Setting Up Single Sign-On on the Mobile Device

Use

With the parameters in the file MobileEngine.config, you can configure the client to support Single Sign-On (SSO) if the device has an online connection. The mobile device receives the SAP logon ticket from a system that issues tickets, such as SAP Enterprise Portal. The mobile device can then be verified on the server with the SAP logon ticket without the user having to enter an additional password.

If you want to configure the client to use Single Sign-On, you must define whether the device is to be used by one user (single user mode) or multiple users (multiple user mode).

You can configure the following scenarios:

•     One user - SAP MI-oriented

User authentication is delegated to the ticket-issuing system from SAP MI (AWT and JSP clients)

•     One user

Access to SAP MI using ticket-issuing system, for example, SAP Enterprise Portal (JSP clients only)

•     Multiple users

Access to SAP MI using ticket-issuing system, for example, SAP Enterprise Portal (JSP clients on Win32 systems only)

One User - SAP MI-Oriented

The device is used by a single user only. The user starts the client on the mobile device. The client requests a ticket from the system that issues tickets; this ticket is used for the initial logon and for synchronization. To request the ticket, SAP MI uses the configured URL.

In this scenario users only need to enter a user ID and password when they log on to the system issuing the ticket. The logon data is verified in SAP MI using the SAP logon ticket. Password handling settings are consequently ignored in SAP MI and the user has no access to password management.

In the initial logon, which must be performed online, the user data from the logon ticket is used to create a user in the client.

Parameters and Values for this Scenario

•     JSP clients on Win32 systems and Windows Mobile systems (PDA):

MobileEngine.UM.SingleUserMode=true

MobileEngine.UM.SAPLogonTicketSupport=true

MobileEngine.UM.SAPLogonTicketRequestURL=<URL of the ticket-issuing system>

MobileEngine.UM.SAPLogonTicketWaitingRefresh=<Time in seconds after which the system checks (again) if the logon ticket was received> (Default: 3)

MobileEngine.UM.SAPLogonTicketRequestTimeout=<Time in seconds between requesting logon ticket and cancellation> (Default: 90)

MobileEngine.UM.SAPLogonTicketLogoffURL=<URL for the logoff> (optional)

•     AWT clients:

MobileEngine.UM.SingleUserMode=true

MobileEngine.UM.SAPLogonTicketSupport=true

MobileEngine.UM.SAPLogonTicketRequestURL=<URL of the ticket-issuing system>

MobileEngine.UM.SAPLogonTicketRequestTimeout=<Time in seconds between requesting logon ticket and cancellation> (Default: 90)

MobileEngine.UM.SAPLogonTicketLogoffURL=<URL for logoff> (optional)

MobileEngine.UM.ExternalAuthUserParameter

MobileEngine.UM.ExternalAuthPasswordParameter

MobileEngine.UM.ExternalAuthAdditionalParameters

One User – Access to SAP MI from a Ticket-Issuing System, for Example, SAP Enterprise Portal

This scenario only applies to JSP clients.

The device is used by a single user only. The user starts SAP MI on their mobile device as a service running in the background without a user interface. There must be an empty file named startasservice.txt in the same directory as the file mobileengine.exe.

To work with SAP MI, the user opens the SAP MI user interface from a link (for example, in SAP Enterprise Portal).

As a result of logging onto the system issuing tickets, there is already a logon ticket available if the user interface of the SAP MI was started. The logon ticket is, therefore, not explicitly requested.

Parameters for This Scenario

MobileEngine.UM.SingleUserMode=true

MobileEngine.UM.SAPLogonTicketSupport=true

MobileEngine.UI.CloseBrowserWindowSupport=true (optional)

In this scenario users only need to enter a user ID and password when they log on to the system issuing the ticket. The logon data is verified in SAP MI using the SAP logon ticket. Password handling settings are consequently ignored in SAP MI and the user has no access to password management.

In the initial logon, which must be performed online, the user data from the logon ticket is used to create a user in the client.

Multiple Users

This scenario applies to JSP clients on Win32 systems only.

The device is used by multiple users. The user starts SAP MI on their mobile device as a service running in the background without a user interface. There must be an empty file named startasservice.txt in the same directory as the file mobileengine.exe.

To work with SAP MI, the user opens the SAP MI user interface from a link (for example, in SAP Enterprise Portal).

If the ticket does not exist, the user can start SAP MI from the browser under the configured address, usually http://localhost:4444/index.htm, and log on with user ID and password. The system uses settings already in SAP MI for handling passwords and the user can use password management in SAP MI.

Before a user can use an SAP logon ticket, a user ID and password must be created for this user in the client.

Parameters for This Scenario

MobileEngine.UM.SingleUserMode=false

MobileEngine.UM.SAPLogonTicketSupport=true

Prerequisites

•     The server (SAP NetWeaver AS) has been configured to support SAP logon tickets (see User Authentication and Single Sign-On) and to accept logon tickets from issuing systems (see Configuring the System to Accept Logon Tickets).

•     The client is installed on the mobile device.

•     If you want to use the multiple user mode, you have to have the JSP version of the client.

•     A Win32 operating system or Windows Mobile operating system is installed on the mobile device.

Adjusting Client Parameters for Single Sign-On

To support Single Sign-On, you have to add or adjust the parameters described under Parameters for Single Sign-On. The parameters and values that are relevant for your scenario are listed in the scenario descriptions above.

You will find information on the various methods for configuring the client using parameters in the file MobileEngine.config under Configuration of Mobile Devices.

Checking and Adjusting Existing Parameters

JSP clients on Win32 systems:

       1.      In the system directory, check the entry under \drivers\etc\hosts and adjust it if necessary.

       2.      In the file MobileEngine.config enter the local host specified under \drivers\etc\hosts for the parameter MobileEngine.Runtime.Host. You will find information on the various methods for configuring the client using parameters in the file MobileEngine.config under Configuration of Mobile Devices.

The system issuing the ticket is server dnt123.abc.def.corp.

Windows 2000 is installed on the mobile device.

Make sure that the following is specified under <Drive>\WINNT\system32\drivers\etc\hosts:

<IP address> localhost localhost.abc.def.corp

Enter the following for parameter MobileEngine.Runtime.Host:

MobileEngine.Runtime.Host=localhost.abc.def.corp
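
The following check is an added example, not SAP code: it reads a MobileEngine.config, reports which of the three scenarios above the parameters select, and flags settings that would break or weaken ticket logon. Assumptions: the file uses key=value lines with '#' comments, the rule that MobileEngine.Runtime.Host must share the issuing system's domain generalizes the example above, the HTTPS check is an added hardening check, and the /ticket path in the sample is constructed.

```python
from urllib.parse import urlparse

UM = "MobileEngine.UM."

# Constructed sample MobileEngine.config; host names follow the page's example.
SAMPLE = """\
MobileEngine.UM.SingleUserMode=true
MobileEngine.UM.SAPLogonTicketSupport=true
MobileEngine.UM.SAPLogonTicketRequestURL=http://dnt123.abc.def.corp/ticket
MobileEngine.UM.SAPLogonTicketRequestTimeout=90
MobileEngine.Runtime.Host=localhost
"""

def parse_config(text):
    """Parse key=value lines; '#' comment lines are an assumed syntax."""
    pairs = (line.split("=", 1) for line in text.splitlines()
             if "=" in line and not line.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def parent_domain(host):
    """dnt123.abc.def.corp -> abc.def.corp; a bare host name gives ''."""
    return host.lower().partition(".")[2]

def review_sso(cfg):
    """Return (scenario, findings) for the SSO parameters on this page."""
    def enabled(key):
        return cfg.get(UM + key, "").lower() == "true"
    if not enabled("SAPLogonTicketSupport"):
        return "SSO disabled", []
    url = cfg.get(UM + "SAPLogonTicketRequestURL", "")
    if not enabled("SingleUserMode"):
        scenario = "multiple users"
    elif url:
        scenario = "one user, SAP MI-oriented"
    else:
        scenario = "one user, access from ticket-issuing system"
    findings = []
    if url:
        issuer = urlparse(url)
        if issuer.scheme != "https":  # added hardening check, not from the page
            findings.append("ticket request URL is not HTTPS")
        domain = parent_domain(issuer.hostname or "")
        if not domain or parent_domain(cfg.get("MobileEngine.Runtime.Host", "")) != domain:
            findings.append("MobileEngine.Runtime.Host is outside the issuer's domain")
    for key in ("SAPLogonTicketRequestTimeout", "SAPLogonTicketWaitingRefresh"):
        value = cfg.get(UM + key)
        if value is not None and not (value.isdigit() and int(value) > 0):
            findings.append(key + " is not a positive number of seconds")
    return scenario, findings

if __name__ == "__main__":
    print(review_sso(parse_config(SAMPLE)))
```
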

JSP clients and AWT clients on Windows Mobile systems (PDA):

       1.      Choose Start → Settings to change to the Connections tab page.

       2.      Choose Connections → Advanced.

       3.      Choose Networks → Exceptions.

       4.      Add the entry *abc.def.corp/* and save.

JSP and AWT clients on all systems:

       1.      In the file MobileEngine.config check the relevant parameters for the connection, MobileEngine.Sync.Gateway, MobileEngine.Sync.Client and MobileEngine.Sync.Language, and adjust them if necessary. You will find information on the various methods for configuring the client using parameters in the file MobileEngine.config under Configuration of Mobile Devices.