Connector for SAP Business Suite - Developer's Manual part 5 - Personalized SAP access / Single Sign On (SSO)

In some scenarios, it is necessary to use personalized SAP access. At minimum, the system user stored in the SAP data source is used for access to SAP. However, it is also possible to use a user-dependent SAP user, so that the permissions defined in the SAP system are observed or a second login to SAP is avoided. This section explains how such requirements can be implemented.

1. Login mode

The login mode plays a role in many places with SAP access. The following login modes are used by the Connector for SAP Business Suite:

Login mode   Use
system       Use the system user defined in the SAP data source.
user         Exclusive use of the personal login information of the logged-in portal user. Only this information is used; the system user is not consulted. If this information is incorrect, access to SAP is not possible.
mixed        Intrexx first attempts access in user mode. If this is not successful, system mode is used.

The login information for each portal user can be defined as an external login in the Intrexx User Manager.

Which external login is used for connecting to the SAP system can be specified in the SAP data source.

Alternatively, a portal login with a password check against the SAP system is possible. Here, the password entered is checked against the specified SAP system. For this, Intrexx needs a user base with identically named users. Parallel password maintenance or replication is not necessary in this case. This login method also enables Single Sign On scenarios via SAP logon tickets. Via the script API of the Connector for SAP Business Suite, you can deliberately influence the personalized access to enable further login scenarios in projects.

2. SAP login modules

Intrexx login modules enable portal authentication against external sources. A check against an external LDAP server, for example, is included in the standard login modules. Intrexx must have a user master record for each possible portal user. This record does not need to carry a password check of its own, but it must be possible to replicate it via Intrexx tools. The Connector for SAP Business Suite comes with its own login modules that implement the SAP password checks for SAP users, SU05 internet users or SAP business partners. The portal login and the login modules to be called are managed in the portal's configuration file "LucyAuth.cfg". A login configuration that first checks the SAP user master, then the SU05 internet users of the customer master and finally the Intrexx standard login is shown here:
SapUserAuth
{
	net.initall.ixapi.auth.IxSAPLoginModuleUser sufficient
		instance="saperp"
		mapuser=false
		initjco=false
		debug=false;

	net.initall.ixapi.auth.IxSAPLoginModuleIUser sufficient
		instance="saperp"
		logintype="KNA1"
		initjco=false
		debug=false;

	de.uplanet.lucy.server.auth.module.intrexx.IntrexxLoginModule sufficient
		debug=false;

	de.uplanet.lucy.server.auth.module.anonymous.AnonymousLoginModule sufficient
		debug=false;
};
This configuration is then activated via the User menu / Configuration / Authentication in the Users module of the Portal Manager.
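The LucyAuth.cfg entry above is a JAAS-style configuration, so the order of the modules and their control flags decide who ends up authenticated. The following Python example, added here and not part of Intrexx or the Connector for SAP Business Suite, parses such an entry and replays the chain under the standard JAAS flag semantics (required, requisite, sufficient, optional). It assumes LucyAuth.cfg follows the JAAS configuration grammar; the per-module outcomes it feeds in are constructed, not real SAP responses, and the names `parse_lucyauth`, `evaluate_chain`, `ModuleEntry` and `demo` are the example's own.

```python
"""Parse a JAAS-style LucyAuth.cfg entry and replay the login-module chain
under the standard JAAS control flags (required, requisite, sufficient,
optional). Added illustration, not Intrexx or connector code; it assumes
LucyAuth.cfg follows the JAAS configuration grammar."""
import re
from dataclasses import dataclass, field

# Constructed sample: the SapUserAuth configuration from the manual.
SAMPLE_CFG = """
SapUserAuth
{
    net.initall.ixapi.auth.IxSAPLoginModuleUser sufficient
        instance="saperp"
        mapuser=false
        initjco=false
        debug=false;

    net.initall.ixapi.auth.IxSAPLoginModuleIUser sufficient
        instance="saperp"
        logintype="KNA1"
        initjco=false
        debug=false;

    de.uplanet.lucy.server.auth.module.intrexx.IntrexxLoginModule sufficient
        debug=false;

    de.uplanet.lucy.server.auth.module.anonymous.AnonymousLoginModule sufficient
        debug=false;
};
"""

FLAGS = ("required", "requisite", "sufficient", "optional")

@dataclass
class ModuleEntry:
    class_name: str
    flag: str
    options: dict = field(default_factory=dict)

def _strip_comments(text):
    # Drop /* */ and // comments but keep quoted strings intact, so a
    # quoted value such as a URL containing "//" survives.
    pattern = r'"[^"]*"|/\*.*?\*/|//[^\n]*'
    return re.sub(pattern, lambda m: m.group(0) if m.group(0)[0] == '"' else "",
                  text, flags=re.S)

def parse_lucyauth(text):
    """Return {entry_name: [ModuleEntry, ...]} for a JAAS-style config."""
    entries = {}
    for m in re.finditer(r"(\S+)\s*\{(.*?)\}\s*;", _strip_comments(text), re.S):
        name, body = m.group(1), m.group(2)
        modules = []
        for stmt in filter(None, (s.strip() for s in body.split(";"))):
            tokens = stmt.split()
            if len(tokens) < 2 or tokens[1].lower() not in FLAGS:
                raise ValueError(f"bad module statement in {name}: {stmt!r}")
            opts = {}
            for tok in tokens[2:]:
                key, sep, val = tok.partition("=")
                if not sep:
                    raise ValueError(f"option without '=' in {name}: {tok!r}")
                opts[key] = val.strip('"')
            modules.append(ModuleEntry(tokens[0], tokens[1].lower(), opts))
        entries[name] = modules
    return entries

def evaluate_chain(modules, outcomes):
    """Replay the JAAS login phase for one entry.

    outcomes maps class_name -> True/False (did that module accept?);
    unlisted modules count as failed. Returns (authenticated, decider), where
    decider is the SUFFICIENT module that short-circuited the chain, or None.
    """
    required_failed = False
    any_success = False
    for entry in modules:
        ok = outcomes.get(entry.class_name, False)
        any_success = any_success or ok
        if entry.flag == "requisite" and not ok:
            return False, None             # requisite failure aborts at once
        if entry.flag == "required" and not ok:
            required_failed = True         # remembered, chain continues
        if entry.flag == "sufficient" and ok and not required_failed:
            return True, entry.class_name  # later modules are never consulted
    return (any_success and not required_failed), None

def demo():
    chain = parse_lucyauth(SAMPLE_CFG)["SapUserAuth"]
    sap, iuser, intrexx, anon = (e.class_name for e in chain)
    # SAP user master accepts the password: the first module decides.
    r1 = evaluate_chain(chain, {sap: True})
    # SAP and SU05 reject, the Intrexx standard login accepts.
    r2 = evaluate_chain(chain, {sap: False, iuser: False, intrexx: True})
    # Every credential check fails. Assuming (constructed here) that the
    # anonymous module reports success, the chain still ends "authenticated",
    # but as an anonymous session rather than as the named user.
    r3 = evaluate_chain(chain, {sap: False, iuser: False, intrexx: False, anon: True})
    return r1, r2, r3
```

Because every module in the sample entry is flagged `sufficient`, the first module that accepts the credentials ends the chain and the later ones are never consulted, which is why the SAP user master is checked before the SU05 internet users and the Intrexx standard login. The replay also makes visible that, if the trailing `sufficient` anonymous module reports success for a request, a run of rejected credential checks ends in an anonymous session rather than a failed login, which is worth keeping in mind when reviewing the configuration.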

The SAP login module used here is the prerequisite for generating the SAP logon tickets used in Single Sign On scenarios. When the portal user logs in to the SAP system successfully, such a ticket is generated automatically and can later be used to integrate SAP internet pages or SAP shortcuts.

3. Single Sign On with SAP logon tickets

Single Sign On (SSO), i.e. avoiding unnecessary multiple logins, is achieved in Intrexx via SAP logon tickets. For more information, see SAP Note 304450, for example. The SAP server must issue and accept SSO tickets (RZ10 profile parameters "login/accept*" and "login/create*"). Transaction "TRUSTSSO2" must also be initialized. The portal generates a ticket in the specified SAP system using the SAP function module "SUSR_CHECK_LOGON_DATA"; this ticket is then available for later SSO scenarios. This procedure is provided by the SAP login modules. The SAP system must be configured to use logon tickets (see SAP Note 612670). Currently, only authentication with an SAP user name/alias and password is supported (function module "SUSR_CHECK_LOGON_DATA" with parameter AUTH_METHOD = "P"). Further checks may be made available at a later date or can be implemented in projects.

4. More information

Developer's Manual part 6
API Developer's Manual