Connector for SAP Business Suite - SAP Trust Manager SSO configuration
1. General
The Trust Manager module of the Connector for SAP Business Suite implements
Single Sign On (SSO) with SAP, so that Intrexx users are authenticated
automatically. To do this, the module generates an SSO ticket per user session
based on a cryptographic process. Intrexx uses this SSO ticket to authenticate
the portal user when accessing SAP. In the same way, SAP users can access
Intrexx without having to log in again. The following sections describe the
setup of the Trust Manager module in Intrexx and SAP.
2. Installation
To configure the Trust Manager SSO, Intrexx provides an application that you
can import into your portal as usual. You can find the import file
sap-business-suite-connector.zip in the installation directory adapter/sap.
In order to use the application, the Connector for SAP Business Suite must be
installed and configured.
On the homepage of the application in the browser, click on
SAP Trust Manager (SSO) to start the Trust Manager module.
3. PSE keystore
A PSE keystore containing the certificate for signing the SSO ticket is
required at the target path internal/cfg/security/system.pse in the portal
directory. Keystore properties:
Type: JKS
Provider: SUN
Type: Key Pair
Public Key: DSA (1,024 bits)
Signature Algorithm: SHA1withDSA
The keystore can be created by clicking on New entry or alternatively with
the Java Keytool.
PSE: Enter the title here.
Organisation: Enter the organisation here.
Organisational unit: Enter the organisational unit here.
Country: Enter the country code here.
Password: Enter the password for the keystore here.
Click on Save.
Here, click on Select data set.
The certificate can be downloaded by clicking on Certificate.
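The Java Keytool alternative mentioned above, as an added example that is not part of the original documentation: it creates the keystore with the listed properties, exports the certificate, and checks an exported certificate against those properties before it is uploaded to SAP. The alias, DN values, validity period and output file name are assumptions, the script is assumed to run from the portal directory, and the check assumes English `keytool -printcert` output that includes the public key line.

```shell
#!/bin/sh
# Added example (not from the Intrexx documentation).
# Path and algorithms come from section 3; alias, validity and file names are assumed.

PSE="internal/cfg/security/system.pse"   # relative to the portal directory
ALIAS="intrexx-sso"                      # hypothetical alias

# Generate the DSA key pair in a JKS keystore. keytool prompts for the
# passwords, so they do not end up in the process list or shell history.
create_pse() {   # usage: create_pse "CN=Portal, OU=IT, O=Example, C=DE"
    keytool -genkeypair -alias "$ALIAS" -dname "$1" \
        -keyalg DSA -keysize 1024 -sigalg SHA1withDSA \
        -storetype JKS -keystore "$PSE" -validity 365
}

# Export the certificate that is later imported in STRUSTSSO2.
export_cert() {  # usage: export_cert portal-sso.cer
    keytool -exportcert -alias "$ALIAS" -storetype JKS -keystore "$PSE" \
        -rfc -file "$1"
}

# Read `keytool -printcert` output on stdin and succeed only if the
# certificate has the signature algorithm and key type/size from section 3.
# Trailing annotations such as "(weak)" are ignored.
check_cert_props() {
    awk '
        /Signature algorithm name:/     { if ($4 == "SHA1withDSA") sig = 1 }
        /Subject Public Key Algorithm:/ { if ($5 == "1024-bit" && $6 == "DSA") key = 1 }
        END { exit !(sig && key) }
    '
}

case "${1:-}" in
    create) create_pse "$2" && export_cert "${3:-portal-sso.cer}" ;;
    check)  keytool -printcert -file "$2" | check_cert_props ;;
esac
```

Recent JDKs print warnings for 1,024-bit DSA keys and SHA-1 signatures; the parameters used here are the ones the keystore properties above call for.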
4. SSO parameter
Click on SSO parameters.
Here, click on New parameter.
Parameter: Enter the SYSID here.
Value: Enter the SID of the SAP system. Then click on Save.
5. Activate SSO
Here, click on Activate SSO.
Activate the setting Activate SSO and then click on Save.
6. Login
For an Intrexx user to log in to the SAP system with SSO, the Intrexx username
must correspond to the SAP username. Alternatively, the SAP username can be
stored in the Intrexx session using the key sapsso_user. If this key is not
defined, the table xia_sec_user_mapping is searched for a mapping for the
user. If no mapping is found, the Intrexx username must match the SAP username.
So that the SSO ticket is generated automatically when an Intrexx user logs in,
the login process SAP Business Suite Connector must be activated in the
Processes module.
The action SAP Trust manager checks whether the user exists in SAP and then
generates the SSO ticket, which is stored in the session for further accesses.
7. SAP configuration
So that RFC connections between Intrexx and SAP are permitted, the profile
parameter gw/acl_mode should be set to 0 or the corresponding ACL files should
be adjusted in SAP. The parameter can be defined or modified via the
transaction RZ10. The SAP system needs to be restarted afterwards.
Now, the certificate downloaded earlier from Intrexx needs to be uploaded to
SAP. Call the transaction STRUSTSSO2 for this.
Open Certificate / Import and select the certificate file.
The certificate should now be shown under Certificate.
Click on Add to Certificate List and then Add to ACL.
The certificate should now be in the certificate list as well as under
Logon Ticket under ACL. Check whether the SID and Client ID match.
Leave the transaction.
Open the transaction SM59 to test the TCP connection from SAP to Intrexx.
There needs to be an appropriate connection to the SAP system and Intrexx
portal under TCP/IP connections (here: Portal SAP70 and SID UP1).
Double-click on the connection and then click on Connection Test. The result
should look something like the following:
Leave the transaction.
Test the SSO ticket with the transaction SSO2.
Select the RFC connection to Intrexx under Destination and then perform the
test.
The result should look something like the following: