergroups:

1st usergroup calls BO Reports with data in a MS SQL database. The current reports require the BO user to match with the corresponding data (filter of relevant userdata). Currently this is done with a mapping of Kerberos user to the Enterprise user of the BO. From the external application (Planview - Project Management Software) certain links lead the user to BO Reports. In the background the Planview application generates datamarts as basis for the BO reports.

2nd usergroup are SAP users. They want to be able to call BO Reports with data in SAP backend systems. This must happen with a SSO mechanism out of the SAP Portal. We do not have a server side trust between BO and BW/ERP.... But we have a trust between SAP Portal and BW, ERP, ...

Martin

IngoH
Active Contributor
0 Kudos

Hi,

1st usergroup calls BO Reports with data in a MS SQL database. The current reports require the BO user to match with the corresponding data (filter of relevant userdata). Currently this is done with a mapping of Kerberos user to the Enterprise user of the BO. From the external application (Planview - Project Management Software) certain links lead the user to BO Reports. In the background the Planview application generates datamarts as basis for the BO reports.

>> I assume you are covered here - at least it sounds like it.

2nd usergroup are SAP users. They want to be able to call BO Reports with data in SAP backend systems. This must happen with a SSO mechanism out of the SAP Portal. We do not have a server side trust between BO and BW/ERP.... But we have a trust between SAP Portal and BW, ERP, ...

>> This means standard OpenDoc with SAP Authentication. The SAP Portal would generate the token. Trust needs to exist between the portal and BW / ERP. SAP Authentication for those systems has to be configured, roles have to be imported.

ingo

martin_eberle
Explorer
0 Kudos

Hi Ingo

Just to be sure that you understand me: We have tested both configurations separately with success.

The problem arose when we wanted to enable SSO for both scenarios simultaneously in the Tomcat application "openDocument". When you configure Vintela SSO, the SAP token is ignored; therefore, with 1 openDocument web application it is not possible to provide both SSO mechanisms at the same time.

This was when we started to think about a duplication of the "openDocument" webapp within the Tomcat container.

1) Just copy and paste the directory of the openDocument webapp

2) use directory "openDocument" with Vintela SSO config and use "openDocumentSAP" (=copy, but different web.xml) for SAP SSO

Now the question is: are there any concerns or practical experience on such an approach?

Regards Martin

martin_eberle
Explorer
0 Kudos

Hi Ingo

As additional information:

We checked the flag "opendoc.sso.sap.primary", which sounds like what we were looking for.

But SAP stated that this flag is for other usage and not implemented this way....

Martin

IngoH
Active Contributor
0 Kudos

Hi,

Have you thought about combining the Windows AD users with SAP credentials using SNC?

Ingo

martin_eberle
Explorer
0 Kudos

Hi Ingo

Yes, I did. Then we could easily link from all applications to BO reports (not only via Portal). The problem here is that we have not implemented SNC; our BW systems are AIX + Linux combinations, and there we would need another 3rd-party (commercial) product for the Kerberos implementation required for SNC.

This would mean much more overhead (technical + financial) than duplicating the web application.

Additionally, we are thinking of using the Portal SSO mechanism with SAP Shortcut URLs to enable SSO to ERP transactions...

Martin

IngoH
Active Contributor
0 Kudos

Hello Martin,

The portal won't solve the problem in the picture.

Overall, the issue you are facing is that you have two different authentication mechanisms - Windows AD and SAP - and in some form you need to combine them to allow for a complete SSO workflow on top of all data sources.

ingo

michael_raab
Discoverer
0 Kudos

Hello Mr. Eberle, hello Mr. Hilgefort,

I have the same requirement for our landscape. Has a satisfying solution been found yet?

Our SSO against SAP (ABAP) systems was set up a long time ago with NTLM. For BO and our SAP Portals we use Kerberos for SSO.

Regards,

Michael Raab

Answers (0)