2786913-Fiori: SSO does not work or incorrect client for some Web Dynpro/WebGUI applications, but works for others Symptom When opening a WebGUI (SAP GUI for HTML) or Web Dynpro application/tile from the Fiori Launchpad, SSO does not work or the incorrect client is used so the end user is presented with a logon screen. WEBGUI is a SAP GUI for HTML where you can access SAP system from your browser without installing any SAP frontend software. WebGUI is a standard feature of SAP which can be launched by tcode WEBGUI or as per note 2203575.
Symptom
SSO failed when you run transaction from SAP GUI which opens a browser session and SSO is expected. The transaction might be NWBC, SOAMANAGER, SOLMAN_SETUP, SM_WORKCENTER, DBACockpit, etc. You may see the following unexpected page or popup:
- A popup dialog of logon
- A Blank page
- A logon page
In this case, the execution of report SAPHTML_SSO_DEMO will fail also.
Please note there are also some transactions which open browser but are not designed for SSO, such as WEBGUI and newer versions of Solution Manager that use Fiori applications (rather than older versions that used webdynpro applications) for SM_WORKCENTER etc. If the execution of report SAPHTML_SSO_DEMO works well but SSO for one transaction doesn't work in the same ABAP system, it means the transaction is not designed for SSO.
Read more...
Environment
Keywords
SSO, NWBC, SOAMANAGER, SOLMAN_SETUP, SM_WORKCENTER, DBACockpit, Logon Ticket, SAPHTML_SSO_DEMO, myssocntl, FQDN, FQHN,SOLMAN_WORKCENTER , KBA , mysapsso2 , BC-MID-ICF , Internet Communication Framework , Problem
About this page
This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP ONE Support launchpad (Login required).Search for additional results
Visit SAP Support Portal's SAP Notes and KBA Search.
Instead of using the user ID and password to access a service from the Web Application Server ABAP via HTTPS, it is possible to use a client certificate for authentication purposes.
Import the CA certificate into the SSL server Standard
As a given user ID holds a certificate from a trusted CA, the certificate from the CA must be imported into the SSL server Standard PSE via STRUST. Just click on the button highlighted by the red rectangle:
Once the certificate is loaded, just click in the “Add to Certificate List” button (see “1” in red); the certificate will be displayed in the “Certificate List” section (see “2” in red):
Maintain the client certificate
It is necessary to map the client certificate with the actual user ID in the ABAP system. It is time to use transaction code SM30, loading maintenance view “VUSREXTID“:
The “External ID type” is “DN”:
Click on the “New Entries” button to add the client certificate (DN) and map to the existent user ID in the ABAP side:
Inform the External ID (the DN field of the client certificate), the user ID (as created in transaction code SU01), then mark the “Activated” checkbox and save the entry. The information presented is:
There are cases where the DN length from the user ID exceeds the length of column EXTID in table USREXTID. This is not a problem: just use the button highlighted (red square) above to load the actual certificate. The system is able to store the entire subject name in the database table or calculates a hash value (and store the original subject name in a second database table).
Webgui File Browser
At last, but not least, profile parameter icm/HTTPS/verify_client must be set to 1 (if the system should accept the client certificate) or 2 (the use of client certificates is mandatory).
Test if the SSO is working
For testing purposes, I used the WEBGUI internet service (via HTTPS) to test if the SSO works (assuming that the WEBGUI was correctly setup in the system): https://<FQDN>:<HTTPS port>/sap/bc/gui/sap/its/webgui
The SM50 logon trace (SAP note 495911) shows the following:
Sap Webgui Sso Tutorial
Sap Fiori Webgui Sso
You can read more about the use of X.509 certificates in AS ABAP in the SAP Help page.