SAP Single Sign-On in 2 minutes.
| What technology to use?
|
SAP Single Sign-On in 20 minutes.
|
More details and documents:
SAP Single Sign-On Fact Sheet (PDF)
SAP Single Sign-On in Detail (PDF)
Overview Presentation (PDF)
What's New in Release 2.0 SP4? (Blog, Presentation)
|
Dear Colleagues,
We are using Secure Login Kerberos Token for our SSO in the SAP GUI. SAP GUI Version is 7.30 Patch 5 and Secure Login is Version 2, Support Package 3, Patch level 2.
In rare cases endusers are not able to login via SSO. When we check the PC and open SAP Secure Login Client we detect that there is no Kerberos Token to select. At the moment our solution is to reinstall the whole SAP Secure Login Client with the SAP GUI for the user.
We are not sure why a kerberos token would suddently not be available in the sap secure login client. Any idea in which area to look?
Regards,
Alexander
Hello,
We are trying to implement NW Single Sign-On for our SAP systems.
We are also using Apache Reverse Proxy for our systems.
Some info for implementation;
All Users' Domain : mycomp.com.tr
SL Server FQDN : nwsso.mycomp.com.tr
Apache Proxy DNS for SLServer : sso.mycomp.com
SPNEGO User : SL-JAVA-SSO (SPNs: HTTP/nwsso.mycomp.com.tr, HTTP/sso.mycomp.com)
SLA Console URL : https://sso.mycomp.com/slac
We are using portal.mycomp.com, bo.mycomp.com, erp.mycomp com DNSs to reach SAP systems through Apache.
All systems are members of the "mycomp.com.tr" domain and all users are members of the same domain.
My question is:
Is it possible to implement SSO when we are using "*.mycomp.com" for URLs although our domain is "mycomp.com.tr"?
And if yes how?
Can you help, please?
Thanks and Regards,
Yuksel AKCINAR
Dear All,
I am trying to use an SSL certificate created in Secure Login Server (SSO 2.0) for an ABAP system.
I have exported the the certificate as an PSE file and imported the certificate into the Server SSL node.
I noticed that the issuer will be removed as soon as I save the certificate into the SSL node.
I have done the same in an AS Java system and here all worked fine.
I know I need a third party PKI but can this not be achieved by the SSO 2.0 product?
Regards,
Ridouan
We are getting SSO error Miscellaneous failure GSS-API(min) Kerbros SSPI not usable with this User-account Stop! initial call togs_indicate_mechs() failed Time.
We have mapped our sap service user to the spn and when we select the option in AD to delegate authority to any application it works but when we select delegation to particular spn it gives above error.
Anyone suggest?
Hi,
We have ECC 6.0 on NW 7.31 on Linux platform. End-users use Windows 7 and SAP Gui to login to ECC. At present users log-into their desktops and then again login to SAP though GUI using there respective passwords.
I am looking for some solution to configure SSO on SAP Gui with MSADS. So that once the user logs on the desktop, he does not have to re-authenticate on sap gui to connect ECC. I want some solution where we don't have to install any tool/library on user desktop and there is minimum foot prints on user machines.
I heard that NW 7.31 SP-15, SAP Gui can have SSO with MSADS using SPNEGO etc.
Please suggest some solution.
Thanks
Vik
Hi,
just a short question.
Do we need to update the keytab file ( SAPSNCSKERB.pse ) with ( crontab )
../SLL/sapgenpse keytab -p SAPSNCSKERB.pse -a USER@DOMAIN.ORG -nopsegen -y " "
like we have to do it in the old SNC connection method ( kinit -k planned in the crontab ) ? or is it enough to build the pse one time.
Are there tickets that will expire ?
sapgenpse keytab -p SAPSNCSKERB.pse -nopsegen
#############################################################################
License Disclaimer SAP NetWeaver Single Sign-On
You are about to configure trust for single sign-on or SNC Client Encryption.
Please note that for single sign-on you require a license for
SAP NetWeaver Single Sign-On.
As exception, the usage of SNC Client Encryption only without SSO is free
as described in SAP Note 1643878.
#############################################################################
keytab: Found keyTab entries in PSE.
keytab: KeyTab content stored:
Version Time stamp KeyType Kerberos name
1 Fri Dec 12 09:43:16 2014 DES USER@DOMAIN.ORG
1 Fri Dec 12 09:43:16 2014 AES128 USER@DOMAIN.ORG
1 Fri Dec 12 09:43:16 2014 AES256 USER@DOMAIN.ORG
1 Fri Dec 12 09:43:16 2014 RC4 USER@DOMAIN.ORG
greetings
Oliver
Hi All,
I have configured an ABAP system to re-use my Windows authentication.
My system is starting fine but SAPGUI is giving me the following issue:
Any clues?
Thanks very much.
Regards,
Ridouan
Hi All,
We are planning to implement Kerberos authentication using our Window AD. I have below queries regarding the same.
1. Our ERP is ECC 5.0 with SAP_BASIS 640 patch 31, will this support Kerberos authentication.
2. If supports, we have different user id's in Windows AD and ECC for the same user. Will this supports. (For example in Windows AD we have SSOTEST, same user has TESTSSO in ERP)
3. Is Kerberos authentication required separate license.
If possible provide links for the same.
Regards,
Sree
Hi,
How do i achieve user authentication on SAP Gui through MSAD (LDAP). Please note, i do not want Single Sign On (SSO). I want following:
1, User login to Windows 7/MAC desktop authenticated from Microsoft Active Directory account
2, User opens SAP Gui client and logs on to ECC instance once again using the user/ID password of corporate active directory.
I do not want SSO where user clicks on sap gui connection and it automatically connects to instance without asking user credentials.
Please let me know how could i achieve this.
Thanks
Vik
Dear All,
We have implemented SSO , almost every user is connected without problem. Only 3 users having below error logging.
Can You Please let me know what would be the problem and How to solve issue.
Regards,
Phani
Hi,
[This is in continuation to Implementing Single Sign-On from .NET Application to SAP System, using SAP.NET Connector 3.0]
After hosting WCF service on IIS and accessing from client, it is giving error "Kerberos SSPI not usable with this User account". This error puzzled us.
Any help or pointer will be highly appreciated.
Markus Tolksdorf and Tim Alsop , I need your expertise again on this. 
Thanks in advance
Atul Sharma
In PI 7.4 Java only - via ESR -> open CTS transport browser I receive the logon popup for our Solman system (for charm). I am trying to implement SSO.
I have exported the SAPLogonTicketKeypair-cert (from PI NWA Keystorage) and imported in Solman (7.1 SP11) client 000. I have exported the Solman x.509 crt and imported into PI Ticketkeystore.
I still get the popup to supply login details. My id exists in both systems.
Has anyone done and can share details? Not sure what I missed. ..thanks in advance.
Hello,
I have succesfully configured the Secure Login Server to authenticate users via Windows Login / SPNEGO. Unfortunatelly the enrollment does NOT work for users in different domains, but only one domain AT A TIME. So the Secure Login Server SPN sits within the Kerberos Realm that allows users in exactly this Realm to login via SPNEGO. (Of course all users from all domains are visible in dthe Secure Login Servers UME)
But we have 4 domains in a forrest..So, according to note 994791 that states:
..I have configured SPNEGO only for the realm that hosts the SPN.
Unfortunatelly it doesn't work. Please help me if you have experience with cross domain SPNEGO authentication via Secure Login Server.
Thank You,
Philippe
Hi Experts,
Consider this scenario.
Case 1:
There are 2 domains (forests), Domain A and Domain B.
SAP users are located in Domain A, while AS-JAVA server is located in Domain B.
There is a One Way Forest Trust (OWFT) between Domain A and Domain B, in which Domain A is the trusted domain, while Domain B is the trusting domain.
AS-JAVA is using Active Directory (Domain B) as the UME data source.
We run ‘setspn’ in Domain B for the AS-JAVA resource.
We create the Kerberos Realm in AS-JAVA for Domain B.
Would this SSO configuration work?
On this scenario, what would be the KPN (principal@REALM) of the user? Is it principal@DomainA or principal@DomainB?
Another side question I have:
when configuring SPNEGO authentication, is there a step where we need to connect from AS-JAVA to the LDAP (AD) server?
Can this connection be secured using LDAPS on port 636/tcp?
Thanks in advance.
Best Regards.
This presentation introduces the SAP portfolio for compliant identity and access management. The SAP Single Sign-On solution and its benefits are explained in detail. Various scenarios covered by the solution are outlined. In addition, recommendations and best practices for your single sign-on project are provided.
Hi Experts,
We have configured SSO-Saml between Oracle web center portal and SAP-Abap. OWC portal(Idp) will initiate the saml request to SAP(sp) and we used Email-id as a identity federation.
Previously when owc portal initiated the saml request, we have faced relay state error while log into sap. So in Service provider ACS, we have mentioned the webgui services as a default application path and its started working and we are able to access SAP system through Sap gui for html(webgui) from OWC.
But when we are logging off from SAP,only SAP is logged off but SAML session is not logged off. I mean OWC portal in not logged off.
please guide me what we need to do in SLO for log off of the entire SAML session and is there any option to provide our own URL to redirect to logout page or what else we need to do.
Thanks in Advance,
Regards,
Lakshmanan V
,
Hi gurus,
We bought the SAP Netweaver Single Sign-On license so we can perform single sign on in NWBC for HTML. Per the NW SSO implementation guide, I put the login library on the ABAP server, set the appropriate parameters, and am configuring transaction spnego in the ABAP system. What steps do I follow once that is done so that users won't have to enter a password in NWBC for HTML? Is the SecureLogin client or SecureLogin Server required for this scenario? Since spnego is available for ABAP, can I assume it is like spnego for Java where the functionality provided by the Internet Explorer client is enough and I don't need any other software?
Warm regards, CM
Hello,
We want to implement NW Single Sign-On for our SAP systems. We have done the implementations as follows; (with the help of Implementation Guide and http://scn.sap.com/docs/DOC-40179 Implementing Single Sign-On with X.509 Certificates)
Secure Login Server
Secure Login Client
System Info is as follows;
SL Server FQDN : mycmnwsso.mycmp.com.tr
SPNEGO User : SL-JAVA-SSO (SPNs: HTTP/mycmnwsso.mycmp.com.tr, HTTP/sso.mycmp.com
SLA Console URL : https://sso.mycmp.com/slac
Enroll URL : https://sso.mycmp.com:443/SecureLoginServer/slc/getProfiles?grouppolicy...
I login to one of the client with domain user. I donot see the SLServer Root Certificate on SL Client. I opened trace. There is “[2014.12.03 17:08:50.754000][WARN ][sbus.exe ][LOADER ][ 6300] ERROR(0xA0800200) in sec_get_SEC_DLL: Failed to load library sbusslogin” error.
Why I cannot get SL Certificate on SL Client?
Although I entered ShowUserPoliciesPage registry entry I cannot see Profile tab page on SL Client Tool?
Any recommendation about the issue?
Can you help, please?
Thanks and Regards,
Yuksel AKCINAR
Hi Experts,
happy new year! I have a customer using X.509 based SNC for SAP GUI with configured alt. name DN feature (gss.xml) so the SAP CommonCrypto Library or the Secure Login Library uses the E-mail address instead of the subject DN.
On this system my customer now wants to enable SSO for ICM based web applications. He don't want to use X.509 as he doesn't see any chance to configure a alternate name mapping as for SNC, so he tried with Kerberos/SPNEGO for ICM. The SPNEGO uses the SNC Name mapping from USRACL (pname) equal E-mail address.
Is there any way to solve this? Currently the only way I see is to recommend to the customer using SPENGO (on this system) for SAP GUI (SNC) AND ICM/web.
Thanks.
Carsten
