Skip to content

SSO with External ID

The following article shows how to set up Single Sign-On (SSO) with Secure Network Communication (SNC) and External ID.
SSO with External ID uses a Personal Security Environment (PSE) to create a trust relationship between the SAP application server and the service account that runs Board Connector. This allows Board Connector to impersonate any SAP user.

Requirements

The usage of SSO with External ID requires:

For more information on PSE, see SAP Help: Creating PSEs and Maintaining the PSE Infrastructure.

The Process

SSO with External ID uses an X.509 certificate & PSE to create a trust relationship between the SAP application server and the service account that runs Board Connector. This allows Board Connector to impersonate any SAP user.

sap-external-id

  1. Users authenticate themselves against Board Connector via Active Directory (Kerberos) and request data from SAP.
  2. Board Connector opens an RFC connection via SNC and uses PSE & External ID for authentication.
  3. Board Connector reads the SAP table USRACL to determine the SAP user that is mapped to the Active Directory user from step 1.
  4. Board Connector then impersonates the mapped SAP user to request the SAP data via SNC.
  5. Board Connector retrieves the requested SAP data with the privileges of the caller.
  6. Board Connector loads the extracted SAP data to the tool that triggered the extraction.

Setup in SAP

  1. Use the SAPGENPSE command line tool to generate an X.509 certificate for the Windows service account that runs Board Connector.
    Use the following command to create the certificate:
    sapgenpse gen_pse -p theo-bc.pse
    
    The distinguished name of the PSE owner can be the fully qualified hostname of the Board Connector server, e.g., CN=bcserver.example.com.
  2. Use the the following command to export the certificate:
    sapgenpse export_own_cert -v -p theo-bc.pse -o theo-bc.crt
    
  3. Use SAP transaction STRUST to add the certificate to the list of trusted PSE certificates, see SAP Help: Adding Certificates to PSE Certificate Lists.
  4. Use SAP transaction SNC0 to create an access control list item that allows RFC and external IDs for the Common Name (CN) of the certificate created in step 1.
    sap-external-id
  5. Use SAP transaction STRUST to export the server certificate of the SAP server, see SAP Help: Exporting the AS ABAP's Public-Key Certificate.
  6. Copy the exported server certificate to the PSE directory of the machine that runs Board Connector.
  7. Use the SAPGENPSE command line tool to import the server certificate to the client PSE. Example:
    sapgenpse maintain_pk -v -a server.crt -p theo-bc.pse
    
  8. Use the following command to create a credentials file (cred_v2), see SAP Help: Creating the Server's Credentials Using SAPGENPSE.
    sapgenpse seclogin -p theo-bc.pse –O SAPServiceUser
    
    The credentials file gives Board Connector access to the PSE without providing the password for the PSE.

The PSE directory should now contain the following files:

  • the client PSE theo-bc.pse
  • the client certificate theo-bc.crt
  • the server certificate that was exported from your SAP system [server].crt
  • the credentials file cred_v2

Setup in Board Connector

Create a new SAP source system in your Board Connector to set up SSO with External ID:

  1. Navigate to [Server > Manage Sources] in the main menu of the Designer. The window "Manage Sources" opens.
  2. Click [Add] to create a new SAP source.
  3. Open the tab General and enter the connection details of your SAP system.
  4. Open the tab Authentication and activate the option Secure Network Communications (SNC).
    sso-certificate-auth
  5. Enter the name of an SAP user in the field User for the initial login with Board Connector.
    This user must be a technical user (SAP user with security policy set to Technical User) and must have privileges to read the SAP table USRACL via the function module RFC_READ_TABLE.
  6. Enter the complete path to the SAP cryptographic library in the field SNC Library, e.g. C:\PSE\sapcrypto.dll.
  7. Enter the SPN of the SAP service account in the field SNC partner name. Use the following notation: p:[SPN]@[Domain-FQDN-Uppercase].
  8. Enable the option SSO - Log in as caller via External ID.
  9. Click [Test Connection] to verify your connection settings.
  10. Click [OK] to save your changes.


Last update: September 13, 2024
Written by: Fritjof Mayer, Valerie Schipka