
SAML 2.0 - Double Authentication with AS ABAP as service provider


Hi All -

 

We are experiencing an issue which someone may have had.

 

We are logging on to the AS ABAP system with SAML 2.0, and the nameID is the personnel number, which is in turn our user master ID.

 

To be clear:

 

User ID in SAP = PERNR

Personnel Nr    = PERNR

Infotype 0105/0001 = PERNR

 

The Identity Provider system reaches out to Active Directory and gets the personnel number for the logged-on user; this is in turn what is presented back to the SAP ECC system. As you can see, we have our user IDs created the same as the PERNR, so infotype 0105/0001 is also set up to be the PERNR.

The problem we face is that sometimes the user's personnel number is incorrectly keyed into the Active Directory system. In this case the user is logged in to Self-Service with an incorrect user, and this is therefore a data breach. I would like to do some additional validation to address this issue.

I have set breakpoints in most of the SAML classes and tried a number of different options, but am running out of ideas. We have also thought about using the email address, but found that not all employees have an email, and so this option was not selected.

 

Any input here will be appreciated.


SSO via X.509/SAML for free possible?


I know SAP releases the SSO products, but is it possible to achieve SSO via X.509/SAML certificates for free? Or are the SSO products absolutely required for this?

 

Would really appreciate some insight, thanks!

 

Joe

Secure Login Client 2.0, SP3, several certificates to select



Dear Colleagues,

 

We have configured Secure Login Client to allow SSO to our ABAP systems. The configuration is working, but the first time the user logs in to an ABAP system he needs to select a certificate in the Secure Login Client. Besides the Kerberos token we have a Microsoft certificate. As soon as you select the right entry (Kerberos), SSO will work. As we are rolling SAP GUI out to thousands of users, I would like to prevent this pop-up. Any idea if this is possible?

Regards,

Alexander

Does Netweaver SSO work with Solution Manager CRM Service Desk


We have NetWeaver SSO up and running with CRM (ABAP stack) only, but we cannot seem to get it to work with Sol Man 7.1 SP 11 - CRM UI for Service Desk. Is it because Sol Man is dual stack, or some other issue?

SAML2 & SLO



Hello,

We recently changed our authentication procedure for our SAP NetWeaver to authenticate users thanks to SAML2 + SAP ID provider.

So far so good, and all is working fine.

The minor issue we're facing is with the logout option.

When the user clicks the [Log Off] button (top right corner of the WebUI), he logs out of the system.

The problem is that if the user re-opens the browser and tries to open the WebUI again, everything behaves as if the user never logged out.

I mean, unless the user clears his browser cache of all cookies, the IdP logon screen where he normally has to provide credentials is not displayed.

It behaves as if [Log Off] is not deleting the cookies that were created when he initially logged in.

Is our expectation wrong?

We would expect that [Log Off] would delete that cookie so the user would not be automatically re-authenticated but would be redirected to the IdP logon screen.

If our expectation is correct, then any idea why it's not behaving like this?

Please advise.

Thanks

Second factor authentication via mail


Hello,

I would like to know whether it is possible with NW SSO to send an automated mail with a randomly generated code as part of the two-factor authentication scheme.

 

thanks in advance and best regards

Michele

Single Sign-On to Sharepoint 2010


Dear all,

 

Searching the Internet, I couldn't find a basic tutorial on this topic.

I have a SAP Enterprise Portal 7.4 application that has to access a SharePoint 2010 document repository. Is there a tutorial on how I can manage this scenario?

I found tons of documentation regarding integration with SharePoint 2007 (Windows Server 2003 and IIS 6), but nothing updated for the following version.

This good post (Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x - Security and Identity Management - SCN Wiki) unfortunately doesn't cover my scenario, since it clearly says that it is applicable only from SharePoint 2010 to SAP EP.

 

Any help is really welcome.

 

Best regards,

 

Dario Zanelli

Featured Content in SAP Single Sign-On


Join the SAP Single Sign-On Customer Engagement Initiative

Interested in sharing your feedback on planned features for SAP Single Sign-On? Join our upcoming customer engagement initiative! We plan to collect customer feedback on existing product features and enhancements planned for the 2015 development cycles. These include risk-based authentication, mobile single sign-on, two-factor authentication, and others. Find out more and contact Regine Schimmer to register. April 13, 2015


Configuring SAML 2.0 Authentication for your Secure Login Server

Check out Donka Dimitrova's latest blog to learn how you can “exchange” a SAML assertion for an X.509 client certificate and implement end-to-end single sign-on also for non-SAML systems in a SAML enabled network. March 12, 2015


Reusing Kerberos Token for Issuing X.509 Client Certificates with Secure Login Server

In her latest blog, Donka Dimitrova explains how you can reuse Kerberos tokens for issuing X.509 client certificates with Secure Login Server and achieve end-to-end single sign-on across your corporate landscape. Her new step-by-step guide shows you in detail how to implement this scenario. March 5, 2015


Don't see option to create identity provider in SAML 2.0 Local Provider Configuration


Hey all,

 

I am trying to configure SSO with SAML 2.0 for Fiori apps, and have a NW JAVA instance where I have installed my federation service component.

But when I go to Authentication and Single Sign-On: SAML 2.0 --> (enable SAML 2.0 Support) Local Provider Configuration,

I don't see the option for Operation Modes, so I can't select the Identity Provider option. By default it's picking up the Service Provider option (see screen shot).

Can someone please suggest what component or config I am missing, so the Identity Provider option shows up? In the scenario I am planning I need to make this NW JAVA stack an Identity Provider and my Gateway system a Service Provider.

 

Please let me know if I can provide any other information.

 

Thanks

 

Ray

SSO 2.0 SP04 Assistance


Dear Guru,

 

We have been trying to configure Secure Login Client (SSO 2.0 SP04).

 

Upon installation of the Secure Login Client, we were able to acquire Kerberos Tokens, but none for SPNEGO (X.509 Certificates). We have been getting errors like "Supplied credentials not accepted by server".

 

Installation Reference: scn.sap.com/docs/DOC-40179

 

The issue was encountered during phase 3 of the reference. We followed the instructions to a tee, and got lost due to some SP differences. Although we did manage to extract the Root CA and Registry Entries.

Any thoughts or advice on where to check? Thank you.

 

Regards,

 

 

Tom

SNC Product Migration: Now is the time


Where we come from

 

Since we first released it in 2011, SAP Single Sign-On has become a very popular product (thanks to all of you for that). Many customers decided to increase the security of their SAP landscape and the efficiency and satisfaction of their end users by implementing it. Even customers who were already using a product for SAP GUI Secure Network Communication (SNC) decided to switch to the SNC support that comes with SAP Single Sign-On.

 

Back then however, switching an SNC product was a tricky thing. SNC requires matching libraries on the frontend and the backend, and different SNC products are not interoperable. This left customers with the big bang approach. All frontend and backend systems had to be updated at the same time to avoid broken connections.

 

What is new

 

In the current version of SAP GUI and many RFC clients we have now added a capability that will significantly simplify the SNC product migration. SAP GUI has been enabled to support two SNC products within the same SAP GUI installation. Customers configure this using newly introduced environment variables and by specifying the required SNC product for each SAP GUI connection.

 

How to migrate to SAP Single Sign-On SNC


  1. In the beginning, an old SNC product is still installed and the environment variables SNC_LIB, SNC_LIB_32 or SNC_LIB_64 point to it.
  2. You ensure up-to-date versions of SAP GUI and relevant RFC clients are rolled out to your frontend systems. See OSS note 2025528 for the list of recommended versions.
  3. You install the Secure Login Client component of SAP Single Sign-On on the clients and set the newly introduced environment variables SNC_LIB_2, SNC_LIB_32_2 or SNC_LIB_64_2 to the location of the Secure Login Library that comes with the Secure Login Client.
  4. You replace the old SNC product on a backend with SAP CommonCryptoLib and update the SNC name for the system on the clients to specify p/sapsso as the product name (e.g. p/sapsso:CN=ALX,O=SAP-AG,C=DE). If the connection is managed through a message server then this change can be done centrally without modifying the individual clients.
  5. Once all backend systems have been updated to use SAP Single Sign-On you may uninstall the old SNC product from the clients and update SNC_LIB, SNC_LIB_32 or SNC_LIB_64 to point to the Secure Login Library. Now the environment variables SNC_LIB_2, SNC_LIB_32_2 or SNC_LIB_64_2 can be removed as they were only needed for the migration.
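As an added example (not part of the original blog post or of SAP's own tooling), the following PowerShell script audits the SNC environment variables on a Windows SAP GUI frontend and reports which migration phase the PC is in, so that a rollout can be verified before the old product is removed. The variable names and the p/sapsso prefix are from the post; the SNC names passed in and the library paths are assumed placeholders.

```powershell
# Added example: audit the SNC environment variables described in the migration
# steps and flag inconsistencies. Assumes it is run on the SAP GUI frontend PC.
$oldVars = 'SNC_LIB', 'SNC_LIB_32', 'SNC_LIB_64'          # legacy SNC product
$newVars = 'SNC_LIB_2', 'SNC_LIB_32_2', 'SNC_LIB_64_2'    # Secure Login Library

function Get-SncVariable {
    param([string]$Name)
    # User scope shadows Machine scope in the process environment, so check it first.
    foreach ($scope in 'User', 'Machine') {
        $value = [Environment]::GetEnvironmentVariable($Name, $scope)
        if ($value) {
            return [pscustomobject]@{
                Name   = $Name
                Scope  = $scope
                Path   = $value
                Exists = Test-Path -LiteralPath $value -PathType Leaf
            }
        }
    }
    return $null
}

function Get-SncMigrationPhase {
    param([string[]]$SncNames = @())   # SNC names from the connection entries (assumed input)
    $old = @($oldVars | ForEach-Object { Get-SncVariable $_ } | Where-Object { $_ })
    $new = @($newVars | ForEach-Object { Get-SncVariable $_ } | Where-Object { $_ })

    # Any variable that points to a missing library file breaks SNC for that connection.
    foreach ($v in $old + $new) {
        if (-not $v.Exists) {
            Write-Warning ("{0} ({1}) points to a missing file: {2}" -f $v.Name, $v.Scope, $v.Path)
        }
    }

    # Connections that already use the p/sapsso product name are served by SNC_LIB_*_2.
    $ssoConnections = @($SncNames | Where-Object { $_ -like 'p/sapsso:*' }).Count
    if ($ssoConnections -gt 0 -and $new.Count -eq 0) {
        Write-Warning "$ssoConnections connection(s) use p/sapsso but no SNC_LIB_*_2 variable is set."
    }

    if ($old.Count -eq 0 -and $new.Count -eq 0) { return 'No SNC library configured' }
    if ($old.Count -gt 0 -and $new.Count -eq 0) { return 'Step 1: legacy SNC product only' }
    if ($old.Count -gt 0 -and $new.Count -gt 0) { return 'Steps 3-4: dual SNC products, migration in progress' }
    return 'Step 5 (or misconfigured): SNC_LIB_*_2 set without SNC_LIB_*'
}

# Example call with constructed SNC names; replace with the names from your connection entries.
Get-SncMigrationPhase -SncNames @('p/sapsso:CN=ALX,O=SAP-AG,C=DE', 'p:CN=LEGACY,O=EXAMPLE,C=DE')
```

Run it once per phase of the rollout; the warnings are the cases (dangling library path, p/sapsso connection without SNC_LIB_*_2) that produce broken connections during the migration.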

 

With this approach you are able to upgrade your landscape to SAP Single Sign-On step by step. So now is the time to get started.

SPNego Doubt


Hi!

I've been setting up SSO using the SPNego wizard via http://server:port/spnego for a 740 Portal system.

Using the wizard, I was able to successfully set up SSO for Sandbox & Dev.

 

For Production, I see the below error when I use the Manual option under Add:

 

Error during generation of encryption key with type AES256-CTS-HMAC-SHA1-96: Illegal key size. Check the crypto policy file in use and also SAP Note 1240081


If I use the Keytab option under Add, I'm able to proceed successfully & SSO also works fine on Production.


In Dev & Sandbox I see 4 keys; whereas, Production does not show me the AES256 key.


Is there something amiss with my Production box, that the first option does not work?

SP levels are the same... SP 7... even SAP JVM...

Kindly help advise.

Thanks a lot!

saba.



SSO configuration from BOE to HANA


Looking to set up SSO from BOE to HANA using SAML and coming up short on what is hopefully just some missing configuration. If anyone has experience getting this running, I'd be grateful for feedback or links to more comprehensive documentation.

 

We are running BOE 4.1 SP5 and HANA rev 92 (on a multiple node installation). The plan is to 1) enable SSL logins on HANA, 2) set up BOE as the IdP, 3) create the SAML provider in HANA and establish trust between the two systems.

 

  1. HANA is accepting OpenSSL connections thanks to this very helpful document. Confirmed via HANA Studio login.
  2. On the BOE side, an IdP Base64 certificate was generated in the CMC via the HANA Authentication dialog.
  3. The IdP cert was appended to the trust.pem file (on the master node) as per this blog post. The SAML provider has been created in HANA with the Subject/Issuer set to match the BOE cert. We also used sapgenpse to add the cert to saplogon.pse and sapsrv.pse in $SECUDIR (again on the master node).

 

Everything has been restarted after the last configuration change.

 

A test user has been set up in HANA with the SAML provider enabled, user name matching a BOE enterprise account. When testing from the CMC, we see the following error message: Connection Failed: The test of the HANA SSO ticket used to log onto the HANA DB has failed due to: [10]: invalid username or password. (FWM 02133)

 

The HANA tracelog, set to debug, shows some errors in SAMLAuthenticator (ERROR in libxmlsec) before it culminates in this block:

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.882796 i Authentication   SAMLAuthenticator.cpp(00400) : Unable to verify XML signature

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.882934 d Authentication   ManagerAcceptor.cpp(00273) : Injecting logon name into method:

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.882986 d Authentication   SAPLogonManager.cpp(00360) : Store chosen for assertion ticket validation: saplogon.pse

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.883114 w Authentication   SAPLogonManager.cpp(00504) : The base64 decode of the received ticket failed. SSO_RC return value: 1281

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.883121 d Authentication   SAPLogonManager.cpp(00513) : Use SSO Validation PSE >>>saplogon.pse<<<

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.883123 d Authentication   SAPLogonManager.cpp(00514) : Received Base64 Ticket >>>SAML 2.0 assertion ticket...<<<

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.883167 i Authentication   MethodSAPLogon.cpp(00275) : unsuccessful login attempt with SAPLogon/SAPAssertion ticket!

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.883181 d Authentication   ManagerAcceptor.cpp(00273) : Injecting logon name into method:

[22277]{-1}[63/-1] 2015-02-02 20:10:23.884313 d Authentication   Connection.cc(03617) : [PRE AUTHENTICATION] logon name:

[22277]{-1}[63/-1] 2015-02-02 20:10:23.884359 d Authentication   Connection.cc(03684) : [POST AUTHENTICATION] logon name:

 

It looks like the ticket is received but not being parsed. It's not clear to me if this is related to the certificate or some other configuration element, or exactly what the missing piece is.

Advanced users' authentication using contactless ID Tokens (RFID cards)


Good day!

 

We are going to implement authentication of users in a kiosk by their contactless cards as described in note 1970286.

But we have a business requirement to make an additional check before login: the user must enter some secret word, password or private information before he/she is logged in.

So the scenario is:

1) User puts his card on the reader

2) As described in the note, he gets a one-time certificate

3) The system shows a window to enter the secret word

4) Log in

How can we achieve it? Thanks in advance.

PS: Login to the ABAP server is through a browser.

Single sign on User licence


Dear all,

 

We have implemented SSO where we have 30 BI licences and 10 BO licences.

I have set up authorizations in BI for all 30 users and tested successfully.

When I am importing the related roles in BO I can only see 10 BI users. Is this because I have 10 BO licences, or something else?

I don't have much knowledge of the licensing part, so I request you all to please guide me on the same.


Login to AS JAVA as administrator


Now that we have enabled SSO, we log in to AS JAVA with the X.509 certs. Would anyone know how we can log in as Administrator and temporarily disable the X.509 cert?

 

 

Thank you

Jonu Joy 

SP5 for SAP Single Sign-On 2.0 Now Available


This week, SAP released the latest support package for SAP Single Sign-On 2.0. Support Package 5 contains a number of new features and functions as we continuously enhance the product to fulfill customer requests and upcoming security demands. Here is an overview of all that's new with SP5:

 

Two-Factor Authentication

  • Support for 8-digit passcodes (SAP Authenticator mobile app)
  • Support for strong digest algorithms (SHA-256 and SHA-512)
  • Two-factor authentication using out-of-band (OOB) tokens, such as SMS, email or others

 

Mobile Single Sign-On

  • Option to use two-factor authentication for mobile single sign-on scenarios (use passcode as second factor in addition to initial authentication via password)

 

Enhanced Support of Risk-Based Authentication

  • Enhanced policies for risk-based / context-based authentication
  • Control the authentication process with a policy script (server-side JavaScript)
  • Risk-based authentication now also available for the Secure Login Server (in addition to the SAML Identity Provider)

 

SSH Agent Support for Secure Login Client

  • Secure Login Client can run as SSH agent, providing a secure way to use keys and certificates stored in the Microsoft Crypto Store for SSH public key authentication

 

RFID-Based User Identification

 

Please refer to the release note for detailed information on new features and fixes. Documentation for SAP Single Sign-On 2.0 is available at the SAP Help Portal.

 

You can download the support package from the SAP Service Marketplace (login required). Enjoy!

RFC Destination SSL handshake failed


Hello,

 

I have an issue with an RFC Destination since the certificate was changed (on the server side).

When I press "Connection Test" I get the following message:

 

SSL handshake with evatr.bff-online.de:443 failed

 

We have already uploaded the new certificate in transaction STRUST and still getting the same error.

 

[Screenshot: 4.PNG]

 

I have noticed that the algorithm changed from SHA-1 to SHA-256.

Therefore I checked the SAPCRYPTOLIB version:

 

[Screenshot: 5.PNG]

 

New enough...

 

Here is the RFC Destination in SM59:

[Screenshot: 1.PNG]

SSL is active and the correct list is selected:

[Screenshot: 2.PNG]

Also HTTPS is enabled in Services in transaction SMICM:

[Screenshot: 3.PNG]

 

 

Also I spoke to the guys from networking and they said that SSLv3 communication isn't blocked and the systems are allowed to connect to the internet. They are sure that the problem is not network related.

I have no clue what to do now.

In the attachments you can find an ICM trace, where I tried a "Connection Test".

 

Thanks in advance.

 

Best regards

Dennis

Gateway SSO2 logon ticket cannot be verified by HANA


Dear Expert,

 

I am trying Single Sign-On configuration by using SSO2 logon tickets between Gateway and HANA DB. As the trust relationship is a single-direction trust from Gateway to HANA (only HANA trusts Gateway, and Gateway does not need to trust HANA), we have achieved that in our DEV system, but now it does not work in our AT system. We have checked that all necessary configuration is completed on both the Gateway side and the HANA side, just as we did in the DEV system.

We used the SAPSSOEXT method to verify the logon ticket issued from Gateway, but it failed that way, which means the logon ticket issued from Gateway cannot be accepted by HANA. Here are the level 2 trace file details below:

 

---------------------------------------------------

trc file: "tracefile", trc level: 2, release: "720"

---------------------------------------------------

[Thr 6628] Wed Mar 19 19:26:56 2014

[Thr 6628]    Initializing SAPSSOEXT Version 8

[Thr 6628]    Built at Jul 10 2013 00:18:47 using release 720, patch 436

[Thr 6628]    PC with Windows NT on multithread environment with (SAP_CHAR/size_t/void* = 8/64/64)

[Thr 6628] DlLoadLib success: LoadLibrary("sapsecu.dll"), hdl 0, addr 0000000010000000

[Thr 6628]    using "C:\Users\C5180597.GLOBAL\Desktop\Xian‘ an Su\07_SAML+WEB Dispatcher\SAML 2.0 config\PSE test tool\windows64\ssosample\C\sapsecu.dll"

[Thr 6628]    Initializing SSF Library Version

[Thr 6628]    SAPSECULIB Version 5.4.28M-6

[Thr 6628] Ticket key as new PSE loaded

[Thr 6628] *** ERROR => SsfVerify failed (see note 1055856). [ssoxxsgn.c  144]

[Thr 6628]  SsfVerify returned 7 :: SSF_API_UNKNOWN_PAB :: Priv.Addr.Book (PSE file) not found.

[Thr 6628] MYSAPSSO2 ticket last error from SSF: ERROR in af_open: (4356) PSEFile

[Thr 6628] ERROR in secsw_open: (4356) PSEFile

[Thr 6628] ERROR in sec_parse_PSEInfo_cont: (4356) PSEFile

[Thr 6628] ERROR in d_PSEFile: (18) decoding error for : "PSEFile"

[Thr 6628]  .

[Thr 6628]  SsfVerify returned null for SignerList.

[Thr 6628] *** ERROR => ValidateTicket failed with rc = 20 and ssf_rc = 7. [ssoxxapi.c  235]

[Thr 6628] *** ERROR => Validate ticket failed with rc=458772. [ssoxxext.c  542]

[Thr 6628] *** ERROR => MySapEvalLogonTicketEx returns 458772. [ssoxxext.c  969]

 

The verify PSE file and logon ticket are both OK. Could you please help resolve this issue?

 

Best regards,

Xian' an

Can't get SSL Authentication to work


Our SAP server is supposed to call an external web service, which requires authentication via an SSL certificate. So in STRUST I have created a new client certificate, which has been imported on the external server. Also we have received the server's certificate, which has been added to this new entry in STRUST.

 

In SOAMANAGER I have set this new STRUST entry to be used for authentication at the web service provider.

 

Now when our SAP machine calls the remote web service, authentication fails.

In the ICM logs the following error messages are given:

 

[Thr 140543812142848] SecuSSL_SessionStart: SSL_connnect() failed  (536875072/0x20001040)

[Thr 140543812142848]    => "SSL API error"

[Thr 140543812142848] >>            Begin of Secu-SSL Errorstack            >>

[Thr 140543812142848] 0x20001040   SAPCRYPTOLIB   SSL_connect

[Thr 140543812142848] SSL API error

[Thr 140543812142848] received a fatal SSLv3 handshake failure alert message from the peer

[Thr 140543812142848] 0xa0600266   SSL   ssl3_read_bytes

[Thr 140543812142848] received a fatal SSLv3 handshake failure alert message from the peer

[Thr 140543812142848] <<            End of Secu-SSL Errorstack

[Thr 140543812142848]   SSL_get_state()==0x21d0 "SSLv3 read finished A"

[Thr 140543812142848]   No certificate request received from Server

[Thr 140543812142848]   SSL NI-hdl 401: local=10.156.32.11:62224  peer=10.206.58.12:16101

[Thr 140543812142848] <<- ERROR: SapSSLSessionStart(sssl_hdl=0x7fd2d0099410)==SSSLERR_SSL_CONNECT

 

Any ideas what we might be missing here?
