Single Sign-On:

Single Sign-On feature of SAP NetWeaver Portal enables users to interact with many component systems available under portal environment with ease without providing user name and password to different systems he is interacting with. SSO is available in two variants > SSO with logon tickets > SSO with User ID and Password SSO with Logon Tickets: Logon ticket represents user credentials and is issued by portal server after initial authentication. Users, after successful initial authentication, will not be asked for any user id and password to log in to other systems connected to enterprise portal which he interacts with. Logon ticket is stored as cookie on client and is sent with each request of that client, which is then used by other applications with out further logons being required. When issuing a logon ticket, one system must act as ticket issuing system and one system as ticket getting system. SSO with User ID and Password: If users portal user id is different from SAP systems User ID, SSO with Logon tickets is not possible. I such case, SSO with User ID and password should be implemented Implementing SSO to SAP systems from Portal: Purpose: To implement SSO with logon tickets, users must be having same user ID in portal and SAP systems. Implementing SSO includes following steps: > Configuring Portal Server to Issue logon tickets > Configuring SAP system to accept and verify Logon tickets > Configuring Portal Server to issue logon tickets: Configuring Portal server to issue logon tickets include following steps:

> Specifying AS Java Client to use for logon tickets > Configuring life time of logon ticket > Set logon method to logon tickets in portal system landscape Change AS Java client used for Logon tickets: When J2EE is the ticket issuing system, it needs to provide a client value. The default client for J2EE engine is 000. You must change the default client 000 to a client that does not exist on the SAP Web AS. Procedure: Checking the property in policy configurations: In the security provider service, choose Policy Configurations select each template that uses the login module CreateTicketLoginModule. On selection the login module stack for this component appears. Checking property in User Store Configuration: In the security provider service, choose the User Management tab page > Choose Manage security stores > Select the login module CreateTicketLoginModule and choose View/Change properties. The options are shown in Options section To change the default client, > Go to Security Provider > Choose the User Management tab page > Choose Manage Security Stores > Select the login module CreateTicketLoginModule and choose View/Change properties. In the options enter the property client with value other than 000. Configure Validity period of logon ticket: Prerequisites: > This procedure requires you to restart the SAP NetWeaver AS Java > You have configured AS java to support SSO with logon tickets Procedure: > Set the UME property ume.admin.login.ticket_lifetime. The default value is 8, which means 8

hours. This can be changed and specified as required in hours using the syntax hh:mm. > Restart the AS Java Download Portals Public Key Certficate: Key store administration tool allows administrators to download the verify.der file and verify.pse files which contain portal servers certificate. Pre-requisite: To use key store administration tool System Administrator role is required. Procedure: >Login into Portal and go to: > SAP Logon Ticket Key Pair-Cert Key Store Administration System ConfigurationSystem Administrator > Download verify.der file

Configure SAP System to verify and accept logon tickets: Procedure: Log in into SAP system which you want to configure for SSO. Go to transaction STRUSTSSO2

Click on import certificate

Browse verify.der file and click Ok. Go to transaction RZ10 and select instant profile Click on Change Button Set the profile parameters: Login/accept_sso2_ticket = 1 Login/create_sso2_ticket = 0