How to configure your SAP applications for Single Sign-On

Evidian Enterprise Single Sign-On integrates different forms of scripts that will help you configure easily your SAP solution for Single Sign-On. This tutorial will demonstrate a configuration of Single Sign-On for SAP logon in a few clicks.

The SSO studio integrates multiple forms of scripts adapted to different types of applications.

Evidian E-SSO allows you to only have to remember one password for all of your applications. The solution is built for a seamless user experience. Indeed you will not need to modify any of your SAP applications or need to code a particular script.

The SAP plug-in is integrated in Enterprise Single Sign-On.

The SSO studio allows you to detect new applications, either web based, desktop as well as legacy applications.

The goal of Evidian Enterprise SSO is to be easily configurable by anyone inside the organization. Thus adding an application to your SSO engine will be possible for anyone among your company.

Every collaborator may add his own SAP application, and can do so in a few clicks.

The SAP GUI scripting integrated in the solution will help collaborators to easily add their SAP applications to the solution.

Prerequisites

  • SAPGUI 6.20 Scripting must be activated on the SAP R/3 server, with the following parameter:

Sapgui/user_scripting = TRUE

  • SAPGUI Scripting must be activated on the SAP R/3 client.
  • The connection description in the SAPLogon must not use the slow connection parameter.
  • SAPGUI Scripting works only with the new SAP R/3 visual design.

Configuration Guide

In this section:

Configuring an SAP R/3 Application

An application should be configured with the Enterprise SSO configuration editor. For SAP R/3 applications, use the SAP application model in Enterprise SSO Studio.

Configuring an Application for SAPGUI Scripting

If you use SAPGUI Scripting window types, the OLE/automation option in the configuration is not required. It should, therefore, be left inactivated.

Configuring the SAPGUI Scripting Window

The Detection Tab

The detection of SAP R/3 connections is based on their connection servers or server groups:

To specify an SAP R/3 server or group of servers, use the following options:

  • Name (mandatory): server name (SAP R/3 hostname) or server group name for which SSO is to be performed.
  • SAP system name: SAP R/3 name of the system in 3 characters (database ID).
  • Direct server connection
  • Detect the System Number: provide the SAP R/3 System Number if the target server is running more than one copies of SAP R/3.
  • Group with load balancing
    Message Server
    : enter the SAP R/3 message server name as it is configured in the SAPLogon module if there are a several SAP R/3 groups with the same name but with different messages servers.

 

The Actions Tab

Description of the SAP R/3 parameters 

At authentication time, Enterprise SSO can fill the language and client name fields as defined in the SAP R/3 application model. These parameters must be declared in the Parameters tab of the application object.

  • Automatic validation of the credentials: the user does not have to validate the credentials sent by E-SSO to start an SAP session. The Auto validate login page check box is selected by default.
  • Changing the SAP R/3 user’s password: by default, Enterprise SSO manages the authentication process, and the user cannot change his or her SAP R/3 password at this stage but must use the password change transaction once connected. To avoid the complexity inherent in this procedure, activating this option will result in Enterprise SSO asking the user if a change of password should be made during connection to SAP R/3; Enterprise SSO will then manage all the password change processes as required.
  • Automatic validation of the connection notification: the SAPGUI Scripting technology causes a message to appear, notifying the user that a script is connecting to SAPLogon. By activating this option, and by declaring the notification window title (by default this is saplogon), Enterprise SSO will automatically validate the notification as required. The notification will still appear in non-Enterprise SSO connections, and therefore for other scripts.
  • To define error messages, click the Errors button:

Error messages are detected by Enterprise SSO so that it can react when there is a password desynchronization problem, when there is a password change, or if the new password is refused by the SAP R/3 system. In addition to the pre-configured error messages, you can declare your own specific messages:

  • By content: enter a message and assign a meaning to it. Enterprise SSO will look for the message in the status bar or error dialog box. In this case, it is the message string that is looked for. It is dependent, therefore, on the language of the SAP R/3 client.
  • By reference: if you also specify the SAP R/3 ABAP reference of the message, Enterprise SSO will look for the reference of the message, and not its content. Thus, it becomes independent from the client language. In this case, the content of the message field is simply for informative purpose.

The list of message references can be found using the transaction SE16, table T100.

Authentication steps:

  • Connection refused: the SAP R/3 system has refused the connection. The user may be locked, or the server unavailable.
  • Invalid password: the user password is incorrect. A new password is requested through Enterprise SSO’s data collection windows.
  • New password refused: the user has just changed the password, but the SAP R/3 system does not accept it. A new password is requested through Enterprise SSO’s data collection windows.

 

For more information on SAP configuration on Enterprise SSO please refer to the "Enterprise SSO administrator Guide" in the SAP R/3 Plug-in section