Hello,

I do have a basic question about selecting the "best" strategy for implementing Single Sign On at least for our SAP systems (ABAP & JAVA) or at least to understand the difference, benefits and limitations.

I have gone thru a lot of documents and also the short videos here in the community about "SAP (Netweaver) Single Sign On 2.0" and do like this approach.

Our SAP Account Executive - who also recommended this forum to get useful information - told me that "SAP Single Sign On 2.0" would require additional licenses while the classic/included SSO does not.

I know from other customers that SSO with SPNEGO works "out of the box" for JAVA systems without additional licenses.

I'm just wondering where the difference or limitations are and which part causes the additional licenses.

Requirements from our side is that this SSO solution should cover ABAP and JAVA systems (no 3rd party systems required, just optional) and must work with GUI and web.

Thanks, for your help,

Michael

Hi,

I already have CUA configured to synchronize users with my LDAP Server. I'd to use authenticate SAP users at my LDAP Server. I saw the note 793191 - FAQ: User master synchronization with LDAP directories informing that is not possible to synchronize userPassword attribute. Is there a way to achieve LDAP Authentication? With Enterprise SSO is it possible?

Thank you.

Hi All,

We are planning to implement Kerberos authentication using our Window AD. I have below queries regarding the same.

1. Our ERP is ECC 5.0 with SAP_BASIS 640 patch 31, will this support Kerberos authentication.

2. If supports, we have different user id's in Windows AD and ECC for the same user. Will this supports. (For example in Windows AD we      have SSOTEST, same user has TESTSSO in ERP)

3. Is Kerberos authentication required separate license.

If possible provide links for the same.

Regards,

Sree

Dear Colleagues,

We are using Secure Login Kerberos Token for our SSO in the SAP GUI. SAP GUI Version is 7.30 Patch 5 and Secure Login is Version 2, Support Package 3, Patch level 2.

In rare cases endusers are not able to login via SSO. When we check the PC and open SAP Secure Login Client we detect that there is no Kerberos Token to select. At the moment our solution is to reinstall the whole SAP Secure Login Client with the SAP GUI for the user.

We are not sure why a kerberos token would suddently not be available in the sap secure login client. Any idea in which area to look?

Regards,

Alexander

Hi All,

We have implemented the SAP Netweaver Single Sign-On 2.0 in our SAP HR system, configured the SPNEGO and SNC parameters, created a user in the AD etc. and the configuration is working fine.

We are able to logon into ABAP side through SSO (With Secure login client installed on the PC).

We are using SAP HR renewal in our SAP HR system so a high number of users access to the system through the SAP Netweaver Business client and not through SAP GUI.

We know that we can logon into the abap side with a different user that logged on the domain with secure login client so a new token is generated and the "new user" can be log on into SAP with SSO.

The question is, is there any way in order to do the same behaviour with SAP Netweaver Business client?

The http SSO with NBWC is done with the service principal names created in the AD:

HTTP/hostname.xxx.ddd

So we are not able to logon into the system (with NWBC) with a different user than logged in the domain and we would like to do that to resolve the incidents in the users PCs.

How can we do that?

Many thanks and best regards,

Hi All,

I am having EHP1 for NW 7.3 installed on windows 2008 R2 and I am trying to do SSO with ADS.

I am following the steps as below :

1. Created administrator user user1 and disabled "Use Kerberos DES encryption type for this Account" and checked "Password never expire option"
2. setspn -a HTTP/javahost.mydomain.com user1
3. Logged into javahost:port/nwa

1. Generated Keytab file in Domain server:

ktab -a user1@MYDOMAIN.COM -k keytab

1. Imported the keytab into the JAVA system :

http://javahost:port/spnegoKerberos Realm--> edit --> Keys--> Update Keys -> uploading keytab file --> browse --> selected file and IMPORT --> Save.

1. Activate the REALM.
2. Adjusted the authentication stack:

EvaluateTicketLoginModule SUFFICIENTSPNegoLoginModule              OPTIONALCreateTicketLoginModule SUFFICIENTBasicPasswordLoginModule REQUIREDCreateTicketLoginModule REQUIRED-->Save.

1. Did the necessary settings in the browser.When tried to open the URL http://<server>:<port>/XMII/Menu.jsp

I get a Windows security and "Upload Protected Area" message to enter credentials as shown in pictures.

I am able to Login through LDAP User credentials.

It skips SAP login page and but it shows the windows security prompts.How to skip SAP Login page as well as Windows Security Prompts??

Please Help out to resolve this Issue.

Thanks in advance!!!

I came across (again!) with the requirement to enable SSO on links contained in emails that are generated by the Extended Notifications for Business Workflow.

e.g. for Timesheet Approval the WDA link contained in the email be something like

https://<erp-host>/sap/bc/webdynpro/sap/HRMSS_A_CATS_APPROVAL?<params>&<etc.>

The generated links/URLs point directly to WDAs in the backend ERP system, and by clicking on the link(s) the WDA page prompts for logon.

I can see this as a big inconvenience to end-users especially if SSO (e.g. kerberos) is already enabled in the SAP Portal.

I have seen the need for SSO for such links in emails (e.g. in Outloook) over and over, and searching SDN yields no simple solution.

(Worth mentioning the work-around which isn't guaranteed to work all the time, that is for the end-user to open an existing IE window which is already logged on to the Portal; and by clicking on the WDA link in Outlook, the link will open in the same IE session and thereby inheriting the SSO cookie, then opening the WDA without prompting for logon. This method doesnt work all the time and end-users just wont remember and understand)

A couple of solutions to this problem that already suggested by SDN members are the following

- Single-sigon to BSP pages Single Sign On to BSP pages

- Using X509 certificates

Another solution which I authored in my previous customers is to

- create a Portal web application which has Kerberos SSO set; containing a target JSP/HTML page that will redirect to the original URL. The original URL is passed as a parameter

e.g.

https://<portal>/<sso-web-app>/redirect.html?target=https://<erp-host>/sap/bc/webdynpro/sap/HRMSS_A_CATS_APPROVAL?<params>&<etc.>

The redirect.html will authenticate against the Portal using Kerberos SSO if the user didnt have the MYSAPSSO2 cookie yet, once authenticated the browser will then be redirected to the the target ABAP web page

Applying this solution to the original requirement of Extended Notifications require a bit of ABAP coding to generate the URL in the mentioned URL format

i.e. email link will contain

https://<portal>/<sso-web-app>/redirect.html?target=<url to WDA or BSP>

What if there is an easier way? With no changes or nor custom code to the Extended Notifications (SWN_SELSEN)?

Here is my simple and if you agree, elegant solution.

1. Create and deploy a web application with active Kerberos SSO. Details of this application I will write in a separate blog.

The target HTML page in this application will contain a Javascript that does the reassembly and redirection to the WDA/BSP URL, something like:

<script>

var wdaurl = "https://<erp-fqdn>" + location.pathname + location.search;

window.location = wdaurl;

</script>

Note: You can also use KM page to host the HTML file instead of creating and deploying a custom web application. I will share the details of activating the SSO on KM, as by default KM documents have "basic authentication" as the default authentication method.

2. This is where the magic comes in. I've grown to appreciate the role of Web Dispatcher as I wrote in this blog

Are you loving your SAP Web Dispatcher enough?

My solution still utilises the Web Dispatcher but I don't see why the following steps cannot be implemented on any ICM (e.g. the ICM of the Portal)

In your SAP Portal Web Dispatcher, you activate the HTTP modifications (URL rewriting) parameter. The mod file will contain the following rule

RegIRewriteUrl ^/sap(.*) /<sso-web-app>/redirect.html

Note, this has to be the Web Dispatcher fronting your Portal so that traffic will to go to your Portal first and by having the above URL rewrite rule, any URL with path starting with /sap* (for any WDA and BSP) by default will pass by the SSO Web App:

/<sso-web-app>/redirect.html

If the session isn't authenticated yet, the browser will SSO via Kerberos; once authenticated the page will then be redirected to the target WDA/BSP page by the Javascript.

Now that we have the SSO and redirection mechanism in place, what then do we do with the Extended Notification?

Well not much apart from setting the WD_HOST parameter to point to your Portal.

To explain why, lets go back to our original URL. The original email link will be like:

https://<erp-fqdn>/sap/bc/webdynpro/sap/HRMSS_A_CATS_APPROVAL?<params>&<etc.>

Setting that parameter will generate something like

https://<portal-fqdn>/sap/bc/webdynpro/sap/HRMSS_A_CATS_APPROVAL?<params>&<etc.>

Because of the Web Dispatcher URL rewriting rule (i.e. any path which starts with /sap* will open the /<sso-web-app>/redirect.html). The Kerberos SSO happens, and then the URL will then redirected back to the actual ERP WDA by the Javascript. The original URL which is

https://<erp-fqdn>/sap/bc/webdynpro/sap/HRMSS_A_CATS_APPROVAL?<params>&<etc.>

This time, the browser already has the MYSAPSSO2 cookie and thus will no longer be prompted for logon

Author:   Bruce Mitchell, SAP Basis, Atos UK&I, http://uk.linkedin.com/in/brucemitchell/

Summary:     How to provide Single Sign-On from Core SAP HCM to SuccessFactors, without an SAP NetWeaver Portal

Atos are an SAP partner and global Value Added Reseller of SAP solutions, committed to supporting businesses in their drive for innovation and agility.

Atos are a SuccessFactors Consulting Partner.

http://atos.net/en-us/

Background

SAP offer customers cloud based HCM solutions following their acquisition of SuccessFactors. At the same time they are committed to investment in Core SAP HCM solutions (on-premise). This is clear from recent innovations such as the Corbu user interface, HR Renewal and HCM Processes & Forms. In addition, ESS and MSS services are now delivered for Web Dynpro Abap and are Portal agnostic ^[1].

Customers looking to deploy new HCM services will likely consider a hybrid on-premise Core SAP HCM system with a flexible cloud-based SuccessFactors deployment. This is where Single Sign-On capability from Core SAP HCM to SuccessFactors can be valuable.

The Problem

SAP and SuccessFactors describe an SAP NetWeaver Portal as the standard method for Single-Sign-On from SAP HCM to SuccessFactors. Crucially the customer may not choose to have a NetWeaver Portal in their landscape. This is where a gap exists between existing published documentation on integration from SAP HCM to SuccessFactors.

The Solution

An SAP NetWeaver AS Java system with SAP’s IDMFEDERATION component can act as a SAML 2.0 Identity Provider.  A user redirected to this Identity Provider will be provided with a SAML 2.0 assertion to access the SuccessFactors system without prompting for a username/password. Wherein Single Sign-On to SuccessFactors can be achieved with a plain NW AS Java installation, rather than a full NW Portal.

Figure 1: Customer landscape delivering SSO from HCM to SuccessFactors

SAP NetWeaver Identity Management - IDMFEDERATION

Deploy the IDMFEDERATION component to your SAP NetWeaver AS Java to activate SAML 2.0 Identity Provider functionality ^[2].

You can deploy this software on a NW AS Java release 7.2 SPS 2 with SAP Note 1471322 applied, or AS Java release 7.2 SPS 3 or later.

You can use the identity provider for Single Sign-On with SAP or non-SAP service providers. As an identity provider, the AS Java can provide cross-domain Single Sign-On (SSO).

Documentation to support configuration of NW AS Java and SuccessFactors [performed in SuccessFactors Provisioning system] is available. See details provided below.

Single Sign-On from SAP HCM to SAP NW AS Java (Logon Tickets)

Establish a trust relationship between SAP HCM and the Identity Provider (SAP NW AS Java). AS Java will then accept SAP Logon Ticket’s from SAP HCM and will enable Single-Sign-On.

Further Information and Documentation

SuccessFactors

Your SuccessFactors implementation team can provide you with information on supported technologies and protocols. SAML 2.0 is supported for Single Sign-On as it is an internet standard protocol.

SuccessFactors and Single Sign-On

Dimitar’s very useful document on configuring Single Sign-On from an on-premise SAP NW Portal to SuccessFactors, with lots of detail and screenshots:

http://scn.sap.com/docs/DOC-29737

SAP cookbook on Single Sign-On from an on-premise SAP NW Portal to SuccessFactors:

http://www.service.sap.com/~form/sapnet?_HIER_KEY=701100035871000575187

Since existing documentation focusses on using an SAP NW Portal for SSO to SuccessFactors, the guides describe creating a URL iView link for SuccessFactors. In cases without a Portal an equivalent alternative link should be created using customer’s preferred development methods, such as Web Dynpro Abap or a HTML link.

SAP NW IDM

Implementation Guide found at the following location has more detailed information on configuring a SAML 2.0 Identity Provider:

http://help.sap.com/saphelp_nwidmic_72/helpdata/en/64/38385003ce4f2d88602fbf0de78f2f/frameset.htm.

Notes

There are likely to be further innovations in this fast moving area in the months to come. At time of writing for example, SAP Logon tickets are NOT accepted by SuccessFactors.

[1] SAP Note 1588625

[2] IDMFEDERATION is also available as part of the SAP NetWeaver SSO solution, which requires an SAP license. However if SAP NW Identity Management is used only in combination with SAP Applications then it is included in the SAP [Business Suite] Runtime License.

Dear Members,

Need valuable comments and solutions with regards to my question below.

My requirement is to configure Single sign on for ABAP application server. I have 2 requirements

1.) This is my SRM server (EHP2 FOR SAP SRM 7.0) where in ABAP SNC configured based on below document 2 video

http://scn.sap.com/docs/DOC-40178

--> Successfully configured and single sign on working based on AD user id and password.

2.) secondly I want to configure a solution for /sap/bc/nwbc/srm based on 8001 or 8000 ports. Let me make one thing clear this is only ABAP based server.

Always I am getting a pop-up for user id and password. But the problem is now the authentication is done from AD not from the ABAP user master record.

How can I achieve this? I tried the 2 video step by step but still I am facing issue, I traced from SPNEGO transaction and found the below:

SPNegoValidateToken: Error when parsing received SPNego token via sec_kerberos_spnego_ParseToken with error return code:

I am not clear what is missed by me and what yet had to be implemented.

Basically how can I achieve single sign on for 8000 ports on ABAP system.

Appreciate quick response.

Thanks & Regards,

Mohammed Imran

Dear Experts,

I am looking for a way to access the userid from a SAP Logon Ticket in a Java web application deployed on Netweaver AS Java server.  How can I extract the userid from the SAP Logon Ticket cookie using Java or Javascript?

Thanks,

Hello All,

i am facing issue during login from gui after installing SSO 1.0. please find below error.

Hi All,

I am configuring the SSO 2.0 for NWBC with SPNego. The back-end system is SAP ECC 6.0 EHP7, NetWeaver 7.40, Kernel 741.

After the configuration, SPNego authentication failed, resulting in a logon prompt. Therefore, I tried to troubleshoot SPNego using the instruction the note  1732610 - SPNego ABAP: Troubleshooting Note

Following is the screenshot of the HTTP analyzer that I used:

As can be seen from the screenshot, I think the only missing part is the creation of HTTP Security session between the browser and AS_ABAP. It seems that:

• AS_ABAP did return 401 return code
• The browser did transferred the SPNego token in the "Authorization" header, the token is long so it should not be NTLM format

How can I continue the troubleshoot the issue? At least I know that HTTP Session Management for the client I used has been activated.

At the server side, the configuration is fine when I check the work process trace. Then I tried use the report "SEC_TRACE_ANALYZER" to analyze SPNego runtime. However, I cannot access the SPNego Tracing in SPNEGO transaction. So how can we activate the function?

I then tried to execute the report "SEC_TRACE_ANALYZER" but I don't know exactly how to use it. After having clicked on Activate User Trace, I navigate to the URL of NWBC using a web browser, then executed the report, but nothing shows (both keeping SAPSYS as the user and change to my own user shows no output)

I really don't know how to continue the troubleshooting. Would you please provide some feedback to troubleshoot this issue?

Best regards,

Duy

Hi All,

We have 3 different SAP servers, with sids: ECD, BWD, HRD.

for each user, a user with the same username is created in all three systems.

the user does not want to maintain 3 different passwords, instead only single password to be used in all systems. i.e. when he changes the password in system ECD, the changed password should work in other systems BWD and HRD as well.

if we were using SAP EP, we checked the possiblity of username based SSO and having portal login using only on system ECD.

but we are not using the portal, and all the users will access 3 sap systems using SAPGUI.

is there any way, where one system's password will work to login to other systems.

thanks in advance,

Madhu_1980

Hi All,

We are implementing SSL for AS ABAP with the certificate signed by Secure Login Server 2.0. After the root CA certificate is exported from the secure login server and distributed to clients using Microsoft Group Policies, the certificate cannot be accessed with Firefox, resulting in the warning about the "invalid security certificate" (The certificate is not trusted because the issuer certificate is unknown). IE and Chrome can access the certificate in certificate store so there is no warning shows.

According to the requirement:

• The manual installation of the root CA certificate in Firefox certificate store on each individual clients is not possible
• No add-on should be installed in the browser, including Firefox Secure Login Security Module Plug-in (downloaded from Secure Login Server)

What are other available options to import the root CA certificate to Firefox browser on many workstations on the same domain?

I would be very grateful for any contribution regarding this issue.

Best regards,

Duy

Hello,

I am currently configuring SAP SSO for ABAP in a Windows environment. (2012)

I downloaded all the latest files.

Created user SLLServiceSAP on the AD server

.

I set my profile parameters:

### SSO

snc/enable = 1

snc/gssapi_lib = C:\usr\sap\DEV\SLL\secgss.dll

snc/identity/as = p:CN=SLLServiceSAP@bowieresources.com

snc/data_protection/max = 3

snc/data_protection/min = 2

snc/data_protection/use = 3

snc/r3int_rfc_secure = 0

snc/r3int_rfc_qop = 8

snc/accept_insecure_cpic = 1

snc/accept_insecure_gui = 1

snc/accept_insecure_rfc = 1

snc/permit_insecure_start = 1

snc/force_login_screen = 0

snc/accept_insecure_r3int_rfc = 1

snc/extid_login_diag = 1

snc/extid_login_rfc = 1

I set my environment variables:

SECUDIR C:\usr\sap\DEV\DVEBMGS00\sec

SNC_LIB C:\usr\sap\DEV\SLL\secgss.dll

I installed the Secure Library on my SAP server, Ran all setup/config commands successfully with no errors.

/sec contains:

I ran the Secure Client install on my workstation:

My SAPLogon 'Network' Tab reads: p:CN=SLLServiceSAP@bowieresources.com

My 'SNC' Tab reads:

When I execute a logon, I receive:

Any insight/help would be much appreciated.

Thanks,

Diana

Hello,

I have the requirement no to use single sign on for some systems with sensitive data, but  would like to check during sap logon procedure the  from our central active directory password.

is there any best practice configuration or SAP / AD Win Addon solution available to connect SAP NW abap 7.40 at Win2012 sever with our active directory. Nearly all win based applications can handle a PW check from application to AD. Is there any SAP or Partner implementation helpful to expand the SAP client internal User-PW check?

Thanks in advanced for alternatives to the standard client SSO or any idea in the direction using active directory password within sap-logon.

Please give me a short feedback if you need more details.

regards,

Bernhard Mair

Goethe-Institut München

Hi gurus,

I think I have followed all the steps to enable single sign for sapgui using the Secure Login Client, Secure Login Library, and spnego for ABAP.  When I try to login with sso, I see this message (also see picture attached):

GSS-API(maj): No credentials were supplied  Unable to establish security context target="p:CN=KerberosSID"

I took a secure login client trace and it looks like this:

----------------------------------------------------------------------------

Trace file   : "C:\Documents and Settings\JOESMITH\My Documents\Downloads\SECURE_LOGIN_CLIENT_20\sec-02596.trc"

Trace level  : 2

Process id   : 2596

----------------------------------------------------------------------------

[YYYY.MM.DD HH:MM:SS.MIL][LEVEL][PROCESS             ][MODULE      ][THR_ID]

[2014.02.05 11:39:03.033][ERROR][sbus.exe            ][LOADER      ][  4612] ERROR(0xA0800200) in DLL->get_DLL_WINSCARD(): Cannot load DLL

[2014.02.05 11:39:03.033][ERROR][sbus.exe            ][LOADER      ][  4612] ERROR(0xA0800200) in DLL->sec_get_API_locked(): Cannot load DLL

[2014.02.05 11:40:14.518][WARN ][sbus.exe            ][Kerberos    ][  6320] Getting kerberos ticket for 'SAP/KerberosSID@MYDOMAIN.COM' with algorithm 23 returned error

[2014.02.05 11:40:14.518][WARN ][sbus.exe            ][Kerberos    ][  6320]     0/C000018B The security database on the server does not have a computer account for this workstation trust relationship.

[2014.02.05 11:40:14.518][WARN ][sbus.exe            ][Kerberos    ][  6320] Getting kerberos ticket for 'SAP/KerberosSID@MYDOMAIN.COM' with algorithm  3 returned error

[2014.02.05 11:40:14.518][WARN ][sbus.exe            ][Kerberos    ][  6320]     0/C000018B The security database on the server does not have a computer account for this workstation trust relationship.

[2014.02.05 11:40:14.518][WARN ][sbus.exe            ][Kerberos    ][  6320] Getting kerberos ticket for 'SAP/KerberosSID@MYDOMAIN.COM' failed (user name is joe.smith@mydomain.com)

[2014.02.05 11:40:14.534][ERROR][sbus.exe            ][Kerberos    ][  6320] ERROR(0xA2600202) in KERBEROS->sec_kerberos_clientGetTicket(): No Kerberos ticket for the requested service

[2014.02.05 11:41:44.166][WARN ][sbus.exe            ][Kerberos    ][  7728] Getting kerberos ticket for 'SAP/KerberosSID@MYDOMAIN.COM' with algorithm 23 returned error

[2014.02.05 11:41:44.166][WARN ][sbus.exe            ][Kerberos    ][  7728]     0/C000018B The security database on the server does not have a computer account for this workstation trust relationship.

[2014.02.05 11:41:44.166][WARN ][sbus.exe            ][Kerberos    ][  7728] Getting kerberos ticket for 'SAP/KerberosSID@MYDOMAIN.COM' with algorithm  3 returned error

[2014.02.05 11:41:44.166][WARN ][sbus.exe            ][Kerberos    ][  7728]     0/C000018B The security database on the server does not have a computer account for this workstation trust relationship.

[2014.02.05 11:41:44.166][WARN ][sbus.exe            ][Kerberos    ][  7728] Getting kerberos ticket for 'SAP/KerberosSID@MYDOMAIN.COM' failed (user name is joe.smith@mydomain.com)

[2014.02.05 11:41:44.166][ERROR][sbus.exe            ][Kerberos    ][  7728] ERROR(0xA2600202) in KERBEROS->sec_kerberos_clientGetTicket(): No Kerberos ticket for the requested service

Any ideas are appreciated!

Warm Regards, CM

Hello All

Using   this   URL  for  configuration  time                              

http://scn.sap.com/community/sso/blog/2012/08/17/how-to-configure-sap-netweaver-single-sign-on-for-sap-gui-for-windows-with-kerberos-integration

Implementing  SAP  ERP 6 SR3 ABAP Stack  with  SSO 1.0

SNC Configuration   done successfully   here it is attach  screen  shots

While using   SAP  GUI 7.30    with SNC   it shows  error

Thanks

Tejas Gandhi

Hi experts,

I'm starting to work with SAP JAM and I'm looking for a way to gain acces directly to JAM from a company web page through a log in module.  I need to give the access data on this web site and enter to my JAM account, how can I do this with SSO?

What  components I need to use? What resources I need to install and where?

Hope you can help me with this

Thanks,

Jose

Dear Experts,

We have configured SAP NW SSO with Using Kerberos Authentication.

• LDAP server is connected
• Active directory users got imported to SAP NW
• Users are able to access SAP MII

Everything went fine, left with an issue

The requirement is on loading the SAP MII URL: http://<hostname>:<port>/XMII/Menu.jsp in Internet Explorer, It should auto-authenticate and display SAP MII Menu page directly.

But it gives a windows security logon prompt as shown below:

When I enter the User (LDAP) credentials it logs in successfully.

Log Viewer diagnosis:

On loading the http://<hostname>:<port>/XMII/Menu.jsp in Internet Explorer, I see the logs as given below:

When I enter the User (LDAP) credentials it logs in successfully and the logs are as shown below:

The same set of logs occur for the Authentication stack:sap.com/tc~wd~dispwda*webdynpro_dispatcher

Just an additional info,When we run nslookup command as in the note: 1313880    SPNego with DNS aliases,we get the below output:

Any help would be appreciated with points