Channel: SCN : All Content - SAP Single Sign-On

SAML Auto User Creation on the fly basis in SAP system


Hi All,

    

We have enabled SSO with ADFS SAML 2.0 for the SAP Gateway system. Now we can connect to the SAP application with SAML SSO using the user mapping option.

Our requirement is:

a) We have 200K end users to access our SAP Fiori application.

b) All 200K user ids are created in ADFS but not in SAP GW system.

 

We are planning to Sync all 200K user ids from LDAP to SAP GW but it is not a good approach and Security team will not accept to expose employee info.

 

 

So, We can see SAML SSO will provide a feature called on-the-fly Auto User creation.

 

I tried with below approaches to create user accounts on-the-fly basis:

 

Approach 1:

 

Name ID: Unspecified

 

UserID Source: Assertion Subject NameID

 

UserID Mapping Mode: User Alias

 

Allow Identity Provider to Create NameID: YES

 

These settings are working for user mapping with (a) User Alias and (b) Mapping in USREXTID table, type SA.

 

But if a new user is not mapped to a user ID in SAP, they are unable to access SAP Fiori. Here we want to create Auto User creation in the SAP system.

 

Approach 2:

 

NameID=Persistent

 

Account federation=Interactive Account linking.

 

Here, when I access my SAP Fiori application, after ADFS authentication, I am prompted with the SAP logon screen to enter the SAP user ID/password and check the federated local user account.

 

Once I did that, I successfully connected SAP Fiori tiles and second time login onwards, I am entering to SAP Fiori apps with SAML SSO.

 

But, here, I am seeing auto User creation option enablement.. as we have 300K users and it’s tough to create accounts and send all user credentials to users.

 

 

Please find the screenshots and help me to fix the issue.


I referred

 

SAP note: 0001799402 - Automatic account creation for SAML 2.0 SP

 

https://wiki.scn.sap.com/wiki/display/Security/Automatic+User+Account+Creation+and+Update+using+SAML+2.0+in+AS+ABAP

 

https://help.sap.com/saphelp_nw73/helpdata/en/2e/25659ad6834ce5b7f6c394fca79ee3/content.htm

 

http://scn.sap.com/community/sso/blog/2012/12/12/automatic-user-creation-in-as-abap-using-saml-20

 

Please help us here to fix the issue.

  

Thanks,

 

Nagaraju

 

+91-9008488440


SAP Fiori Portal Single Sign on with windows Active Directory


Hi Dear,

 

We are going to configure SSO on SAP Fiori with a Windows Active Directory server. Here is my setup:

 

  • SAP NW Gateway : Suse Linux
  • SAP ECC : Suse Linux
  • Active Directory : windows 2012 server


My question is

  1. Do I need to purchase any additional plugin for the GW and ECC servers to enable SSO, or is it available in the default system?
  2. Is there any step-by-step guide or document available? Please share the link.
  3. I have another issue, as our Active Directory user name is greater than 12 characters. Can it cause problems for our SSO configuration, or does SSO allow more than 12 characters to log in to the Fiori portal?

Please share your experience

NWBC Url prompt for User & PW


Hi all,

 

While using the NWBC URL directly in a browser, it's prompting for User ID & Password.

 

Any settings are missing. Please advise

 

Venkatesh Babu

SAP AD Integration with NetWeaver 7.5


Dear All,

 

 

I am searching for a solution to integrate our ABAP gateway (NetWeaver 7.5 SP01) with Microsoft Active Directory, to synchronize user ID and password from AD.

 

We have SSO, but this is a gateway server we are using for Fiori Launchpad only with ABAP Stack.

 

While using Fiori Launchpad from Mobile or tablet, user has to enter the Fiori user ID and password. We would like to avoid this and make the user ID same as the AD ID.

 

How can we achieve this? Which document to follow.

 

I found some configuration related to this in SPRO

 

SAP NetWeaver ---> Application Server ---> System Administration ---> Directory Integration

 

Configure LDAP Connector

Define LDAP Users

Configure LDAP Server

 

If we use SAP SSO, the AD Integration not required and the login procedure will be handled by SAP Secure login client. This is good if we use only laptop or Desktop. Will not work for Fiori Launchpad from Mobile devices.

 

 

Looking for a solution and guidelines to proceed further.

 

Thanks in advance.

 

 

 

Regards,

 

Abu Sandeep

SAP FIORI Launchpad SAML2 SSO with 3rd party IDP


Hi,

 

I have configured SP-initiated SSO with Siteminder IDP for SAP FIORI Launchpad. The setup works well. We have a 60-minute idle timeout for SAML sessions and SAP HTTP sessions.

 

Everything works well, but the issue only occurs if anyone keeps the Launchpad idle for more than 60 minutes (a break for lunch is the usual culprit).

 

How do we handle this timeout and request user to logon again?

 

Here is the Sec_diag logs.

 

SAML20 <ns2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">

SAML20

SAML20 <ns2:SubjectConfirmationData NotOnOrAfter="2015-06-26T16:01:57Z"

SAML20 Recipient="https://mysap.avaya.com:443/sap/saml2/sp/acs/110" />

SAML20 </ns2:SubjectConfirmation>

SAML20 </ns2:Subject>

SAML20 <ns2:Conditions NotBefore="2015-06-26T15:59:57Z"

SAML20 NotOnOrAfter="2015-06-26T16:01:57Z">

SAML20 <ns2:AudienceRestriction>

SAML20 <ns2:Audience>GWP-SP</ns2:Audience>

SAML20 </ns2:AudienceRestriction>

SAML20 <ns2:AudienceRestriction>

SAML20 <ns2:Audience>https://mysap.avaya.com</ns2:Audience>

SAML20 </ns2:AudienceRestriction>

SAML20 </ns2:Conditions>

SAML20 <ns2:AuthnStatement AuthnInstant="2015-06-26T16:00:26Z"

SAML20 SessionIndex="czjOI2bdNDR+NbqsraJGAsfLRV0=j+KycA=="

SAML20 SessionNotOnOrAfter="2015-06-26T16:01:57Z">

 

 

 

After 60 minutes, when users try to use the same session, they get the error below:

 

SAML20 CX_SAML20_CORE: The validation of message 'Response' failed. Long text: The validation of message 'Response' failed.

SAML20     at CL_SAML20_RESPONSE->VALIDATE_ASSERTION(Line 57)

SAML20     at CL_SAML20_RESPONSE->VALIDATE(Line 60)

SAML20     at CL_SAML20_SSO->VALIDATE_RESPONSE(Line 87)

SAML20     at CL_HTTP_SAML20->PROCESS_LOGON(Line 340)

SAML20     at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 62)

SAML20     at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2517)

SAML20 Caused by: CX_SAML20_ASSERTION: All 'SubjectConfirmation' elements are invalid. Long text: All 'SubjectConfirmation' elements are invalid.

SAML20     at CL_SAML20_ASSERTION->VALIDATE_SUBJECT_SSO(Line 116)

SAML20     at CL_SAML20_ASSERTION->VALIDATE_ASSERTION(Line 27)

SAML20     at CL_SAML20_RESPONSE->VALIDATE_ASSERTION(Line 50)

SAML20     at CL_SAML20_RESPONSE->VALIDATE(Line 60)

SAML20     at CL_SAML20_SSO->VALIDATE_RESPONSE(Line 87)

SAML20     at CL_HTTP_SAML20->PROCESS_LOGON(Line 340)

SAML20     at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 62)

SAML20     at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2517)

SAML20 Caused by: CX_SAML20_ASSERTION: Attribute 'NotOnOrAfter' of element 'SubjectConfirmationData' is invalid. Long text: Attribute 'NotOnOrAfter' of element 'SubjectConfirmationData' is invalid.

SAML20     at CL_SAML20_ASSERTION->VALIDATE_SUBJECT_SSO(Line 92)

SAML20     at CL_SAML20_ASSERTION->VALIDATE_ASSERTION(Line 27)

SAML20     at CL_SAML20_RESPONSE->VALIDATE_ASSERTION(Line 50)

SAML20     at CL_SAML20_RESPONSE->VALIDATE(Line 60)

SAML20     at CL_SAML20_SSO->VALIDATE_RESPONSE(Line 87)

SAML20     at CL_HTTP_SAML20->PROCESS_LOGON(Line 340)

SAML20     at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 62)

SAML20     at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2517)

 

<ns2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">

SAML20

SAML20 <ns2:SubjectConfirmationData NotOnOrAfter="2015-06-26T16:01:57Z"

SAML20 Recipient="https://mysap.avaya.com:443/sap/saml2/sp/acs/110" />

SAML20 </ns2:SubjectConfirmation>

SAML20 </ns2:Subject>

SAML20 <ns2:Conditions NotBefore="2015-06-26T15:59:57Z"

SAML20 NotOnOrAfter="2015-06-26T16:01:57Z">

SAML20 <ns2:AudienceRestriction>

SAML20 <ns2:Audience>GWP-SP</ns2:Audience>

SAML20 </ns2:AudienceRestriction>

SAML20 <ns2:AudienceRestriction>

SAML20 <ns2:Audience>https://mysap.avaya.com</ns2:Audience>

SAML20 </ns2:AudienceRestriction>

SAML20 </ns2:Conditions>

SAML20 <ns2:AuthnStatement AuthnInstant="2015-06-26T16:00:26Z"

SAML20 SessionIndex="czjOI2bdNDR+NbqsraJGAsfLRV0=j+KycA=="

SAML20 SessionNotOnOrAfter="2015-06-26T16:01:57Z">

SAML20 <ns2:AuthnContext>

SAML20 <ns2:AuthnContextClassRef>

SAML20 urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ns2:AuthnContextClassRef>

SAML20 </ns2:AuthnContext>

SAML20 </ns2:AuthnStatement>

SAML20 <ns2:AttributeStatement>

SAML20 <ns2:Attribute Name="uid"

SAML20 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">

SAML20

SAML20 <ns2:AttributeValue>sAMAccountName</ns2:AttributeValue>

SAML20 </ns2:Attribute>

SAML20 </ns2:AttributeStatement>

 

 

Thanks in advance.

 

Santosh Lad
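
An added example, not part of the original post and not SAP code: a small checker that reads Sec_diag-style trace lines like those pasted above, extracts the assertion's time bounds, and evaluates them at a given instant. The `TRACE` sample is constructed from values shown in the post; the function names, the evaluation times and the clock-skew parameter are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: a subset of the trace lines shown in the post above.
TRACE = """\
SAML20 <ns2:SubjectConfirmationData NotOnOrAfter="2015-06-26T16:01:57Z"
SAML20 Recipient="https://mysap.avaya.com:443/sap/saml2/sp/acs/110" />
SAML20
SAML20 <ns2:Conditions NotBefore="2015-06-26T15:59:57Z"
SAML20 NotOnOrAfter="2015-06-26T16:01:57Z">
SAML20 <ns2:AuthnStatement AuthnInstant="2015-06-26T16:00:26Z"
SAML20 SessionIndex="czjOI2bdNDR+NbqsraJGAsfLRV0=j+KycA=="
SAML20 SessionNotOnOrAfter="2015-06-26T16:01:57Z">
"""

# The trace is a fragment, not well-formed XML, so tags are matched with
# regular expressions instead of an XML parser.
TAG_RE = re.compile(r"<(?:\w+:)?(\w+)\s([^<>]*)>")
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
TIME_ATTRS = ("NotBefore", "NotOnOrAfter", "SessionNotOnOrAfter", "AuthnInstant")


def parse_ts(value):
    """Parse a SAML UTC timestamp such as 2015-06-26T16:01:57Z."""
    parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
    return parsed.replace(tzinfo=timezone.utc)


def extract_time_bounds(trace):
    """Return {(element, attribute): datetime} for every time attribute."""
    # Drop the "SAML20" trace prefix and rejoin tags split across lines.
    text = " ".join(re.sub(r"^SAML20\s*", "", ln) for ln in trace.splitlines())
    bounds = {}
    for match in TAG_RE.finditer(text):
        element, attrs = match.group(1), dict(ATTR_RE.findall(match.group(2)))
        for name in TIME_ATTRS:
            if name in attrs:
                bounds[(element, name)] = parse_ts(attrs[name])
    return bounds


def validity_window(bounds):
    """Length of the Conditions window (NotOnOrAfter minus NotBefore)."""
    return bounds[("Conditions", "NotOnOrAfter")] - bounds[("Conditions", "NotBefore")]


def violated_bounds(bounds, now, skew=timedelta(0)):
    """List the (element, attribute) bounds that do not hold at `now`.

    `skew` is a hypothetical clock-skew tolerance applied in the
    receiver's favour on both ends of the window.
    """
    failed = []
    for (element, attr), ts in sorted(bounds.items()):
        if attr == "NotBefore":
            ok = now + skew >= ts
        elif attr in ("NotOnOrAfter", "SessionNotOnOrAfter"):
            ok = now - skew < ts          # upper bounds are exclusive
        else:
            continue                      # AuthnInstant is informational
        if not ok:
            failed.append((element, attr))
    return failed


if __name__ == "__main__":
    b = extract_time_bounds(TRACE)
    print("Conditions window:", validity_window(b))
    # Constructed evaluation times: shortly after issuance, and one hour later.
    for label, now in (
        ("at issuance", datetime(2015, 6, 26, 16, 0, 30, tzinfo=timezone.utc)),
        ("one hour on", datetime(2015, 6, 26, 17, 0, 30, tzinfo=timezone.utc)),
    ):
        print(label, "->", violated_bounds(b, now) or "all bounds hold")
```

Running it on the sample shows a two-minute window around issuance, with `SubjectConfirmationData/NotOnOrAfter` among the bounds that no longer hold an hour later, which is the attribute named in the exception chain.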

SSO works on SAPGUI, but not on WebGUI


Hi experts,

 

I'm using X.509 certificate, I have two Servers, both available on SAPGUI and WebGUI.

But I'm facing some problems.

 

I can logon using SSO in Server A, both SAPGUI and WebGUI.

I can logon using SSO in Server B, only SAPGUI, but WebGUI still prompts logon page asking for ID and Password.

 

It seems that my Secure Login Client works well, and the configurations on Server A and B works because I can SSO in SAPGUI.

 

So what might be the problem that causes my failure to log on to Server B in WebGUI?

Secure Login Client Breaks NTLM Single Sign On - Catch 22


We currently use NTLM single sign on for SAP on Windows. As soon as kerberos is enabled on an SAP system, it breaks sso on all PCs that don't have SAP Secure Login.  If we install SAP Secure Login on a PC, it breaks sso for any systems for which spnego/kerberos isn't enabled yet.

 

 

It is not feasible for our company to roll out kerberos and secure login client as a "big bang" without testing.  How can we transition so we do this in development first, then consolidation, then production?

 

 

 

Current Solution:

sec/libsapsecu = $(DIR_EXECUTABLE)\sapcrypto.dll

snc/gssapi_lib = $(DIR_EXECUTABLE)\gx64ntlm.dll

snc/identity/as = p:OURDOMAIN\SAPServiceSID

 

In su01, on the SNC tab, we specify p:NEXEOSOLUTIONS\<User Id>

 

 

New solution:

snc/identity/as= p:CN=KerberosSID@OURDOMAIN.COM
spnego/enable =1

spnego/krbspnego_lib = $(DIR_EXECUTABLE)\SLL\sapcrypto.dl

 

In su01, on the SNC tab, we specify p:CN=<User Id>@OURDOMAIN.COM

Using single sign-on with .NET portal


Dear, experts.

 

    Please help me with this subject.

 

    I'm new in SAP Portal and I'm totally newbie about SSO and External Portal Systems.

 

    Can you guys help me with how we can configure or connect an external portal using Single Sign-On? We would like to connect a portal built in .NET with the SAP Enterprise Portal 7.4 using SSO.

 

     I've been reading topics like SSO to Non SAP Systems with SAPSSOEXT; however, I got confused about the terminology, how it works and what steps we should take.

 

     Could you please suggest me how to proceed with this? Or any other idea to connect SAP Portal with Non SAP system?

 

Thanks in advance.

 

Regards,


Single Sign-On and data protection for SAP GUI in an Enterprise Portal scenario


SAP GUI and Enterprise Portal

Many customers use transaction iViews in the SAP Enterprise Portal to launch the SAP GUI for Windows. This allows them to provide role-based access to SAP GUI transactions to their end users. In addition the Portal is also able to issue logon tickets, which in the past were sometimes used for SAP GUI single sign-on to an ABAP backend system.

Need for change

The described way of integrating SAP GUI access with the Portal has two drawbacks:

  • Using the logon ticket for single sign-on is an outdated approach, as modern single sign-on technologies based on industry standards are more secure and more flexible to integrate
  • Logon tickets can only be used for authentication. They do not allow SAP GUI to protect the data transmission against network sniffers

 

Entering SNC with SAP Single Sign-On

Using Secure Network Communication (SNC) based on SAP Single Sign-On for secure authentication and data protection has become a best practice for SAP customers worldwide. The product supports Kerberos and X.509 certificates as security tokens, which are superior to logon tickets. Implementing the solution for the standalone SAP GUI for Windows is pretty straightforward. Doing the same for SAP GUI for Windows launched from a Portal transaction iView is also easy, if you know which parameters to set.

 

How do I combine the 2 scenarios?

Let's assume you have an iView in the Portal that successfully launches a SAP GUI for Windows connection. Let's also assume that you already have successfully configured SAP Single Sign-On for SAP GUI and the respective ABAP backend system. Now you want to bring the two scenarios together.

 

To do this, you just need to set 4 parameters in the Portal configuration for the System object.

 

In the User Management section of the "Basic" properties you need to set the Logon Method to X509CERT. Please note that this is required even if you are not using X.509 certificates for SNC at all, but rather Kerberos.

 

In addition there are 3 properties in the list of all parameters that you need to set:

portal.png

  • SNC Mode = 1 --> This activates SNC for this system.
  • SNC QOP = 9 --> This implies that the maximum security level of SNC should be used. The value 9 includes both single sign-on and data protection.
  • SNC Partner Name --> This is the SNC name of the ABAP backend system, which is what we need here. The parameter "SNC Name" refers to the Portal itself and is not relevant in this scenario.

 

These are the same settings as in SAP Logon, where you find them on the "Network" tab for the connection:

snc.png

 

With these settings in place, SAP GUI for Windows launched from the Portal will use the same SNC connection settings as the standalone SAP GUI for Windows, providing you with single sign-on and secure data transfer, powered by SAP Single Sign-On.

 

Please note: SAP GUI authenticates to the ABAP backend using the credentials that are part of the SNC security token, for example the authenticated Windows user. This is independent of the Portal session, where the end user could have used a different identity to authenticate.

otpadmin redirects to otp


I’m trying to use the OTP Login Module. Strangely whenever I’m calling the admin web-module with the URL http://java-as:port/otpadmin it redirects to the otp user interface (http://java-as:port/webdynpro/resources/sap.com/sso~otp~wd/OTP#). Tracing didn’t give me any further clue. Why is this happening? Any idea is highly appreciated.

SNC/SSO Migration from MIT Kerberos to SAP cryptolib.


Hello Experts

 

Currently we have SNC/SSO with MIT Kerberos. Could you please let me know the procedure to migrate it to SAP cryptolib?

 

Thanks in advance

 

Karthik

Featured Content in SAP Single Sign-On



Single Sign-On and Data Protection for SAP GUI in an Enterprise Portal Scenario

Read the latest blog by Christian Cohrs and learn how easy it is to provide single sign-on and secure data transfer for SAP GUI in an Enterprise Portal scenario, leveraging the functionality of SAP Single Sign-On. March 18, 2016

 

Single Sign-On with Kerberos: New Videos Available!

Check out our new videos about setting up Kerberos-based SSO for Application Server ABAP. Learn step-by-step how easy this is using the SNC Wizard and Kerberos transaction. Watch now. January 27, 2016

 


Protect your AS Java Application with Two-Factor Authentication based on One-Time Passwords

Do you want to protect your application running on AS Java using two-factor authentication based on time-based one-time passwords? Check out Donka Dimitrova’s latest blog and learn how to configure this step-by-step. January 13, 2016

HANA does not accept mysapsso2 ticket


hi all, we are trying to get an SSO working by generating a mysapsso2 ticket from portal and importing the cert onto the HANA xs trust manager , but when we try accessing HANA it still prompts with a login page

 

GET https://acp-as.abcd.com.au:1443/sap/hba/r/sb/core/odata/modeler/SMART_BUSINESS.xsodata;o=DMGERP/Catalogs(%27HANA_CATALOG_MODELER%27)/Chips?filter=id%20eq%20%27SAP_SB_MODELER_ASSOCIATION%27%20or%20id%20eq%20%27SAP_SB_MODELER_AUTHORIZATIONHTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0

Accept: application/json

Accept-Language: en

Accept-Encoding: gzip, deflate

X-CSRF-Token: Fetch

sap-language: EN

MaxDataServiceVersion: 3.0

X-XHR-Logon: accept="iframe"

X-Requested-With: XMLHttpRequest

Cookie: spUserid=1211; _userid=acv%5Cjjoy; sap-usercontext=sap-language=EN&sap-client=100; MYSAPSSO2=AjExMDADAgAAtwb3J0YWw6SkpveYgAB2RlZmF1bHQBAARKSk9ZAgADMDAwAwADUE9QBAAMMjAxNjAzMjAyMjUyBQAEAAAACAoABEpKT1n%2FASQASwggEgBgkqhkiG9w0BBwKgggERMIIBDQIBATELMAkGBSsOAwIaBQAwCwYJKoZIhvcNAQcBMYHtMIHqAgEBMD4wNTELMAkGA1UEBhMCQVUxJjBNAAkBgNVBAMTHXBvcC1hcy0wMS5pbnRlcm5hbC5tZ2MuY29tLmF1AgUAsU3KRTAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQATREHATAcBgkqhkiG9w0BCQUxDxcNMTYwMzIwMjI1MjQ2WjAjBgkqhkiG9w0BCQQxFgQUmT5nIUin9v!VaK04v62jYUi41W8wCQYHKoZIzjgEAwQwMC4CFQDVsRU1Zy9Fh3bIgAgpz3uxPfcebwIVAL05xsnt4uNNv0QIRroC7vfECzJd; SAP_SESSIONID_ADP_100=FTnsVkEUDIMh4KiA6C4DlHaC7lfu7hHlgPUAUFakICs%3d

 

HTTP/?.? 401 Unauthorized
Content-Type: text/html

Content-Length: 2003

WWW-Authenticate: Basic realm="SAP HDB System"

Date: Sun, 20 Mar 2016 23:07:49 GMT

Content-Encoding: gzip

 

would anyone help with generating detailed from HANA db .

 

regards

Jonu Joy

sap marketplace SSO


   Hi ,

 

I am unable to make the single sign-on from my browser, Internet Explorer 11, to SAP OSS ( support.sap.com ) because of an ActiveX problem.

I checked the ActiveX controls and all seems OK, but when I try to apply for the SAP Passport it always gives me the same error:

 

Error - Applying for an SAP Passport

The SAP Passport was not installed in your browser.
  1. No technical request data was transferred from the previous page. Usually this occurs if ActiveX is not enabled.
  2. Enable 'Active X plugins' in the Internet Explorer:
    Tools> Internet Options > Tab Security  >  Custom Level... > Mark Run ActiveX controls and plug-ins.
  3. Click on Apply for SAP Passport again.

 

 

 

any idea?

SSO and SuccessFactors


Hi All,

 

I was hoping you could clarify if it is possible to use SSO with SuccessFactors in the following scenario:

 

A user is forced to login to SuccessFactors even though they are already logged into the local network, but SuccessFactors uses the password from the active directory of the local network.

 

I am a bit confused as to how we would go about achieving this, or if it is even possible! Any guidance would be greatly appreciated.

 

Thanks

 

John


NW-SSO with Kerberos - Recommendation for Multiple Application server & RAC


Hello Team

 

We are in process to implement SAP NW SSO using Kerberos in our SAP environment.  I am looking for recommendation on some of the setup requirement in following scenarios

 

SAP Production CI + 10 Application Server

 

 

1.  Service user id   - I understand everyone recommends creating a service id for each SAP instance to reduce the impact of service id credential issues.

        -  But has anyone tried to create a service user id for each Production Application server for a single Production system?  For e.g. - 10 SAP Application servers will have 10 service ids but one SPN.  With this setup, we have to create a separate SAPSNCKERB.pse for each application server.

 

2.  We are sharing the Kernel directory but not "SEC".  Each application server has /usr/sap/SID/D<Instance no>/sec ( /usr/sap/ABC/D00/sec)

     -  Should we create Kerberos Keytab PSE for one server and copy them to rest of in "secudir" path.

 

3.   Should we setup SNC parameters in Default or Instance profile ( we are not using SNCWIZARD but I have noticed SAP updated all SNC in default if I use the Wizard)

 

 

Let me know if you have any further recommendation.

 

Thank you


Santosh.

SPNEGO - sometimes still prompted for ICWEB login


Gurus,

 

Love the SSO "Space" here on SCN.  I'd like to share something I'm seeing and let you folks tell me what you think!

 

We have about a 150 folks using the so-called "ICWEB" client...aka Interaction Center webclient .... AKA CRM.

 

Here's our CRM netweaver stack version and other info:

 

SAP_BASIS 740     SAPKB74012

SAP_ABA 740     SAPKA74012


Kernel = unicode 7.42v225

OS = AIX 6.1

SP05 for Secure Login Library


All End User PCs have:


Windows7 Enterprise SP01

IE10

32-bit systems

Secure login client 2.0 SP5


SPnego has been configured, and it works great about 99% of the time.  By "working great", I mean when the end user accesses our "ICWEB" URL they get in without the need for their SAP CRM password.


Our URL is something like http://SAPwebDispatcher.ourdomain.com:PORT/sap/crm_logon


99% of the time, they get right in to ICWEB and are either prompted to select their business role (if they have more than one) or they get right to the ICWEB interaction center (if they only have one business role).  that's what we want!


but the other 1% of the time, the end-users are prompted still for credentials, like so:


ICWEBLoginScreen.png


When this happens, the only work around that "works" is to go up to the top of the IE window, where you see the "Logon" tab for ICWEB:


LogonTab.png



Just to the left of "Logon" is the little circular arrow thingee:


LogonArrow.png

And if the users click on that one or two times, we do get past the login screen and am able to get into ICWEB.


This has been very strange.  I've seen it before on my PC and a few others have reported it.  But it is rare so much that I wouldn't begin to think to open an incident since this cannot be consistently reproduced.




So.....knowing what I have described what do you folks think?


I looked at the latest patches for SP05 and SP06, but the notes for each of those updates don't mention anything like this as being "resolved" in any new patches for SLC.



I look forward to some ideas!


Thanks as always


NICK














SSO Between CRM ISA and Biller Direct


Environment:

 

CRM ISA Standalone(Hosted on NW 7.3)  using CRM Standalone authentication with email address.

Biller Direct (Hosted on NW 7.0) Standalone using CRM Standalone authentication with email address.


Both are using the same CRM system for authentication.


Question:


Is there any way we can do SSO from CRM ISA to Biller Direct?

Secure Login Server - LDAP Destination with multiple servers?


Hi Experts,

Is it possible to define in the Secure Login Server Destination Management an LDAP Destination with more than one LDAP host? We use this destination in order to map a specific LDAP attribute and use this as the certificate CN.

 

Thanks for helping

 

Carsten

SNC does not work on additional application servers


Hi,

 

I have set quite a few servers to connect with SSO to ABAP Stacks. It is not a problem when it is a single instance system but I struggle with distributed systems. The central instance will start without a problem but the additional dialogue instances (on different servers) do not start and I have to disable snc on those servers. The error is always

 

SncInit(): Initializing Secure Network Communication (SNC)

N        PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)

N        GetUserName()="<SID>adm"  NetWkstaUser="<SID>ADM"

N  SncInit():  found snc/data_protection/max=3, using 3 (Privacy Level)

N  SncInit():  found snc/data_protection/min=2, using 2 (Integrity Level)

N  SncInit():  found snc/data_protection/use=3, using 3 (Privacy Level)

N  SncInit(): found  snc/gssapi_lib=\\sapprod\sapmnt\P01\sys\global\sll\secgss.dll

N    File "\\servername\sapmnt\SID\sys\global\sll\secgss.dll" dynamically loaded as GSS-API v2 library.

N    The internal Adapter for the loaded GSS-API mechanism identifies as:

N    Internal SNC-Adapter (Rev 1.0) to SAP Netweaver Single Sign-On v1.x

N    FileVersionInfo: InternalName= CryptoLib, FileVersion= 8.3.7.7

N  SncInit():  found snc/identity/as=p:CN=<…>

N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1445]

N        GSS-API(maj): No credentials were supplied

N      Could't acquire ACCEPTING credentials for

N      name="p:CN=<….>"

N      FATAL SNCERROR -- Accepting Credentials not available!

N      (debug hint: default acceptor = "p:CN=DummyCredential")

N  <<- SncInit()==SNCERR_GSSAPI

N          sec_avail = "false"

M  ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c    237]

M  *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c    239]

 

We have several distributed systems and it is the same problem on all systems. Only the central instance can use SNC.

I have added screenshots of the snc.exe from the central instance and the app server to this post. Irrespective of using the (replicated) pse on the app server or using the one on the central instance (via SECUDIR variable), snc cannot log in to the pse.

 

Does anyone know what the problem might be?

 

Regards

Andreas
