Channel: SCN : All Content - SAP Single Sign-On
Viewing all 865 articles

HANA to ECC SSO Configuration


Hi Experts,

 

We have a SAP HANA XS Application which has a drill down link to an ECC Web Application. When this link is clicked the User is prompted for the Login Screen by the ECC System.

 

The requirement is to have SSO configured for this ECC System such that if the user is coming from HANA XS Application, then the user should be automatically logged in with the required user into the ECC system.

 

Is there a way that this can be achieved?

 

--

Thanks and Regards,

Shreepad Patil


Secure Login Client - Started without access to network


Hi,

 

We have users that work from home and use the Secure Login Client (Fat client). We are using the SPNEGO authorization method. When they start their computer, they are not connected to the network. The SLC starts at computer startup and runs into a "No host found." error. This is correct. They then connect to the network using VPN software. Since the SLC did not connect at startup, the user does not have a valid certificate. Is there a way to get the SLC to automatically log in to the SSO server after the user has connected to the VPN, or do they have to manually log in after the connection?

 

Thanks for any help!

SAP Passport (client certificate generation for public users on SCN)


We are currently developing an application using SAP ID Service (SCN password) and SSO as main authentication principle.

 

As our application might be used by external partners / agencies it would be great if they could request a client certificate.

 

I only found this URL to request a client certificate:

https://websmp202.sap-ag.de/~form/sapnet?_SHORTKEY=00200797470000029066&_SCENARIO=01100035870000000202&

 

And some additional information around it. It seems that only customers / partners are eligible for requesting a SAP Passport.

 

My question is now, if there is also some kind of a self-service for creating a client certificate for public SCN users in order for future usage of HCP applications.

 

Best regards

Johannes

SSO on NWBC


Good day,

Please help, we are implementing SSO using Secure Login Server, Secure Login Client, Active Directory, X.509 certificates. We've managed to get the setup to work for SAPGui with the Secure Login Server connected to the AD. However, we cannot get NWBC (desktop & HTML) to work. We've done the nwbcoptions.xml settings, as well as transaction SPNEGO; still the logon screen keeps popping up.

 

Any pointers would be appreciated.

Using SAML in Portal to Authenticate with 3d party website


Dear SAP Community,

 

We are running a website where users need to be authenticated from the Portal.

 

Scenario:

 

User logs in to SAP portal via SAML Authentication. This user can view a link in the Portal; he can click the link and will be transferred to a website on another domain. This domain will receive a "ticket" and the user will be able to log in.

 

 

Information from a friend:

If you have a setup that uses SAML, there are mechanisms to transfer that session between domains that basically rely on passing a ticket through the URL to the client from the authentication server, and that ticket is then passed to the site you want to authenticate against, which can use that to establish the identity of the user with the authentication server and establish the sessi

 

 

Does SAP provide a solution for this?

NW SSO 2.0 With Kerberos only authentication fails sporadically


Hi,

 

We have configured Kerberos-only authentication (NW SSO) for all our SAP systems. The single sign-on works perfectly fine. But in our production systems there are 9 app servers. We have activated SNC as per procedure and we use logon groups for signing in to SAP. The SSO works fine, but sporadically it does not work and it prompts for user name and password in the login screen. We have tested SSO for each individual app server including CI and it works fine. Even with logon groups it works fine most of the time, but at times it prompts for the login screen. We use Secure Login Client 2.0 SP3.

 

Thanks

Thilip Kumar

Setting up SSL on Web Application Server ABAP


Hello

 

We are in the middle of configuring SSL in SAP ECC 6.0.

I have a couple of questions about the Common Name (CN) that needs to be defined while creating the SSL server PSE.

  a. Should we use server name or SID name or * in the CN field? SAP is not supporting * but some non-SAP sites are suggesting to use *.

  b. In our environment, we have a CI and more than one dialog instance. If we need to define the server name in the CN field, do we need to create an SSL server PSE for the CI and DIs separately (meaning multiple SSL for one SID)?

Or is there another option instead of using multiple SSL for one SID?

Please suggest.

 

Thanks

Amar

SSO Client: Profile selection dialog


Hi guys,

 

after installing the SSO client for the first time, we have intermittently noticed a profile selection dialog popping up when a user tries to connect to an SNC-enabled SAP system using SAP GUI. The dialog asks the user to select a profile (in our case we have two SLS profiles). The selection is then remembered from that point going forward, same as if the user would make the selection in the client directly (via right-click).

 

The question is what exactly triggers that dialog from appearing since we have not been able to reproduce it - even if no profile is selected as "use for secure login".

 

Is there a registry key maybe that we're missing? We played around with allowFavorite, but that didn't help.

 

Thanks

Michael


Password Manager for SAP Single Sign-On Implementation Guide


Password Manager helps you store strong passwords in a secure store for single sign-on (SSO) to applications and web sites, without the need to remember every password or click a specific logon dialog. After you have logged on to the Password Manager application, logon to applications running under the control of the system happen automatically. The Password Manager Implementation Guide takes you through all steps required to install, configure, and operate Password Manager.


Kerberos SSP for Windows vs NW SSO 2.0


All

 

Assuming a customer has Windows / Oracle environment for his SAP applications

I understand that SAP provides the wrapper libraries for Kerberos SSP

 

If the objective is to get simple SSO into the sap application using SNC (SAPGUI), in what way is NW SSO 2.0 superior?

Or in other words, what are the shortcomings of a Kerberos SSP solution which is for free that a customer has to buy the license for NW SSO?

 

Details would be much appreciated

 

Note: It's clear that SSO to browser-based ICM applications with SPNEGO is only possible with NW SSO, but this is not required for the time being and SSO to the SNC interface with SAPGUI is the sole criterion.

 

Thx

Generate SAML 2.0 response



Hi,

 

We are configuring SSO with an external service provider and plan to use SAML 2.0 for this purpose.

 

We installed IDMFEDERATION on a NW Java 7.4 machine and configured IdP there. Installed the certificate from the service provider into the keystore and created the URL iView and maintained the parameters.

 

The Service Provider is requesting a SAML 2.0 sample response file to configure the extraction part at his end. How do I create a SAML sample response file? Please let me know.

 

Thanks!!

 

BR,

Sanjeev

SAP Single Sign-On Master Guide


The master guide provides an overview of SAP Single Sign-On, its software units, and its scenarios. Use it to help you design your single sign-on system landscape before you start the implementation phase.


Secure Login for SAP Single Sign-On Implementation Guide


Secure Login is an innovative software solution specifically created for improving user and IT productivity and for protecting business-critical data in SAP business solutions by means of secure single sign-on to the SAP environment.


SAP NWSSO2.0 SP03 SPNEGO not working (No Webgui/NWBC or Portal)


Login testing the service WebGUI

1. SICF->Default_Host->sap->bc->gui->sap->its->webgui – test the service

Getting a prompt first for the AD user ID and password and then for the SAP user ID and password.

2. The same thing happens with NWBC and BW-Portal login: it prompts for the AD ID and then the SAP ID and password.

Whereas ABAP SSO works perfectly.

 

 

Here are my configuration steps.

  • Our OS: Windows Server 2012
  • DB: MSSQL 2012
  • AD: Microsoft Active Directory
  • SAP NW7.4 with SPS5
  • SAP Installation – Central System
  • SSO product- SAP NW SSO2.0 SP03
  • SID – SB1, SE1 ….
  • DOMAIN: MYCOMPANYNAME.COM ( Just an example, not the real name)

 

NWSSO Configuration Steps.

1.  Service User in the MS AD for AS-ABAP or AS-JAVA/Portal with the following information

  • User ID: SAPService<SID> (existing individual <SID> Service user ID)

  • Set "User cannot change the password"

  • Set "Password never expires"

 

2.  Created SPN for this Service User

  • For ABAP -SAP/SAPService<SID>

  • Web (HTTP/ Hostname for ABAP apps server)

 

3.  Installed Secure Login Library on SAP Server

  • Created a folder named SLL in /user/sap/<SID>/DVEBMGS00 ($(DIR_INSTANCE)\SLL)

  • Verified SLLibrary (Version - 8.4.18.0)

(Starting with NW7.4 the sapcrypto library comes included; check that the version is the same in the SLL directory and in the Kernel Dir.)

 

4.  Define the following SNC parameters using RZ10

   snc/identity/as = p:CN=SAPServiceSB1@mycompany.com

   snc/enable  = 1

   snc/accept_insecure_cpic = 1

   snc/accept_insecure_rfc = 1

   snc/accept_insecure_gui = 1

   snc/data_protection/min = 3

   snc/data_protection/max = 3

   snc/data_protection/use = 3

   snc/permit_insecure_start = 1

   snc/r3int_rfc_qop = 8

   snc/r3int_rfc_secure = 0

   snc/force_login_screen = 0

   spnego/enable = 1

   spnego/krbspnego_lib = $(DIR_INSTANCE)\SLL\sapcrypto.dll

   snc/gssapi_lib = $(DIR_INSTANCE)\SLL\sapcrypto.dll

 

5.  Kerberos KeyTab was generated successfully for SPNEGO/SNC and verified 

        #sapgenpse seclogin -l –v

6.  Configured Credential file and verified

7.  Install Secure Login Client and defined SNC name as p:CN=SAPServiceSB1@mycompany.com

8.  Configure User Mapping in SAP AS ABAP – SNC name – p:CN=<USERID>@MYCOMPANY.COM

9.  Restarted the SAP server and my ABAP SSO is working perfectly.

10.     SPNEGO Configuration:

     a.  Define Kerberos KeyTab for SPNEGO using tcode – SPNEGO

     b.  Created UPN - SAPServiceSB1@MYCOMPANY.COM with the password of this server ID.

 

For WebGUI all the required services are activated and published via SICF and also per http://scn.sap.com/docs/DOC-29485

Created an SAP Message and SAP also confirmed all your setting looks and Kerberos being case sensitive, but since my ABAP SSO is working, that possibility is also ruled out.

Are there any different steps or known issues with the above settings for SPNEGO? I have not mentioned the steps for Portal because first let's get the WebGUI or NWBC resolved, which uses the SPNEGO configuration.

SAP Password Manager with Internet Explorer 11


Hello,

 

 

we have a Problem with the SAP Password Manager and Internet Explorer 11.

 

 

After the upgrade from IE9 to IE11 the Add-On wouldn't start in IE11. I can see that the Add-On is active but there is no active tool bar; also the Password Manager is without any function.

 

 

Does anyone else have the same problem?

 

 

Thanks for your assistance.


Is it possible to login into the Java instance without password's input, using only my Windows workstation authorization?


Dear Sirs,

 

 

I am trying to set up authorization to my NW 7.3 Java instance through my Windows domain authorization.

I have done the following:

1) Created a connection to the LDAP server and tested it.

2) Added the Windows domain certificate to TrustedCAs

3) Configured SPNego

Now I can log in to my NW 7.3 Java instance with my Windows password; however, I must enter the password when I open the NW 7.3 Java homepage.

Is it possible to log in to the Java instance without entering a password, using my Windows workstation login/password?

What do I have to do for that?

 

I use Windows XP on my workstation and IE 8.0.6 & Chrome 38.0.2125.

 

 

Best regards,

Alexey Lugovskoy

SAML2.0 Message Based Authentication - AS ABAP


Hello All,

 

We have recently (successfully) configured SAML2.0 on AS ABAP (ERP 6.05/NW7.02) for authenticating Web Applications (Web Dynpros, Fiori Apps...etc) via a Web Browser intermediary, and using ADFS as the Identity Provider.

 

We would now like to extend this configuration for Message Based Authentication for Webservices being consumed by other (non-web browser) intermediaries (such as SharePoint, Project Server, Software AG (ESB)...etc).

 

The configuration completed so far is detailed as follows:

 

  • SAP SSL
    • SAP Crypto Library (Version 8.4.25, SSF 1.840.40)
    • SAP PSE's and Certificates (all certs are self signed and not verified by a CA)
      • System PSE
      • SSL Sever Standard
      • SSL Client Standard (SSL Root Certificate of ADFS)
      • SSF SAML2 Service Provider - Encryption
      • SSF SAML2 Service Provider - Signing (ADFS Signing Certificate)
      • WS Security
    • Session Security Activation (Client Activated)
  • SAP SAML2 Configuration
    • Local Provider
    • Local Provider Metadata exported and imported in to ADFS
    • Trusted Provider (ADFS Metadata and Signing Cert imported into SAP)
    • Endpoints default = HTTP Post, Binding = HTTP Artefact, Supported Name Format = Unspecified/Logon ID
  • SAP SAML2 Message Based Authentication Configuration:
    • Secure Token Service (ADFS Metadata and Signing Cert imported into SAP, Supported Name Format = Unspecified/Logon ID (no users mappings maintained))
      • Web Service Policy - SAML 1.1 (Asymmetric consumer key, STS as attester. Authentication Contexts Alias = unspecified)
      • Web Service Policy - SAML 2.0 (Asymmetric consumer key, STS as attester. Authentication Contexts Alias = unspecified)
      • Service User DELAY_L_<SID> (WSS_SETUP), SAML 1.1 Trust
    • Web Service (SOA Manager) Configuration:
      • Transport Guarantee/Communication Security = SSL (though we have also tried; No Authentication and both Symmetric/Asymmetric Message Signature/Encryption)
      • Authentication = SSO using SAML
      • Secure Token Service = Web Service Policy - SAML 1.1 (Asymmetric consumer key, STS as attester. Authentication Contexts Alias = unspecified)

     

    Test Results/Errors:

    We have used SOAP UI to make the webservice calls in our tests, with the following results:

    • When using a username/password authentication at the message level the service call works
    • When sending a signed message with SAML authentication with sender vouches subject confirmation, it fails:
      • If we use a certificate added to the truststore we get an encryption-related error
      • If we use an arbitrary, non-trusted certificate, we get a different error saying that the signature is not recognized.


    Questions:

    1. Is it mandatory to have the certificates in the SAP Trust Store (STRUST) signed by a verified Certificate Authority (CA)?

    2. If so, which Certificates need to be signed by the CA?

    3. Referring to the configuration detailed above, is there any configuration or specific settings that have been missed?

    4. For the Web Service (SOA Manager) config, what is the recommended Transport Guarantee/Communication Security method?



    Your time and guidance on this discussion is greatly appreciated.


    Thank you and regards,

    James Curran

    SAP Technical Consultant

    Using Kerberos for SNC with Users in Different Domains


    Dear All,

     

    In chapter "4.7.3.1.6 Using Kerberos for SNC with Users in Different Domains" of the SAP SSO Implementation guide it is mentioned that it might also be possible to set up SNC for users in different domains without having a trust relationship for the different domains.

    "Since it is not so easy to configure trust relationship for different domains, the Secure Login Library also supports another option."

     

     

    1. Is the CommonCryptoLib really supporting SNC for different domains without a trust?
    2. Where can I get further information for this option?

     

    BASIC PARAMETERS:

    CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.30 pl40

    SAP GUI 7.30 PL 10 used on Windows 7 Client for testing

     

    We are currently getting errors when trying to use SNC in another domain which has no trust to the main domain. That's the reason for this post.

    I have attached the trace file of the secure login client.

     

    Thanks & Best Regards

    Matthias

    SAP Single Sign-On 2.0 - What's New in Support Package 04


    This document explains in detail the new features in SAP Single Sign-On 2.0 Support Package 04, such as two-factor authentication with SAP Authenticator, mobile single sign-on, risk-based authentication with access policies, and Secure Network Communications (SNC) Made Easy.


    SAP SSO 2.0 – Manual Cloning of a Secure Login Server Configuration


    PROBLEM

     

    If two Secure Login Server instances are running independently, i.e. not in a NetWeaver cluster, their configuration is not synchronized. While the Secure Login Server Administrator Console allows you to maintain the same X.509 PKI by exporting and importing Certificate Authority objects, it is not possible to create exactly the same Client Authentication Profiles and Policy Groups, because they get a random GUID as part of their URLs even if the same display names are chosen. This leads to compatibility issues if such independent SLS instances are to be used for load balancing or fail-over.

     

    SOLUTION

     

    A manual export and import of all configuration items except the PKI objects can be done with AS Java Config-Tool, as illustrated in this blog.

     

     

    PREREQUISITES

     

    1. AS Java SourceSystem is up and running, Secure Login Server configuration is complete and tested.
    2. AS Java TargetSystem is up and running, no Secure Login Server deployed yet, or Secure Login Server deployed but not configured yet.
    3. On both systems, you are able to launch AS Java Config-Tool, which may require a remote desktop or X session:
      • LINUX:        cd /usr/sap/SID/INST/j2ee/configtool ; ./configtool.sh
      • WINDOWS: cd D:\usr\sap\SID\INST\j2ee\configtool && configtool.bat
    4. There is a file share available to both systems that both can write to and read from, because AS Java Config-Tool uses files on the remote system only.
    5. On both systems, SAP JVM is running with the same Java JCE Security Policy; the JCE Unlimited Strength Jurisdiction Policy Files are recommended if applicable for your country. Download the Java 1.6 policy files and extract them here (rename the original files):
      • LINUX:        /usr/sap/SID/SYS/exe/jvm/OS/sapjvm_6.xxx/sapjvm_6/jre/lib/security/
      • WINDOWS: D:\usr\sap\SID\SYS\exe\jvm\OS\sapjvm_6.xxx\sapjvm_6\jre\lib\security\
    6. The Secure Store Key Phrase must be the same on both systems; change it with AS Java Config-Tool if this is not the case.

      Note: Changing the JCE Security Policy requires shutting down AS Java and restarting AS Java Config-Tool before changing the Key Phrase; changing the Secure Store Key Phrase takes effect only if "Apply Changes" is performed. Do not start AS Java before all these steps have been completed successfully in this order. The target system can be kept stopped until the export/import procedure is completed.

     

     

    EXPORT FROM SOURCE SYSTEM

     

    1. Launch AS Java Config-Tool
    2. Switch to configuration editor mode
    3. Switch between view and edit mode
    4. Select node "SecureLoginServer"
    5. Select menu item "Export"
    6. Give a valid file name in the file share, press "Start export". Occurring errors may be caused by missing write permissions in the file share.
    7. If exporting is successful, press "Close window"
    8. Close AS Java Config-Tool with its "Exit" menu

     

     

    IMPORT INTO TARGET SYSTEM

     

    1. Launch AS Java Config-Tool
    2. Switch to configuration editor mode
    3. Switch between view and edit mode
    4. Select root node "Configurations"
    5. Select menu item "Create sub-node"
    6. Enter name "SecureLoginServer"
    7. Press "Create", then "Close window"
    8. Select the new node "SecureLoginServer"
    9. Select menu item "Import"
    10. Select the exported configuration from the file share
    11. Press "Start import"
    12. Press "Close window"
    13. Close AS Java Config-Tool with its "Exit" menu

     

     

    FINALIZING TARGET SYSTEM

     

    1. Once the configuration import was successfully done, AS Java can be started (or must be restarted, if already up and running).
    2. Now Secure Login Server can be deployed according to the product guide.
    3. Don't forget to associate the SLAC_SUPERUSER role to your NetWeaver administrator.
    4. Open NetWeaver Administrator > Configuration > Authentication and Single Sign-On.
    5. Create all Policy Configurations and Login Modules as in the source system.
    6. Now Secure Login Administrator Console can be opened.
    7. In Certificate Management, create your target system PKI by importing the PKI objects from your source system (e.g. by having both SLAC browser windows open and using your Desktop as import/export share).
    8. Edit all profiles in Client Management > Client Authentication Profiles, open User Authentication, and select the correct "Policy Configuration" values.
    9. Edit all profiles in Client Management > Client Authentication Profiles, open User Certificate Configuration, and select the correct "User CA" values.
    10. Edit all profiles in Client Management > Client Authentication Profiles, open Secure Login Client Settings, and select the correct "Host Name" and "Port" values.
    11. Edit all profile groups in Client Management > Profile Groups > General, and select the correct "Host Name" and "Port" values.
    12. In Client Management, enable all profiles that may be locked.

     

     

    CONCLUSION

     

    That's it. Now your target system's Secure Login Server will look like the source system, except for its hostname.

     

    Be aware that any changes in one of the systems are still not synchronized after this procedure. Adding a client profile in one system requires a similar export/import with AS Java Config-Tool.
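
A pre-flight check for prerequisites 4 and 5 of the cloning procedure above, as an added example that is not part of the original blog: it compares the JCE policy files of both JVMs by SHA-256 and probes the file share for write access. The function names and the directory arguments are assumptions; `local_policy.jar` and `US_export_policy.jar` are the standard names of the Java 6 JCE policy files.

```shell
#!/bin/sh
# Added example (not SAP tooling): pre-flight check before cloning a
# Secure Login Server configuration with AS Java Config-Tool.
# Usage: preflight.sh SRC_SECURITY_DIR TGT_SECURITY_DIR FILE_SHARE
# Assumption: both jre/lib/security directories are reachable from this host,
# for example because the target's files were copied to the file share.

# Standard file names of the Java 6 JCE jurisdiction policy files.
POLICY_FILES="local_policy.jar US_export_policy.jar"

# Print the SHA-256 of a file; fail if the file does not exist.
file_hash() {
    [ -f "$1" ] || return 1
    sha256sum "$1" | cut -d' ' -f1
}

# compare_jce_policy SRC_DIR TGT_DIR
# Returns 0 only if every policy file exists in both directories with an
# identical hash. A mismatch means the two JVMs run different JCE policies
# (prerequisite 5 is not met).
compare_jce_policy() {
    src_dir=$1; tgt_dir=$2; rc=0
    for f in $POLICY_FILES; do
        src_hash=$(file_hash "$src_dir/$f") || { echo "MISSING  $src_dir/$f"; rc=1; continue; }
        tgt_hash=$(file_hash "$tgt_dir/$f") || { echo "MISSING  $tgt_dir/$f"; rc=1; continue; }
        if [ "$src_hash" = "$tgt_hash" ]; then
            echo "OK       $f"
        else
            echo "MISMATCH $f"
            rc=1
        fi
    done
    return $rc
}

# check_share_writable DIR
# Returns 0 if a probe file can be created in DIR (prerequisite 4); export
# errors in Config-Tool are otherwise likely to be missing write permissions.
check_share_writable() {
    probe="$1/.sls_export_probe.$$"
    if ( : > "$probe" ) 2>/dev/null; then
        rm -f "$probe"
        return 0
    fi
    return 1
}

# Run both checks when called with the three directories.
if [ "$#" -eq 3 ]; then
    compare_jce_policy "$1" "$2" || echo "JCE policy differs between source and target"
    check_share_writable "$3" || echo "File share $3 is not writable"
fi
```

Run it once from each system against the same file share, since the export is written on the source side and read on the target side.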
