Single Sign-on with SAP Enterprise Portal

EPM System products handle SSO to SAP Enterprise Portal by issuing an SAP logon ticket. This action enables users who log in to EPM System products to navigate seamlessly to SAP applications. The illustrated concept:

Presents an overview of single sign-on from Oracle's Hyperion products to SAP Enterprise Portal

When a user logs in, the EPM System product authenticates the user against configured user directories, including Native Directory, and issues an EPM System logon token. This token enables SSO to EPM System products. It also generates a SAP logon ticket if the user is defined in the SAP provider.

Note:

For SSO with SAP to work, you must configure SAP native repository as an external user directory on Shared Services.

When the user subsequently navigates to the SAP system or uses an SAP data source, the SAP logon ticket contained in the EPM System token is passed to SAP to enable SSO. The SAP system assumes the responsibility to validate the credentials in the SAP logon ticket.

EPM System products handle SSO from SAP Enterprise Portal by accepting an SAP logon ticket. This action enables users who log in to SAP Enterprise Portal to navigate seamlessly between SAP and EPM System products. The illustrated concept:

Presents an overview of single sign-on from SAP Enterprise Portal to Oracle's Hyperion products

When a user logs in to SAP Enterprise Portal, SAP authenticates the user.

When the user navigates to an EPM System product, the SAP ticket is passed to the EPM System product. Using an SAP certificate stored on the Shared Services server machine, the EPM System retrieves the user name, which is trusted as being that of a valid user. The EPM System product queries user directories to determine the user's groups. Using the group information, EPM System product gets provisioning information.

Note:

The SAP provider must be configured as a user directory in Shared Services for this process to work.