Channel: SCN : All Content - SAP Single Sign-On

Implementing SSO to AS Java with X.509 Client Certificate and a Web Dispatcher


Hello,

I have implemented SSO to AS Java (SAP Portal) using X.509 Client Certificate.

When I try to logon without passing through the Web Dispatcher (direct call to the SAP Portal in Intranet) my SSO works properly and I'm able to logon without writing any user and password, thanks to my X.509 Client Certificate.

 

Login Module                                                               Flag        Initialize  Login      Commit     Abort      Details
1. com.sap.engine.services.security.server.jaas.ClientCertLoginModule      SUFFICIENT  ok          true       true
        #1 Rule1.AttributeName = CN
        #2 Rule1.getUserFrom = subjectName
2. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   REQUISITE   ok                     true
Central Checks                                                                                                   true                  #

 

 

My problem arises when I try to call my SAP Portal from the Internet passing through my SAP Web Dispatcher, so I've got the following error:

 

LOGIN.FAILED
User: N/A

 

Authentication Stack: ticket

Login Module                                                               Flag        Initialize  Login      Commit     Abort      Details
1. com.sap.engine.services.security.server.jaas.ClientCertLoginModule      SUFFICIENT  ok          exception             true       Authentication did not succeed.
        #1 Rule1.AttributeName = CN
        #2 Rule1.getUserFrom = subjectName
2. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   REQUISITE   ok          false                 false      #

 

How could I manage my X.509 Client Certificate when I have to pass through my Web Dispatcher?

 

Thanks!

Fabrizio


Customize SAML2.0 Authentication Error in SAP EP 7.3


Hi,

 

I have configured SSO between SAP EP 7.3 and ADFS 2.0 by enabling SAML2.0 Authentication in SAP EP 7.3.

 

It's working fine. I need to customize the error message that is displayed during SSO on SAP EP 7.3. How can I do this?

 

 

Regards,

Eben Joyson

How to bypass the standard SAP Netweaver Logon screen?


Hi SSO and SAML2 experts,

 

 

We have several SAP Enterprise Portal systems. The SSO configuration is set up using SAML2, with the Portal as SAML2 service provider and Touchstone as identity provider. When users click on the link https://<server>:port#/irj/portal, they see the SAP NetWeaver Login screen with an Identity Provider box (which is Touchstone in our case). Once the user clicks the "continue" button on the sign-up screen, he/she is redirected to the Identity Provider (Touchstone), which is another screen. At that point (the Touchstone screen), the user has the option either to use a certificate or a Kerberos id before signing into the portal.

 

 

My question is this: Is it possible to bypass the initial SAP NetWeaver sign-up screen? In other words, can something be done (configurations/custom code/other creative methods) so users would not be presented with the SAP logon screen but instead go directly to the IdP Touchstone screen? The issue here is "user experience". Users need to click on "continue" on the SAP NetWeaver login, then be redirected to the IdP Touchstone screen, click again, and finally land in the portal.

 

 

Any feedbacks would be greatly appreciated!

 

 

Best regards,

Qian Kang

qiankang@mit.edu

 


mixed authentication types


Hello,

 

I've not found a suitable answer in the documentation yet, so I wanted to ask this question here.

 

I have a requirement to use SAP NetWeaver Single Sign-On to authenticate two separate user groups. One group is via Windows AD and the other would be via SiteMinder to a second Windows AD.

 

The environment includes: ECC6, CRM2007, BW3.5

 

Questions:

1) Is it possible to set up mixed authentication for the two user groups I've listed above?

 

2) Does anyone have experience with this to share?

 

3) Would SiteMinder require a separate application server to handle the user groups behind it?

 

Appreciate your input.

 

Paul

SSO Windows AD -> BO (-> BeX)


Hello,

 

I have mixed authentications on my BI4.0 platforms:

* some users authenticate with Enterprise

* some users authenticate with their SAP account

 

We would like to put in place the SSO and unify the login workflow.

 

This is pretty clear to me concerning "standard users", the ones that authenticate today via Enterprise:

* I will configure Windows AD authentication/aliases and then Kerberos SSO

 

Concerning "SAP" accounts, can I do the same?

Is it possible for a BO user to have a Windows AD alias AND a SAP alias? Will Windows AD SSO work and enable SAP access too?

If I configure Windows AD + BO SSO, will I get access to reports needing special SAP authorization?

 

 

Thanks

SSRS XMLA Connector for BW


We are currently implementing SAP BW and are trying to connect the Microsoft SQL Server Reporting Services product.  We've been able to connect to SAP BW and really like the functionality but we've encountered two problems:

  1. Sessions - For some reason SSRS creates a lot of sessions (SM04)  when it calls the XMLA connector.  The sessions seem to stay there for about 20 minutes before they are cleaned up.  I've got a relatively simple report that creates 12 - 13 sessions every time it is run...if I run it a couple of times that is a lot of sessions on SM04.  I read some articles that say you need to add 'sap-client=' to the connection string to prevent this behavior, but it doesn't seem to work for me.  Here is my connection string: Data Source=http://mynetweaversite:8100/sap/bw/xml/soap/xmla?;Initial Catalog=ZBFM_M01;sap-client=100
  2. SSO Ticketing - I've been able to get basic authentication working, but I can't seem to figure out how to get SSO ticketing working.  We've configured our Portal server for single sign on so I tried to fill that in and it keeps coming back with 'Unauthorized' when I try to test the connection.  Here is what my connection looks like:

 

I can connect with it setup like this:

How to configure SSO(Single Sign On) in BI?


Dear Expert,

 

Now I'm using BI 7.x of SAPGUI(7.30).

Please show me the steps. How do I configure SSO (Single Sign-On) in BI?

 

With best regards,

 

Chenna

X.509 Certificate is not available in Browser


Hello All,

 

For a few users the X.509 certificate is not available in Internet Explorer, so they are not able to use WebGui. They can use SAP GUI with SSO, though, because they are enrolled automatically in Secure Login Client. But the same certificate is not showing up in the browser.

 

Does anybody know the solution? What could be the reason behind this?

 

Kind Regards

Manna Das


SAP NetWeaver Single Sign-On: Overview Presentation


This presentation introduces the SAP portfolio for compliant identity and access management. The SAP NetWeaver Single Sign-On solution and its benefits are explained in detail. Various scenarios covered by the solution are outlined. In addition, recommendations and best practices for your single sign-on project are provided.

View this Presentation

SSO 2.0 with X509 certificate : a few questions


Hello,

 

Many of our end users have been complaining about the increasing number of passwords to remember, so we are considering implementing SAP NetWeaver SSO 2.0 in our SAP landscape.

 

I have been reading the SSO documentation: videos and wikis (incredibly eye-opening documents), the Secure Login for SSO implementation guide (a bit difficult to follow), and the PDF presentations.

 

I would like here to ask a few questions to make sure that I am not missing anything.

 

Here is our infrastructure: we have a SAP central portal EP 7.31 SPS4, open to the Internet through the SAP Web Dispatchers, used by our internal users but also by our external customers. The Portal UME is the SAP J2EE database itself (4000 users).

 

We also have several SAP ABAP systems: ECC6 EHP4, ECC6 EHP5, BW 7.3, SCM 7.02, PI/NFe 7.02, etc.

SAP SSO based on SAP logon tickets is implemented between the portal and ECC/BW.

 

Classic Scenario:

The users switch on their computers every morning and log in to their Microsoft Active Directory account, and we want the users to reuse their Windows authentication to seamlessly access both the SAP Portal and the SAP ABAP systems.

 

Implementing SSO based on Kerberos would require as a prerequisite to EHP/upgrade or patch all our systems to the latest version, which is currently not an option for us (downtime, transport freeze, etc.).

I understand that SPNego for ABAP is now becoming available for AS 7.02 (Note 1870595 - SPNego correction instructions for AS ABAP 7.02), but it is still too restrictive (limited languages, etc.).

 

So we are considering implementing SSO based on X.509 certificates, because that option supports most platforms and clients.

 

Here are my concerns/questions:

1/ By configuring the Secure Login Server, users will receive a short-term X.509 certificate; we were wondering if that short-lived certificate would remain valid when the Windows session is put to sleep:

Let us say that a user starts his Windows session at 9:00 AM; he will then generate a short-lived certificate and access the portal. Then at 18:00 he does not shut down his Windows session but chooses "sleep" or "hibernate". He then goes back home, where he no longer has access to the corporate network (no Windows authentication) but still has access to the Corporate Portal over the Internet. Can he reuse his short-lived certificate to access the Portal without credentials at 19:00 (provided that the certificate has not expired)?

 

This is an important point for us, because we have many users who continue their work from home and access the corporate portal. So if we implement SAP SSO to the Portal, the idea is that the users no longer need to remember the password, even when at home on their corporate computer.

 

2/ Currently, the SAP Web Dispatchers have been installed as reverse proxies, and they communicate with the SAP backends through the HTTP protocol:

Internet ---HTTPS---->SAP Webdispatchers----HTTP----->SAP Portal and SAP ABAP WEB

 

We intend to install the SAP Secure Login Server on the Portal itself, in order to use the out-of-the-box PKI; according to the implementation guide, SSL would need to be activated on the Portal.

Does that mean that the HTTPS protocol would also need to be configured between the SAP Web Dispatchers and the SAP backends, replacing HTTP?

 

 

Thank you very much

Best Regards

Mobile Single Sign On from iOS 7 to SAP NetWeaver


With the release of iOS 7, Apple enhanced its operating system with several security features. One of them is the so-called enterprise single sign-on, which makes it possible to log in once and access backend systems from various apps without storing any credentials on the device. In this blog post, I will explain how that new feature can be used to achieve single sign-on to a SAP NetWeaver system. In the example below a SAP NetWeaver Gateway system is used, although any HTTP-based API or UI can be accessed, including Web Dynpro and WebGUI.

 

Here are some screenshots on what you might expect as a final result (click on the images to get a larger image):

 

When you start an app that tries to connect to a SAP NetWeaver Gateway system, iOS detects that authentication is required and shows a popup asking you to enter your credentials:

 

[Screenshot: enter_user.png]

 

The next time an app (either the same or another one) wants to connect to a configured system (either the same SAP NetWeaver Gateway system or another configured one), iOS reuses the authentication information and does not show a popup anymore:

[Screenshot: loading_nouser.PNG]

but it still authenticates to the backend system, and the app receives a positive response:

[Screenshot: response.PNG]

 

The credentials are shared neither with the mobile app nor with SAP NetWeaver Gateway. Instead, iOS "exchanges" them for a ticket that is used for the authentication to the SAP NetWeaver Gateway system. As long as the ticket has not expired (usually 8 hours), SSO works. Afterwards, the user is asked to enter his credentials again.

 

Technically this is based on Kerberos. For Kerberos to work, one needs three things:

  • a client - this is the iOS device
  • an authentication server - in most enterprises this already exists, e.g. the domain controller in a Windows environment. iOS accesses it in order to get a service ticket for the server an app wants to connect to
  • a service server - this is the server a mobile app connects to, e.g. SAP NetWeaver Gateway. iOS sends the service ticket it obtained from the authentication server in order to authenticate. SPNEGO is used to send that ticket to the server.

All of those need to be configured so that Kerberos can work.

 

Configuration on the iOS Device

 

iOS provides the means to control which apps are able to connect to which servers. This is done with configuration profiles, and with iOS 7 a new SSO payload type has been introduced. Here is a sample configuration profile that needs to be installed on the device:

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadDisplayName</key>
      <string>SSO Settings</string>
      <key>PayloadType</key>
      <string>com.apple.sso</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadUUID</key>
      <string>d3fe4709-0cc6-4f51-afed-839c6ab1451c</string>
      <key>PayloadIdentifier</key>
      <string>com.sap.example.sso</string>
      <key>Name</key>
      <string>username@EXAMPLE.COM</string>
      <key>Kerberos</key>
      <dict>
        <key>PrincipalName</key>
        <string>username</string>
        <key>Realm</key>
        <string>EXAMPLE.COM</string>
        <key>URLPrefixMatches</key>
        <array>
          <string>https://example.com/</string>
          <string>https://example.com:443/</string>
        </array>
        <key>AppIdentifierMatches</key>
        <array>
          <string>com.apple.mobilesafari</string>
          <string>com.sap.*</string>
        </array>
      </dict>
    </dict>
  </array>
  <key>PayloadOrganization</key>
  <string>SAP</string>
  <key>PayloadDisplayName</key>
  <string>SSO for SAP</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadUUID</key>
  <string>f4544183-fc96-495f-a384-435cdb66e5b9</string>
  <key>PayloadIdentifier</key>
  <string>com.sap.example.sso.profile</string>
  <key>PayloadDescription</key>
  <string>SSO Configuration profile</string>
  <key>PayloadType</key>
  <string>Configuration</string>
</dict>
</plist>

 

The configuration profile can be installed by any means iOS supports, but usually that is done via an MDM solution or pulled by the user from an HTTP server:

[Screenshot: profile_install.png]

The most important attributes in the configuration profile are:

  • PrincipalName - this contains the username. It is optional; if it is missing, the user is asked to enter the username upon installation.
  • Realm - this is the Kerberos realm name. The realm must be reachable from the device, either by connecting the device to the corporate network, via VPN, or using per-app VPN (another new feature in iOS 7).
  • URLPrefixMatches - this is a list of URL prefixes for which Kerberos is used. If an app tries to connect to a URL that matches one of those URL prefixes, Kerberos is activated. Otherwise it is not, and a standard HTTP call is made. You need to list all valid prefixes explicitly here; wildcards such as https://*.example.com/ do not work.
  • AppIdentifierMatches - these are the identifiers of the apps that should be granted access to Kerberos. You need to mention the allowed app IDs explicitly, but you can use a wildcard at the end, e.g. com.sap.*

 

The sample configuration profile above activates Kerberos for Safari as well as for any app developed by SAP. Activation for Safari makes it possible to access even WebGUI or Web Dynpro via Kerberos. Of course, that can be disabled on SAP AS ABAP.
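As an added example (not from the original post), the following Python reproduces the matching rules described above against a constructed profile, so an administrator can check which app/URL pairs a profile actually enables before rolling it out. The matching semantics are taken from the post's description (plain string prefixes for URLPrefixMatches, a trailing wildcard only for AppIdentifierMatches); the realm, host and app identifiers are assumed sample values.

```python
import plistlib

# Constructed sample profile: a trimmed copy of the SSO payload layout shown
# above, with assumed (example) realm, host and app identifiers.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.sso</string>
      <key>Name</key><string>username@EXAMPLE.COM</string>
      <key>Kerberos</key>
      <dict>
        <key>PrincipalName</key><string>username</string>
        <key>Realm</key><string>EXAMPLE.COM</string>
        <key>URLPrefixMatches</key>
        <array>
          <string>https://example.com/</string>
          <string>https://example.com:443/</string>
        </array>
        <key>AppIdentifierMatches</key>
        <array>
          <string>com.apple.mobilesafari</string>
          <string>com.sap.*</string>
        </array>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""


def load_kerberos_payloads(profile_bytes):
    """Return the Kerberos dict of every com.apple.sso payload in a profile."""
    plist = plistlib.loads(profile_bytes)
    return [p["Kerberos"] for p in plist.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.sso" and "Kerberos" in p]


def app_id_matches(pattern, app_id):
    """AppIdentifierMatches entry: exact bundle id, or a trailing '*' wildcard
    (the post says wildcards are only allowed at the end, e.g. com.sap.*)."""
    if pattern.endswith("*"):
        return app_id.startswith(pattern[:-1])
    return app_id == pattern


def url_matches(prefixes, url):
    """URLPrefixMatches is a plain string-prefix list; no wildcard support."""
    return any(url.startswith(prefix) for prefix in prefixes)


def kerberos_applies(profile_bytes, app_id, url):
    """True if the profile lets this app use Kerberos/SPNEGO for this URL."""
    for kerb in load_kerberos_payloads(profile_bytes):
        if url_matches(kerb.get("URLPrefixMatches", []), url) and any(
                app_id_matches(p, app_id) for p in kerb.get("AppIdentifierMatches", [])):
            return True
    return False


def lint_profile(profile_bytes):
    """Flag entries that silently never match or that weaken the setup:
    a wildcard inside a URL prefix, or a prefix that is not https://."""
    findings = []
    for kerb in load_kerberos_payloads(profile_bytes):
        for prefix in kerb.get("URLPrefixMatches", []):
            if "*" in prefix:
                findings.append(f"wildcard in URL prefix never matches: {prefix}")
            if not prefix.startswith("https://"):
                findings.append(f"non-HTTPS prefix exposes the Negotiate header: {prefix}")
    return findings
```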

 

Configuration on the Authentication Server

 

iOS uses DNS to discover the Kerberos services, so they must be registered in the DNS server that the iOS device uses (directly or via VPN). To test whether that has been set up correctly, connect a laptop to the same network the iPad/iPhone connects to and execute

 

nslookup -querytype=SRV _kerberos._tcp.EXAMPLE.COM

 

where EXAMPLE.COM should be replaced with your realm name. If you get an error (e.g. that the domain does not exist), then DNS is not configured correctly and you should contact your network administrators to change that.

 

In a Windows environment, the domain controller advertises its Kerberos services automatically, so one just needs to make sure the iOS device uses the same DNS server (by modifying the Wi-Fi or VPN settings). In case of issues one might follow http://support.microsoft.com/kb/816587 or http://technet.microsoft.com/en-us/library/dd378871.aspx.

 

Configuration on the Service Server

 

SAP NetWeaver needs to be configured to use SPNEGO/Kerberos and to trust tickets issued by the authentication server the iOS devices use. For that you need:

  • a supported version of SAP NetWeaver Application Server - see SAP Note 1798979 for details
  • a license for the product SAP NetWeaver Single Sign-On 2.0 (or higher)
  • several configuration steps - for more details on configuring Kerberos on SAP AS ABAP, watch the videos here
  • depending on the SAP AS ABAP and SAP NetWeaver SSO versions that you have, you might need to apply SAP Note 1902749 or 1902750 in order for Kerberos from iOS to work correctly

Configuring the User Logon ID Mapping with Added Attributes


Hi SAP product experts,

 

Recently I configured SLS 2.0 SP1 PL3 to authenticate users against an LDAP server and wanted to use a custom value as the CN instead of the default USERID (e.g. sAMAccountName). I configured everything as described in the Secure Login Implementation Guide (V.1.4) chapter 4.6.1.1.2 and it worked.

 

Bad news is that, if the attribute used in LDAP has no value or an empty value, I receive a 500 Internal Server Error from SLS and the client authentication profile is in locked state.

 

I would suggest improving this feature to fall back to the default USERID if the custom attribute has no value or is empty.

 

Reason: I already know some customers using the old SECUDE solution (SLS) and maintain a special value for some users in AD. The former SLS was able to ignore the attribute mapping and use the default USERID.

 

Thanks for feedback, maybe this can be solved by configuration?

 

Regards,

Carsten

How to create SSO Login for SAP Webgui HTML based on Windows


Experts,

 

Please advise the best process to create SSO login for SAP WebGUI on Windows 2008 R2. We are currently using Windows Active Directory or LDAP.

Portal Java as SAML2 Identity Provider


Hi all,

I'm trying to configure Netweaver Portal 7.4 SP3 as Identity Provider to issue SAML2 assertion tickets to establish trust connections between SAPUI5 apps and SAP NW Gateway.

 

Does anyone have a how-to, useful links or a tutorial to configure all components?

 

We've configured SAP Portal as IDp and SAP NW GW to trust SAML2 tickets but a GW logon screen appears when SAPUI5 apps access to GW services.

 

Thanks in advance,

Kind regards

Attaching SSO ticket to web service call


All,

 

I have an odd scenario where a user logs into NetWeaver Portal 7.3 and, within a portal-based application, we call an external non-SAP web service which in turn calls a SAP CRM web service. (We have no control over the architecture and no access to CRM.)

 

I would like to pass the SAP logon ticket details in the web service call so when the call finally reaches CRM the user is automatically logged in.

The service in the middle is a trusted system, but it does not know (and does not need to know) about the user; it simply passes the details on.

 

Please could I have some advice on how this might be achieved and where we would attach the SSO data. Does this go into the SOAP header or the HTTP request? Are there any classes/methods that we can use?

 

Thanks

 

Jon


NW SSO - Secure Login Client - issue with X.509 certificates


Good Morning,

we have this problem with NetWeaver Single Sign-On (1.0 SP4 PL4):

 

1) Secure Login Client receives a Kerberos ticket but doesn't download the X.509 certificate from the server (and we don't know why)

2) In the Secure Login Client Notification Viewer there are no apparent errors (see screenshot)

3) Our scenario is this:

    Secure Login Server on an AS JAVA installed on SLES11 (64-bit) with SPNEGOLoginModule
    Secure Login Client installed with a SAP GUI on a Windows Server 2008 R2 (64-bit)
    AS ABAP installed on a Red Hat Enterprise Linux Server 6.3 (64-bit)
    Microsoft Active Directory Server installed on Windows Server 2008 R2 (64-bit)

We installed ROOT_CA and customer.reg from the Secure Login Server on the client host. We used HTTPS with the "Secure Login Server FQDN" and port 50001.

We tried to listen on the Secure Login Server with tcpdump to see if some request was coming in, but nothing appeared.

NW SSO support for windows 8.1


I am trying to get some official documentation around support of NW SSO 1.0 / 2.0 with Windows 8.1. On the PAM for NW SSO 1.0/2.0, I can see support for Windows 8. Considering that Windows 8.1 was officially released recently, will it be supported as well, and when?

 

Thanks in advance.

Trust relationship between HANA XS engine and gateway


Hi experts,

 

I intend to create trust between the XS engine and SAP Gateway. When I log in to HANA XS admin, open the trust manager and create a trust store, I cannot create a certificate request according to the HANA platform admin guide chapter 15.3 (http://help.sap.com/hana/SAP_HANA_Administration_Guide_en.pdf), because there is no such creation icon on my screen, as shown in the screenshot below. Another icon, "put cert response", is also missing from the screen.

[Screenshot: HANA1.png]

However, according to the SAP standard admin guide, such icons should exist there; see the screenshot from the admin document below.

[Screenshot: HANA2.png]

Without these two icons, the steps for creating the trust relationship cannot be executed. I am using the HANA SYSTEM user, which has all required authorizations. I am not sure what is happening here; could you please kindly help?

 

thanks,

 

Best regards,

Xian' an

"Single Sign-On" from SAP NetWeaver Portal to Sharepoint


Introduction

In this blog I will explain how you can use the Kerberos protocol to set up "single sign-on" from an SAP NetWeaver Application Server Java (AS Java) to both SAP and non-SAP backends, including Microsoft Sharepoint.

 

 

How to solve Server-to-Server Authentication

Many companies today have very specific requirements regarding authentication and single sign-on. For client-to-server authentication and single sign-on, SAP NetWeaver Single Sign-On provides a variety of options tailored to meet your needs. To find the best solution for you, check out the Overview on SAP NetWeaver Single Sign-On.

 

However, if a server (in many cases an SAP NetWeaver Application Server Java) needs to access another backend server on behalf of the user, many customers use a generic service user with extensive authorizations. This causes issues from both a security and a compliance point of view: every action runs with the service user's broad authorizations, and the backend logs only show the service user rather than the actual person.

 

[Figure: Situation without SSOEXT (SSOEXT2.png)]

 

 

What can you do, if you want to use the appropriate authorizations and the correct audit entries in the backend system?

And if you want your solution to work across different platforms for both SAP and non-SAP systems?

 

 

Kerberos Constrained Delegation

Support Package 2 for SAP NetWeaver Single Sign-On 2.0 offers a solution: Kerberos Constrained Delegation using the SSO Extensions Library (SSOEXT). This solution works for all backend applications that support the Kerberos authentication standard.

 

[Figure: SSOEXT.png]

 

How Does it Work?

In a nutshell, SAP NetWeaver AS Java uses the SSOEXT component to request a Kerberos ticket from the Key Distribution Center (KDC) on behalf of the user who has logged on to the AS Java. The KDC is part of Microsoft Active Directory. For the connection between the two servers, this Kerberos ticket is used to authenticate to the backend server, so the backend sees the real user's identity and applies that user's authorizations. This works for all backend applications that support the Kerberos authentication protocol, such as Microsoft Sharepoint.

 

 

Configuring the Scenario

You will find the documentation on how to configure, use and troubleshoot the scenario together with more background information here:
SSO Start page on SCN --> Documentation Release 2.0 --> Single Sign-On Extensions Library

 

 

Requirements

  • You need a product license for SAP NetWeaver Single Sign-On in order to download the component
  • The extension for Kerberos constrained delegation must be installed on SAP NetWeaver Application Server (AS) Java 7.30 or higher

 

Featured Content in SAP NetWeaver Single Sign-On


SP 2 for SAP NetWeaver Single Sign-On 2.0 Now Available

SAP just released the latest Support Package for SAP NetWeaver Single Sign-On 2.0. SP 2 contains a number of enhancements and new features, including support for Kerberos constrained delegation, hardware security module support of Secure Login Server, logout functionality of Secure Login Web Client, and configuration of Secure Login Client using Windows proxy settings. You can download SP 2 and read the release note on the SAP Service Marketplace (login required). November 21, 2013

 


Single Sign-On from SAP NetWeaver Portal to Sharepoint

One of the new features of SAP NetWeaver Single Sign-On 2.0 SP 2 is support for Kerberos constrained delegation. Read Jens Koster’s document to learn how you can use the Kerberos protocol to set up single sign-on from an SAP NetWeaver Application Server Java to both SAP and non-SAP backends, including Microsoft Sharepoint. November 21, 2013

 

Why Secure Login Web Client?

In his latest blog, Frane Milicevic describes some use cases and benefits of Secure Login Web Client, a Web-based solution for requesting "short-lived" X.509 user certificates, which can be used for single sign-on in an SAP landscape. November 14, 2013
