Channel: SCN : All Content - SAP Single Sign-On

SAML 2.0 SSO for SAPGui windows


Scenario

 

You want to enable SAML Single Sign On for SAPGui windows.

You have these components in place: IdP, SAPGui windows, Internet Explorer and SAP NetWeaver AS ABAP 7.02 or higher.

 

SAPGui does not offer native support for SAML. To make this work, we combine the legacy support feature of the ABAP SAML service provider (which issues an SAP logon ticket after a successful SAML login) with the SAPGui shortcut SSO that uses the MYSAPSSO2 cookie.

 

scenario.jpg

 

Solution components

 

  1. Enable SAML authentication on the ABAP system using transaction SAML2 and exchanging the metadata with your IdP. This is well documented in the wiki Single Sign-On with SAML 2.0 and ABAP Systems Supporting SAP Logon Tickets. The important setting in this case is to set the value of "Legacy Systems Support (Issue Logon Ticket)" to "On" in the SAML Local Provider Configuration.
  2. Build a BSP application that will establish the SAML SSO with the IdP. This BSP application takes the cookie from the browser and puts it in a SAPGui shortcut. More information about SAPGui shortcut SSO can be found here: Single Sign-On for SAP Shortcuts - User Authentication and Single Sign-On - SAP Library.

BSP application:

 

    • Start page launchGui.htm: grabs the cookie and navigates to the BSP page creating the shortcut file.

bspLaunchGui.png

(source code attached in launchGui.txt.zip)

 

    • Page createSapGuiShortcut.htm parses the cookie and creates a SAPGui shortcut file containing the MYSAPSSO2 logon ticket.

 

bspCreateSapGuiShortcut.htm.png

(source code attached in createSapGuiShortcut_OnRequest.txt.zip )

 

Put this BSP application in the "Default Application Path" of the "Assertion Consumer Service" setting of the SAML Service provider.

defaultApplicationPath.jpg

Now start an IdP-initiated request. After successful authentication against the IdP, the BSP application takes the MYSAPSSO2 cookie from the browser session and puts it in the SAP shortcut file. Opening the SAP shortcut file will initiate an SAP logon ticket SSO to SAPGui. Depending on a registry setting in Windows, the user will either get a popup asking to open the shortcut file or SAPGui will start immediately. More details about this setting and how to influence it can be found in SAP note 604324: http://service.sap.com/sap/support/notes/604324.
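The cookie-to-shortcut step of createSapGuiShortcut.htm, modelled in Python as an added example (the original is a BSP page whose source sits in the attached zip and is not reproduced on this page). The SAP shortcut sections and the quoted `at="MYSAPSSO2=..."` entry in the `[User]` section follow the SAP shortcut SSO documentation as I recall it and are assumptions here; the cookie header, ticket value and system parameters are constructed. The shortcut carries a live logon ticket, so the example refuses values that could inject extra INI keys and the caller must treat the generated file as a credential.

```python
# Constructed sample: the Cookie header a browser sends to the BSP after the SAML login.
# The MYSAPSSO2 value is a made-up placeholder, not a real logon ticket.
SAMPLE_COOKIE_HEADER = (
    "sap-usercontext=sap-client=100; "
    "MYSAPSSO2=AjExMDAgAA9wb3J0YWw6RFVNTVlVU0VSIEFBQUE=; "
    "sap-XSRF_ABC_100=xyz"
)


def extract_mysapsso2(cookie_header):
    """Return the MYSAPSSO2 value from a Cookie header, or None if it is absent."""
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name == "MYSAPSSO2":
            return value
    return None


def build_sapgui_shortcut(ticket, system_id, client, app_server, sysnr, language="EN"):
    """Render a SAP shortcut (.sap) file that logs on with the given logon ticket.

    Section/key names are assumed from the SAP shortcut SSO documentation.
    A ticket containing line breaks or quotes could smuggle extra keys into the
    INI file, so such values are rejected instead of written out.
    """
    if not ticket or any(c in ticket for c in '\r\n"'):
        raise ValueError("ticket is empty or contains characters illegal in a shortcut file")
    lines = [
        "[System]",
        f"Name={system_id}",
        f"Client={client}",
        f"GuiParameter=/H/{app_server}/S/32{sysnr}",   # direct connection to dispatcher port 32nn
        "[User]",
        f'at="MYSAPSSO2={ticket}"',                    # quoted: base64 tickets may contain '='
        f"Language={language}",
        "[Function]",
        "Command=SESSION_MANAGER",
        "Type=Transaction",
        "[Options]",
        "Reuse=1",
    ]
    return "\r\n".join(lines) + "\r\n"


def shortcut_from_cookie_header(cookie_header, **system_params):
    """Glue both steps: fail loudly when the SAML login issued no logon ticket."""
    ticket = extract_mysapsso2(cookie_header)
    if ticket is None:
        raise ValueError("no MYSAPSSO2 cookie: legacy systems support is probably off")
    return build_sapgui_shortcut(ticket, **system_params)
```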

 

 

User mapping

 

In a typical scenario, the user names of the ABAP system will not be identical to the ones on the IdP. To handle this, you can use the user mapping as described here: Mapping SAML Principals to AS ABAP User IDs - User Authentication and Single Sign-On - SAP Library.

 

To enable this mapping, set the "Supported NameID Formats" in the trusted provider in the SAML configuration to "unspecified" and then, in the details of "NameID Format", specify the source "Mapping in USREXTID table". Then go to "Name ID Management", select the user you want to map, select the Name ID Format "Unspecified" and add the user there. This will generate an entry in the table VUSREXTID. Then do the final mapping in SM30 and the user name mapping is set up. Alternatively, you can also populate that table directly as described in note 1362866: http://service.sap.com/sap/support/notes/1362866.


Implementing SSO out of the box


Is there any documentation for implementing SSO out of the box?  In SAP course ADM960 it details setting up SSO.  No additional software, such as SSO 1.0-2.0, was required.  The only thing downloaded was the cryptographic library.  We are using Linux systems.

I want to implement SSO using the tools built in.  Any help would be great.

Warren

SECURE LOGIN CLIENT CONFIG on MAC


Hi Guys,

 

I have installed Secure Login Client and the root cert on my MacBook. I know that profile registries do not exist on Mac to connect the client with Secure Login Server.

I tried to make the cert trusted but it still can't connect with my Secure Login Server.

 

Can somebody please explain the configuration/steps used on Mac for the profile registry?

 

Sunil Sharma

Can I create a user that can log in from Personas only and can't log in from SAP GUI and WebGUI?


I have an issue related to Personas 2.

I need to create a Personas user with restricted login: the user can only log in from Personas.

And is there any help document for this purpose?

SSO and SAML issue with Fiori


Hi

I have set up a Fiori system based on 7.4 and it is working fine.

I attempted to use Single Sign-On using SAML based on ADFS as an identity provider, which we are already using in our environment.

I have followed this guide by Chris Whealy: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet

However, when I am trying to log in to the Fiori launchpad, I am redirected to the IdP site where I enter my credentials and I am not able to log in. Checking the diagnostic tool I am getting the following error:

 

SAML20 SP (client 410 ): Exception raised:

SAML20 SAML20 CX_SAML20_CORE: Access by the SOAP request to COMMUNICATION_ERROR was denied with status 1. Long text: Access by the SOAP request to COMMUNICATION_ERROR was denied with status 1. Diagnosis System Response Status 401 was returned. Access denied. Procedure Contact the administrator of the entity, to which access was attempted. The logon data prevent communication. Use an HTTP destination and configure the logon data and the SSL client values as needed. Procedure for System Administration

SAML20     at CL_SAML20_ABSTRACT_PROFILE->SOAP_SEND(Line 160)

SAML20     at CL_SAML20_ARTIFACT->RESOLVE_ARTIFACT(Line 61)

SAML20     at CL_SAML20_ABSTRACT_MSG->PARSE_MESSAGE(Line 216)

SAML20     at CL_SAML20_RESPONSE->CREATE_FROM_MSG(Line 46)

SAML20     at CL_SAML20_ABSTRACT_PROFILE->CREATE_MSG_OBJECT(Line 46)

SAML20     at CL_SAML20_SSO->VALIDATE_RESPONSE(Line 32)

SAML20     at CL_HTTP_SAML20->PROCESS_LOGON(Line 303)

SAML20     at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 62)

SAML20     at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2491)

 

However, checking the possible solution to the above error I came across this:

 

Problem: You are performing SAML 2.0 authentication and you get the following error:

CX_SAML20_CORE: Access by the SOAP request to COMMUNICATION_ERROR was denied with status 1. Long text: Access by the SOAP request to COMMUNICATION_ERROR was denied with status 1.

Reason: SSL server certificate of identity provider is not imported in “SSL Client Standard” PSE.

Solution: Import SSL server certificate of the identity provider in “SSL Client Standard” PSE.

 

I have imported the SSL server certificate along with the root certificate of the identity provider, which is ADFS, and I am still getting the same error.

 

The ICM trace is showing this:

 

Thr 140736331941632] *** ERROR during SecuSSL_SessionStart() from SSL_connnect()==SSL_ERROR_CONNECTION_LOST

Thr 140736331941632]    session uses PSE file "/usr/sap/UI5/DVEBMGS00/sec/SAPSSLC.pse"

Thr 140736331941632] No LastError / ErrorStack available!

Thr 140736331941632]   SSL_get_state()==0x2120 "SSLv3 read server hello A"

Thr 140736331941632]   SSL NI-hdl 193: local=10.2.32.85:52039  peer=10.2.32.43:443

Thr 140736331941632] <<- ERROR: SapSSLSessionStart(sssl_hdl=7fff90003a60)==SSSLERR_SSL_CONNECT

Thr 140736331941632] *** ERROR => SSL handshake with adfs.sbm.com.sa:443 failed: SSSLERR_SSL_CONNECT (-57)

Thr 140736331941632] SAPCRYPTO:SSL_connect() failed

Thr 140736331941632]

Thr 140736331941632] SapSSLSessionStart()==SSSLERR_SSL_CONNECT

Thr 140736331941632] SSL_connnect() failed  (0/0x00) Huh??

Thr 140736331941632]   SSL:SSL_get_state()==0x2120 "SSLv3 read server hello A"

Thr 140736331941632]   SSL NI-hdl 193: local=10.2.32.85:52039  peer=10.2.32.43:443

Thr 140736331941632]   cli SSL session PSE "/usr/sap/UI5/DVEBMGS00/sec/SAPSSLC.pse"

Thr 140736331941632]   Target Hostname="adfs.sbm.com.sa"

 

Can anybody help out?

 

Do you need any other logs or configurations to check?
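A small triage helper for ICM SSL traces like the one above, added here as an example and not part of the original post. It pulls the PSE file, handshake state, peer and SAPCRYPTO error out of the trace lines and reports at which handshake stage the connection broke; the sample lines are copied from the trace above, and the classification rule (a connection lost while still waiting for the server hello means no certificate had been exchanged yet, so the PSE trust list had not been consulted at that point) is my reading of the OpenSSL state names, not something the post states.

```python
import re

# Sample input: a subset of the ICM trace lines quoted in the post above.
SAMPLE_ICM_TRACE = """\
Thr 140736331941632] *** ERROR during SecuSSL_SessionStart() from SSL_connnect()==SSL_ERROR_CONNECTION_LOST
Thr 140736331941632]    session uses PSE file "/usr/sap/UI5/DVEBMGS00/sec/SAPSSLC.pse"
Thr 140736331941632]   SSL_get_state()==0x2120 "SSLv3 read server hello A"
Thr 140736331941632]   SSL NI-hdl 193: local=10.2.32.85:52039  peer=10.2.32.43:443
Thr 140736331941632] *** ERROR => SSL handshake with adfs.sbm.com.sa:443 failed: SSSLERR_SSL_CONNECT (-57)
"""

# One regex per fact worth extracting; "SSL_conn+ect" tolerates the misspelt
# SSL_connnect() that appears in the real trace.
PATTERNS = {
    "openssl_error": re.compile(r"SSL_conn+ect\(\)==(SSL_ERROR_\w+)"),
    "pse": re.compile(r'PSE file "([^"]+)"'),
    "state": re.compile(r'SSL_get_state\(\)==0x[0-9a-fA-F]+ "([^"]+)"'),
    "peer": re.compile(r"peer=(\d+\.\d+\.\d+\.\d+:\d+)"),
    "target": re.compile(r"SSL handshake with (\S+) failed: (\w+) \((-?\d+)\)"),
}


def parse_icm_ssl_failure(trace):
    """Collect the first match of each pattern from an ICM trace excerpt."""
    info = {}
    for line in trace.splitlines():
        for key, pat in PATTERNS.items():
            m = pat.search(line)
            if m is None or key in info:
                continue
            if key == "target":
                info["target"], info["sapcrypto_error"], info["rc"] = m.group(1), m.group(2), int(m.group(3))
            else:
                info[key] = m.group(1)
    return info


def classify_handshake_failure(info):
    """Say at which stage the TLS handshake broke, based on the OpenSSL state string."""
    state = info.get("state", "")
    err = info.get("openssl_error", "")
    if err == "SSL_ERROR_CONNECTION_LOST" and "read server hello" in state:
        return ("peer closed the connection before ServerHello: no certificate was "
                "exchanged yet, so the PSE trust list had not been consulted at this stage")
    if "certificate" in state.lower():
        return "handshake failed while processing the peer certificate: check the PSE trust list"
    return f"handshake failed in state '{state}' with {err or 'unknown error'}"
```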

SSO configuration from BOE to HANA


Looking to set up SSO from BOE to HANA using SAML and coming up short on what is hopefully just some missing configuration. If anyone has experience getting this running, I'd be grateful for feedback or links to more comprehensive documentation.

 

We are running BOE 4.1 SP5 and HANA rev 92 (on a multiple node installation). The plan is to 1) enable SSL logins on HANA, 2) set up BOE as the IdP, 3) create the SAML provider in HANA and establish trust between the two systems.

 

  1. HANA is accepting OpenSSL connections thanks to this very helpful document. Confirmed via HANA Studio login.
  2. On the BOE side, an IdP Base64 certificate was generated in the CMC via the HANA Authentication dialog.
  3. The IdP cert was appended to the trust.pem file (on the master node) as per this blog post. The SAML provider has been created in HANA with the Subject/Issuer set to match the BOE cert. We also used sapgenpse to add the cert to saplogon.pse and sapsrv.pse in $SECUDIR (again on the master node).

 

Everything has been restarted after the last configuration change.

 

A test user has been set up in HANA with the SAML provider enabled, user name matching a BOE enterprise account. When testing from the CMC, we see the following error message: Connection Failed: The test of the HANA SSO ticket used to log onto the HANA DB has failed due to: [10]: invalid username or password. (FWM 02133)

 

The HANA tracelog, set to debug, shows some errors in SAMLAuthenticator (ERROR in libxmlsec) before it culminates in this block:

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.882796 i Authentication   SAMLAuthenticator.cpp(00400) : Unable to verify XML signature

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.882934 d Authentication   ManagerAcceptor.cpp(00273) : Injecting logon name into method:

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.882986 d Authentication   SAPLogonManager.cpp(00360) : Store chosen for assertion ticket validation: saplogon.pse

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.883114 w Authentication   SAPLogonManager.cpp(00504) : The base64 decode of the received ticket failed. SSO_RC return value: 1281

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.883121 d Authentication   SAPLogonManager.cpp(00513) : Use SSO Validation PSE >>>saplogon.pse<<<

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.883123 d Authentication   SAPLogonManager.cpp(00514) : Received Base64 Ticket >>>SAML 2.0 assertion ticket...<<<

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.883167 i Authentication   MethodSAPLogon.cpp(00275) : unsuccessful login attempt with SAPLogon/SAPAssertion ticket!

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.883181 d Authentication   ManagerAcceptor.cpp(00273) : Injecting logon name into method:

[22277]{-1}[63/-1] 2015-02-02 20:10:23.884313 d Authentication   Connection.cc(03617) : [PRE AUTHENTICATION] logon name:

[22277]{-1}[63/-1] 2015-02-02 20:10:23.884359 d Authentication   Connection.cc(03684) : [POST AUTHENTICATION] logon name:

 

It looks like the ticket is received but not being parsed. It's not clear to me if this is related to the certificate or some other configuration element, or exactly what the missing piece is.

A221021F Server refuses certificate based key exchange.


Dear All,

 

We have implemented SSO; almost every user connects without problem. Only 3 users are getting the error below when logging in.

1.png 2.png

 

Can you please let me know what the problem would be and how to solve the issue?

 

Regards,

Phani

LDAP migration to Active Directory Services


Hi,

 

Can someone help me with the steps and SAP notes required for the migration of LDAP to Active Directory Services?

 

 

Regards

Vishal Chaturvedi


Is there a way to suppress the identity provider prompt?


We are implementing SAML2 in our SAP Portal. We are getting a prompt to "Choose one of the available identity providers." Is there a configuration around this to go directly to the IdP login page? We would be implementing this in NW 7.31.

 

This is the page I want to skip.

 

SAP NetWeaver Portal idp prompt.jpg

SAML AS JAVA user mapping. Can table VUSREXTID on AS ABAP be leveraged?

AD Integration with sap abap R/3 system


Hi All,

 

We are planning to set up AD integration with our present SAP system, where the AD user names are maintained differently and the SAP user IDs are different. We don't have any Java systems in our landscape. Our requirement is simple: user ID and password authentication should be through AD.

However, I was not able to find any specific implementation guide; it would be great if anyone could share the best possible solution with steps for the approach.

 

I have already gone through many posts but couldn't find anything suitable for our scenario.

 

Please help.

 

Thanks and Regards

JADS.

SSO between SAP Portal and SuccessFactors


Hi Experts,

 

I am trying to establish SSO between SAP Portal 7.4 and SuccessFactors cloud instance.

I followed Sections 1 and 2 in the document below to do the necessary configuration.

 

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/006381ca-cda8-2f10-a2b1-cd351eb04dad?overridelayout=t…

 

As per the document, by the end of section 2 the SSO should be established. However, I am getting the error below.

 

SSO1.png

Please let me know if there is any other configuration that needs to be done to establish SSO.

 

Regards,

Pavan

SSO with Kerberos for sicf services


Dear All,

 

We are trying to set up SSO (Kerberos / SPNego) for our Fiori Development system. Referring to the URL http://scn.sap.com/docs/DOC-50394 and the Secure Login Implementation Guide, I was able to set up SSO for SAP GUI successfully, but when I access the Fiori Launchpad (and any other HTML GUI, aka WebGUI, service), the system still prompts me for a user name and password.

 

I also looked at the SPNego ABAP Troubleshooting note (Note 1732610 - point 3.2.12) but it seems irrelevant to our case as our ABAP system release is NW 7.4 SR1. Further, if I check the alternative logon procedure for the ushell service, I can select "SPNego Authentication" in the list but it does not work.

 

Can anyone please advise if there are any additional steps that have to be performed for SICF services to enable SSO?

 

Thanks a lot.

 

Kind regards,

 

Amer.

A2200220: Peer Certificate expired


Hello All,

 

The end user is getting the error mentioned above. Does anybody know the exact problem? Which certificate expired here? I have checked every certificate; none is expired.

 

Kind Regards

MAD

SAP SSO user's password changes


Hello all,

 

We are using SAP SSO with Kerberos. When we change a user's password, their account stops working. We are not able to access SAP R3 after that. What is the procedure for changing a password?

 

Regards,


SAP SSO license


Hello all,

 

As an SAP Partner, I can download SAP SSO. Using an S-User from the customer, we do not see it under the software available for download. Does it require a separate license?

 

Regards,

Secure Login Client 2.0, SP3, several certificates to select



Dear Colleagues,

 

We have configured Secure Login Client to allow SSO to our ABAP systems. The configuration is working, but the first time the user logs in to an ABAP system he needs to select a certificate in the Secure Login Client. Besides the Kerberos token we have a Microsoft certificate. As soon as you select the right entry (Kerberos), SSO works. As we are rolling the SAP GUI out to thousands of users, I would like to prevent this pop-up. Any idea if this is possible?

Regards,

Alexander

Secure Login Client and Java


Hi All,

 

We have a project to implement NW SSO for NWBC for HTML; Citrix XenApp will be used as the desktop environment. The requirement is that no Java is allowed to be installed in the web browser.

 

According to the PAM, Secure Login Client does not support Microsoft Application Virtualization (App-V), so how can we deploy the Secure Login Client to a Citrix environment?

 

If we want to use Secure Login Web Client instead of Secure Login Client, does Secure Login Web Client require Java to be installed in users' web browsers? The latest Secure Login implementation guide (SSO 2.0) does not mention anything about a Java runtime. However, as far as I understand, Secure Login Web Client is a feature of Secure Login Server, and Secure Login Server is a pure Java application, so I suspect that Secure Login Web Client also requires a Java runtime to run. Is that true?

 

Best regards,

Duy

SSO with SAML and AD Domain


Hi All,

 

I have the following questions regarding NW SSO with SAML and an Active Directory Domain:

  1. In the installation guide, I found that we need to perform an SAP Application Server domain installation if we want to use Single Sign-On. As far as I understand, this requirement is true if we use a Kerberos-based solution. But what if SAML is used: is the SAP Application Server required to be in a Windows domain?
  2. In case the SAP Application Server has to be in a domain, and the client computers are in a different domain from the SAP server, do we have to establish trust between the two domains when SAML is used? I found that with SAML we can provide a cross-domain SSO solution, but it's not very clear to me how to enable this scenario.
  3. I am looking for the configuration guide for SSO based on SAML with NW IDM Federation (the component of SAP SSO 2.0), especially about User Credentials Verification with Microsoft Active Directory. I think we need to do some configuration steps so that the Identity Provider on AS Java can contact Active Directory to get user credentials; could you please provide some hints about this?

 

Best regards,

Duy

Single Sign-On from CRM ABAP UI to access SAP Portal system


Hi Experts,

 

We have configured a BI report in our CRM UI, and this BI report uses a BEx Query; to run that BEx query the BW system in turn automatically calls the portal system to provide the output.

 

Now, we log on to the CRM UI by providing the user name and password, and when we try to view the above BI report it again requests Portal authentication. So our requirement is: how can we avoid this second authentication to the portal?

 

CRM_UI_1.jpg

We have already done the normal SSO configuration by exchanging the certificates between CRM ABAP and Java PORTAL systems.

Could you please suggest whether any further configuration needs to be done so that the portal system accepts logon tickets from ABAP?

 

Regards,

Srikanth
