Channel: SCN : All Content - SAP Single Sign-On

Is SSO with multiple AD authentication possible?


Hi,

 

We have a scenario where users belong to 3 different Windows ADs. Now we are going to install and configure a single Secure Login Server (SLS) for all these ADs in order to achieve SSO. We have added all 3 ADs in the SPNego configuration in SLS (using the SPN name created for each AD).

 

Our doubt is whether the above configuration will work for SSO when users from different domains get authenticated.

 

Kindly advise us.

 

Regards,

KeaneBasis


Windows AD password synchronization with SAP


Hi All,

 

 

Is there any way to synchronise the Windows AD password with the SAP application? We have a requirement that whenever a user changes his AD password, the same will be synchronised with the SAP password.

 

Kindly suggest.

 

Regards,

Keanebasis

Do I need NW SSO licenses to accept SAML 2 from another IdP?


Hello,

 

I understand that SAP NW SSO 2 includes an IdP and an STS.

 

However, consider that I already have an IdP, let's say that is Microsoft ADFS.

Just to enable a SAP Netweaver Gateway to accept SAML 2 tickets issued by my IdP, do I need licensing for NW SSO?

 

Since all the documentation about the Netweaver Gateway talks about SAML 2, I thought this feature of accepting tickets was already included.

 

Regards,

Felipe

SSO between SUS and SRM


Dear experts,

 

I need your help because we are trying to configure the following scenario:

 

We have two clients in the same system. One client is SUS and one client is SRM. Our need is to log on to the SUS web part (service srmsus) and, once we are logged on to SUS, jump to MWBC on SRM without specifying the user and password, and the user that we use to log on to SUS is different from the user mapped on the SRM.

 

Is this possible? Do you have any information about this?

 

We only have this system; we have no portal anywhere.

 

Thanks a million in advance.

Best regards,

 

David

SAP Netweaver Single Sign-On Different concepts


Enterprise Single Sign-On


E-SSO is an optional component used for legacy systems to help end users to log in to them, without the need to remember every user id and password. After successful authentication to the E-SSO application, further logon procedures to applications running under the system’s control are carried out automatically.


[Figure: sso1.JPG]

Identity Federation


SAP NetWeaver Single Sign-On also contains a component called Identity Federation.

 

Many of the business processes of a company need to go across other companies with different IT infrastructures. For example: Company B is a supplier of Company A. Company A users need to get access to Company B shared data. The problem is how to provide secure access across the boundaries of the company.


[Figure: sso2.JPG]


Identity Federation Solution


In the example presented, users from Company A will be able to log on to Company B shared data. Each company maintains its own identities, but a trust relationship between the Identity Providers can be used for single sign-on.


[Figure: sso4.JPG]


Identity Provider Web Browser-Based Single Sign-On


For web browser-based applications single sign-on can be done with SAML 2.0. The Security Assertion Markup Language (SAML) version 2.0 is a standard for the communication of assertions about principals, typically users. The assertion can include the means by which a subject was authenticated, attributes associated with the subject, and an authorization decision for a given resource.

 

The main components of this landscape are an Identity Provider and Service Providers. The service providers outsource the job of authenticating the user to the identity provider. The identity provider maintains the list of service providers where the user is logged in and passes on logout requests to those service providers.


[Figure: sso5.JPG]


Identity Management


With SAP NetWeaver Identity Management, IT organizations can ensure efficient and secure management of internal and external identity accounts in a heterogeneous environment. It enables IT organizations to coordinate and join existing accounts using directory services, to set up a complete workflow, to provision access to systems, and support distributed management of accounts.


SAP NetWeaver Identity Management enables you to streamline provisioning of users into all applications – SAP and third-party – as well as operating systems, file systems, and databases via a comprehensive, constantly expanding connector framework (see figure above).


The integration is based on open communication standards to enable the integration of virtually all applications, including Microsoft Active Directory, Microsoft Exchange, IBM Lotus Notes, and many others. The integration of SAP NetWeaver Business Warehouse allows for highly customized, differentiated state-of-the-art reporting.


[Figure: sso6.JPG]


SAP NetWeaver Identity Management is integrated with SAP Business Suite software. This comprehensive support for user provisioning is driven by the business processes implemented by the various applications of SAP Business Suite. For example, integration with the SAP ERP Human Capital Management solution automates identity management processes on the basis of employee creation and status change events triggered by HR business processes, as shown in the figure above.

 

Architecture of SAP NetWeaver Identity Management 7.2


The system landscape to set up when using SAP NetWeaver Identity Management depends on the functions and features to be used; these can be divided into two main categories:

 

 

 

1. Identity provisioning.

2. Identity federation.

 

Identity Centre


The Identity Centre is the primary component used for identity management. The Identity Centre includes functions such as:

  • Identity provisioning
  • Workflow
  • Password management
  • Auditing
  • Logging
  • Reporting

 

Virtual Directory

SAP NetWeaver Identity Management Virtual Directory Server can logically represent information from a number of disparate directories, databases, and other data repositories in a virtual directory tree. Different users and applications can, based on their access rights, get a different view of the information.

 

Authorization Concepts and Management


With SAP NetWeaver, IT organizations can support business process flows by ensuring that authorized users have appropriate applications and data used to support the business process. IT organizations can define roles with minimal permissions, provide read-only access to data, and segregate process duties when required. Authorization is defined to support business requirements; for example, within an HR organization, authorizations can be set to grant permission to employee data to only authorized users such as managers or HR personnel.

NetWeaver Identity Management offers a convenient but powerful role concept (see figure above). Business roles, which are defined as part of a business process, can be assigned to users. These business roles consist of one or more technical roles, which are system specific and represent access information or technical authorizations.

These include authorization roles such as those for SAP software systems that are based on the ABAP programming language, or groups for Active Directory. By focusing on business processes and business roles, SAP NetWeaver Identity Management lets you start with business requirements and encapsulate the complexity of managing technical roles and access. When you assign a business role to a user, all technical roles for that business role and for any role below it in the hierarchy are assigned to the user. In addition, workflow and provisioning are automatically triggered.

[Figure: sso7.JPG]

SAP BusinessObjects Access Control


SAP BusinessObjects Access Control is a tool for risk analysis. SAP recommends that when an Identity Management system is installed, SAP BusinessObjects Access Control should also be used. It is an access control mechanism to analyze segregation of duties risks. The figure above shows the main features of both products; together they provide compliant identity management for the entire system landscape.

[Figure: sso8.JPG]

Compliant Identity Management Example Customer Scenario

 

An example is presented in the next few figures when a user requests new access to some functionality in one of the systems through SAP NetWeaver Identity Management:

1. The user requests new access to one of the systems in the landscape using SAP NetWeaver Identity Management.

[Figure: sso9.JPG]

2. The request has to be approved by the designated approver.

[Figure: sso10.JPG]

3. Approver sends back the approval.

[Figure: sso11.JPG]

4. Identity Management asks the risk management system, in this case SAP BusinessObjects Access Control, whether this new access right for this user should be allowed according to segregation of duties.

[Figure: sso12.JPG]

5. Risk Analysis and Remediation.

[Figure: sso13.JPG]
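As an added example (not part of this article and not SAP's own code), the following Python models the five steps above together with the business-role to technical-role expansion described in the authorization section: a business role is resolved through the roles below it in the hierarchy, the request passes the approver, and the combined access of the user is checked against segregation-of-duties rules before anything is provisioned. Role names, technical role identifiers and the SoD rule are constructed sample values.

```python
# Constructed sample hierarchy: business role -> technical roles it grants plus
# child business roles. Technical role names are hypothetical, prefixed with the
# type of target system (ERP authorization role or AD group).
BUSINESS_ROLES = {
    "AP_CLERK":      {"technical": {"ERP:FI_AP_INVOICE_ENTRY"}, "children": set()},
    "AP_MANAGER":    {"technical": {"ERP:FI_AP_PAYMENT_RELEASE", "AD:GRP-AP-MANAGERS"},
                      "children": {"AP_CLERK"}},
    "VENDOR_MASTER": {"technical": {"ERP:MM_VENDOR_MAINTAIN"}, "children": set()},
}

# Constructed SoD rules: (technical role A, technical role B, risk description).
# Holding both roles of a pair is the conflict the risk analysis has to flag.
SOD_RULES = [
    ("ERP:MM_VENDOR_MAINTAIN", "ERP:FI_AP_PAYMENT_RELEASE",
     "Can create a vendor and release payments to it"),
]


def resolve_technical_roles(business_role, roles=BUSINESS_ROLES):
    """All technical roles granted by a business role and every role below it."""
    technical, visited, todo = set(), set(), [business_role]
    while todo:
        name = todo.pop()
        if name in visited:          # hierarchies may share children; visit once
            continue
        visited.add(name)
        technical |= roles[name]["technical"]
        todo.extend(roles[name]["children"])
    return technical


def sod_violations(technical_roles, rules=SOD_RULES):
    """Risk analysis: every rule whose conflicting pair lies inside the role set."""
    return [risk for a, b, risk in rules if a in technical_roles and b in technical_roles]


def process_request(current_business_roles, requested_business_role, approved):
    """Steps 1-5: request, approval, risk analysis, then provisioning or remediation."""
    # Step 1: the user requests a new business role; expand it to technical roles.
    requested = resolve_technical_roles(requested_business_role)
    # Steps 2-3: the designated approver accepts or declines the request.
    if not approved:
        return {"decision": "rejected", "provisioned": set(), "risks": []}
    # Step 4: the risk system evaluates the user's *combined* access, because a
    # role that is harmless on its own can complete a forbidden pair.
    existing = set().union(*(resolve_technical_roles(r) for r in current_business_roles))
    risks = sod_violations(existing | requested)
    # Step 5: conflicts go to remediation; nothing is provisioned until resolved.
    if risks:
        return {"decision": "remediation_required", "provisioned": set(), "risks": risks}
    return {"decision": "provisioned", "provisioned": requested, "risks": []}


if __name__ == "__main__":
    # A vendor-master user asking for AP_MANAGER inherits AP_CLERK's roles too and
    # ends up with vendor maintenance plus payment release: flagged for remediation.
    print(process_request({"VENDOR_MASTER"}, "AP_MANAGER", approved=True))
    print(process_request({"VENDOR_MASTER"}, "AP_CLERK", approved=True))
```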

 

Configuring SAML for https



Hi All,

 

We have recently upgraded the portal to version 7.31 and have implemented SAML 2.0 authentication. Basically, here the SAP portal is a service provider and the identity provider is a third-party system. There is a load balancer with a VIP for the portal, where SSL traffic terminates and then uses http to reach the portal.

The portal has the host name http://sap<sid>00.com, while the load balancer VIP has the URL https://sap<SID>.com.

We have configured the SAML, however the endpoints show the http url, and the identity provider is unable to reach the endpoints.

 

Do we need to modify the endpoints to reflect the load balancer URL, and how can that be achieved?

Appreciate any guidance on this.

 

Thanks

Abhi

Single Sign on Copy and Paste into Excel then causes Pop up Login


Hi All,

 

Have you come across this: when you are in a web client UI, i.e. the CRM portal, and you copy (CTRL+C) HTML-formatted text and then paste (CTRL+V) into MS Excel, there is a prompt to reauthenticate even after single sign-on has already been authenticated.

 

It seems that this is standard or expected behaviour; have any of you bypassed this through any MS settings?

 

Environment

 

SAP ECC 6.0 / SAP CRM ABAP 7.0

Single Sign-on 2 NW7.31 SP10

SSO2 certificate using X.509 and SPNEGO

 

Steps:

 

  1. Open the CRM website (CRM_UI), which uses HTTPS
  2. Copy contents from Website
  3. Paste to MS Excel or MS Word

 

Issue: MS Excel prompts to select certificate

 

Solutions tried

 

  1. Registry changes: not possible because of company policy. Value tried: BasicAuthLevel to 0
  2. IE 10 or higher can't be used to fix this because of compatibility with SAP
  3. Trusted option in MS Office did not work. Updated all Root CA and server SSL certificates to <Trusted publishers>, but still prompted to select credentials.

 

Solutions expected

 

  1. Users want to use the <ctrl+C> <ctrl+V> commands
  2. The certificate prompt must not show when a user copies and pastes data from the website to MS Excel
  3. When pasting to MS Word, no data is shown. Data must be pasted
  4. Formatting doesn't matter. The 'Keep Text Only' option is ok

 

 

Thanks all!

 

Andrew

SPNego for Incident Management


Hello.

 

I adjusted the new SPNego to use SSO with the Kerberos protocol on Solution Manager 7.1 SP8.

And now I successfully open some URLs via SPNego: NWA, SLD, SPNego config, sso2 on Solman.

 

But I can't open the link to Incident Management with SPNego; the logon prompt window still opens.

The link to Incident Management is an external alias in SICF.

Please see the attachment.

 

What settings should I adjust to solve this problem?

 

--

thanks and regards,

Yessen


"SPNEGO realm is not enabled" - SSO 2.0


Hi,

 

I have two domains configured in SPNego of the Secure Login Server (SSO 2.0). The Secure Login Client receives a certificate for users of one domain when the user manually enters the password in the SLC. But the Secure Login Client is not receiving a user certificate for the second domain/AD. It shows "Supplied credentials not accepted by the server".

 

When I check the Diagtool log, it shows "SPNEGO realm is not enabled" for the second domain/AD. But both SPNego configurations are indeed enabled in NWA.

 

Attached are the error screen, the SLC trace and the Diagtool trace files.

 

Can anyone please help with this?


Regards,

Yogesh Kumar D

Single sign-on for MDM 7.1 SP09 using SSO 2.0



Hi,

 

We want to configure SSO for MDM 7.1 SP09 using X.509 certificate. We already have a secure login server (SSO 2.0) in our landscape.

Is it possible to achieve SSO using an X.509 certificate for MDM with NW SSO 2.0?

 

Could anyone please share any documents available for doing this?

 

Regards

Yogesh Kumar D

SSO for MS outlook, OWA and Sharepoint using SSO 2.0


Hi,

 

 

We have installed the Secure Login Server 2.0 and configured SSO for SAP (ABAP, Java) systems using X.509 certificates. It is working fine.

 

We want to configure SSO for some non-SAP applications like MS Outlook, Outlook Web Access and SharePoint.

 

I don't see any documentation in the implementation guide of NW SSO 2.0 on how to configure these non-SAP applications to accept X.509 certificates.

 

Could anyone please share the details of how to configure SSO for MS Outlook, OWA and SharePoint?

 

Regards,

Yogesh Kumar D

Problem with SSO between EP and ECC


Hi Experts,

 

I have implemented SSO between EP 7.4 and ECC 6.0 with the SSO configuration between SAP Portal 7.3 and ECC 6.0 EhP 6.

But when I try to test SSO with the tcode, it asks for the username and password.

When I log off and log in again it does not ask for the username and password (only the first time it asks for the username and password).

 

When i close the browser and open the browser once again, the SSO fails.

 

Can anyone tell me how to troubleshoot the issue?

 

 

Regards,

Anil

SSO (single sign on) on NetWeaver 7.0 Enterprise Portal based on spnego with Microsoft Active Directory


Hi,

 

We are using SAP NetWeaver Enterprise Portal 7.0 (SP25) on Windows 2008 R2/Oracle 11g.

When we set up the portal, we used the UME of the ECC ABAP system.

The portal is used internally only.

 

Now we want to provide SSO.

 

Users authenticate against Windows Active Directory (Windows 2003).

 

We thought SSO via spnego would be the best solution.

Are there any better alternatives we should use?

 

We are following the SAP documentation:

SAP-Bibliothek - Benutzerauthentifizierung und Single Sign-On

 

We still want to create users in ABAP and assign them the portal roles. LDAP access should only have read access, to verify the security token from Active Directory.

 

When we set up the portal from scratch using ABAP as its UME, LDAP can't be selected/added as a data source in the system configuration.

If we understand the documentation correctly, we would now need to add LDAP via the Config Tool for read access.

What is not clear to us is whether we would lose the ABAP connection when we now activate LDAP via the Config Tool.

 

Is there a tutorial for SSO Netweaver 7.0 EP, like for EP 7.3, available?

In 7.3, SSO is pretty simple to get running, thanks to the many tutorials here and on the internet.

 

Thanks for your help.

 

Best regards

 

 

 

 

Carlos Behlau

SSO not working at prime attempt


Dear all,

 

We have an SAP EP 7.31 and an ERP backend. In the portal I've configured the connection to the backend, created an alias for the connection and set up an iView to a BSP on the backend. The connection test in the system landscape administration finished successfully. When I try to preview this iView, the BSP opens in a new browser window, but the login screen is displayed. If I now go to the address bar of the browser and reopen the page, the BSP is displayed correctly. Why is my SSO not working at the prime attempt?

 

I've imported the portal certificate into the backend and the one of the backend into the portal.

 

Regards!

SAP Portal 7.3 SPNego and NWBC SSO with ECC


Wanted your expert opinion on something. We are using NWBC 4 and have Portal 7.3 in our landscape. We have established SPNego for IE single sign-on for the Portal. We also have SNC entries with SAP GUI to manage ECC SSO using SAP GUI.

We want to extend NWBC to ECC SSO. But this has been a massive hunt for the right solution.

 

SAP NetWeaver SSO is the obvious solution, but it seems it involves some licence cost. The other option was to redirect NWBC to the Portal and then back using the redirect app as described in this note.

The question is what the best way forward is, and whether we can achieve NWBC ECC SSO with this redirect method. With all the effort we put in, we are able to see the web page of /nwbc instead of launching ECC in NWBC 4.0.

 

Thanks a lot for your time.

 

Note 1250795 - Redirect appliction NWBC.pdf
Note 1250795 - Redirect appliction.pdf

 

 

Regards,

Sudhir


Parallel operation of SNC Client Encryption and SSO


Hi guys,

 

In theory I would guess this is possible, but has someone ever tested this?

 

Situation: Secure Login Library 2.0 or CCL on an SAP ABAP backend system. The system is configured for Kerberos- and X.509-based SNC. As server identity (snc/identity/as) the X.509 DN of the SNC certificate is used. The system is used by multiple customers. Some have an SSO license and have installed the Secure Login Client 2.0, thus they can use SNC/SSO-based login using X.509 certs or Kerberos.

 

Another customer only wants to have SNC encryption, but not SSO. Now I would think it is sufficient to install the SAP GUI add-on delivered by SNC Client Encryption on the client. Technically, as we know, it's based on Kerberos, so all required service users and SPNs within the customer's AD are created and the corresponding keytab is available on the AS ABAP (SAPSNCSKERB.pse). In addition, saplogon.ini on the client is modified with the SNC name of the server (SPN).

 

I would think there is nothing special to consider on the backend in order to mix both technologies, right?

 

Please let me know your opinions.

 

Regards,
Carsten

SAP Netweaver Single Sign-On Hardware and Software Requirements


This document specifies the hardware and software requirements for the SAP NetWeaver Single Sign-On solution.

View Document

Dual domain SPNEGO SSO - single domain UME


Hi Guys

 

We are facing an SSO issue. We are in the situation where we are implementing a new domain, but in parallel we are implementing SAP Portal, for which we need SSO. Let's call the old domain global.old-domain.com and the new domain new-domain.com. There is a two-way forest trust between the two domains. The portal server is running in the new domain, the UME is set up to connect to AD in new-domain.com, service users have been created in both domains, just as SPNs HTTP/portal.new-domain.com have been created in both domains, SPNEGO is configured with realms for new-domain.com and global.old-domain.com using the service users, and user mapping is set to "Principal only" mapping to login id, so user KPNs from both domains will map to samaccountname in the AD of new-domain.com.

The issue is that SSO only works with a PC and user in new-domain.com. When I try to log on with a user and PC in the old domain, I am simply presented with the standard portal login prompt.

I have attached the output from the troubleshooting wizard after tracing both the successful and the failed authentication. It seems the SPNEGO token is never sent when it fails...?

Can anybody give some hints on what we are missing?

 

A couple of questions:

1. Does the service user for creating SPNs and realms have to be the user running the portal service (SAPService<SID>)?

2. Does anybody know of any other good ways to trace and debug SPNEGO issues? So I can try and find out why an SPNEGO token is not received on the portal server.

 

Hoping someone can help.

 

Remember the attached files are just zip-files with an added ".txt" at the end, which means that if you want to unzip it, you will have to remove the .txt extension.

 

/Jacob

SNC Error


Hi,

 

We are implementing NW SSO 2.0 with X.509 based authentication. For now, I have successfully connected the Secure Login client to Secure login Server with my LDAP user account.

 

 

However, I am not able to log in via SNC to my SAP system. I am getting the SNC error mentioned below. I exported the SNC certificate from the ABAP system and imported it into my certificate store, but it doesn't get populated in my Secure Login Client.

 

*** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1439]

N        GSS-API(maj): No credentials were supplied

N        GSS-API(min): No credentials found for this name (not logged on) (USER=Unknown)

N      Could't acquire ACCEPTING credentials for

N

N      name="p:CN=DE1, OU=I0020095220, OU=SAP Web AS, O=SAP Trust Community, C=DE"

N  <<- SncProcessInput()==SNCERR_GSSAPI

M  *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc.c    1034]

M  {root-id=53480D4658932260E1008000A045047E}_{conn-id=00000000000000000000000000000000}_0

 

 

M  *** ERROR => ThSncIn: SncProcessInput [thxxsnc.c    1039]

M  {root-id=53480D4658932260E1008000A045047E}_{conn-id=00000000000000000000000000000000}_0

 

 

M  in_ThErrHandle: 1

M  *** ERROR => ThSncIn: SncProcessInput (step 4, th_errno 44, action 1, level 1) [thxxhead.c   11329]

M  {root-id=53480D4658932260E1008000A045047E}_{conn-id=00000000000000000000000000000000}_0

 

 

Thanks

 

Thilip Kumar
