Purpose
Use SSO (Single Sign On) instead of user name and password
Solution
Since the communication layer of the S10 Framework, like "SAP Fiori Launchpad" and "SAP GUI for HTML", is implemented as an SAP ICF service, you can use any authentication method supported by the ICF.

In the SAP system, transaction SICF, you can configure the logon methods that the SAP system performs in the specified order each time you log on to this service:



Other options in this list are "SPNego" and "SAML". Details can be found in the SAP Help Portal, e.g.

SAP NetWeaver 7.5 > AS ABAP Authentication Infrastructure > Maintaining Logon Procedures > Logon Checks: Overview

There are external identity providers that can be used; some of them are platform dependent. Additional parameters in the URL may be needed. For details see the SAP Help Portal e.g.

SAP Identity Management > SAP Identity Management Library > Identity Federation > Identity Provider for SAP Single Sign-On and SAP Identity Management > Operations and Monitoring > Performing Identity Provider-Initiated Single Sign-On

While the topic as a whole is somewhat complex, the handling in the S10 Framework is quite simple. We describe three scenarios:

1. Launching S10 applications from SAP Launchpad
2. Embedding S10 applications in a SAP GUI screen
3. Using standalone S10 applications with SSO


1. Launching S10 applications from SAP Launchpad




The S10 Framework recognizes that the S10 application is running in the Fiori Launchpad context and performs the login internally without showing the standard login page. The user immediately gets the first screen of the S10 application launched via the tile:



Internally, the HTML page "classes/user/views.en/user.sso2logon.html" of the corresponding S10 project is used. It contains the following JavaScript code:
    <script language='javascript'>

        var classname = "...";   // ABAP class name of the S10 application
        var progname = "...";    // ABAP program name, needed for local classes only
        var service = "s10";

        // Launchpad context: log on internally, no login page is shown
        S10Logon("", "", "", "", classname, progname, service);

    </script>

Insert the correct ABAP class name and, for local classes, the ABAP program name. Additional parameters when calling S10Logon() are possible, but normally not required.


2. Embedding S10 applications in a SAP GUI screen

You can use the GuiXT "WebView" command to embed an S10 application in a SAP GUI screen. In this case, it is desirable to avoid the login screen of the S10 application since the user is already logged in via SAP GUI.

The easiest way to avoid an additional login is to call an SAP function that returns a so-called assertion ticket, which is valid for 2 minutes. We pass this ticket via the WebView URL to the S10 application, which uses it during login as the browser cookie "MYSAPSSO2" and therefore does not send the normal login screen. Example:



GuiXT Script:

// Transaction BP in S/4HANA

// Current business partner role
Set V[bp_role] "&F[BUS_JOEL_MAIN-PARTNER_ROLE]"

// Role customer and tab "Additional Data" ?
if V[bp_role=FLCU01] and Q[Page=Additional Data]

  // display sales via S10 application
  del G[Customer Groups]
  WebView (10,1) (38,120) "about:blank" name="sales" initflag="sales_init" _
    -transparent -closeonhide

  // first call: generate a temporary assertion ticket for the current user
  if V[sales_init]
    Call "CREATE_RFC_REENTRANCE_TICKET" -currentUser import.ticket="ticket"
    Clear V[bp_number]
  endif

  // BP number changed? then set new WebView URL
  if not V[bp_number=&F[BUS_JOEL_MAIN-CHANGE_NUMBER]]
    Set V[bp_number] "&F[BUS_JOEL_MAIN-CHANGE_NUMBER]"
    connectHTML name="sales" _
      setUrl="https://www.mycismobile.com:44300/sap/bc/bsp/s10/cis/default.htm?start=sales&customer=&V[bp_number]&MYSAPSSO2=&V[ticket]&language=&V[_language2]"
  endif
endif


Remarks:

  • We start the "WebView" with a blank page (URL "about:blank"). The actual URL is set dynamically later on. We use the "-transparent" flag to avoid displaying the blank page as a white rectangle (flickering).
  • If the WebView was created for the first time, i.e. V[sales_init] is "X", we generate a temporary logon ticket ("assertion ticket") for the current user via the SAP function "CREATE_RFC_REENTRANCE_TICKET".
  • Each time the customer number changes, we refresh the URL.
  • The URL contains the customer number, the ticket and the 2-character language key.
  • The ticket is actually used only the first time in a SAP GUI mode, since a permanent MYSAPSSO2 cookie is present after the first logon in this mode.


3. Using standalone S10 applications with SSO

To implement SSO for standalone S10 applications, i.e. applications neither launched from a Fiori Launchpad nor embedded in SAP GUI, we use the S10SSO() function in the login screen. This function attempts a login without user credentials and then calls a JavaScript callback function that indicates whether the SSO login was successful.

When we are informed that SSO has failed, we can decide whether to show a normal login screen with user and password, or if we know that SSO is mandatory, just return an error message.

If we want to support login with name and password, we can implement it as follows: we initially hide the whole HTML page (style "display:none" in the BODY tag), and when the callback reports the SSO failure we make it visible with "display:block".

You can take the following JavaScript as a sample:

    <script language='javascript'>

        var classname = "main";
        var progname = "ZZS10_VIQMEL";

        // Try the SSO login first; the callback reports the result asynchronously
        S10SSO(classname, progname, sso_callback);

        function sso_callback(sso_logon_done) {
            // SSO failed: reveal the normal user/password login page
            if (!sso_logon_done) {
                document.body.style.display = "block";
            }
        }
    </script>

You can insert this script in the HEAD part of the default login page and add style="display:none;" to the BODY tag. Normally, "document.body" is not available to scripts in the HEAD part of the HTML page, but here it can be used because the callback function is called asynchronously, after the body has been parsed.

A simpler solution would be to omit the callback function:

    <script language='javascript'>

        var classname = "main";
        var progname = "ZZS10_VIQMEL";

        S10SSO(classname, progname);

    </script>

This also works because the first screen of the application is displayed right away if the SSO login is successful. However, during the SSO login, the standard login with user and password entry may be visible for a very short time, which is avoided with the first solution.

If you do not want to allow a login via user name and password when SSO fails, you can put an appropriate error text into the HTML body indicating one or more possible causes, for example a missing certificate on the device.
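As an added example (not code from the S10 Framework or from this page), the following wraps the S10SSO() callback pattern into one handler that implements both policies described above: fall back to the user/password form, or show an error text when SSO is mandatory. The timeout fallback, the element id "ssoerror" and the name createSsoHandler are this example's own assumptions.

```javascript
// Added example, not part of the S10 Framework or this page's original code.
// Assumes S10SSO(classname, progname, callback) exists globally in the login
// page and calls back once with a boolean; the timeout fallback and the
// element id "ssoerror" are this example's own choices.

// policy "fallback": show the user/password form when SSO fails.
// policy "mandatory": show an error text instead, no password login offered.
function createSsoHandler(ui, policy, timeoutMs) {
  var decided = false;
  var timer = setTimeout(function () {
    // Assumption: a callback that never arrives is treated as an SSO failure,
    // so the user is not left on a page that is still display:none.
    decide(false, "timeout");
  }, timeoutMs);

  function decide(ssoLogonDone, reason) {
    if (decided) { return "ignored"; }   // callback and timeout both fired
    decided = true;
    clearTimeout(timer);
    if (ssoLogonDone) { return "sso"; }  // framework shows the first screen
    if (policy === "fallback") {
      ui.showForm();
      return "form";
    }
    ui.showError("Single Sign-On failed (" + reason + "). A possible cause is " +
                 "a missing certificate on this device.");
    return "error";
  }
  return decide;
}

// DOM wiring for the real login page; runs only inside a browser.
if (typeof document !== "undefined" && typeof S10SSO === "function") {
  var pageUi = {
    showForm: function () { document.body.style.display = "block"; },
    showError: function (text) {
      document.getElementById("ssoerror").textContent = text;
      document.body.style.display = "block";
    }
  };
  var handler = createSsoHandler(pageUi, "fallback", 5000);
  S10SSO("main", "ZZS10_VIQMEL", function (done) { handler(done, "callback"); });
}
```

For the "mandatory" policy, place an empty element with id "ssoerror" inside the hidden BODY so the error text has somewhere to appear.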

Components
S10 Framework