Channel: SCN : All Content - SAP Single Sign-On

SAML2: AS Java configured as Service Provider performs no redirect to Identity Provider


Hi community,

 

I have configured SAML2 on AS Java 7.4 exactly as described here:

http://wiki.scn.sap.com/wiki/display/Security/Single+Sign-On+with+SAML+2.0+and+ABAP+Systems+Supporting+SAP+Logon+Tickets

 

I performed all steps from the chapters:

  1. Creating SAML 2.0 Service Provider on “Hosting4All”
  2. Creating SAML 2.0 Identity Provider (No SAP IdP, but F5)
  3. Configuring Trust on the SAML 2.0 Identity Provider Side
  4. Configuring Trust on the SAML 2.0 Service Provider Side
  5. Configuring Identity Federation on SAML 2.0 Service Provider of "Hosting4All"
  6. Configuring an Application to Require SAML 2.0 Authentication (in that case, /irj for the Enterprise Portal)

 

My configuration did not include any ABAP systems, as I wanted to start with AS Java and IdP first.

 

When accessing /irj now, no redirect is performed to the F5 IdP (Network Debugger in Chrome does not list anything like this).

 

Is there a common obstacle?

 

Thanks and regards, Jannis
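The symptom above (no redirect at all when a protected resource is requested) is easiest to pin down by looking at the raw HTTP response the service provider returns and, if there is a redirect, at what is inside it. The following is an added example, not code from the thread, SAP or the wiki page linked above: it builds a constructed SP-initiated redirect for the SAML 2.0 HTTP-Redirect binding (raw DEFLATE, then base64, in the `SAMLRequest` query parameter), decodes one back into the fields worth comparing with the IdP configuration (Issuer, Destination, AssertionConsumerServiceURL, RelayState), and classifies an SP response as "no redirect", "redirect but not to an IdP", or "SAML redirect". All URLs, the AuthnRequest and the header dicts are sample data.

```python
"""Decode and classify an SP-initiated SAML 2.0 redirect (HTTP-Redirect binding).

Added example, not code from the original thread. The IdP/SP URLs, the
AuthnRequest and the header dicts are constructed sample data.
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: what an SP would send to the IdP for a protected resource.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee01" Version="2.0" IssueInstant="2015-01-01T00:00:00Z"
    Destination="https://idp.example.com/saml2/sso"
    AssertionConsumerServiceURL="https://portal.example.com/saml2/sp/acs"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>https://portal.example.com/saml2/sp</saml:Issuer>
</samlp:AuthnRequest>"""


def encode_redirect_request(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def build_redirect_location(idp_sso_url: str, xml_text: str, relay_state: Optional[str] = None) -> str:
    """Build the Location header an SP would emit (sample only; request is unsigned)."""
    params = {"SAMLRequest": encode_redirect_request(xml_text)}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return f"{idp_sso_url}?{urlencode(params)}"


def decode_redirect_request(location: str) -> dict:
    """Parse a Location header and return the fields worth checking against the IdP config."""
    parsed = urlparse(location)
    qs = parse_qs(parsed.query)
    if "SAMLRequest" not in qs:
        raise ValueError("no SAMLRequest parameter: not a SAML redirect")
    raw = base64.b64decode(qs["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(raw, -15))  # -15: raw DEFLATE stream
    if root.tag != f"{{{NS['samlp']}}}AuthnRequest":
        raise ValueError(f"unexpected root element {root.tag}")
    issuer = root.find("saml:Issuer", NS)
    idp_sso_url = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
    destination = root.get("Destination")
    return {
        "idp_sso_url": idp_sso_url,
        "destination": destination,
        # An IdP rejects the request if Destination is not the endpoint it arrived at.
        "destination_matches": destination == idp_sso_url,
        "id": root.get("ID"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "issuer": issuer.text if issuer is not None else None,
        "relay_state": qs.get("RelayState", [None])[0],
    }


def diagnose_sp_response(status: int, headers: dict) -> str:
    """Classify the SP's answer to an unauthenticated request for a protected resource.

    no_redirect       -> the resource is not protected by SAML2, or another login
                         module answered the request itself (logon page, 401, 200)
    non_saml_redirect -> a redirect, but not to an IdP (e.g. to a local logon page)
    saml_redirect     -> an AuthnRequest was sent to the IdP
    """
    location = headers.get("Location") or headers.get("location")
    if status not in (302, 303, 307) or not location:
        return "no_redirect"
    try:
        decode_redirect_request(location)
    except (ValueError, zlib.error, ET.ParseError):
        return "non_saml_redirect"
    return "saml_redirect"


if __name__ == "__main__":
    loc = build_redirect_location("https://idp.example.com/saml2/sso", SAMPLE_AUTHN_REQUEST, "/irj")
    print(diagnose_sp_response(302, {"Location": loc}))
    for key, value in decode_redirect_request(loc).items():
        print(f"{key:20} {value}")
```

In practice you feed `diagnose_sp_response` the status and headers captured from the browser's network tab or `curl -I` against the protected URL; a `no_redirect` result means the authentication stack never invoked the SAML2 login module for that resource, while a decoded request whose `destination_matches` is false points at a mismatch between the SP's trusted-IdP metadata and the IdP's actual SSO endpoint.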


SSO using AD/ADFS and Mobile


I need my AD users to log in to my NW SSO using single sign-on, and to use the same SSO with my Fiori-based mobile devices. Which products and add-ons do I need? Can someone point me to configuration guides for this? When I look, I don't see any guides other than the SAML configuration guide for mobile devices. Please help.

GRC 10.1 End user Logon SSO with LDAP


Hello All,

 

 

Could you please help me with configuring SSO between LDAP and GRC for the End User Logon functionality? I do not see a post that talks clearly about this.

 

I have configured the LDAP server in GRC and created a LDAP Connector which is working fine and our security team is able to sync all the LDAP Users into GRC system.

 

 

As part of GRC ARM End user Logon now I need to configure SSO between LDAP and GRC

 

 

The user should be able to access the GRC system with his LDAP authentication for requesting SAP access in the landscape.

We don’t create a ID for the User in SAP GRC but he will be able to access GRC system with his LDAP authentication.

 

 

Can this be achieved by exchanging certificates between LDAP and GRC?

What kind of certificate should I ask our LDAP team to provide to add in STRUST of GRC?

 

 

I have gone through SAP Note 1733442, which only talks about approaches to follow, but there is no detailed process available for it.

 

 

 

I'm trying to achieve SSO via the approach below, as explained in the note:

 

 

SSO via Browser with Certificate Auth (As we do in SAP)

 

 

1 Sync all AD users into GRC ABAP without password.

2 Set up a certificate issuer to authenticate against AD.

3 Set up GRC ABAP to trust that certificate authority/issuer.

4 Log in to the Certificate Generator app on the computer, get the certificate in the browser, access the GRC 10 application URL.

 

 

 

 

 

Please let me know.

 

 

Regards,

 

 

Shakeel Samdani

 


SAP Single Sign-On using SAML 2.0 on Linux


Dear Experts,

 

Our Company wants to Implement SAP Single Sign-On Using SAML 2.0.

 

Our environment is entirely on SUSE Linux, and we have:

 

SAP ECC

SAP IDES

SAP Netweaver 7.4 (Gateway)

SAP BW

SAP BO

All systems are on Release 7.4

 

We don't have an AS Java instance.

 

Please let me know how to configure Single Sign-On using SAML 2.0

 

I have searched a lot but could not find any document that is helpful.

I would be really thankful if anyone could provide step-by-step documentation.

 

Regards,

 

John.

SAP Single Sign-On vs SPNEGO


Hi All,

 

Can someone explain the difference between SPNEGO and SAP Single Sign-On? I see the Identity Provider configuration and I am confused: will the SAP SSO system act as the repository of users, like AD? Or will it sync and keep another copy of the users in the SSO system? Please help me understand. Thanks.

End user device SSO to NW ABAP via Kerberos


Hi there,

 

I'm looking for guidance on whether the following scenario is possible & if so what the architecture/flows would look like.

The scenario is as follows:

  • multiple end user Windows desktop devices that are part of a Windows domain
  • devices run a third party application
  • third party application communicates with a third party "gateway" server that connects to a SAP NW ABAP environment via RFC
  • at present the users of the application must provide a separate user id/password to authenticate
  • we would like to leverage the existing Windows/Kerberos token on the devices instead

 

I understand that Kerberos can be used for a given RFC connection but have not seen any details on whether an RFC connection can be used for multiple simultaneous Kerberos connections.

 

Is this possible & if so what's required?

 

Thanks in advance.

 

Tim

SSO works with GUI but not with webgui html


Hi Mentor,

 

We use SSO with Kerberos authentication for SAP GUI (for ECC 6.0 ABAP) and it works very well, so when logging on through SAP GUI we don't have to provide any passwords.

But the same isn't working for WebGUI: when I execute webgui from the SICF tcode, the HTML page prompts for client, username and password. I want this to function like SAP GUI; I believe there is some additional setting that I am missing which needs to be enabled for WebGUI.


Please check attached screenshot.

 

Your help would be much appreciated.

 

Thanks

Ayush

Hiding the Secure Login Client


Hi,

 

We have recently implemented NW SSO 2.0 with Kerberos authentication (without Secure Login Server). Before we roll this out to end users, we wonder whether there is an option to hide the Secure Login Client from being displayed to end users. Many users have admin rights on their PCs, and with the Secure Login Client we have options to choose different certificates for SAP GUI to use for SSO. We basically want to use the Kerberos token for SSO to SAP systems but want to hide the Secure Login Client from end users.

 

Can you please let me know if there are any options for doing this?

 

Thanks

 

Thilip Kumar


SSO solutions for SAP Fiori for multiple scenarios


Hi All,

 

We are looking for SSO solution for SAP Fiori application running on our NWGW system connected to backend ECC systems.


Here are the scenarios where we are looking for end-to-end SSO (meaning users never need to enter a user/password):


1. Laptops/desktops

    1. Company-owned laptops/desktops
      • Connected from the company network (within the office or via VPN) - pre-authenticated based on Windows user/password
      • Connected from outside the company network - no Windows pre-authentication has happened
    2. 3rd-party or bring-your-own laptops/desktops

2. Mobile devices (iOS, Android, Windows-based)

    1. Company-owned
    2. Bring your own device

3. Factory RF terminals


Based on what I have read so far, I am not able to find a single solution which can cover all the scenarios mentioned above.


We have tested SAML2 (ADFS as IDP and NWGW as SP), SSO works fine for Laptops/Desktops based on windows user/password as these are pre-authenticated.


But what about machines connected via the internet, mobile devices and RF terminals?


Appreciate your help.


Thanks

Davinder

SSO for successfactors


Dear All,

 

We have implemented SSO for the Enterprise Portal with Windows Active Directory in our landscape. The flow is as follows: the user logs in to his laptop with an Active Directory user. Using SharePoint, the URL to access PI Java is assigned to a link; when the user clicks the link, it automatically logs in to the PI system without prompting for any username/password.

 

I am wondering whether we could do the SSO configuration to access our SuccessFactors instance with the Windows Active Directory user. Kindly help me with the procedure and details.

 

Regards,

Malar.

otpadmin redirects to otp


I'm trying to use the OTP Login Module. Strangely, whenever I call the admin web module with the URL http://java-as:port/otpadmin it redirects to the OTP user interface (http://java-as:port/webdynpro/resources/sap.com/sso~otp~wd/OTP#). Tracing didn't give me any further clue. Why is this happening? Any idea is highly appreciated.

Service Provider has received SAML2Response from Identity Provider whose destination does not match requested URL


Hello all . . . hoping for a little luck here.

 

We've configured a brand-new SAP Portal (our "service provider") for single sign-on via SAML2 authentication, using WebSphere as our identity provider.

 

I can confirm that I'm receiving information from the identity provider, as the troubleshooting wizard produces results. Unfortunately, no amount of Google-fu has turned up a response to the error I'm seeing. The error is weird because it's citing the use of Port 80, rather than the standard of 50000. The error, specifically, says, "Service Provider has received SAML2Response from Identity Provider [https://websphere.mycompany.com/idp/shibboleth] whose destination [https://portal.mycompany.com/saml2/sp/acs] does not match requested URL [http://portal.mycompany.com:80/irj/portal]."

 

My Service Provider settings configuration does state that /irj/portal should be the default redirect once a successful SAML assertion is received, but I have nothing which points to port 80.

 

 

I'm also attaching a defaultTrace file where I've cranked up the debugging, just to see what else I can see. Any ideas?
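The error quoted above is the service provider enforcing the Destination check that the SAML 2.0 specification requires of a recipient: the `Destination` attribute on the `samlp:Response` must match the URL at which the response was actually received. The following is an added example, not SAP code and not a statement about this particular portal's configuration: a generic implementation of that check, with URL normalization (lower-case scheme and host, default port dropped) so that `:443` or `:80` alone does not cause a mismatch, and a reconstruction of the received URL that shows one common way an application server ends up seeing `http://host:80/...` while the IdP was given an `https` Destination, namely TLS termination on a reverse proxy in front of it. The Response XML, hostnames and header dicts are constructed sample data.

```python
"""Check a SAML 2.0 Response's Destination against the URL the SP received it at.

Added example, not SAP code: a generic implementation of the check that the
error message in the thread refers to. The Response XML, hostnames and header
dicts below are constructed sample data.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample (unsigned, no assertion): only the attributes the check needs.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_r1" Version="2.0" IssueInstant="2015-01-01T00:00:00Z"
    InResponseTo="_c0ffee01"
    Destination="https://portal.mycompany.com/saml2/sp/acs">
</samlp:Response>"""


def normalize_url(url: str) -> str:
    """Canonical form for comparison: lower-case scheme and host, default port
    dropped, query and fragment removed (they are not part of a Destination)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    netloc = host if port is None or port == DEFAULT_PORTS.get(scheme) else f"{host}:{port}"
    return urlunsplit((scheme, netloc, parts.path or "/", "", ""))


def received_url(scheme: str, host_header: str, path: str, headers: dict, trusted_proxy: bool) -> str:
    """Reconstruct the URL the SP believes the POST arrived at.

    Behind a TLS-terminating reverse proxy the application server itself sees
    plain HTTP (typically port 80); the public https URL is only recoverable from
    X-Forwarded-* headers. Honour those ONLY when the immediate peer is a proxy
    you trust: otherwise any client can send them and steer the check.
    """
    if trusted_proxy:
        scheme = headers.get("X-Forwarded-Proto", scheme)
        host_header = headers.get("X-Forwarded-Host", host_header)
    return f"{scheme}://{host_header}{path}"


def check_destination(response_xml: str, url_received_at: str) -> dict:
    """Return the normalized pair and whether they match."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError(f"not a samlp:Response: {root.tag}")
    destination = root.get("Destination")
    if destination is None:
        raise ValueError("Response carries no Destination attribute")
    expected = normalize_url(destination)
    actual = normalize_url(url_received_at)
    return {"destination": expected, "received_at": actual, "ok": expected == actual}


if __name__ == "__main__":
    path = "/saml2/sp/acs"
    # 1. TLS terminated on the application server itself.
    direct = received_url("https", "portal.mycompany.com", path, {}, trusted_proxy=False)
    # 2. TLS terminated on a proxy; the app server sees http on port 80.
    behind_proxy = received_url("http", "portal.mycompany.com:80", path, {}, trusted_proxy=False)
    # 3. Same topology, but the trusted proxy's X-Forwarded-* headers are honoured.
    fwd = {"X-Forwarded-Proto": "https", "X-Forwarded-Host": "portal.mycompany.com"}
    fixed = received_url("http", "portal.mycompany.com:80", path, fwd, trusted_proxy=True)
    for label, url in [("direct", direct), ("behind_proxy", behind_proxy), ("forwarded", fixed)]:
        print(label, check_destination(SAMPLE_RESPONSE, url))
```

The second scenario reproduces the shape of the quoted error (an `http://...:80` received URL against an `https` Destination), and the third shows why the fix belongs in how the SP learns its external URL, not in relaxing the check: the Destination comparison is what stops a response captured for one endpoint from being replayed to another.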

SAP single sign on options


We want to enable single sign on for our ECC systems. Our ECC systems user accounts are different from our windows account. We can maintain the windows account id in the ALIAS field of the user account. We are hoping to leverage this ALIAS field for single sign on.

 

These are the potential scenarios that need to be handled.

1) From Cloud solutions to log on to ECC systems

2) External facing portal to ECC systems

3) Log on to ECC via SAP gui.

 

Do we need the SAP Single Sign-On product to make this happen? Or are there tools like Okta that can provide the same service? We are trying to determine which would be the best option for our use case. Thanks.

NWBC SSO Transaction SNCWIZARD


Hello everybody,


What are the conditions for the transaction "sncwizard"?
I want to set up SSO for NWBC on the system and need the transaction.

However, I get the error message "SNC product not supported".


System:
Windows Server 2008 Enterprise SP2
SAP_BASIS: 740 SP9
SAP_APPL: 617 SP7


best regards

Metin Kirdas

SSO2.0 SP4 Kerberos token - different domain setup issue



Hello,

 

We are trying to setup SAPGUI SSO using SAP Netweaver SSO2.0 sp4 based on Kerberos tokens. Our SAP system is hosted in a cloud and we have created a service user SL-ABAP-ED1 in the domain "abc.xyz.domainA.com". The spn has also been registered and can be viewed as SAP/SL-ABAP-ED1. Our users are trying to login into SAPGUI installed on a Win 2012R2 terminal server. We have installed Secure login client 2.0 SP4 on the terminal server. For the end user, we can see the Kerberos token in the secure login client profiles as firstname.lastname@domainB.org. There is no domain trust between domain.com and domainB.org as we have been told that when using SSO2, trust is not required between different domains.

 

On the server, the keytab has been created:

    Version  Time stamp                 KeyType   Kerberos name

          1  Wed Nov 26 17:14:47 2014   DES       SL-ABAP-ED1@abc.xyz.domainA.com
          1  Wed Nov 26 17:14:47 2014   AES128    SL-ABAP-ED1@abc.xyz.domainA.com
          1  Wed Nov 26 17:14:47 2014   AES256    SL-ABAP-ED1@abc.xyz.domainA.com
          1  Wed Nov 26 17:14:47 2014   RC4       SL-ABAP-ED1@abc.xyz.domainA.com

 

 

T:\usr\sap\ED1\DVEBMGS00\SLL>sapgenpse seclogin -l -O domainA\SAPServiceED1
running seclogin with USER="ed1adm"
listing credentials for user "domain\SAPServiceED1" ...

0 (LPS:OFF):
         (LPS:OFF): T:\usr\sap\ED1\DVEBMGS00\Sec\SAPSNCSKERB.pse


1 readable SSO-Credentials available

 

 

In the profiles, we have the parameter snc/identity/as = p:CN=SL-ABAP-ED1

In the SAPGUI, we have enabled SNC option and SNC name is p:CN=SL-ABAP-ED1@abc.xyz.domainA.com. Here, we have tried all different combinations - p:CN=SL-ABAP-ED1, p:CN=SAP/SL-ABAP-ED1; p:CN=SAP/SL-ABAP-ED1@abc.xyz.domainA.com. None of them work.

 

Every time we get the same error message:

 

"GSS-API(mai): No credentials were supplied. Unable to establish the security context target="p:CN=SL-ABAP-ED1" Error in SNC"

 

In the Secure Login Client trace files, we see the following errors:

 

[2014.11.26 20:16:07.376000][WARN ][sbus.exe            ][Kerberos    ][  4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' with algorithm 18 returned error

[2014.11.26 20:16:07.376000][WARN ][sbus.exe            ][Kerberos    ][  4732]     0/C000018B The security database on the server does not have a computer account for this workstation trust relationship.

[2014.11.26 20:16:07.377000][WARN ][sbus.exe            ][Kerberos    ][  4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' with algorithm 17 returned error

[2014.11.26 20:16:07.377000][WARN ][sbus.exe            ][Kerberos    ][  4732]     0/C000018B The security database on the server does not have a computer account for this workstation trust relationship.

[2014.11.26 20:16:07.378000][WARN ][sbus.exe            ][Kerberos    ][  4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' with algorithm 23 returned error

[2014.11.26 20:16:07.378000][WARN ][sbus.exe            ][Kerberos    ][  4732]     0/C000018B The security database on the server does not have a computer account for this workstation trust relationship.

[2014.11.26 20:16:07.378000][WARN ][sbus.exe            ][Kerberos    ][  4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' with algorithm  3 returned error

[2014.11.26 20:16:07.378000][WARN ][sbus.exe            ][Kerberos    ][  4732]     0/C000018B The security database on the server does not have a computer account for this workstation trust relationship.

[2014.11.26 20:16:07.379000][WARN ][sbus.exe            ][Kerberos    ][  4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' failed (user name is Firstname.Lastname@domainB.org)

[2014.11.26 20:16:07.379000][TRACE][sbus.exe            ][sbus.dll    ][  4732] } 80004005

 

 

In another trace file, we have the following messages:

 

[2014.11.26 20:16:07.379000][TRACE][saplogon.exe        ][sbusps.dll  ][  4164] { PSEProxy::getOwnCertificate

[2014.11.26 20:16:07.379000][TRACE][saplogon.exe        ][sbusps.dll  ][  4164] }        0

[2014.11.26 20:16:07.379000][TRACE][saplogon.exe        ][sbusps.dll  ][  4164] { PSEProxy::getOwnCertificate

[2014.11.26 20:16:07.379000][TRACE][saplogon.exe        ][sbusps.dll  ][  4164] }        0

[2014.11.26 20:16:07.379000][INFO ][saplogon.exe        ][GSS         ][  4164] Cli-40000000: No own key found

[2014.11.26 20:16:07.379000][ERROR][saplogon.exe        ][GSS         ][  4164] Have no certificate and got no kerberos ticket

[2014.11.26 20:16:07.379000][ERROR][saplogon.exe        ][GSS         ][  4164] Cli-40000000: --> Msg ClientHello         create  failed : errval=70000, minor_status=0

 

 

Can someone provide any information as to what is missing?

 

 

 

Thanks & regards,

Sid
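The Secure Login Client trace lines posted above already contain most of what a Kerberos administrator looks at first: which service principal a ticket was requested for, which encryption types the client tried, the NTSTATUS code behind each failure, and whether the user's principal and the service principal are in the same realm (in standard Kerberos a client in realm B obtains a service ticket for a principal in realm A only via a cross-realm TGT, so the two realms are worth surfacing side by side). The following is an added example, not from the thread or from SAP: a parser over those trace lines (copied from the post as constructed sample input) that extracts exactly these facts. Encryption-type numbers are mapped with the IANA Kerberos registry values (18 = aes256-cts-hmac-sha1-96, 17 = aes128-cts-hmac-sha1-96, 23 = rc4-hmac, 3 = des-cbc-md5); 0xC000018B is STATUS_NO_TRUST_SAM_ACCOUNT in the Windows SDK. The trace format regex is written against the posted lines and is an assumption about other SLC versions.

```python
"""Summarize Kerberos ticket failures from a Secure Login Client trace.

Added example, not from the thread or from SAP. SAMPLE_TRACE is the set of
lines posted above, used as constructed input; ETYPE_NAMES are IANA Kerberos
encryption-type numbers and NTSTATUS_NAMES are Windows SDK status names.
"""
import re

# [timestamp][LEVEL ][process.exe   ][component  ][  tid] message   (format assumed from the post)
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<level>\w+)\s*\]\[(?P<proc>[^\]]+?)\s*\]"
    r"\[(?P<comp>[^\]]+?)\s*\]\[\s*(?P<tid>\d+)\]\s*(?P<msg>.*)$"
)
TICKET_RE = re.compile(r"Getting kerberos ticket for '(?P<spn>[^']+)' with algorithm\s*(?P<etype>\d+) returned error")
STATUS_RE = re.compile(r"^0/(?P<code>[0-9A-Fa-f]{8})\s+(?P<text>.*)$")
FAILED_RE = re.compile(r"Getting kerberos ticket for '(?P<spn>[^']+)' failed \(user name is (?P<upn>[^)]+)\)")

ETYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
NTSTATUS_NAMES = {
    "C000005E": "STATUS_NO_LOGON_SERVERS",
    "C000006D": "STATUS_LOGON_FAILURE",
    "C000018B": "STATUS_NO_TRUST_SAM_ACCOUNT",
}

SAMPLE_TRACE = """[2014.11.26 20:16:07.376000][WARN ][sbus.exe            ][Kerberos    ][  4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' with algorithm 18 returned error
[2014.11.26 20:16:07.376000][WARN ][sbus.exe            ][Kerberos    ][  4732]     0/C000018B The security database on the server does not have a computer account for this workstation trust relationship.
[2014.11.26 20:16:07.377000][WARN ][sbus.exe            ][Kerberos    ][  4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' with algorithm 17 returned error
[2014.11.26 20:16:07.377000][WARN ][sbus.exe            ][Kerberos    ][  4732]     0/C000018B The security database on the server does not have a computer account for this workstation trust relationship.
[2014.11.26 20:16:07.378000][WARN ][sbus.exe            ][Kerberos    ][  4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' with algorithm 23 returned error
[2014.11.26 20:16:07.378000][WARN ][sbus.exe            ][Kerberos    ][  4732]     0/C000018B The security database on the server does not have a computer account for this workstation trust relationship.
[2014.11.26 20:16:07.378000][WARN ][sbus.exe            ][Kerberos    ][  4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' with algorithm  3 returned error
[2014.11.26 20:16:07.378000][WARN ][sbus.exe            ][Kerberos    ][  4732]     0/C000018B The security database on the server does not have a computer account for this workstation trust relationship.
[2014.11.26 20:16:07.379000][WARN ][sbus.exe            ][Kerberos    ][  4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' failed (user name is Firstname.Lastname@domainB.org)
[2014.11.26 20:16:07.379000][TRACE][sbus.exe            ][sbus.dll    ][  4732] } 80004005
"""


def realm_of(principal: str) -> str:
    """Realm part of user@REALM or service@REALM, lower-cased for comparison."""
    return principal.rsplit("@", 1)[1].lower() if "@" in principal else ""


def analyze_slc_trace(text: str) -> dict:
    """Extract the service principal, user principal, encryption types tried and
    NTSTATUS codes from Kerberos-component lines of an SLC trace."""
    etypes, statuses = [], []
    spn = upn = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group("comp") != "Kerberos":
            continue  # other components (sbus.dll, GSS, ...) are not ticket requests
        msg = m.group("msg").strip()
        t = TICKET_RE.search(msg)
        if t:
            spn = t.group("spn")
            etypes.append(int(t.group("etype")))
            continue
        s = STATUS_RE.match(msg)
        if s:
            statuses.append(s.group("code").upper())
            continue
        f = FAILED_RE.search(msg)
        if f:
            spn, upn = f.group("spn"), f.group("upn")
    service_realm, user_realm = realm_of(spn or ""), realm_of(upn or "")
    return {
        "service_principal": spn,
        "user_principal": upn,
        "service_realm": service_realm,
        "user_realm": user_realm,
        # True when the client would need a cross-realm ticket path to reach the service.
        "cross_realm": bool(service_realm and user_realm and service_realm != user_realm),
        "etypes_tried": etypes,
        "etype_names": [ETYPE_NAMES.get(e, f"etype {e}") for e in etypes],
        "failures": len(statuses),
        "status_codes": sorted(set(statuses)),
        "status_names": sorted({NTSTATUS_NAMES.get(c, f"0x{c}") for c in statuses}),
    }


if __name__ == "__main__":
    for key, value in analyze_slc_trace(SAMPLE_TRACE).items():
        print(f"{key:18} {value}")
```

Run against a real trace, the summary tells you immediately whether the client is failing on every encryption type with the same status (an account or realm-resolution problem, as here) or only on some (a keytab or etype-policy problem), which is the first fork in any SNC/Kerberos troubleshooting.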


Mapping of ADFS SAML2 properties to portal logon ID


We had SAML2 configured and working fine, using a property from AD called employeeID. This was a short name that matched the names used in our portal (731).

That field is no longer maintained by the AD group, so I must find a different way to map one of the available properties into a portal user.

I would like to use the Distinguished Name, but unlike, for example, SNC in the ABAP system, there is no place in the portal UME to enter a DistinguishedName. It looks like I might be able to create a field under the "customized information" tab of the user record in the portal.

Please point me to options here. Should I attempt to add a field and do a mapping (how?) or take another path.

Just to be clear we are not using SLS, our data source is UME, and this is for logon purposes.

SSO for Fiori apps


Hi All,

 

 

We are configuring SSO in portal  for fiori.

 

We are facing an issue while changing an entry in the portal for Single Sign-On for Fiori Mobile Apps.

 

Alias of Application - "otp_logon_ui_resouces"

 

After we changed the entry, we get a blank page when we log on in a new window.

 

Relevant screenshot below; kindly advise.


 

Thanks,

Prabu K

SAML2 for Java desktop application


Hi,

 

I have to enhance a Java desktop application that is consuming SAP ODATA services via Olingo library.

The https connection authentication is currently done by basic authentication.

This should be enhanced to X509 client certificates but as well to SAML2 authentication.

In my understanding the application has to behave like a browser to use SAML2, so it can handle HTTP redirects, forms and cookies.

Is there an easy way to do this? Is there any SAP Java library that can be used? Has anybody done this already and can give me some hints on how to handle the SAML2 authentication process?

 

Thx

Stefan

SNCAX.DLL issue


Hi, I have installed SECURE_LOGIN_CLIENT_20 on my laptop and rebooted it. I am currently running the sncwizard as mentioned in Single Sign-On with Kerberos.

 

 

I get the error "Front End control SNCAX.DLL not installed". Please see the screenshot. Could anyone please help me out? I haven't installed Single Sign-On Server 2.0 on this specific server, but I am skeptical whether that's needed. When I search my laptop's C drive, I don't see the file SNCAX.DLL on my computer. Please help. Thanks

 


Single Signon between Portal and Solman NWA/SLD


Hi,

 

I would like to know whether single sign-on is possible between SAP Portal and the Solman NWA/SLD URLs.

 

We imported the certificates and SSO is working fine between Portal and Solman SAP GUI.

 

We created URL iViews for NWA and SLD in Portal Content, and when we try to access them, it asks for the username and password for SLD.

 

SLD: http://hostname:port/sld

 

For NWA, it throws an error that the Web Dynpro application has expired.

NWA: http://hostname:port/nwa

 

We created a URL iView for the ChaRM URL and it is working fine, but the same is not working for the SLD and NWA URLs.

 

Regards

V. Suresh Kumar
