Application Development Blog Posts
Koen_VL
NOTE: This scenario is based on logon tickets, which are no longer recommended: http://service.sap.com/sap/support/notes/2117110

- SAP Moderator

Scenario

You want to enable SAML single sign-on (SSO) for SAP GUI for Windows.

You have these components in place: a SAML 2.0 identity provider (IdP), SAP GUI for Windows, Internet Explorer and SAP NetWeaver AS ABAP 7.02 or higher.

SAP GUI has no native SAML support. To make this work, we combine two existing features: the "legacy systems support" of the ABAP SAML service provider, which issues an SAP logon ticket (the MYSAPSSO2 cookie) once the SAML assertion has been accepted, and SAP GUI shortcut SSO, which can log on with such a ticket. The browser session does the SAML exchange, and the ticket is then handed to SAP GUI inside a shortcut file.


Solution components

  1. Enable SAML authentication on the ABAP system in transaction SAML2 and exchange metadata with your IdP:
     http://help.sap.com/saphelp_nw70ehp2/helpdata/en/4a/b6df333fec6d83e10000000a42189c/content.htm
     The setting that matters here is "Legacy Systems Support (Issue Logon Ticket)" in the SAML Local Provider Configuration: set it to "On". Without it no MYSAPSSO2 cookie is issued after the SAML logon, and the shortcut has nothing to log on with.

  2. Build a BSP application that establishes the SAML SSO with the IdP. This BSP application takes the cookie from the browser and puts the logon ticket into a SAP GUI shortcut. More information on SAP GUI shortcut SSO: Single Sign-On for SAP Shortcuts - User Authentication and Single Sign-On - SAP Library


BSP application:

    • Start page launchGui.htm: reads the cookies in the browser and posts them to the BSP page that creates the shortcut file.
      (source code attached in launchGui.txt.zip)

    • Page createSapGuiShortcut.htm: parses the posted cookie string, extracts the MYSAPSSO2 logon ticket and returns a SAP GUI shortcut file that contains it.
      (source code attached in createSapGuiShortcut_OnRequest.txt.zip)


Put this BSP application in the "Default Application Path" of the "Assertion Consumer Service" setting of the SAML service provider, so that the browser is sent to it once the assertion has been consumed.

Now start an IdP-initiated request. After successful authentication against the IdP, the BSP application takes the MYSAPSSO2 cookie from the browser session and puts it into the SAP shortcut file. Opening the shortcut file starts SAP GUI and logs on with the logon ticket. Depending on a registry setting in Windows, the user either gets a popup asking whether to open the shortcut file, or SAP GUI starts immediately; this setting and how to influence it are described in SAP note http://service.sap.com/sap/support/notes/604324.

Keep in mind what this hands out: the shortcut is a plain text file that contains the logon ticket, and the ticket is a bearer credential that the ABAP system accepts until it expires. Whoever can read the downloaded .sap file (download folders, shared machines, backups) can log on as that user for the remaining lifetime of the ticket.
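As an added, runnable illustration of what the two BSP pages do with the cookie and the shortcut file (this is example code written for this page, not the post's BSP code, and it runs outside SAP): the function names, the sample Cookie header and the ticket value are constructed for the example; the shortcut sections and keys are the ones used in the post.

```python
"""Cookie-to-shortcut handling as done by the BSP pages above, in Python.

Example code added for this page (not the post's BSP code). The Cookie header
and the ticket value are constructed; the shortcut keys follow the post.
"""
from __future__ import annotations

import configparser
from typing import Dict, Optional


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Turn "a=1; MYSAPSSO2=AjEx...; b=2" into {"a": "1", "MYSAPSSO2": ...}.

    Each pair is split at its first '=' only, because the base64 ticket may
    itself end in '=' padding, and the key is stripped of the blank that
    follows every ';' (an ABAP sample in the comments compares the key
    without stripping it and therefore never matches).
    """
    pairs: Dict[str, str] = {}
    for token in header.split(";"):
        if "=" not in token:
            continue  # attribute without a value, ignore
        key, _, value = token.partition("=")
        pairs[key.strip()] = value.strip()
    return pairs


def build_shortcut(sysid: str, client: str, user: str, ticket: str,
                   command: str = "SMEN") -> str:
    """Render the SAP GUI shortcut body that logs on with a logon ticket.

    Refuses to run without a ticket: a shortcut without at="MYSAPSSO2=..."
    only produces the password prompt several commenters ran into.
    """
    if not ticket:
        raise ValueError("no MYSAPSSO2 logon ticket available")
    lines = [
        "[System]",
        f"Name={sysid}",
        f"Client={client}",
        "[User]",
        f"Name={user}",
        f'at="MYSAPSSO2={ticket}"',
        "[Function]",
        f"Command={command}",
        "[Options]",
        "Reuse=0",
    ]
    return "\r\n".join(lines) + "\r\n"  # CRLF, as cl_abap_char_utilities=>cr_lf


def ticket_in_shortcut(body: str) -> Optional[str]:
    """Read a shortcut file back and return the logon ticket it carries.

    This is what anybody with read access to the downloaded .sap file gets:
    the ticket sits in clear text and is a bearer credential until it expires.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case so "Name" and "at" are found as written
    cp.read_string(body)
    at = cp.get("User", "at", fallback="").strip('"')
    prefix = "MYSAPSSO2="
    return at[len(prefix):] if at.startswith(prefix) else None


def shortcut_from_cookie_header(header: str, sysid: str, client: str,
                                user: str) -> str:
    """The whole BSP flow in one call: cookie header in, shortcut file out."""
    ticket = parse_cookie_header(header).get("MYSAPSSO2", "")
    return build_shortcut(sysid, client, user, ticket)


if __name__ == "__main__":
    # Constructed sample: the ticket is a placeholder, not a real logon ticket.
    sample = "sap-usercontext=sap-client=100; MYSAPSSO2=AjExMDAgQ0VEQQ==; sap-login=1"
    body = shortcut_from_cookie_header(sample, "ECD", "100", "VIKAS")
    print(body)
    print("ticket recoverable from file:", ticket_in_shortcut(body))
```

`ticket_in_shortcut` is the part worth trying on a real download: it reads the ticket straight back out of the file, which is exactly what any other process or user with access to that file can do.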



User mapping

In a typical scenario the user names of the ABAP system are not identical to those on the IdP. To handle this you can use the user mapping described here: Mapping SAML Principals to AS ABAP User IDs - User Authentication and Single Sign-On - SAP Library

To enable this mapping, set "Supported NameID Formats" for the trusted provider in the SAML configuration to "Unspecified", and in the details of that NameID format set the source to "Mapping in USREXTID table". Then go to "Name ID Management", select the user you want to map, choose the NameID format "Unspecified" and add the IdP user name there. This creates an entry in VUSREXTID (the maintenance view of table USREXTID). Alternatively, you can populate that table directly as described in note http://service.sap.com/sap/support/notes/1362866

30 Comments
Former Member

Ahhh.. it was just a matter of time until someone got this to work for a SAML request.

Well done  🙂

Cheers,

Julius

former_member213644

Hi Koen,

We are implementing your scenario.  We have a non-SAP vendor Identity Provider and that is connecting to our ABAP system, which has been configured as you specified to act as a Service Provider.  Then on the ABAP system, we deployed the BSP application with the source code you had provided.  Now, when we enter the BSP application URL in the Internet Explorer browser, we see that it is redirecting to the identity provider where we provide our user credentials, then it comes back to our ABAP system domain and immediately we get the pop-up to launch the SAPgui shortcut.  When we open the shortcut, instead of automatically logging us into the system, we are having to type in our ABAP user ID and password.  Can you let us know what we might be missing?  Here is a workflow of what we are doing with screenshots:

1) Initiate test by entering to URL of BSP application in browser:

2) URL is directed to Identity provider domain for authentication where we enter AD user credentials of the Identity provider:

3) After Identity provider authenticates, URL is now redirected back to Service Provider domain and BSP application is launched, which creates the sapgui shortcut pop-up:

4) After opening the pop-up, get this prompt and say allow:

5) Then, here is where we have the issue.  Instead of automatically logging into the SAP ABAP System, it is prompting for our ABAP User that is defined through SU01 (we have kept it same as Identity Provider AD account user).  So, I am forced to enter the abap user password:

6) After entering the password, it asks for it another time.  Not sure why this is happening either.  Please advise on this as well:

7) After entering it, now it finally logs into the system. Can you please advise where we are missing something?  Why does it prompt for ABAP user password?

8) I have attached screenshots of how we defined the BSP application via SE80 as per downloading your source code:

Does this mean SAML is not working?  Or is it a problem with the BSP application that you have given us?  Thanks for any feedback or help!

Koen_VL

Hi Vikas,

Most probably the issue is that you do not have a MYSAPSSO2 logon cookie.

Check these settings:

  1. The parameters as described here: Activating HTTP Security Session Management on AS ABAP - User Authentication and Single Sign-On - SA...
  2. On the ABAP system in transaction STRUSTSSO2, make sure that your system is added to the ACL for logon tickets.
  3. In the configuration of the SP (transaction SAML2), make sure the flag "Legacy Systems Support" is set to "On".

hope it helps

Koen

former_member213644

Hi Koen,

Yes, I suspect the mySAPSSO2 cookie being as issue as well, but I have already done all the settings you had mentioned and still SSO doesn't seem to work.

1. Here are our http security session settings which show it is active.  Parameters are correct as well as per Activating HTTP Security Session Management on AS ABAP - User Authentication and Single Sign-On - SA...

2.  In strustsso2, the SSF SAML2 Service Provider - E and SSF SAML2 Service Provider - S both have the ABAP system (ECD) defined in the ACL.

3.  The SAML2 config settings for the service provider have already been turned on for legacy support so that it can issue logon tickets:

As you can see all our settings match with the requirements of an SSO setup, yet still having issues.  Can you please advise?  Thanks!

Koen_VL

Hi Vikas,

All settings seem to be correct.

Can you test whether you get the SSO ticket when you execute the function module CREATE_RFC_REENTRANCE_TICKET in SE37?

koen

wlacaze
Hi,
I'm implementing SSO with Google for Work. The SAML part is working well; I tried to implement the solution that you propose in your blog, but it is not working.
The system doesn't pass the cookie from launchgui.htm to the createsapguishortcut page, although I see the MYSAPSSO2 cookie on launchgui.htm.
Do you have any advice?
Thanks
dyaryura
Hi all,


I had the same issue with the cookie not being passed to the shortcut. Instead of getting the cookie from the browser, I used the FM CREATE_RFC_REENTRANCE_TICKET mentioned by Koen to get the MYSAPSSO2 token directly from the ABAP application into the variable "mysapsso2", and it worked for me.
Wondering if this is working only in my scenario due to some config or it also works for you...


Thanks
Diego I. Yaryura
Koen_VL
Hi Diego,

Thanks for the response. That is actually how I have implemented it now too. Getting the cookie from the browser is often problematic, since reading it from the browser is typically blocked for security reasons.

koen

Hello Koen,

How may I get the code from your examples above?

Thanks,

Noe
Koen_VL
Sure, put this code in the onCreate event of the BSP page.

 
  DATA:
    shortcut_file    TYPE string,
    x_shortcut_file  TYPE xstring,
    mysapsso2_cookie TYPE string,
    exception_bcs    TYPE REF TO cx_bcs.

* Let the kernel issue a logon ticket for the user of the current session
* (who was just authenticated via SAML). This replaces reading the MYSAPSSO2
* cookie in the browser, which is usually blocked.
  CALL FUNCTION 'CREATE_RFC_REENTRANCE_TICKET'
    IMPORTING
      ticket                 = mysapsso2_cookie
    EXCEPTIONS
      ticket_logon_disabled  = 1
      ticket_creation_failed = 2
      kernel_too_old         = 3
      OTHERS                 = 4.
  IF sy-subrc <> 0 OR mysapsso2_cookie IS INITIAL.
*   No ticket (logon tickets disabled, system missing from the STRUSTSSO2 ACL, ...):
*   do not hand out a shortcut that would only prompt for a password.
    RETURN.
  ENDIF.

* Build the SAP GUI shortcut file: system, client, user with the logon ticket
* as "at" parameter, then the transaction to start.
  CONCATENATE '[System]' cl_abap_char_utilities=>cr_lf INTO shortcut_file.
  CONCATENATE shortcut_file 'Name=' sy-sysid cl_abap_char_utilities=>cr_lf INTO shortcut_file.
  CONCATENATE shortcut_file 'Client=' sy-mandt cl_abap_char_utilities=>cr_lf INTO shortcut_file.
  CONCATENATE shortcut_file '[User]' cl_abap_char_utilities=>cr_lf INTO shortcut_file.
  CONCATENATE shortcut_file 'Name=' sy-uname cl_abap_char_utilities=>cr_lf INTO shortcut_file.
  CONCATENATE shortcut_file 'at="MYSAPSSO2=' mysapsso2_cookie '"' cl_abap_char_utilities=>cr_lf INTO shortcut_file.
  CONCATENATE shortcut_file '[Function]' cl_abap_char_utilities=>cr_lf INTO shortcut_file.
  CONCATENATE shortcut_file 'Command=SMEN' cl_abap_char_utilities=>cr_lf INTO shortcut_file.
  CONCATENATE shortcut_file '[Options]' cl_abap_char_utilities=>cr_lf INTO shortcut_file.
  CONCATENATE shortcut_file 'Reuse=0' cl_abap_char_utilities=>cr_lf INTO shortcut_file.

  TRY.
      x_shortcut_file = cl_bcs_convert=>string_to_xstring( iv_string = shortcut_file ).
    CATCH cx_bcs INTO exception_bcs.
*     Conversion to xstring failed; there is nothing to download.
      RETURN.
  ENDTRY.

* Send the file to the browser as a SAP shortcut download.
  cl_bsp_utility=>download(
    object_s     = x_shortcut_file
    content_type = 'application/x-sapshortcut'
    response     = runtime->server->response
    navigation   = _M_navigation ).
 
Sorry, I lost the attachment for the source code.

Could you please help me?

 

 
Hi koen.vanloocke2,

Can you help by passing on the attachments for the BSP application?

 

Thanks !!
deb_nugent2
Koen Van Loocke,

The code attachments for the BSP application appear to still be missing. Would it be possible to re-attach them or provide a way for us to see them?

We are trying to enable SAML2 authentication for use with the SAPGui for accessing the ABAP systems and this blog appears to be exactly what we need.

Any assistance would be greatly appreciated.

Thank-you in advance,

Deb Nugent.

 
Former Member

Koen Van Loocke,

We are trying to install the BSP application. Would you mind letting us know where we can download the source zip files?


Thanks

Ronnie Lau

Hi koen,

 

Hope you are doing well.  We are working with a 3rd-party IdP and are following this document.  However, the source code mentioned in the document ("launchGui.txt.zip" and "SapGuiShortcut_OnRequest.txt.zip") is not accessible; can you please let us know where we can find both zip files?

 

Any suggestion is greatly appreciated.

Thanks,

Judy

Hi Vikas,

Hope you are doing well.  I was just reading this blog and am having trouble accessing the source code mentioned in the document.  Since you mentioned you have deployed the BSP application with the source code the author provided, can you please let me know where I can find the source code included in "launchGui.txt.zip" and "createSapGuiShortcut_OnRequest.txt.zip"?  Any suggestion is greatly appreciated.

Thanks,

Judy

Attachments please

Dear experts,
Hope everyone is safe and healthy. Thank you for the code and event handler; it worked in Internet Explorer, but it does not run in Chrome 80 and Safari. In Chrome it simply saves the htm file locally. Any idea how to make it work for the Chrome and Safari browsers? Please advise.

Thanks
 

former_member256258
Same here: we use Edge (Chromium), which just opens the file, but nothing else happens. Any idea?

Thanks

Thanks koen.vanloocke2.

I have tried it with the provided details and it works for me.

Launching the web URL creates a SAP GUI shortcut file, then pops up the SAP GUI logon pad and then automatically logs in to the system with the SSO ticket.

Code is attached for the 'OnRequest' event handler of page 'createSapGuiShortcut.htm' and the layout of page 'launchGui.htm'.
** Event handler --> OnRequest of page createSapGuiShortcut.htm
** The handler is called whenever a request is made for a particular page;
** here it reads the cookie string that launchGui.htm posted in form field "cookie".

  DATA:
    cookie        TYPE string,   " drop this line if "cookie" is an auto page attribute
    cookies       TYPE TABLE OF string,
    cookie_token  TYPE string,
    cookie_key    TYPE string,
    cookie_value  TYPE string,
    mysapsso2     TYPE string,
    shortcut_file TYPE string.

  cookie = request->get_form_field( 'cookie' ).

* document.cookie arrives as "name1=value1; name2=value2; ...". Split at ';',
* then at the first '=' only: the remainder of the token goes into cookie_value,
* so a base64 ticket that ends in '=' padding stays intact.
  SPLIT cookie AT ';' INTO TABLE cookies.
  LOOP AT cookies INTO cookie_token.
    SPLIT cookie_token AT '=' INTO cookie_key cookie_value.
    CONDENSE cookie_key.   " remove the blank that follows each ';'
    IF cookie_key = 'MYSAPSSO2'.
      mysapsso2 = cookie_value.
      EXIT.
    ENDIF.
  ENDLOOP.

  IF mysapsso2 IS INITIAL.
*   No logon ticket was posted (e.g. the cookie is HttpOnly and invisible to
*   the script, or legacy systems support is off). Refuse instead of returning
*   a shortcut that would only prompt for a password.
    runtime->server->response->set_status( code = 403 reason = 'No MYSAPSSO2 logon ticket' ).
    navigation->response_complete( ).
    RETURN.
  ENDIF.

* Build the SAP GUI shortcut file with the ticket as "at" parameter.
  CONCATENATE '[System]' cl_abap_char_utilities=>cr_lf INTO shortcut_file.
  CONCATENATE shortcut_file 'Name=' sy-sysid cl_abap_char_utilities=>cr_lf INTO shortcut_file.
  CONCATENATE shortcut_file 'Client=' sy-mandt cl_abap_char_utilities=>cr_lf INTO shortcut_file.
  CONCATENATE shortcut_file '[User]' cl_abap_char_utilities=>cr_lf INTO shortcut_file.
  CONCATENATE shortcut_file 'Name=' sy-uname cl_abap_char_utilities=>cr_lf INTO shortcut_file.
  CONCATENATE shortcut_file 'at="MYSAPSSO2=' mysapsso2 '"' cl_abap_char_utilities=>cr_lf INTO shortcut_file.
  CONCATENATE shortcut_file '[Function]' cl_abap_char_utilities=>cr_lf INTO shortcut_file.
  CONCATENATE shortcut_file 'Command=SMEN' cl_abap_char_utilities=>cr_lf INTO shortcut_file.
  CONCATENATE shortcut_file '[Options]' cl_abap_char_utilities=>cr_lf INTO shortcut_file.
  CONCATENATE shortcut_file 'Reuse=0' cl_abap_char_utilities=>cr_lf INTO shortcut_file.

* Return the shortcut as the response body. Without Content-Disposition the
* browser names the download after this page (createSapGuiShortcut.htm); the
* commented line hands it out as login.sap instead.
  runtime->server->response->set_header_field( name = 'content-type' value = 'application/x-sapshortcut' ).
* runtime->server->response->set_header_field( name = 'Content-Disposition' value = 'attachment; filename="login.sap"' ).
  runtime->server->response->set_cdata( data = shortcut_file ).
  navigation->response_complete( ).   " do not render the page layout on top of the file


Page --> launchGui.htm --> layout

<html>
<head>
<title>Launch SAP Gui</title>
<script>
// Copy every cookie this script can see into the hidden form field and post
// it to the page that builds the shortcut. document.cookie never exposes
// cookies flagged HttpOnly, so MYSAPSSO2 is missing if it is set that way.
function ReadCookie() {
  document.createShortCut.cookie.value = document.cookie;
  document.createShortCut.submit();
}
function CloseWindows() {
  window.open('', '_parent', '');
  window.close();
}
</script>
</head>
<!-- JavaScript names are case-sensitive: the timeout must call CloseWindows, not closeWindows -->
<body onLoad="ReadCookie(); window.setTimeout('CloseWindows();', 300);">
<form action="createSapGuiShortcut.htm" method="POST" name="createShortCut">
<input type="hidden" name="cookie" />
</form>
</body>
</html>
former_member735840

How to get source code(launchGui.txt.zip and SapGuiShortcut_OnRequest.txt.zip)?

Please help me.

Email: kszun76@gmail.com

former_member757687
How to get source code(launchGui.txt.zip and SapGuiShortcut_OnRequest.txt.zip)?

Please help me.

Email: guyunlong2009@126.com
former_member757687
Do you get source code?
Vignesh_Sridhar
Hi koen.vanloocke2,

Please help to attach the source code.

Thanks in advance!!

Email : s.vignesh.sridhar007@gmail.com

 
Elirullsab
Hello

I need the source code(launchGui.txt.zip and SapGuiShortcut_OnRequest.txt.zip)

Thanks in advance!!

Email : elirull@hotmail.com
monty79
Would you please send attached files with relevant code (launchGui.txt.zip & SapGuiShortcut_OnRequest.txt.zip) to my e-mail, alexey.filipchenko@gmail.com?

Thanks!
former_member75153
Hi koen.vanloocke2,

Can you please share the attached file with me via email nhanhnguyen@kpmg.com.vn

 

Thanks,

Nhan
Koen_VL
Hi Nhan,

Please see the comment of the SAP moderator at the top of the post. This should no longer be used.

Regards

 

Koen
former_member75153
Thanks Koen, have a good day!

Regards,

Nhan
danielcarpio140
Hi Koen,

Good contribution! But I think this solution should no longer be recommended, for a simple reason: "SAML 2.0 SSO for SAPGui is not supported by SAP. SAML 2.0 is an authentication method only for web-based access (e.g. WebGui)".

Please check the KBA 2564192 - Is that possible to use SAML2.0 with SAP GUI connections?