
Description:

This document describes the steps necessary to set up the SSO authentication using the SAPSSOEXT method. Note: This is not required for VSN 3.0 SP2 or above.


The Authentication Process

  1. Log into a SAP portal with username and password.
  2. The portal communicates with the SAP backend system, and it generates a ticket.
  3. The portal creates a cookie (MYSAPSSO2) and stores the ticket inside it.
  4. When launching the Nakisa application from the portal, the portal passes the cookie to our application.
  5. The Nakisa application extracts the SSO ticket.
  6. Our application takes the SSO ticket and asks the SAP backend whether the ticket was originally issued by it (that is, whether the ticket is valid).

Steps to configure:

1. Download verify.pse from a portal:

  1. Inside the portal, choose System Administration
  2. System Configuration
  3. Keystore Administration
  4. Choose Content tab
  5. Choose Download verify.pse file
  6. Once the file is downloaded, place it in the XML folder of the Nakisa application.

2. Download SAPCAR:

  1. Access the SAP Service Marketplace: http://service.sap.com/patches (S-User is required)
  2. Choose "Support Packages and Patches-Entry by Application Group" from the left panel
  3. Choose "Additional Components"
  4. Choose "SAPCAR"
  5. Choose "SAPCAR 7.10"
  6. Choose your server. In this example, we are using "Windows Server IA 32 32 bit"
  7. Download the EXE file.

 

3. Download SAPSSOEXT DLLs:

  1. Access the SAP Service Marketplace: http://service.sap.com/patches (S-User is required)
  2. Choose "Support Packages and Patches-Entry by Application Group" from the left panel
  3. Choose "Additional Components"
  4. Choose SAPSSOEXT
  5. Pick the entry that matches your server. In this example, we are using Windows Server on IA32 32bit
  6. Download the latest release of SAP SSO EXT lib for SAP logon ticket verification
  7. Extract the downloaded SAR file using the SAPCAR downloaded above. (Instructions below)
  8. Find the DLLs in the extracted files.
  9. Place the sapsecu.dll in the XML folder of the Nakisa application.

4. Using SAPCAR to extract SAPSSOEXT dlls

1. Put the downloaded SAPCAR in c:\SAPSSOEXT\SAPCAR, the file name is SAPCAR_3-20002090.exe
2. Put the downloaded SAPSSOEXT in c:\SAPSSOEXT\SAPSSOEXT, the file name is SAPSSOEXT_4-10002921.SAR
3. Open Command Prompt: "Start" > "Run" > "CMD"
4. Go to the folder storing the SAPCAR. In my case "cd sapssoext\sapcar".
5. Type in SAPCAR_3-20002090.exe -xvf c:\sapssoext\sapssoext\sapssoext_4-10002921.SAR

6. You can find your extracted files in c:\SAPSSOEXT\SAPCAR

7. Copy the sapsecu.dll inside the XML folder of Nakisa Application.
8. Copy the sapssoext.dll into the c:\windows\system32\ folder and ensure that the DLL is registered with Windows. To register it, go to "Start" > "Run" and type in regsvr32 c:\windows\system32\sapssoext.dll

 5a. Configuration in Nakisa Application (versions up to and including 2.1)

1. Find the LoginConfiguration.xml in XML folder and open it in a text editor.

The credentials section of the loginconfiguration.xml should look like the following:

<credentials>
  <assembly name="SapSso"/>
  <info>
    <item name="PseFilePath">String</item>
    <item name="SsfLibFilePath">String</item>
    <item name="PsePassword">String</item>
    <item name="WindowsPlatform">[32|64]</item>
    <item name="TicketFile">String</item>
  </info>
</credentials>

The default values for the preceding parameters are:
PseFilePath=XML\verify.pse
SsfLibFilePath=XML\sapsecu.dll
PsePassword not present
WindowsPlatform=32
TicketFile not present

The following is a sample configuration of that section:

<credentials>
  <assembly name="SapSso"/>
  <info>
    <item name="PseFilePath">XML\verify.pse</item>
    <item name="SsfLibFilePath">XML\sapsecu.dll</item>
    <item name="PsePassword"></item>
    <item name="WindowsPlatform">32</item>
    <item name="TicketFile">XML\ticket.txt</item>
  </info>
</credentials>


2. Save the file.

3. It is highly recommended that you make a copy of LoginConfiguration.xml and call it LoginConfiguration_SSObk.xml.

4. Perform an IISreset on the server: "Start" > "Run" > type in "IISRESET" (for 2.1 Java perform a Start and Stop of the service - see SAP note 1585949 (FAQ: How to stop and restart Nakisa build on Java server) for more details).

5. Test the application. If the SSO authentication is done properly, you should be able to access the application.

6. If the authentication is properly configured, copy the loginConfiguration.xml from the XML folder and use it to replace the LoginConfiguration_SAP_SSO.xml in admin_Config/<installation>/authentication. (This should be done by a trained partner, because failing to do so will cause Save and Publish in the administrator console to overwrite XML\loginconfiguration.xml with incorrect information.)

 5b. Configuration in Nakisa Application (from version 3.0)

1. Open the AdminConsole and select SSO configuration in Security Settings. Enter the SAP system that holds the Portal logon ticket and click Submit. Save the configuration and exit the AdminConsole.

2. Find the credentials.xml in the .delta\Authentication\LoginConfiguration_SSO\ folder of your build configuration and create a backup. Then open the file in a text editor.

The contents should look like the following:

<credentials>
  <assembly name="SapSso"/>
  <info>
    <item name="PseFilePath">String</item>
    <item name="SsfLibFilePath">String</item>
    <item name="PsePassword">String</item>
    <item name="WindowsPlatform">[32|64]</item>
    <item name="TicketFile">String</item>
    <item name="ProcessingMode">[Base64decode]</item>
  </info>
</credentials>

The default values for the preceding parameters are:
PseFilePath=XML\verify.pse
SsfLibFilePath=XML\sapsecu.dll
PsePassword not present
WindowsPlatform=32
TicketFile not present
ProcessingMode not present

The following is a sample configuration of that section:

<credentials>
  <assembly name="SapSso"/>
  <info>
    <item name="PseFilePath">XML\verify.pse</item>
    <item name="SsfLibFilePath">XML\sapsecu.dll</item>
    <item name="PsePassword"></item>
    <item name="WindowsPlatform">32</item>
    <item name="TicketFile">XML\ticket.txt</item>
    <item name="ProcessingMode">Base64decode</item>
  </info>
</credentials>


3. Save the file.

4. Open the AdminConsole, load the build and publish it.

5. Test the application. If the SSO authentication is done properly, you should be able to access the application.
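
A check that can be run on the credentials section from 5a or 5b before the IIS reset or Publish step, added here as an example (it is not Nakisa or SAP code). It applies the defaults and allowed values listed above; the function name, the exact-match rule for item names, the reading of an empty element as "not present" and the BROKEN sample are assumptions made for this example.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Defaults and allowed values as listed on this page (None = "not present").
DEFAULTS = {"PseFilePath": r"XML\verify.pse", "SsfLibFilePath": r"XML\sapsecu.dll",
            "PsePassword": None, "WindowsPlatform": "32",
            "TicketFile": None, "ProcessingMode": None}
ALLOWED = {"WindowsPlatform": {"32", "64"}, "ProcessingMode": {"Base64decode"}}
EXPECTED_EXT = {"PseFilePath": ".pse", "SsfLibFilePath": ".dll"}

def check_credentials(xml_text):
    """Return (effective settings, findings) for one <credentials> section."""
    root = ET.fromstring(xml_text)
    findings = []
    asm = root.find("assembly")
    if root.tag != "credentials" or asm is None or asm.get("name") != "SapSso":
        findings.append('expected <credentials> containing <assembly name="SapSso"/>')
    settings, seen = dict(DEFAULTS), set()
    for item in root.findall("./info/item"):
        name, value = item.get("name"), (item.text or "").strip()
        if name not in DEFAULTS:  # assumption: names must match this page exactly
            findings.append(f"unknown item {name!r}, check spelling and case")
            continue
        if name in seen:
            findings.append(f"item {name!r} appears more than once")
        seen.add(name)
        if value:  # assumption: an empty element means "not present"
            settings[name] = value
    for name, allowed in ALLOWED.items():
        if settings[name] is not None and settings[name] not in allowed:
            findings.append(f"{name}={settings[name]!r} is not one of {sorted(allowed)}")
    for name, ext in EXPECTED_EXT.items():
        if PureWindowsPath(settings[name]).suffix.lower() != ext:
            findings.append(f"{name} should name a {ext} file, got {settings[name]!r}")
    if settings["PsePassword"]:
        findings.append("PsePassword is stored in clear text, restrict who can read this file")
    return settings, findings

# Constructed input: one misspelled item name and one invalid platform value.
BROKEN = r"""<credentials><assembly name="SapSso"/><info>
  <item name="PSEFilePath">XML\verify.pse</item>
  <item name="WindowsPlatform">x86</item>
</info></credentials>"""

if __name__ == "__main__":
    for finding in check_credentials(BROKEN)[1]:
        print("FINDING:", finding)
```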


Troubleshooting & Verifications

  1. Verify that the Nakisa application is hosted on the same domain as the SAP portal.
  2. Make sure that the iView setting in the SAP portal that points to Nakisa is written as a fully qualified domain name. For example, for a NOMS build that is hosted on "http://servername/OrgManagement", the iView should point to "http://servername.nakisa.net/OrgManagement".
  3. When you call your SAP portal from a browser, the URL you type in the browser's location bar must use the fully qualified domain name. For example: "http://portalserver.nakisa.net:50000/irj/portal".
  4. Ensure that the portal is set to create cookies (in the iView settings).
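
The host-name checks from items 1 to 3 above, written out as an added example (it is not part of the original page or of the product). It assumes the MYSAPSSO2 cookie is scoped to the parent domain of the portal host; the function name and the example.org URL are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def cookie_scope_findings(portal_url, iview_target_url):
    """Return reasons the MYSAPSSO2 cookie may not reach the iView target."""
    findings, parents = [], {}
    for label, url in (("portal", portal_url), ("iView target", iview_target_url)):
        host = (urlsplit(url).hostname or "").lower()
        if not host:
            findings.append(f"{label}: no host name in {url!r}")
        elif _is_ip(host):
            findings.append(f"{label}: {host} is an IP address, use the fully qualified domain name")
        elif "." not in host:
            findings.append(f"{label}: {host} is a short name, use the fully qualified domain name")
        else:
            # Assumption: the cookie is scoped to the host's parent domain,
            # i.e. the host name with its first label removed.
            parents[label] = host.split(".", 1)[1]
    if len(parents) == 2 and parents["portal"] != parents["iView target"]:
        findings.append("portal is in {} but iView target is in {}".format(
            parents["portal"], parents["iView target"]))
    return findings

if __name__ == "__main__":
    portal = "http://portalserver.nakisa.net:50000/irj/portal"      # from the page
    for target in ("http://servername.nakisa.net/OrgManagement",    # from the page
                   "http://servername/OrgManagement",               # from the page
                   "http://servername.example.org/OrgManagement"):  # constructed
        print(target, "->", cookie_scope_findings(portal, target) or "ok")
```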

3 Comments

  1. Unknown User (cubcoe0)

    It is a very clear and detailed article, thank you very much!

    But is it suitable for JAVA installation as well?

  2. Anonymous

    Hello Yelena,

    Thanks for the feedback.

    Answering your question, it works for the Java version as well. So far, on the 2.1.

    Regards.

  3. Unknown User (flfv85e)

    Hi,

    I have a query to ask. I am trying to configure SSO for my Java version.

    I have followed all the steps from 1 to 4 as said in the document but to perform the 5th step

    5. Configuration in Nakisa Application

    I did not find the loginconfiguration.xml file in the XML folder as said in the article.

    Kindly let me know if I am skipping any steps.

    Thanks in advance.