Is there a licensing involved when using NTLM SSO specifically documented in this URL Single Sign-On with Microsoft NT LAN Manager SSP - User Authentication and Single Sign-On - SAP Library?
Is there documentation anywhere referencing licensing or no licensing using this SSO method?
If there is licensing involved, are there any free SSO licensing schemes available for SAPGUI?
Thanks
Regards,
Mel Calucin
Wanted your expert opinion on something. We have using NWBC 4 and got Portal 7.3 in our landscape. We have established SPNego for IE single single on for Portal. We also have SNC entries with SAPGui to manage ECC SSO using SAPGui.
We want to extend NWBC to ECC SSO. But this been a massive hunt for right solution.
SAP Netweaver SSO is obvious solutions, but seems it involves some licence cost. Other option was to redirect NWBC to Portal and then back using redirect app as described in this note.
Question is, what is best way forward, and if we can achieve NWBC ECC SSO with this redirect method. With all the effort we put in we are able to see web page of /nwbc page instead of launching ECC on NWBC 4.0.
Thanks a lot for your time.
Note 1250795 - Redirect appliction.pdf
Regards,
Sudhir
Hi,
I am trying to integrate a Information Steward Scorecard into the SAP Portal as a URL iView.
That works basically well but how do I configure Single Sign On (SSO), so the user (calling the URL iView) does NOT have to login into the Information Steward embedded into the portal (where he already loged on).
And thre are two different scenarios with either a technical user or real user mapping, so:
Scenario 1:
User "xyz" logs into SAP Portal as "xyz", calls the Info Steward iView that loads the Scorecard loging in with a hard-coded "technical user" in the Information Steward automatically
Scenario 2:
User "xyz" logs into SAP Portal as "xyz", calls the Info Steward iView that loads the Scorecard loging in with a user mapping as user "xyz" in the Information Steward automatically
Are there any technical documentation or guidelines explaining the necessary steps to configure the Single Sign On for these scenarios?
Any help appreciated
Regards
Hi,
we are try sapssext java example to generate sso ticket and save to sapshortcut file to sso abap server, but server responses "Issuer of SSO ticket is not authorized" .
We has config server parameters e
login/accept_sso2_ticket = 1
login/create_sso2_ticket = 2
and import certificate and set acl ok.
On target ecc system, I switched on the sm50(level 3) trace and found the following error:
M PfSetActDBConRec: record found for dbcon <>
M PfStatBegin: open DBCON rec with opcode 10
M PfStatEnd: close DBCON rec after opcode 10
B } db_xrtab( fcode = 'RT_READ_ONLY', retcode = 64 )
N No entry in TWPSSO2ACL for SYS and CLI .
N CheckSubject failed (rc=19). Verifying if ticket was issued by me.
N *** ERROR => System ID and client from ticket are not the same than mine. [ssoxxkrn.c 1065]
N {root-id=56F2022A1D251EE484B95DA770743FB6}_{conn-id=00000000000000000000000000000000}_0
N Data from ticket: sysid= , client=
N My system data: sysid=ITS , client=001
N *** ERROR => Neither was ticket issued by myself nor can I find issuer in TWPSSO2ACL (see note 1055856). [ssoxxkrn.c 1071]
N {root-id=56F2022A1D251EE484B95DA770743FB6}_{conn-id=00000000000000000000000000000000}_0
N dy_signi_ext: ticket issuer not trusted
B { db_rtab( fcode = 'RT_READ_ONLY', tname = 'TSL1D' ) {rsauwri2.c:398}
B NTAB: db_ntab(): NT_RDTDESCR: tabname: TSL1D , fieldname: , fieldnumber: 0
B NTAB: procure_2(): art: 3, tabname: TSL1D
B NTAB: fetch_entry(): art: 3, tabname: TSL1D
B NTAB: T_search(): tabname: TSL1D , hval: 26883
B NTAB: db_ntab(): returning 0
data from ticket sysid and client are empty, so the server can not match in TWPSSO2ACL.
Thanks in advance,
Hi,
I installed a simple Kerberos SSO configuration.
But now I don't have the Option to switch between the SAPGUI logon language, even I change the parameter via SU01.
Is there no option to choose an individual language, or am I blind?
What is the best way to change the language during the logon, like I changed this without SSO?
Thanks for any help!
Tobias
I am implementing Transport Express application as part of a larger project on a Dual Track environment. The business want TE to be integrated into the SSO landscape. This is where I am having difficulties. I need advice from anyone having implemented BTI's Transport Express into SAP requiring SSO with CUA as part of the business landscape? Our Domain Controller is Solution Manager. The TE settings in SolMan allow for a Web UI email notification, this contains a hyperlink to a user Dashboard. The expectation with SSO is that clicking on the hyperlink will automatically connect us to the Web UI Dashboard. Currently this does not work. Any suggestions?
I have also been given three options to concider; 1. Our Portal manages ABAP and Java SSO, 2. SPNego is for ABAP systems, 3. A system to system config might work.
Hi experts,
We have completed the SAP Portal Upgrade from Netweaver 7.0 to 7.4 .
In Netweaver 7.0 , we have configured SSO between windows active directory to Portal with help of SAP note 1457499 & attached configuration guide. it worked fine before the upgrade process.
but now in the Netweaver 7.4 which is not worked so again we configured the SSO as per the below SCN Link step 4 for Configuring the SSO between Java & Windows active directory.After completing that configuration also still SSO is not working.
please provide us your valuable suggestion to fix the SSO in Netweaver 7.4.
SSO configuration in SCN :Single Sign-On with Kerberos (Enable Single Sign-On on SAP AS JAVA)
Regards
Sebastian A
Hi,
I am with a problem in SAP BO 4.1 SP02 to SSO Authentication.
We follow the guidelines as this manual and error when opening lauchpad appears.
Please can you help me?
Environment : SSO Enabled SAP Enterprise portal.
Scenario : The time we login into the SAP Enterprise portal a cookie get generated.
We have an iView within the same SAP Enterprise portal through which we are opening following SAP WebGUI URL
"http://SAP Host Name:HTTP Port/sap/bc/gui/sap/its/webgui/!?sap-client=XXX".
Requirement : We want to open the SAP WebGUI in a different Browser and want to use the same cookie which is
generated for SAP Enterprise portal.to authenticate against SAP WebGUI.
So that we are able to login into the SAP WebGUI opened in a new Web Browser using same Cookie which
is already generated for SAP Enterprise Portal.
Can any one guide us that "How to use the already generated cookie and how it will be transfered from
SAP Entereprise portal to the new browser in which SAP WebGUI is opened"
Hi,
We are looking for SSO solution with SAML 2.0 and it looks there are several ways available to achieve (http://wiki.scn.sap.com/wiki/display/Security/Single+Sign-On+with+SAML+2.0)
We already have SAP NW IdM 7.2 in place so thinking of making it as our identity provider and found following link as a good point to start with
http://help.sap.com/saphelp_nwidmic_72/helpdata/en/64/38385003ce4f2d88602fbf0de78f2f/frameset.htm
Can anyone please share your experience (Limitation/ practical challenges) that you have faced any ?
or
Is it better to go with SAP NW Single Sign-on ?
Thanks,
Karthik
Hi All,
This is my first post in SCN.
I am testing SAP Personas at the moment. I am trying to mix it with SAML2 authentication for user access. What I would like to do is to force some transactions or systems in the URL based on parameters like "fullscreen=true&system=53E4981169A546A".
However, whenever the user first logon using SAML2, those parameters get lost. Is it something anyone ever experienced? I can't manage to figure out where is the setup for correctly forwarding those URL parameters.
Regards,
Aymeric
Hi Experts,
I have a doubt about this product, as I know I can authenticate with certificates provide by Symantec then
1. Go to the Trust Manager screen.
2. Expand the SSL server PSE node.
3. For each unique SSL server PSE:
- Select the application server (its certificate appears in the PSE maintenance section in the Own certificate field)
- In the PSE maintenance section, choose Create Certificate Signing Request.
- Copy/paste the entire contents (including the BEGIN and END tags) into our order form.
Any clue?
Regards.
Now you can provide your employees, customers, and partners with simple and secure cloud-based access to the business processes, applications, and data they need. The new SAP Cloud Identity offering provides state-of-the art authentication mechanisms, secure single sign-on functionality, on-premise integration, and convenient self-service options. Learn more. September 4, 2014
One of the new features of SAP Single Sign-On 2.0 SP3 is support for two-factor authentication with SAP Authenticator, a one-time password generator. Read Ivelina Kiryakova’s blog and learn how to use a second authentication factor for high security scenarios. July 18, 2014
In her latest blog, Martina Kirschenmann presents SAP’s new cryptographic library “CommonCryptoLib” and explains how you will benefit from it with your SAP Single Sign-On installation. July 17, 2014
Good day,
Please help, we are implementing SSO using Secure Login Server, Secure Login Client, Active Directory, X.509 certificates. We've managed to get the setup to work for SAPGui with the Secure Login Server connected to the AD. However we cannot get nwbc (desktop & html) to work. We've done the nwbcoptions.xml settings, as well as transaction SPNEGO still the logon screen keeps popping up.
Any pointers would be appreciated.
Hi All,
We are calling SAP web GUI HTML inside one java application.Is there any possible to configure SSO between java application and inside SAP WEB GUI HTML.With out passing user credentials.
Regards.
Narendar
Mysapsso2 cookie has been generated after we are login into the portal https://FQDN/irj/portal for all the backend systems in client browser. Since it is working fine. After login into the portal , while clicking the URL iview of external JBoss application sever in portal home page and it is shows the new windows pop up login page. After login into this external JBoss application server, we have configured work item for SAP ITS WEBGUI login page of the backend system inside this JBoss appliaction. Here we need to pass the mysapsso2 cookie information in SAP WEBGUI, so that login page is bypassed using SSO. Kindly do give some suggestion for fixing this issue. Kind Regards, R Rajavelu
Hi experts,
We're attempting to set-up a SAML based authentication between our IDP and SAP portal. However, we're running into an issue where the SAML assertions are created under a load-balanced virtual name (virtual.domain.com) while the SAML configuration in the portal is only picking up the local server name (server.domain.com).
The mismatch of names is causing authentication to fail. We've also noticed that once SAML configuration is complete in the NWA, the Endpoint URL values are NOT adjustable.
So we're stuck at the moment to understand how to configure the portal to use the 'virual.domain.com' address in the SAML config to resolve the authentication errors?
Has anyone seen this before and how were you able to resolve?
Thank you!
Tim
Hello Gurus,
We have two portals in our landscape.
The primary portal used for end user authentication is a SAP NW AS Java 7.31. This portal is configured with a UME having LDAP as the data source.
The second portal to which users have to SSO from the primary portal is a SAP NW AS Java 702. This portal is configured with a UME as ABAP datasource.
There are a few users who have a mismatch between AD samaccountname and the SAP logon id. We are trying to configure SSO with SAP logon tickets for these users using user mapping. The ones having the same unique id across are having no issues.
I have so far not succeeded for these set of users if I follow the configuration steps listed on the SAP help documentation.
I am not sure where exactly, I have gone wrong.
- Should the system object for the secondary portal reference the SAP ABAP application server or the SAP portal
- If SAP portal then which template to be used? The template for SAP Remote portal is no longer available.
- I followed some documentation and created one using the SAP dedicated application server and updated the WAS properties. But, it does not seem to work
Any guidance in this regard will be very helpful.
Regards,
Subbu
Hello Experts!
We're currently configuring SAP NW SSO 2.0 and we're getting an error when log-in to the SL Web Client having an expired certificate.
The scenario is a Secure Login Server component installed on the same SAP Application Server where a SAP SRM runs. The Secure Login Server is supposed to generate X.509 certificates in order to perform SSO against different SAP Systems in the Landscape, including the SRM server itself.
Due to customer requirements the Certificate should expire in a short time, i.e. 10 minutes.
At his point, we were able to successfully generate and X.509 certificate and use it to perform SSO against ABAP and Java Systems.
As configured, after 10 minutes, the certificate expires. If we try to log-on again to the Secure Login Web Client in order to get a new certificate an error occurs:
In the java console, the first exception we get is:
network: Connecting https://<hidden server name>:50001/SecureLoginServer/webclient/sap.com~securelogin.webclient.jar?version=1410707274078 with proxy=DIRECT
network: Connecting http://<hidden server name>:50001/ with proxy=DIRECT
security: Loading certificates from Deployment session certificate store
security: Loaded certificates from Deployment session certificate store
security: SHA-256Certificate finger print: <here fingerprint 1>
security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
security: SHA-256Certificate finger print: <here fingerprint 2>
security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
javax.net.ssl.SSLException: Received fatal alert: illegal_parameter
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
Workarounds:
We found the following workarounds that aren't suitable for us. We require the SL Web Client to automatically handle such situation without changes in the client machines.
1) Delete the expired certificate in IE manually and restart IE.
2) Disable in the Java Control panel "Use certificates and keys in browser keystore" and install the Secure Login Root CA certificate in the Java VM.
Any thoughts? have you faced the same issue?
Thank You!!
Diego.
Hello,
We are currently planing to use SAP logon tickets to achieve SSO from EP to other SAP GUI systems.
The user will once authenticate itself with user id and password in portal which will be done with the LDAP .
Once the user enter the portal, user with specific role would be able to access ivews with list of SID of our landscape,SID will be link and when we click it will call the SAP logon pad and the user will be authenticated using SAP logon tickets. Thus SAP start screen will appear.
In addition to this we need to access third party such as mailbox and other web base application ( ticketing tools)
We are not using SAP Single sign on product.
Can we do this without the product ??
If yes do we need to buy any other third party product like kerberos ??
Mainly i would like to know can this be done without any addition buying any SAP or other product.?
Thanks,
Vinit Kulkarni
