Channel: SCN : All Content - SAP Single Sign-On
Viewing all 865 articles
Browse latest View live

Error : No Host Found

Hello,

 

Need your kind advice on the SSO issue.

 

When we try to access the SSO server through MPLS it gives us an error "No Host Found", whereas when connected to VPN it works fine. Please suggest what could be the issue.

 

Thanks,

Nitin Sherry


How to configure SAP NetWeaver for SAML 2.0 SP and SSO, SLO.

Connecting External System with SAP ABAP Server using SNC

Hi Experts,

 

We have our SAP servers configured with SNC. And we want to connect external GRC tool with SAP server.

Please let me know how to configure external GRC application to use with SNC connection to the SAP server.

 

We have enabled SNC with the SAP SSO security product in the SAP ABAP system.

What is the required configuration on the external system side?

 

Thanks,

sanket.

SSO issue in Upgraded Netweaver 7.4

Hi experts,

 

We have completed the SAP Portal Upgrade from Netweaver 7.0 to 7.4 .

 

In Netweaver 7.0, we configured SSO between Windows Active Directory and the Portal with the help of SAP note 1457499 and the attached configuration guide. It worked fine before the upgrade process.

But now in Netweaver 7.4 it does not work, so we configured SSO again as per step 4 of the below SCN link for configuring SSO between Java and Windows Active Directory. Even after completing that configuration, SSO is still not working.

Please provide us your valuable suggestions to fix the SSO in Netweaver 7.4.

SSO configuration in SCN: Single Sign-On with Kerberos (Enable Single Sign-On on SAP AS JAVA)

 

 

Regards

Sebastian A

SNCERR_CONTEXT_EXPIRED during Citrix Timezone redirection

Hello,

 

We have an environment to provide connectivity to our remote users. They can join the local environment using RDP or VDI to connect to our systems when VPN access is not possible. Everything works well, but when we activate the time-zone redirection feature, SSO stops working if the time-zone of the remote user is equal to or greater than 10 hours (as this is the lifetime of the Kerberos tickets).

 

Error we get is SNCERR_CONTEXT_EXPIRED.

 

I have already tried all the standard available solutions and an incident is already opened with SAP, but so far no solution there.


I hope to get some help here.


Thanks.


Anand

Authorizations for AD user while implementing SSO using NWSSO2.0 X.509 certificates

Hello Experts,

 

We are implementing SSO for SAP GUI using NWSSO2.0 X.509 certificates based solution.

 

Is anybody aware which authorizations should be assigned to the service user we create in the MS-AD server?

GRC 10.1 End user Logon SSO with LDAP

Hello All,

 

 

Could you please help me in configuring SSO between LDAP and GRC for the end user logon functionality? I do not see a post which talks clearly about this.

I have configured the LDAP server in GRC and created an LDAP connector which is working fine, and our security team is able to sync all the LDAP users into the GRC system.

As part of GRC ARM end user logon, I now need to configure SSO between LDAP and GRC.

The user should be able to access the GRC system with his LDAP authentication for requesting SAP access in the landscape.

We don't create an ID for the user in SAP GRC, but he will be able to access the GRC system with his LDAP authentication.

If this can be achieved by exchanging the certificates between LDAP and GRC, what kind of certificate should I ask our LDAP team to provide to add in STRUST of GRC?

I have gone through SAP note 1733442, which only talks about approaches to follow, but there is no detailed process available for it.

I'm trying to achieve SSO by the below approach as explained in the note:

SSO via Browser with Certificate Auth (As we do in SAP)

1. Sync all AD users into GRC ABAP without password.
2. Setup Certificate issuer to Authenticate against AD.
3. Setup GRC ABAP to trust that Certificate Authority/issuer.
4. Login into Certificate Generator App on computer, get the certificate in browser, access GRC 10 application URL.

Please let me know.

Regards,

Shakeel Samdani

shakeepbf@gmail.com

An error has occurred: SYSTEM_DOES_NOT_CREATE_TICKETS

Hi All,

 

I am unable to create a trusted connection between our NW Java & ABAP servers.

 

While trying to create a trusted system in the JAVA system I am getting the below error message.

 

An error has occurred: SYSTEM_DOES_NOT_CREATE_TICKETS 

 

In the back end system I maintained both the sso2 parameters.

 

login/accept_sso2_ticket=1

login/create_sso2_ticket=2

 

Even we maintained the icm/host_name_full

 

sso1.JPG

 

Also, we created the backend system in the portal, and when trying to test the connection we are getting the below error.

 

sso2.JPG

 

Need your help in getting this fixed. We are able to create the connection in our development and Quality servers. The issue is occurring in the PRD server only.

 

Let me know if you need any further information on this.

 

Thanks,

Mahesh.


Gateway Login page is coming after timeout with SAML ADFS Integration

Hi All,

 

We have implemented SAML with ADFS for Fiori. When we launch the application it asks for AD credentials, but when we keep the session open for some time (till timeout) it redirects us to the Gateway login page; it does not redirect us to the AD login page.

Kindly help with your suggestions on how we can redirect it to the AD login at the time of timeout.

We have maintained the logoff property with the same URL (https://hostname:port/sap/bc/ui2/flp/FioriLaunchpad.html) which we are using for launching the application.

 

 

Regards,

Trilochan

ADFS 3.0 Abap SSO

Hi

 

I have already configured ABAP SSO with ADFS 2.0 successfully. Now, I have to perform this with ADFS 3.0.

 

I am facing one issue. In ADFS version 2.0 I have to export the IIS certificate from the ADFS server and import it into SAP "SSL Client SSL Client (standard)"; in ADFS 3.0 IIS is no longer used. I don't know which certificate I need to export from ADFS 3.0. Please guide.

The metadata file retrieved from the SAML 2.0 Configuration of ABAP System is of type "WSFED" and not the required "SAML2.0"

Dear Gurus,

 

I'm trying to get Single Sign-On working between a Trusted Provider (CA Siteminder) and a Netweaver Gateway.

So far we went through the tutorials to configure the Gateway so that it is linked with the Trusted Provider.

 

SSO-SAML-Trusted_provider.PNG

 

The guy responsible for the Trusted Provider then asked us to provide the metadata file of the Gateway.

SSO-SAML_Local_Provider.PNG

 

We provided him the metadata file but when he is trying to load this metadata file into his system, it is complaining about the fact that it is a "WSFED" file instead of a "SAML 2.0".

 

Our metadata contains a node "m:RoleDescriptor"

<m:RoleDescriptor 
xsi:type="fed:ApplicationServiceType" 
protocolSupportEnumeration="http://docs.oasis-open.org/ws-sx/ws-trust/200512 http://schemas.xmlsoap.org/ws/2005/02/trust http://docs.oasis-open.org/wsfed/federation/200706" 
xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

This is the only reference to WSFED we could find in the entire metadata file we downloaded from the configuration.

Does any of you have a clue what the possible problem could be?

 

Thanks

 

Kind regards

Jérémy

 

 

SAML Integration Auto Direct

Hello All,

 

We are using SAML 2.0 Integration for SAP Netweaver Business Client.

 

When we try to open our SWBC link https://<hostname>:44300/nwbc/?sap-client=100&sap-language=TR&sap-nwbc-node=root&sap-theme=sap_corbu it first directs us to its login page.

 

2016-05-05_14-56-59.png

 

And if we click Continue in the NW Portal login, it directs us to the IDP login page. After successful login, it goes to the NWBC screen.
2016-05-05_14-57-39.png

 

 

Because we have only one IDP source, we want to disable the first screen, where we select the IDP source and click Continue, and direct the users to the IDP login page automatically.

 

Is there any way to do it?

regards

Tutku

IE and Firefox pop up Windows Login Window

I configured Kerberos and X.509 SSO for the SAP CRM system. It is working well for SAP GUI, but if I log in for the first time in CRM Web UI, both browsers pop up a Windows Login Window. But it doesn't happen on the next login. I implemented all the recommendations for security in these browsers.

 

Is it possible to avoid Windows Login for first time?

HANA does not accept mysapsso2 ticket

Hi all, we are trying to get SSO working by generating a mysapsso2 ticket from the portal and importing the cert onto the HANA XS trust manager, but when we try accessing HANA it still prompts with a login page.

 

GET https://acp-as.abcd.com.au:1443/sap/hba/r/sb/core/odata/modeler/SMART_BUSINESS.xsodata;o=DMGERP/Catalogs(%27HANA_CATALOG_MODELER%27)/Chips?filter=id%20eq%20%27SAP_SB_MODELER_ASSOCIATION%27%20or%20id%20eq%20%27SAP_SB_MODELER_AUTHORIZATION HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: application/json
Accept-Language: en
Accept-Encoding: gzip, deflate
X-CSRF-Token: Fetch
sap-language: EN
MaxDataServiceVersion: 3.0
X-XHR-Logon: accept="iframe"
X-Requested-With: XMLHttpRequest
Cookie: spUserid=1211; _userid=acv%5Cjjoy; sap-usercontext=sap-language=EN&sap-client=100; MYSAPSSO2=AjExMDADAgAAtwb3J0YWw6SkpveYgAB2RlZmF1bHQBAARKSk9ZAgADMDAwAwADUE9QBAAMMjAxNjAzMjAyMjUyBQAEAAAACAoABEpKT1n%2FASQASwggEgBgkqhkiG9w0BBwKgggERMIIBDQIBATELMAkGBSsOAwIaBQAwCwYJKoZIhvcNAQcBMYHtMIHqAgEBMD4wNTELMAkGA1UEBhMCQVUxJjBNAAkBgNVBAMTHXBvcC1hcy0wMS5pbnRlcm5hbC5tZ2MuY29tLmF1AgUAsU3KRTAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQATREHATAcBgkqhkiG9w0BCQUxDxcNMTYwMzIwMjI1MjQ2WjAjBgkqhkiG9w0BCQQxFgQUmT5nIUin9v!VaK04v62jYUi41W8wCQYHKoZIzjgEAwQwMC4CFQDVsRU1Zy9Fh3bIgAgpz3uxPfcebwIVAL05xsnt4uNNv0QIRroC7vfECzJd; SAP_SESSIONID_ADP_100=FTnsVkEUDIMh4KiA6C4DlHaC7lfu7hHlgPUAUFakICs%3d

 

HTTP/?.? 401 Unauthorized
Content-Type: text/html
Content-Length: 2003
WWW-Authenticate: Basic realm="SAP HDB System"
Date: Sun, 20 Mar 2016 23:07:49 GMT
Content-Encoding: gzip

 

would anyone help with generating detailed from HANA db .

 

regards

Jonu Joy

Fiori SAML AD

Hi,

 

I have a Fiori ABAP based system connected to an ECC backend. I also have an SAP Netweaver 7.5 box to configure SSO. The apps need to be accessed from inside the network. What would be the best architecture to enable SSO?

 

From the docs I have read, I think there should be another AS Java system which should integrate between AD and Fiori - probably configure SAML steps as mentioned in Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet ?

 

But how do I set up the "identity provider", or in my language, integration with AD? Would I need to install SAP Single Sign-On or some other add-on to enable this?

 

Thanks in advance.


SNCWIZARD without SPNego

Hi,

 

I've used the SNCWIZARD to configure SNC SSO via the Secure logon client, and used SPNego to configure the keytab, however we don't want to enable Spnego via HTTP.

 

Does anyone know if it is possible to disable SPNego (via RZ10 parameter) but still use the SPNEGO transaction to maintain the keytab, or do we need to create a separate SAPSNCKERB.pse file?

 

Many thanks,

Jason

SSO for SAP on a standalone windows server

Hi Experts,

We are implementing SLC and the Sell side systems are installed in the DMZ, not joined to the Windows domain. The servers are Windows 2012 R2. In our landscape, for all other systems, installed in the LAN, we have SSO in place using Microsoft Kerberos SSP. The customer wants to use the same technology for the Sell Side system as well. I know we can use SNC for standalone Windows servers using SNC Client encryption, but SSO is not possible without SAP Single Sign-On, for which the customer does not have a license.

Can someone tell me if it is possible to set up SSO using the Microsoft Kerberos wrapper library using local accounts and a keytab, the way it can be done for Unix systems? I haven't been able to find any evidence so far but would like an expert opinion. SAP will not support it, as the Microsoft Kerberos SSP is an unsupported product as far as SAP is concerned w.r.t. Single Sign-On.

 

Regards

Joyee

SAP Fiori Portal Single Sign on with windows Active Directory

Hi Dear,

 

We are going to configure SSO on SAP Fiori with a Windows Active Directory server. Here is my setup:

 

  • SAP NW Gateway : Suse Linux
  • SAP ECC : Suse Linux
  • Active Directory : windows 2012 server


My question is

  1. Do I need to purchase any additional plugin for the GW and ECC servers to enable SSO, or is it available in the default system?
  2. Is there any step-by-step guide or document available? Please share a link.
  3. I have another issue, as our Active Directory user name is greater than 12 characters. Can it cause our SSO configuration or SSO allow more than 12 characters to log in to the Fiori portal?

Please share your experience

Service Provider has received SAML2Response from Identity Provider whose destination does not match requested URL

Hello all . . . hoping for a little luck here.

 

We've configured a brand-new SAP Portal (our "service provider") for single sign-on via SAML2 authentication, using WebSphere as our identity provider.

 

I can confirm that I'm receiving information from the identity provider, as the troubleshooting wizard produces results. Unfortunately, no amount of Google-fu has turned up a response to the error I'm seeing. The error is weird because it's citing the use of Port 80, rather than the standard of 50000. The error, specifically, says, "Service Provider has received SAML2Response from Identity Provider [https://websphere.mycompany.com/idp/shibboleth] whose destination [https://portal.mycompany.com/saml2/sp/acs] does not match requested URL [http://portal.mycompany.com:80/irj/portal]."

 

My Service Provider settings configuration does state that /irj/portal should be the default redirect once a successful SAML assertion is received, but I have nothing which points to port 80.

 

 

I'm also attaching a defaultTrace file where I've cranked up the debugging, just to see what else I can see. Any ideas?
