Configuring single sign-on to SAP systems using WebSphere Adapter for SAP Software

This article shows you how to configure SAP to enable SSO token generation, including how to log in into different SAP systems via the WebSphere SAP Adapter, and how to pass an SSO token dynamically back to the WebSphere SAP Adapter.


Matu Agarwal (matu.agarwal@in.ibm.com), Software Engineer, WebSphere Adapters team, IBM

Matu Agarwal is a Software Engineer on the WebSphere Adapters team at the IBM Software Lab in Bangalore, India, where he works in Development and Customer Support. He has a Bachelor of Technology degree in Computer Science and Engineering from Harcourt Butler Technological Institute in Kanpur, and has four years of IT experience working with various Java technologies including JCA. You can contact Matu at matu.agarwal@in.ibm.com.



27 June 2012

Introduction

Single sign-on (SSO) to an SAP system enables you to log in once and gain access to multiple SAP systems without needing to log in again each time. SSO to SAP has several benefits -- it removes the need to maintain multiple passwords for different SAP systems, simplifies centralized compliance and reporting, and facilitates the monitoring of suspicious activity.

Prerequisites for this article

  • IBM® Integration Designer V8 (formerly called WebSphere® Integration Developer), which is contained in IBM Business Process Manager V8 Advanced Edition.
  • WebSphere Adapter for SAP Software V7.5.0.2 (hereafter called WebSphere SAP Adapter).
  • Access to an SAP system configured for IDoc/BAPI processing and for SSO. The prerequisite for the use of SAP logon tickets is the use of identical user names in the systems that issue and accept the ticket. For more information, see your SAP administrator.
  • An SAP JCo library.
  • A basic understanding of SAP, WebSphere SAP Adapter, and IBM Integration Designer or WebSphere Integration Developer. For more information on these products, see Resources at the bottom of the article.

SSO scenario

A supply chain management team for a company uses SAP to manage inventories of everything from raw materials and parts to finished products. Team members need to log in frequently to different SAP systems to update inventory information. They have to maintain a list of credentials for the different SAP systems, which increases their workload and complicates compliance, reporting, and security monitoring. Single sign-on to SAP solves these problems by providing one sign-on for all of the SAP systems.

When you provide a username and password to one trusted SAP application, SAP issues a SAP logon ticket (also called an SSO token) that you can use to access multiple SAP systems that are integrated into the SSO landscape. The WebSphere SAP Adapter implements SSO by directly consuming the SAP logon ticket and using it to establish connections to the various SAP systems.

This article has two sections:

  • Configuring and activating a webgui service in SAP to issue SAP logon tickets -- Shows you how to configure SAP and enable a webgui service to issue SAP logon tickets that can be used to log in to various SAP systems without providing a username and password.
  • Logging into SAP using the SAP logon ticket and WebSphere SAP Adapter -- Shows you how to configure WebSphere SAP Adapter for SSO.

Configuring and activating a webgui service in SAP to issue SAP logon tickets

You need to perform this one-time setup to activate a webgui service in SAP and enable SAP logon tickets. After this service is activated, you can log in to an SAP system from a web browser by providing a username and password, retrieve the SAP logon ticket from the browser cookie, and then use it to log in to various configured SAP systems without providing a username and password. Follow these steps to activate the webgui service:

  1. Go to transaction code RZ10 and set the system profile parameters as shown below. For the host name variable, specify the fully qualified domain name of your SAP system, such as saperp07.in.ibm.com:
    Figure 1
  2. Assign the HTTP/HTTPS service port to the server port variable:
    Figure 2
  3. Restart the SAP application server to apply these parameters.
  4. Go to transaction code SMICM. Select Go to => Service. Your configured service should be listed with a green icon:
    Figure 3
  5. To verify that the webgui service is activated in the SAP system, go to transaction code SICF, set the Service Name as webgui, and click Execute:
    Figure 4
  6. Navigate down the service list, right-click on the webgui service, and click Activate Service if it is not active:
    Figure 5
  7. You can now log in to any SAP system from your web browser using the URL https://service_name:port_name/sap/bc/gui/sap/its/webgui/. For this article, it is https://saperp07.in.ibm.com:8443/sap/bc/gui/sap/its/webgui/:
    Figure 6
  8. After you log in to the SAP system with your username and password, a session cookie named MYSAPSSO2 is generated. You can use this SSO token to log in to any configured SAP system without providing a username and password. Many web applications can access this token, but you may not be able to access it from some browsers. To access the MYSAPSSO2 cookie, you may need to install a utility such as the FireBug or FireCookie plug-ins for Mozilla, or the HTTPWatch plug-in for Microsoft® Internet Explorer:
    Figure 7
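As an added example (not code from this article or from the adapter), the following Java snippet shows how an HTTP client that has logged in to the webgui service can pick the MYSAPSSO2 logon ticket out of the response's Set-Cookie headers and check that the ticket was issued with the Secure and HttpOnly attributes, so it is only ever sent back over HTTPS. The header lines are constructed samples and the ticket value is a placeholder.

```java
import java.net.HttpCookie;

/** Finds the MYSAPSSO2 logon ticket in Set-Cookie headers and checks how it was issued. */
public class LogonTicketCookie {

    // Constructed sample headers, as a client would receive them from the webgui
    // service after a successful login. The ticket value is a placeholder.
    static final String[] SAMPLE_HEADERS = {
        "Set-Cookie: sap-usercontext=sap-client=800; Path=/",
        "Set-Cookie: MYSAPSSO2=TICKET_VALUE_PLACEHOLDER; Path=/; Domain=.in.ibm.com; Secure; HttpOnly"
    };

    /** Returns the MYSAPSSO2 cookie, or null if no header carries one. */
    public static HttpCookie findLogonTicket(String[] setCookieHeaders) {
        for (String header : setCookieHeaders) {
            // HttpCookie.parse() accepts the header with or without the "Set-Cookie:" prefix.
            for (HttpCookie cookie : HttpCookie.parse(header)) {
                if ("MYSAPSSO2".equals(cookie.getName())) {
                    return cookie;
                }
            }
        }
        return null;
    }

    /** True when the ticket is restricted to encrypted transport and hidden from page scripts. */
    public static boolean issuedSafely(HttpCookie ticket) {
        return ticket != null && ticket.getSecure() && ticket.isHttpOnly();
    }

    public static void main(String[] args) {
        HttpCookie ticket = findLogonTicket(SAMPLE_HEADERS);
        if (ticket == null) {
            System.out.println("No MYSAPSSO2 cookie in the response");
            return;
        }
        // ticket.getValue() is the SAP logon ticket to pass to the adapter; do not log it in full.
        System.out.println("Ticket length: " + ticket.getValue().length());
        System.out.println("Issued with Secure and HttpOnly: " + issuedSafely(ticket));
    }
}
```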

Logging into SAP using the SAP logon ticket and WebSphere SAP Adapter

In this section, you will learn how to implement SSO for SAP using the WebSphere SAP Adapter and the SAP logon ticket. In this example, an outbound service is configured for the BAPI BAPI_CUSTOMER_GETDETAIL using the External Service wizard provided in IBM Integration Designer. This BAPI takes a customer number as input and retrieves the corresponding customer details from SAP. For information on how to install, configure, and deploy the WebSphere SAP Adapter, see the WebSphere Adapter for SAP Software documentation.

There are two ways to configure the SAP Adapter for SSO, and both procedures are described in the sections below:

  • Set a SAP logon ticket on the Service Generation and Deployment Properties screen in the External Service wizard. The Adapter uses this ticket at runtime to log in to the SAP system.
  • Set the SAP logon ticket dynamically in the SAP Adapter ConnectionSpec (outbound requests only).

Setting a SAP logon ticket using the Adapter External Service wizard

  1. Run the External Service wizard, provide the connection credentials, select the SAP interface (BAPI for this example), and discover the appropriate object. You also need to set the logon ticket on the Service Generation and Deployment Properties screen: under Security credential options, select Other. For more information on running the wizard and on the configuration steps, see the WebSphere Adapter for SAP Software documentation:
    Figure 8
  2. Under the Advanced properties section on the same page, enable SSO and set the logon ticket:
    Figure 9
    In the above screenshot, Secure Network Communication (SNC) is also enabled. While the SSO token alone is sufficient to log in to SAP, you should use the SSO token in conjunction with SNC because the SSO token should not travel over the network unencrypted. For more information on SNC configuration, see the developerWorks article Configuring SNC between SAP systems and clients using WebSphere Adapter for SAP Software V7.5.
  3. You can also set or edit this token value after completing the EMD wizard by using the Property View in the IID toolkit:
    1. Right-click on WebSphere SAP Adapter import in the assembly diagram and select Show in => Properties.
    2. On the Properties tab, select Binding => End-point configuration.
    3. Click Advanced properties and then enable and set the SSO token value. Configuration is now complete, and you can deploy and test the WebSphere SAP Adapter.

Set the SAP logon ticket dynamically in the SAP Adapter ConnectionSpec

In the procedure described above, you set the SAP logon ticket in advance, and every change to the SSO token requires you to redeploy the WebSphere SAP Adapter. In many real-world scenarios, however, you need to pass the logon ticket to the WebSphere SAP Adapter dynamically, supplying a different token for each login without redeploying the adapter. You can pass an SSO token or other connection parameters dynamically to the WebSphere SAP Adapter using the BusinessGraph, which has a child business object called properties, defined as an element in the BusinessGraph schema definition. This business object holds ConnectionSpec properties that are set dynamically into the ConnectionSpec on the WebSphere SAP Adapter. Here are the steps to pass the SAP logon ticket dynamically as part of an outbound request:

  1. While running the External Service wizard, enable the dynamic authentication function in the Composite Properties screen. It generates BusinessGraph as the top-level business object:
    Figure 10
  2. In the Service Generation and Deployment Properties screen, under Security Credentials, select Other as in the previous section, since you are passing the SSO token dynamically.
  3. Verify that BusinessGraph has been generated along with other artifacts, and that the WSDL file has the operations you selected:
    Figure 11
    Figure 12
  4. After verifying the artifacts, configure the ConnectionSpec class name in the ConnectionSpec properties:
    1. Right-click WebSphere SAP Adapter import in the assembly diagram and select Show in => Properties.
    2. On the Properties tab, select Binding => Endpoint configuration.
    3. On the ConnectionSpec properties tab, select the ConnectionSpec class name as com.ibm.j2ca.sap.SAPConnectionSpec.
    Figure 13
  5. Set the Resource authentication field in Security attributes to Application:
    1. Select Security attributes from Binding properties.
    2. Set the Resource authentication property to Application from Advanced properties. The default value is Container.
    Figure 14
  6. You have completed the ConnectionSpec configuration for SAP Adapter. Next, you need to write the Java code to set the SSO logon ticket on the configured ConnectionSpec. The connection properties set on the BusinessGraph are prefixed with CS to identify them as ConnectionSpec properties. So you need to set CSssoLogonTicket in the properties element of the BusinessGraph.
  7. From the Business Integration view, select File => New => Interface and create an interface. Add a request/response operation to it similar to a WSDL operation created by SAP Adapter. Also, add an additional input parameter of type String to pass the SSO logon ticket, as shown below. This interface exposes the WebSphere Adapter operation as a service to the outside world, with the SSO token as an additional input parameter:
    Figure 15
  8. Drag a Java component onto the Assembly Editor and add the interface created in the previous step to this component, as shown below. Wire this component to SAPOutboundInterface:
    Figure 16
  9. Right-click on the component and select Generate Implementation. In the component code, you will find the interface operation generated in Step 6 (BapiGetDetail(DataObject,String)). Set the dynamic ConnectionSpec properties (SSO token) in the properties child object of the BusinessGraph, as shown in the code.

    The code invokes the SAPOutboundInterface service, and passes the BusinessGraph object as input (variable name BapiInput in the example). After setting the SSO token, this service returns the SAP response object, which is returned back to the calling function. Here is the sample code:

    import com.ibm.websphere.sca.Service;
    import com.ibm.websphere.sca.ServiceManager;
    import com.ibm.websphere.sca.Ticket;
    import commonj.sdo.DataObject;
    
    public class DynamicSSOLogin {
    
        // ConnectionSpec property that carries the SAP logon ticket. The CS prefix
        // marks it as a ConnectionSpec property of the BusinessGraph.
        private static final String SSO_TICKET_PROPERTY = "CSssoLogonTicket";
    
        public DynamicSSOLogin() {
            super();
        }
    
        @SuppressWarnings("unused")
        private Object getMyService() {
            return (Object) ServiceManager.INSTANCE.locateService("self");
        }
    
        private Service _SAPOutboundInterfacePartner = null;
    
        // Lazily looks up the SCA reference wired to SAPOutboundInterface.
        public Service locateService_SAPOutboundInterfacePartner() {
            if (_SAPOutboundInterfacePartner == null) {
                _SAPOutboundInterfacePartner = (Service) ServiceManager.INSTANCE
                        .locateService("SAPOutboundInterfacePartner");
            }
            return _SAPOutboundInterfacePartner;
        }
    
        // Interface operation: BapiInput is the BusinessGraph, SSOToken the SAP logon ticket.
        public DataObject BapiGetDetail(DataObject BapiInput, String SSOToken) {
            if (SSOToken == null || SSOToken.length() == 0) {
                // Fail fast rather than send a request without a logon ticket.
                throw new IllegalArgumentException("SSO logon ticket must not be empty");
            }
            // The properties child exists only when dynamic authentication was
            // enabled in the External Service wizard (Step 1 of this section).
            DataObject prop = BapiInput.getDataObject("properties");
            if (prop == null) {
                throw new IllegalStateException(
                        "BusinessGraph has no properties element; enable dynamic authentication");
            }
            // Set the ticket so the adapter places it in its ConnectionSpec at runtime.
            prop.setString(SSO_TICKET_PROPERTY, SSOToken);
            Service serv = locateService_SAPOutboundInterfacePartner();
            // Invoke the adapter operation with the BusinessGraph as input and
            // return the SAP response to the caller.
            Object boReturn = serv.invoke("executeSapBapiCustomerGetdetail", BapiInput);
            return (DataObject) boReturn;
        }
    
        // Asynchronous response callback generated by the tooling; not used by the
        // synchronous invoke() above.
        public void onExecuteSapBapiCustomerGetdetailResponse(Ticket __ticket,
                DataObject returnValue, Exception exception) {
            //TODO Needs to be implemented.
        }
    }
  10. Now you can invoke the WSDL operation and pass the SSO token along with the BAPI input parameters. For testing, right-click on the Java component, select Test Component, set the parameter values, and click Continue. You can now pass a different SSO token with each input request without redeploying the adapter:
    Figure 17

Conclusion

This article showed you how to connect to an SAP system as an individual user who connects to the runtime server hosting the Adapter, instead of the typical case of a single static technical user configured using a J2C alias. The advantage of using the Adapter is that SAP can apply its fine-grained authorization and provide additional services based on knowledge of who the user is. For example, a user may have configured a user profile in SAP specifying German language and dates returned in DDMMYY format. Using an SSO logon ticket for connectivity to SAP also avoids "password fatigue," where users need to manage multiple passwords in large-scale SAP implementations. The article explained how to implement SSO using WebSphere SAP Adapter, and described the advantages of doing so, including the WebSphere SAP Adapter's QoS features such as assured-once delivery, transactionality, and first-failure data capture (FFDC).

Acknowledgement

The author would like to thank Jens Engelke from IBM BPM Development for reviewing this article.

Resources
