SSO with External ID

The following article shows how to set up Single Sign-On (SSO) with Secure Network Communication (SNC) and External ID.
SSO with External ID uses a Personal Security Environment (PSE) to create a trust relationship between the SAP application server and the service account that runs Xtract Universal. This allows Xtract Universal to impersonate any SAP user.

Requirements

The usage of SSO with External ID requires:

• The Xtract Universal service must run under a Windows AD Service account, see Run the Xtract Universal Service under a Windows Service Account.
• Set up access restrictions for the Xtract Universal Designer and the XU server, see Restrict Access to Windows AD Users (Kerberos Authentication).
  
• Windows AD users must be mapped to SAP users in the SAP table USRACL, see SAP Help: User Authentication and Single Sign-On.
• The SAP CommonCryptoLib must be installed on the machine that runs Xtract Universal, see SAP Note 1848999.
  Copy the library (sapcrypto.dll) and the command line tool (sapgenpse.exe) to a local directory, e.g. C:\PSE\. For more information, see SAP Help: Downloading and Installing the SAP Cryptographic Library.
• The environment variables SECUDIR and SNC_LIB must be set to the PSE directory that contains the SAP CommonCryptoLib.

For more information on PSE, see SAP Help: Creating PSEs and Maintaining the PSE Infrastructure.

The Process

SSO with External ID uses an X.509 certificate & PSE to create a trust relationship between the SAP application server and the service account that runs Xtract Universal. This allows Xtract Universal to impersonate any SAP user.

1. Users authenticate themselves against Xtract Universal via Active Directory (Kerberos) and request data from SAP.
2. Xtract Universal opens an RFC connection via SNC and uses PSE & External ID for authentication.
3. Xtract Universal reads the SAP table USRACL to determine the SAP user that is mapped to the Active Directory user from step 1.
4. Xtract Universal then impersonates the mapped SAP user to request the SAP data via SNC.
5. Xtract Universal retrieves the requested SAP data with the privileges of the caller.
6. Xtract Universal loads the extracted SAP data to the tool that triggered the extraction.

Setup in SAP

1. Use the SAPGENPSE command line tool to generate an X.509 certificate for the Windows service account that runs Xtract Universal.
   Use the following command to create the certificate:

   sapgenpse gen_pse -p theo-xu.pse
   

   The distinguished name of the PSE owner can be the fully qualified hostname of the Xtract Universal server, e.g., CN=xuserver.example.com.
2. Use the the following command to export the certificate:

   sapgenpse export_own_cert -v -p theo-xu.pse -o theo-xu.crt
   

3. Use SAP transaction STRUST to add the certificate to the list of trusted PSE certificates, see SAP Help: Adding Certificates to PSE Certificate Lists.
4. Use SAP transaction SNC0 to create an access control list item that allows RFC and external IDs for the Common Name (CN) of the certificate created in step 1.
   
5. Use SAP transaction STRUST to export the server certificate of the SAP server, see SAP Help: Exporting the AS ABAP's Public-Key Certificate.
6. Copy the exported server certificate to the PSE directory of the machine that runs Xtract Universal.
7. Use the SAPGENPSE command line tool to import the server certificate to the client PSE. Example:

   sapgenpse maintain_pk -v -a server.crt -p theo-xu.pse
   

8. Use the following command to create a credentials file (cred_v2), see SAP Help: Creating the Server's Credentials Using SAPGENPSE.

   sapgenpse seclogin -p theo-xu.pse –O SAPServiceUser
   

   The credentials file gives Xtract Universal access to the PSE without providing the password for the PSE.

The PSE directory should now contain the following files:

• the client PSE theo-xu.pse
• the client certificate theo-xu.crt
• the server certificate that was exported from your SAP system [server].crt
• the credentials file cred_v2

Setup in Xtract Universal

Create a new SAP source system in your Xtract Universal to set up SSO with External ID:

1. Navigate to [Server > Manage Sources] in the main menu of the Designer. The window "Manage Sources" opens.
2. Click [Add] to create a new SAP source.
3. Open the tab General and enter the connection details of your SAP system.
4. Open the tab Authentication and activate the option Secure Network Communications (SNC).
   
5. Enter the name of an SAP user in the field User for the initial login with Xtract Universal.
   This user must be a technical user (SAP user with security policy set to Technical User) and must have privileges to read the SAP table USRACL via the function module RFC_READ_TABLE.
6. Enter the complete path to the SAP cryptographic library in the field SNC Library, e.g. C:\PSE\sapcrypto.dll.
7. Enter the SPN of the SAP service account in the field SNC partner name. Use the following notation: p:[SPN]@[Domain-FQDN-Uppercase].
8. Enable the option SSO - Log in as caller via External ID.
9. Click [Test Connection] to verify your connection settings.
10. Click [OK] to save your changes.

Related Links

• Documentation: SAP Single-Sign-On
• Documentation: Run the Xtract Universal Service under a Windows Service Account.
• SAP Help: Creating PSEs and Maintaining the PSE Infrastructure