Configure Basic Authentication for SSO for the SAP integrator portlet

If you do not use the SAP navigation integration, but you want the SAP integrator portlet to pass the SAP SSO token to the users' browser, you need to use HTTP Basic Authentication for single sign-on for the SAP integrator portlet.

• We cannot have the SSO token passed by both the login filter and the portlet. If we use both the SAP navigation integration and the portlet, use only the login filter and configure it for the navigation integration.

• If you have multiple instances of the SAP integrator portlet, it can help to put common configuration settings for the instances into the WP Configuration Service. Typically, the difference in the configuration between several instances of the integrator portlet lies only in the SAP content URL setting. For details see Configure properties in the WP Configuration Service.
• For users to be able to add their credentials to the Credential Vault slot in the Integrator for SAP portlet, verify the following prerequisites are fulfilled:

  • The users must have the Privileged User role.

  • You must set the skin for the SAP integrator portlet to the standard skin or another skin that exposes the portlet context menu.

To configure HTTP Basic Authentication for single sign-on for the SAP integrator portlet:

1. In the Edit Shared Settings mode of the portlet IBM WebSphere Portal Integrator for SAP, create a Credential Vault slon that can later store users credentials. As an alternative method, we can use the WebSphere Portal administration for creating a slot. For details, see the topic Configure Integrator for SAP.

2. In the Edit Shared Settings mode of the SAP integrator portlet, set the configuration parameters listed in the topic about Configuration parameters for the SAP integrator portlet. If you do this, the portlet performs an HTTP request once for each user session to get an SSO cookie from the SAP NetWeaver Portal. For this it uses the user ID and password credentials that are configured for the selected Credential Vault slot and performs HTTP Basic Authentication against the SAP content URL. To get the setting of the cookie to the portlet response to work, configure the SAP SSO domain. If any of the parameters in the Edit Shared Settings mode of the portlet are missing in the configuration, WebSphere Portal does not perform an HTTP request.

3. Configure the following login and logout filters in the Resource Environment Provider WP Authentication Service:

   logout.explicit.filterchain   com.ibm.wps.integration.sap.logout.LogoutFilter 
   logout.implicit.filterchain   com.ibm.wps.integration.sap.logout.LogoutFilter 
   

   For details, see the topic Configure authentication filters.

4. Users must add their credentials to the slot. They can do this in the Personalize mode of the SAP integrator portlet, independent of whether to use the portlet itself for integration of content from the SAP NetWeaver Portal into your WebSphere Portal.

5. If you do not want users to be able to edit the user ID and password credentials that the integrator portlet uses with Basic Authentication, then we can revoke the Privileged User role at the portlet for these users. You do this using the Portal Access Control. This can be useful if we use a shared Credential Vault slot and a group of users share the same user ID and password for accessing the SAP NetWeaver Portal.

Parent: Configure Integrator for SAP
Related:
Configure authentication filters
Related:
Configure the size of the SAP integrator portlet
Related reference:
Configuration parameters for the SAP integrator portlet