Connector for SAP Business Suite - SAP Trust Manager SSO configuration

1. General

With the Trust Manager module of the Connector for SAP Business Suite, you can implement Single Sign-On (SSO), and with it automatic authentication of Intrexx users in SAP. To do this, the module generates an SSO ticket for each user session based on a cryptographic process. Intrexx uses this SSO ticket to authenticate the portal user when accessing SAP. In the same way, SAP users can access Intrexx without having to log in again. The following sections describe how to set up the Trust Manager module in Intrexx and SAP.

2. Installation

To configure the Trust Manager SSO, an application is provided with Intrexx that you can import into your portal as usual. You can find the import file sap-business-suite-connector.zip in the installation directory adapter/sap. In order to use the application, the Connector for SAP Business Suite must be installed and configured.



This image shows the homepage of the application in the browser. To start the Trust Manager module click on SAP Trust Manager (SSO).

3. PSE keystore




A PSE keystore containing the certificate used to sign the SSO ticket is required at the target path internal/cfg/security/system.pse in the portal directory. The keystore can be created by clicking on New entry or, alternatively, with the Java Keytool.

Keystore properties:

PSE

Enter the title here.

Organisation

Enter the organisation here.

Organisational unit

Enter the organisational unit here.

Country

Enter the country code here.

Password

Enter the password for the keystore here.

Click on Save.



Here, click on Select data set.



The certificate can be downloaded by clicking on Certificate.

4. SSO parameter




Click on SSO parameters.



Here, click on New parameter.

Parameter

Enter the SYSID here.

Value

Enter the SID of the SAP system. Then click on Save.

5. Activate SSO




Here, click on Activate SSO.



Activate the setting Activate SSO and then click on Save.

6. Login

For an Intrexx user to log in to the SAP system with SSO, the Intrexx username must correspond to the SAP username. Alternatively, the SAP username can be stored in the Intrexx session under the key sapsso_user. If this key isn't defined, the table xia_sec_user_mapping is searched for a mapping for the user. If no mapping is found, the Intrexx username must match the SAP username. For the SSO ticket to be generated automatically when an Intrexx user logs in, the login process SAP Business Suite Connector must be activated in the Processes module.



The action SAP Trust manager checks whether the user exists in SAP and then generates the SSO ticket that is stored in the session for further accesses.
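Because the SSO ticket is issued for whichever SAP user this lookup yields, it is worth reviewing which portal accounts end up as which SAP users. The following is an added example, not Intrexx code: it follows the lookup order described above (session key sapsso_user, then xia_sec_user_mapping, then the Intrexx username) and reports SAP users shared by several portal accounts as well as accounts that rely on the name-match fallback. The dict shapes standing in for the session and the mapping table, the upper-casing of SAP usernames and all sample data are assumptions.

```python
from collections import defaultdict

SESSION_KEY = "sapsso_user"  # session key named on the page


def resolve_sap_user(intrexx_user, session, mapping):
    """Return (sap_user, source) using the lookup order described above.

    `session` is a dict standing in for the Intrexx session; `mapping` is a
    dict standing in for rows of xia_sec_user_mapping (assumed shape:
    Intrexx username -> SAP username; the real column names are not given).
    SAP usernames are upper-cased for comparison (assumption).
    """
    override = (session.get(SESSION_KEY) or "").strip()
    if override:
        return override.upper(), "session"
    mapped = (mapping.get(intrexx_user) or "").strip()
    if mapped:
        return mapped.upper(), "mapping"
    return intrexx_user.strip().upper(), "name-match"


def audit(users, sessions, mapping):
    """Resolve every user; report shared SAP identities and fallbacks."""
    resolved = {}
    by_sap = defaultdict(list)
    for user in users:
        sap_user, source = resolve_sap_user(user, sessions.get(user, {}), mapping)
        resolved[user] = (sap_user, source)
        by_sap[sap_user].append(user)
    # Several portal accounts resolving to one SAP user share its authorizations.
    shared = {sap: sorted(names) for sap, names in by_sap.items() if len(names) > 1}
    # These accounts get SAP access purely because the two usernames coincide.
    fallback = sorted(u for u, (_, src) in resolved.items() if src == "name-match")
    return resolved, shared, fallback


# Constructed sample data, not taken from a real portal.
USERS = ["anna", "bob", "carol", "dave"]
SESSIONS = {"carol": {"sapsso_user": "svc_report"}}
MAPPING = {"anna": "AMEIER", "bob": "ameier", "carol": "CKLEIN"}

if __name__ == "__main__":
    resolved, shared, fallback = audit(USERS, SESSIONS, MAPPING)
    for user, (sap_user, source) in resolved.items():
        print(f"{user:6} -> {sap_user:10} ({source})")
    print("shared SAP users:", shared)
    print("name-match fallback:", fallback)
```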

7. SAP configuration

  1. To permit RFC connections between Intrexx and SAP, the profile parameter gw/acl_mode should be set to 0 or the corresponding ACL files should be adjusted in SAP. With gw/acl_mode set to 0, the gateway applies no restrictions when its ACL files (secinfo, reginfo) are missing, so adjusting the ACL files is the narrower of the two options. The parameter can be defined or modified via the transaction RZ10. The SAP system needs to be restarted afterwards.
  2. Now, the certificate downloaded earlier from Intrexx needs to be uploaded to SAP. Call the transaction STRUSTSSO2 to do this.
  3. Open Certificate / Import and select the certificate file.
  4. The certificate should now be shown under Certificate.
  5. Click on Add to Certificate List and then Add to ACL.
  6. The certificate should now be in the certificate list as well as under Logon Ticket under ACL. Check whether the SID and Client ID match.

  7. Leave the transaction.
  8. Open the transaction SM59 to test the TCP connection from SAP to Intrexx.
  9. There needs to be an appropriate connection to the SAP system and Intrexx portal under TCP/IP connections (here: Portal SAP70 and SID UP1).

  10. Double-click on the connection and then click on Connection Test. The result should look something like the following:

  11. Leave the transaction.
  12. Test the SSO ticket with the transaction SSO2.

  13. Select the RFC connection to Intrexx under Destination and then perform the test.
  14. The result should look something like the following:

If errors occur, please view the log file.