CA SSO Agent for SAP Guide › Configuration for SSO Mode with CA SSO

Configuration for SSO Mode with CA SSO

This section contains the following topics:

How to Configure CA SSO Agent for SAP in SSO Mode

How to Configure CA SSO Agent for SAP in SSO Mode

The following process outlines the steps for SSO mode configuration. In this configuration, this product interacts with a Policy Server. For detailed information about configuring the Agent for SAP for Federation mode using CA Federation, see Configuration for Federation Mode.

Follow these steps:

1. See the platform support matrix and verify that your environment meets all of the prerequisites.
2. Configure the front-end web server.
3. Verify the configuration of MYSAPSSO2 tickets.
4. Configure the Web Agent.
5. Configure the Policies.

Configure the Front-End Web Server

The web server (which operates with a Web Agent), acts as a front end for the SAP Web Application Server (Web AS) J2EE engine.

The following list describes guidelines for configuring the front-end web server:

• Install and configure a Web Agent on the front-end web server to provide the first tier of authentication for CA SSO Agent for SAP.

  Note: For more information, see the CA SSO documentation.

• Configure the web server to proxy the requests for the Web AS J2EE engine applications.
  • For the SAP Enterprise Portal, configure the web server to proxy the requests for resources starting with /irj.
• Block access to the SAP Web AS applications directly through the SAP Web AS J2EE engine. This product denies such access because it does not authenticate the users for any direct access. Route all requests to SAP Web AS applications, including the SAP Enterprise Portal applications, through the front-end web server only.
• Implement the web server plug-ins in the following order:
  1. Web Agent
  2. SessionLinker (if used)

     For more information about the Session Linker, see the CA SSO SessionLinker Guide.

  3. Web AS proxy plug-in.

Note: For more information, see your SAP documentation.

More information:

Verify a Sun Java Systems Web Server Configuration Using RPP - Example

Verify an Apache Web Server Configuration - Example

Verify the Configuration of MYSAPSSO2 Tickets

Configure the J2EE engine of the SAP Web Application Server to issue and accept MYSAPSSO2 tickets. The logon ticket is stored as a session cookie, named MYSAPSSO2, in the web browser of the user.

Note: For more information, see your SAP documentation.

Map a CA SSO User as a Web AS User

Mapping allows the CA SSO User ID to be different from the Web AS username.

Follow these steps:

1. Select a User attribute from the CA SSO User directory to identify the Web AS username.
2. Verify that the value of this User attribute exactly matches the Web AS username in the Web AS user store.

Note: This User attribute value is used in creating the MYSAPSSO2 ticket and providing access to the Web Application server application.

Configure an Active Response for the SessionLinker

The SessionLinker monitors the following session cookies for an application:

• MYSAPSSO2
• JSESSIONID

Configure an active response in the SessionLinker which mentions the previous session cookies.

For information about SessionLinker, see the CA SSO SessionLinker Guide.

Configure the Web Agent

Perform the following procedure to configure the Web Agent.

Follow these steps:

1. Install and configure the Web Agent on the front-end web server.

   Note: For more information, see the CA SSO documentation.

2. Verify the following details:
   • The name of the agent object is specified correctly in your agent configuration object.
   • The agent object is a CA SSO agent.
3. Set the following parameters in the Agent Configuration Object:
   • FCCCompatMode = No
   • DisableSessionVars = No

   If CA SSO is in a federation deployment with CA Federation, also set the following parameter:

   • LegacyVariables = No
4. If you have an Enterprise Portal integration, modify the following parameters of the Agent Configuration Object for certain Enterprise Portal links to function properly:
   • Remove // and ~ from the list in the BadUrlChars parameter.
   • Remove < and > from the list of BadCSSChars parameters.
5. Restart the web server to reflect the changed values.

Configure CA SSO Policies

Perform the following procedure to configure CA SSO policies.

Follow these steps:

1. Use the agent object and an authentication scheme to create a validation realm for protecting the following resource:

   /smwebasagent/
   

2. Create a rule on the realm protecting the following Web Agent Actions:
   • Get
   • Post
3. Create a response that contains the following Web Agent HTTP Header Variable response attributes:
   • A User attribute, set to a Variable Name WASUSERNAME (an Attribute Name set to the attribute for presentation to the Web Application Server for MYSAPSSO2 ticket generation).
   • An Active Response for NPSSessionLinker, using the following settings:
     • Leave the Variable Name blank.
     • Set the Library Name to npssessionlinker.
     • Set the Function Name to Config.
     • Set the Parameters to COOKIE1=MYSAPSSO2;COOKIE2=JSESSIONID.
     • In the Advanced tab, remove the leading equal sign (=).
4. Verify that the result matches the following example:

   <@lib="npssessionlinker" func="Config"
   param="COOKIE1=MYSAPSSO2;COOKIE2=JSESSIONID"@>
   

5. Create a policy that includes the previous rule with an appropriate set of users. Associate the responses with the rule created in Step 2.