Hi Experts,
We have plane to configure SAP SSO for Non SAP Web url, can you please guide me for this configuration.
Thanks in Advance.
Jana
↧
SAP SSO for non-sap systems like Web URL(HTTPS/HTTP)
↧
Webdispatcher and ABAP backend as two distinct Service Providers ?
Hello,
We have two distinct business scenarios :
Fiori : End Users Access to the SAP Netweaver Gateway 7.4 through its HTTPS URL : https://srv-sap-gwpa.domain:44320/
HR Renewal : End Users Access to the SAP Netweaver Gateway 7.4 through the SAP WebDispatcher : https://srv-sap-wdsp.domain:44320
Both scenarios work fine ...
We had a request to configure SAML 2.0 for both scenarios, ADFS being the Identity Provider.
I believe that a Service Provider is called here a "Relying Party".
When configuring separately, Fiori OR HR Renewal, it works fine, users are authenticated into ADFS and their redirected to Fiori (Netweaver GAteway URL) or HR Renewal (SAP WebDispathcer).
The Problem is that we obviously need to configure both scenarios together, and here it does not work as expected, Fiori Users are bot redircted after authentication to the NEtweaver GAteway but are redirected to the Webdispatcher ... which is blocking for us
For Each scneario Webdispatcher (HR Renewal) and Netweaver Gateway (HR Renewal) we have a distincts Assertion Consumer Service (ACS) URL in ADFS :
We are really not familiar with ADFS, but there might be some trick, somehow , somewhere, to indicate to ADFS to redirect the URLs to the correct Service Provider/Relying Party.
Any help , hint would be appreciated
ADFS Settings For WebDispatcher :
For Netweaver Gateway :
Thanks
↧
↧
Is SSO Mandatory for an embedded set up..
Hello Experts,
I have an Embedded setup system, and I'm implementing fiori in it. So is SSO mandatory for this kind of set up?
If "Yes" how should I configure SSO in Embedded setup.
Regard's
Abhi.
↧
SSO for successfactors
Dear All,
We have implemented SSO for enterprise portal with Windows Active directory in our landscape. The flow will be like, user will login to his laptop with Active directory user. With sharepoint concept, URL to access PI JAVA will be assigned to a link - when the user clicks the link, it will automatically login to PI system without prompting for any user name/password.
Wondering, if we could do the SSO configuration to access our Successfactors instance with windows active directory user. Kindly help me with the procedure and details.
Regards,
Malar.
↧
Question about SSO 2.0 Installation
Hello Community,
I am new to the SSO field and a little bit confused.
I would like to install an identity provider on AS Java.
According to the documentation there are following requierments:
- To support the identity provider extensions, the host SAP NetWeaver Application Server (AS) Java must be of the following releases:
- AS Java 7.3 SPS 13 or later
- AS Java 7.31 SPS 15 or later
- AS Java 7.4 SPS 10 or later
- To support the newest user interface improvements, the host SAP NetWeaver Application Server (AS) Java must be of release AS Java 7.2 SPS 4 or later.User interface improvements include functions to add authentication contexts and map them to log-in modules, to configure metadata and metadata access, and to delete the identity provider configuration.Otherwise the host AS Java must be of the following releases:
- AS Java 7.2 SPS 2 with 1471322
![Information published on SAP site]( "Information published on SAP site")
applied - AS Java 7.2 SPS 3 or later
- AS Java 7.2 SPS 2 with 1471322
- You must have SAP Single Sign-On (SAP SSO) 2.0 or SAP Identity Management 7.2 or later installed in your system landscape.For more information about licensing SAP products, consult your key account manager.
The point that is confusing me is the last. I can't find an installation guide for SSO 2.0 only configuration guides for identity provider on AS Java. I searched SAP Single Sign-On 2.0 – SAP Help Portal Page but also couldnt find an installation guide for 2.0
So what is ment by the last requierment and where can I find a installation guide to it?
System is AS Java 7.3 SPS 11 (this has to be updated)
Kind regards
↧
↧
Approval procedure field is disabled for requester
Hi Friends,
Approval procedure field is disabled for requester user while creating a RFC in ZMCR .I have checked the Authorization object CRM_APPRVL for requester user and he has full access to this object. but still it is not working.
I manually added the Auth object SM_APP_AP to the requestor role and provided administrator access , then approval procedure field is enabled but the problem is he has full access to approve all RFC. I know that he has full administrator access thats why he is able to approve all RFCs. I tried giving other acess except administratr , but that time approval procedure was disabled .Only with the administrator role the particular field is enabling.
Could anyone help me to get the right authorization object to fix this issue.
Regards,
Lakshmanan V
↧
Featured Content in SAP Single Sign-On
Single Sign-On with Kerberos: New Videos Available!
Check out our new videos about setting up Kerberos-based SSO for Application Server ABAP. Learn step-by-step how easy this is using the SNC Wizard and Kerberos transaction. Watch now. January 27, 2016
Protect your AS Java Application with Two-Factor Authentication based on One-Time Passwords
Do you want to protect your application running on AS Java using two-factor authentication based on time-based one-time passwords? Check out Donka Dimitrova’s latest blog and learn how to configure this step-by-step. January 13, 2016
SP6 for SAP Single Sign-On 2.0 Now Available
SAP just released the latest support package for SAP Single Sign-On 2.0, including various enhancements in the areas of mobile single sign-on and risk-based authentication as well as new certificate lifecycle management for ABAP application servers. For more information and to download the new SP6, read Martina Kirschenmann’s blog. October 9, 2015
↧
SAP system to IIS Non-SAP sso with X 509 certificate
Hi Experts,
Can you please share your knowledge or links regarding this installation/configuration.
Scenario :
My client has IIS (Non-SAP) and NW servers.
Once employee's login with domain user thought browser based portal, no need to login another application (SAP or Non-SAP).
However, we are recommended to configure with X 509 certificates.
Thanks
Srini T.
↧
Secure Login Webclient, Java Plugin Support
Dear all,
support for java plugins will end in the foreseeable future (see e.g. https://blogs.oracle.com/java-platform-group/entry/moving_to_a_plugin_free).
Is there already a roadmap regarding a "java free" successor of the SAP Secure Login Webclient?
Regards,
Matthias
↧
↧
Olap bics with sso connection is not working
Hi Experts,
I have configured SSO againt SAP BW and i can able to import Roles which i created in SAP BI. I am trying to create olap bics connection using authentication mode SSO getting the following message : Issuer of SSO ticket is not authorized.
What do i need to configure ?
SAP BO/BI Versions Here:
SAP BW 7.4
BO 4.1 SP6 (14.1.6.1805)
any help would be much appreciated 
Thanks,
Haris
↧
Implementing SSO with SAML2 on SAP Fiori
Hello,
I am implementing the SSO with SAML2 for Fiori application. The version of the ABAP server is 7.4.
the connection to the fiori app will be from the inetrnal network so there will be no access from the internet.
I followed the instructions of the following document http://scn.sap.com/docs/DOC-42915 regarding the implementing of SSL, configuration of the windows ADFS and the gateway services in SICF.
when i logon to the fiori App using the following URL :https://<serverName>:<serverport>/sap/bc/ui5_ui5/ui2/ushell/shells/abap/Fiorilaunchpad.html i reach the page of the ADFS
After filling my AD username and password i reach the Fiori logon page.
My username in the AD is the same of the ABAP server, My question is why the mapping of tha BAP user with AD user doean not work so i can login directly to Fiori?
Attached is the debug trace of the "Security Diagnostic tool".
Thanks in advance for your help,
Hassan
↧
X.509 Certificate and SAP Server certificate
Hi Team,
We have configured SAP Netweaver SSO 1.0(using X.509 certificate) on our SAP system. We have used only secure login library and secure login client( Without secure login server) . We are about to complete the configuration but stuck with up X.509 certificate. SNC is activated on SAP system.
As of now, we have completed below steps:
Install Secure login library:
1. Installed SLL on SAP application server
2.Environment variable SECUDIR is set properly
3.Test Secure login library is working fine. Output of snc is shown below.
Product version : Secure Login Library 1.0 SP 4 Patch 3
: CryptoLib 8.3.7.11
: aix-6.1-ppc-64
GSS library : available
GSS library name : libsecgss.so
PSE directory : (existing) /usr/sap/GO0/DVEBMGS00/sec
PSE file : (existing) /usr/sap/GO0/DVEBMGS00/sec/pse.zip
STRUST cred file : (existing) /usr/sap/GO0/DVEBMGS00/sec/cred_v2
SNC config file : (existing) /usr/sap/GO0/DVEBMGS00/SLL/gss.xml
PSE accessible : yes
PSE logged in : yes
PSE credentials : MasterPassword SystemDefault
Kerberos keyTab : Not existing
------------------------------------------------------------------------------
SNC keys registered : 1 entries
1: STRUST certificate CN=GO0, OU=SAP Security, O=SAP Trust Community
Trusted certificates:
from STRUST :
1: CN=GO0, OU=SAP Security, O=SAP Trust Community
4. SAP Parameter configuration
5.Import X.509 Certificate
We have SAP server certificate response signed by CA. So we have exported SAP server certificate in PSE format and imported on system PSE. Is this correct way of importing X.509 certificate into SAP system?
Install secure login client:
1.Installed SLC
2.Configured X.509 Certificate SNC Name in SAP GUI
3.User mapping in SU01 - X.509 Certificate
I assume that X.509 certificate to be available to all user station and it should be visible in secure login client. Do I need to provide SAP server certificate( .cer) to CA team to publish to all users station. ie Microsoft Certificate Store
Is both SAP server certificate signed by CA and X.509 certificate same?
While importing X.509 certificate into SAP system, I have followed below steps. Is it correct?
We have SAP server certificate response signed by CA. So we have exported SAP server certificate in PSE format and imported on system PSE.
Please advice.
Thanks !
↧
SNCWIZARD without SPNego
Hi,
I've used the SNCWIZARD to configure SNC SSO via the Secure logon client, and used SPNego to configure the keytab, however we don't want to enable Spnego via HTTP.
Does anyone know if it is possible to disable SPNego (via RZ10 parameter) but still use the SPNEGO transaction to maintain the keytab, or do we need to create a separate SAPSNCKERB.pse file?
Many thanks,
Jason
↧
↧
NW7.4 with Quest SSO and SNC encrypted connection outside domain with password
Hello,
We've got NW7.4 ABAP with 3th party SSO Quest/Dell. With possiblility for unencrypted connection and manual login with password.
My question is: Is possible encrypted connection from SAP GUI to NW ABAP when I'm not loged into domain for SSO?
If yes, what must be set into SAP GUI SNC tab?
Scenarios
1. SAP GUI (Quest SSO lib + DC login) ->>> NW AS ABAP (Quest lib + domain token) = SNC connection + SSO are OK
2. SAP GUI (SNC client encryption lib) ->>> NW AS ABAP (Quest lib + domain token) = Is it possible?
Can I use "SNC client encryption" lib or Quest lib on Fronend side?
thaks
Martin
↧
Kerberos authentication Failed: NTLM token found in authorization header
Hello,
We are facing some issues with kerberos authentication (using SAML2). We are switching from an identity provider server (Site A) to another (Site B)
The Identity provider configuration is: NW AS Java 7.4 + SAML2 and IDM federation ( with SPNego).
The Service provider is an Abap server.
Authentication Stack is kerberos followed by Login/Password (PasswordProtectedAuthentication using https).
Redirection to Idp is working fine but kerberos does not work and we go to the login password form. After checking traces we have this message.
"NTLM token found in authorization header during SPNego authentication"
I think it is an issue with the server aliases or the Active directory Service user So no kerberos token was generated. But we are unable to find the issue.
This is my spn configuration:
- Service user (Site A): SAPServiceSSP
- Service user (Site B): SAPServiceSSPRA
- setspn -l SAPServiceSSP
SAP/SAPServiceSSP
HTTPS/<Site A alias >.domain.com
HTTP/<Site A alias>.domain.com
HTTP/<sp alias>.domain.com
HTTPS/<sp alias>.domain.com
- setspn -l SAPServiceSSPRA
HTTPS/<Site B alias >.domain.com
HTTP/<Site B alias>.domain.com
SAP Secure login client is correctly installed and Kerbors works fine with the other systems and the old configuration (Idp from site A).
Thank you and regards,
Mehdi.
↧
Best way for upgrading?
Hello,
at the moment we are using the "old Secure Login Libery1.0" for SSO for our ABAP & JAVA-systems
On the clients there is also an old software (Secude Secure Login 5.0.4.2) installed
We got the new challenge to implement kerberos for our mobile solution (non SAP).
What do you think is the easiest way to handle this project?
Upgrading to SSO2 and implementing the new clientsoftware on all clients?
Kind Regards
Bernd
↧
Implementing SAP SSO for GUI
Hello experts,
We are planning to implement SAP SSO for GUI,
System Status
- SAP_BASIS 701 07
SAP_APPL 604 07 - The users are using system from say,
Daomain A and Domain B. - End users windows version : Windows7
- Windows Active idrectory : Windows 2008 R2
- Which method should we use, SSO using X.509 certificate or SSO using Kerberose?
- Is SPnego required for the SAP GUI SSO?
- Is license required even if we do not use SPNego for SAP SSO?
- Where to find License information for NWSSO, approx. cost?
↧
↧
SAP SSO SSL File
Hello Experts,
I am in process of installing and configuring SAP Netweaver SSO in our entire landscape.
I have read the installation guide for SSO 2.0 which statest the SSL pacakage can be downloaded from Market Place but i did not find it in the mentioned path.
I did some research and found that the SAPCRYPTO package can be used insteated of it. Can you please suggest is it possible and if it will bring some other difference?
Kind Regards,
Mohit
↧
Single Sign On for Citrix XenApp
Hi Everyone,
We are trying to implement SAP Single Sign-On 2.0 using Citrix apps and Secure Login Client.
According to the implementation guide there are two options:
. Secure Login Client with a Published Desktop
. Secure Login Client with a Published SAP Logon
In our scenario we have published apps instead of virtual desktops and Citrix is running with XenMobile profiles.
The guide doesn't specify whether Secure login client is going to work for a published app running on XenMobile profile or not.
Has anyone faced the same issue?
Thank you.
↧
Migration from Kerberos V5 to CommonsCrytolib
Hello,
we want to migrate from a non-SAP kerberos solution to SAP SSO 2. The existing systems (ABAP stack) have SNC and kerberos authentication activated using the standard MIT solution Kerberos (krb5) also in the client side.
We want to migrate to CommonsCryptolib but we are facing the following issues:
- With Krb5 in SU01 snc user mapping is: p:xxxxxxx@domain.com but with SAP SSO it should be: p:CN=xxxxxxxxxx@domain.com
- If we switch to CommonsCryptolib the Kerberos MIT client does not work. therefore, we would need to setup the SAP Secure Login Client however we do not have access to the systems configured with the krb5.
We are aware that SAP does not provide any support for non-SAP solution. However could you provide me any recommendations on how to migrate to SAP SSO without impacting the client side?
Regards,
Mehdi.
↧