Connector for SAP Business Suite - Developer's Manual part 5 - Personalized SAP access / Single Sign On (SSO)
In some scenarios, it is necessary to use a personalized SAP access.
At least the system user stored in the SAP data source is used for access to
SAP. However, it is also possible to use a user-dependant SAP user
to then observe the permissions defined in the SAP system or avoid
logging in to SAP again. This section will explain how requirements
Password check by SAP
Access to SAP with the real SAP user
Calling SAP websites (WebDynpro, BSP applications) with Single Sign On (SSO)
Starting SAPGUI transactions with the transfer of parameters
can be implemented.
1. Login mode
The login mode plays a role in many places with SAP access.
The following login modes are used by the Connector for SAP Business Suite:
Use the system user defined in the SAP data source
Exclusive use of the personal login information of the
logged-in portal user. This information is determined
without login information being determined.
If this information is incorrect, access to SAP is not possible.
Intrexx attempts to make access in the user mode. If this is
not successful, the system mode is used.
The login information for each portal user can be defined
as an external login
in the Intrexx User Manager.
Which external login is used for connecting to the SAP system can be specified
in the SAP data source.
Alternatively, a portal login
with a password check against the SAP system is possible. Here, the
password entered is checked against the specified SAP system.
Intrexx needs to have an identically named user base for this. Parallel
password maintenance / replication is not necessary in this case.
This login method also enables Single Sign On scenarios
via SAP logon tickets.
Via the script API of the Connector for SAP Business Suite, you can
deliberately influence the personalized access to enable further
login scenarios in projects.
2. SAP login modules
Intrexx login modules enable authorization to the portal from
external positions. The check against an external LDAP server is
included in the standard login modules, for example.
Intrexx must have a user master for each possible portal user. This does not have
to contain a password check but needs to be able to be
via Intrexx tools. The Connector for SAP Business Suite comes with
its own login modules that implement the password checks from SAP
for SAP users, SU05 internet users or SAP business partners.
The portal login and the login module to be called are managed in the
configuration file "LucyAuth.cfg" of the portal. A login configuration that
first checks the SAP user master, then the SU05 Internet users of the
customer master and then the Intrexx standard login is shown here:
The SAP login module used here is the prerequisite for generating
SAP logon tickets
that are used in Single Sign On scenarios. When the portal user successfully
logs in to the SAP system, such a ticket is automatically generated,
which can then be used later to integrate SAP internet pages or SAP shortcuts.
3. Single Sign On with SAP logon tickets
Single Sign On (SSO) or avoiding unnecessary multiple logins is achieved
with Intrexx via SAP logon tickets. For more information, see SAP Note 304450,
for example. The SAP server must issue and accept SSO tickets
(RZ10 parameters "login/accept*" and "login/create*"). Transaction
"TRUSTSSO2" must also be initialized. The portal generates a ticket
using the SAP function module "SUSR_CHECK_LOGON_DATA" in the specified
SAP system, which is later available for SSO scenarios. This procedure
is provided by the SAP login modules.
The SAP System must be configured
to use logon tickets (see SAP Note "612670"). Currently, there is only support
for authorization with an SAP user name/alias and password
(function module "SUSR_CHECK_LOGON_DATA: AUTH_METHOD ="P"").
Further tests may be made available at a later date or can be implemented in projects.