Channel: SCN: Message List - SAP Single Sign-On

SSO for AS ABAP system Web GUI


Hello Experts,

 

We have installed PERSONAS add-on in our SAP ECC 6.0 EhP7 AS ABAP system.

 

Single Sign On via SAP GUI for Windows is configured w.r.t. Active Directory & works properly.

 

We have enabled the SICF service for webgui, & the system is accessible via browser as well.

 

Now the requirement is to enable single sign-on for webgui, something where it can accept a certificate from Active Directory & authenticate the login.

 

Could you please suggest how we can achieve this?

 

 

Best Regards,

Tanmeya


Re: SSO for AS ABAP system Web GUI


Hi Tanmeya,

 

for Kerberos-based single sign-on to a web application you need to enable SPNEGO support on AS ABAP. This is a feature that comes with the product SAP Single Sign-On. You will find helpful information at http://scn.sap.com/community/sso

 

Best regards,

Christian

Re: SSO for AS ABAP system Web GUI


Hello Christian,

 

Thanks for your reply.

 

Could you please share a specific link to the configuration regarding this?

 

 

Thanks & Best Regards,

Tanmeya

Re: SSO for AS ABAP system Web GUI

Re: SSO for Solution Manager 7.1


Check the below points


Point 1


Check that your user ID is there in the R3 system (or the same user ID as in the portal).

If the same user ID is not there, go for user mapping and try again.



Point 2


Anyway, you did the work below. Could you please check once again:


Set up the parameters "icm/host_name_full", "login/accept_sso2_ticket" (parameter value "1") and "login/create_sso2_ticket" (value 2) – Already existing

3) Import the above frontend cert into the backend (STRUSTSSO2), added to certificate list and ACL.

4) Export the certificate from the backend (ABAP) and import it into the keystore.




Please check the following SAP Notes: 1405432 & 1566201 & 0001405432
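
Added example, not part of the post above and not SAP code: a small offline check of an exported instance profile for the three logon-ticket parameters the post names, using the values it gives. The sample profile is constructed, and treating "fully qualified" as "contains at least one dot" and letting the last duplicate entry win are assumptions of this sketch.

```python
import re

# Values as stated in the post: accept = 1, create = 2.
EXPECTED = {
    "login/accept_sso2_ticket": "1",
    "login/create_sso2_ticket": "2",
}

# Constructed sample profile (not from a real system).
SAMPLE_PROFILE = """\
# instance profile excerpt
SAPSYSTEMNAME = ABC
icm/host_name_full = sapabc
login/accept_sso2_ticket = 1
login/create_sso2_ticket = 0
"""

def parse_profile(text):
    """Parse 'name = value' lines; lines starting with '#' are comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()  # assumption: last entry wins
    return params

def check_sso2_params(text):
    """Return a list of findings; an empty list means all three look right."""
    params = parse_profile(text)
    findings = []
    for name, want in EXPECTED.items():
        got = params.get(name)
        if got is None:
            findings.append(f"{name}: not set in this file (expected {want})")
        elif got != want:
            findings.append(f"{name}: is {got}, expected {want}")
    host = params.get("icm/host_name_full")
    if host is None:
        findings.append("icm/host_name_full: not set in this file")
    elif "$(" in host:
        findings.append("icm/host_name_full: unresolved $(...) reference, check resolved value")
    elif not re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", host):
        findings.append(f"icm/host_name_full: '{host}' is not fully qualified")
    return findings

if __name__ == "__main__":
    for finding in check_sso2_params(SAMPLE_PROFILE):
        print(finding)
```
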



Re: SSO for AS ABAP system Web GUI


Hi Tanmeya,

 

please have a look at http://help.sap.com/saphelp_nwsso20/helpdata/en/af/cc55377253420dacc666da46a6f21a/content.htm?frameset=/en/f0/549a4d52124a38a575295b15923f91/frameset.htm&current_toc=/en/ba/a0222bf5da4ed3a655eaef1e4a3b60/plain.htm&node_id=110

 

This is part of the documentation of the product SAP Single Sign-On, in particular of the Secure Login scenario. You can get a pdf file of the full Secure Login documentation at http://help.sap.com/sso , together with information about the other product features.

 

Best regards,

Christian

Re: SSO for AS ABAP system Web GUI


Hi Tanmeya, please check with your infrastructure people if you have a SAML2 Identity Provider (IDP) in your landscape (e.g. AD FS). SSO with SAML2 is easy to configure.

Regards,

Lutz

Re: SSO for AS ABAP system Web GUI


Hello Tanmeya,

 

If I have understood you correctly, you already have SSO for SAPGUI working so you've already done all the AD and SAP work (Service User/UPN/SPN/Parameters/Keytab etc ....)

 

You just want to extend your SSO now to use SPNEGO for your WebDynpro.

 

If my understanding is correct then the SPNEGO wouldn't be that complicated (only validated on 702 SP14).

 

1. Add a new SPN to your existing AD service user:

 

eg: HTTP/<hostname>.<FQDN>

 

2. run tx SPNEGO on the ABAP side and fill in the UPN and password

 

3. Activate session management with tx: SICF_SESSIONS

 

Hope that helps if I have correctly understood your requirement.

 

KR,

 

Amerjit


Re: java.lang.StringIndexOutOfBoundsException: String index out of range: -40


In Log Viewer I am getting the below message:

ExceptionHandler.handleThrowable: Exception occurred during processing of Web Dynpro application sap.com/pb/PageBuilder

 

Please help me with this.

Re: [enquiry] SAP Fiori setup with SSO enable


Hello Gary,

 

Using SAP Single Sign-On product (license required) it is very easy to implement SSO for SAP Fiori (for PC or for mobile access). For example you can choose to use the SAML scenario. It is possible to configure the MS AD as user store for the SAML IdP and then users who try to authenticate from outside corporate network will have to use their MS AD User&Password for authentication. Using this scenario it will be possible also to implement Mobile SSO for SAP Fiori Client (supported out of the box with the mobile application SAP Authenticator).

You can also improve the security for the external access by implementing risk-based authentication and configuring the system to prompt users for two-factor authentication (OTP) in addition to their MS AD User&Password only when they try to authenticate to SAP Fiori from outside corporate network.

You can also choose the X.509 client certificate scenario and for this scenario it will be also possible to configure the MS AD as user store and users will be prompted again for their MS AD User&Password.

Q1/A1: For both scenarios the AS JAVA is necessary and you will not be able to "get rid of AS JAVA".

Q2/A2: If you are using the SAP IDM product it is possible to provision the users and their roles automatically to the AS ABAP server.

Q3/A3: Yes, the user needs to be available in the back end AS ABAP system and also in the SAP NW Gateway system.

Q4/A4: As I already mentioned both scenarios SAML and X.509 allow integration with AS AD and for both the user credentials will be checked against the MS AD.

 

See some details about SSO for Fiori and risk-based authentication:

Mobile Single Sign-On for SAP Fiori with SAP Authenticator

Risk-Based Authentication for Your Critical Business Processes

We also offer an implementation guide for Mobile SSO for Fiori, that you can use also to implement SSO for Fiori via the Browser for PC. Just skip the mobile device part and configure basic authentication instead of OTP authentication if you want to enable users to authenticate with their MS AD User& Password. For the last one you have to make sure that MS AD is configured as User store for AS JAVA. See the guide here: Mobile SSO for SAP Fiori - Step-by-Step Guide

If you want more details on how the solution works using the SAP Single Sign-On product, we can organize a conference call and I can also demonstrate the solution to you and your team. If you find it necessary, just send me a message at <donka.dimitrova at sap.com>.

 

Regards,

Donka Dimitrova

Re: java.lang.StringIndexOutOfBoundsException: String index out of range: -40


Hi Vijay,

 

I'm sorry but as said, this is the wrong place to ask such questions. I would suggest to check with support, whether they can help you.

 

Kind regards,

Patrick

Re: java.lang.StringIndexOutOfBoundsException: String index out of range: -40


This error indicates that the string on which substring is called is null or its length is less than 40 symbols. It's an error in the code where substring is used.

Re: [enquiry] SAP Fiori setup with SSO enable


Dear Donka,

 

Thanks very much, it is very detailed.

BTW, I would like to clarify again that I cannot "get rid of AS JAVA".

 

Is it based on the case that I choose to use the product SAP Netweaver Single Sign-On only?

(or actually I have no other choice...lol ?)

 

And is it because SAP Netweaver SSO has to be set up in AS JAVA? (install secure login server, etc. I read this before: "http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/c040f4a9-0387-3010-9081-dbce2724215d&overridelayout=true")

 

If yes, is it recommended (or necessary) to setup a standalone NW AS JAVA to support "SAP Single Sign-On" product feature?

 

####

Actually, I remember it should be possible to make SAP ABAP Webgui SSO work with something like below (long time ago, I can't remember all the steps):

 

t-code: STRUSTSSO2

create cert

CA sign request

Mapping X.509 Certificates in Table USREXTID

 

I'm thinking, for the SAP Fiori scenario, can it be done the same way?

(assume that I don't have to relate to the AD user account anymore; or I just enable SNC SSO for Intranet while X.509 for Extranet access)

###

 

 

Regards

Gary

Re: java.lang.StringIndexOutOfBoundsException: String index out of range: -40


Hi,

 

Do I have to make changes in the Development component or somewhere else?

 

Thanks,

Vijay


Re: [enquiry] SAP Fiori setup with SSO enable


Hello Gary,

 

Yes, the AS JAVA server is necessary for the two scenarios described by me, because both components, the Secure Login Server (X.509) and the SAML IdP, are running on an AS Java server. It is not necessary to install a dedicated AS Java for this purpose. These components could be installed on an AS Java server that already exists in the company.

In general for the Fiori SSO scenario it is possible to use the SSO technologies supported by AS ABAP for Web UI and this includes X.509 client certificates (as I already mentioned).

SNC is configured when you use SAP GUI for Windows. When you implement SAP GUI for HTML, you configure SSL.

 

Regards,

Donka

Re: [enquiry] SAP Fiori setup with SSO enable


Hello Gary,

 

Actually there is one more variant based on SAML technology and this variant doesn't require an AS Java server.

You can achieve SAML SSO with MS AD User&Password using our SAP Cloud Identity service. The user will authenticate against SAP Cloud Identity and the User&Password will be checked at the MS AD and if they are correct the SAP Cloud Identity IdP will issue a SAML assertion that could be used for authentication with SAP Fiori.

SAP Cloud Identity is a service running in the cloud. See more details about the SAP Cloud Identity integration with the on premise user store here in this blog:

How to Connect Your Cloud Applications with Your Corporate User Store

 

Regards,

Donka Dimitrova

Re: java.lang.StringIndexOutOfBoundsException: String index out of range: -40

Re: Two-Factor authentication


Hi Dimitris,

 

Certificates alone are not considered two factor. What is the second factor? Certificate based logon for SAP GUI requires some SSO product like SAP NW SSO. Depending on your SAP system, you will be able to use logon policies (tx secpol) to enforce SSO only for some users, allowing the others to log on also using their password. However it's not clear to me whether this should be proposed, as SSO also has side effects like reduced admin effort for stuff like password reset. So maybe you want to use SSO for all and just have different policies inside SSO, how the authentication for different users works?

 

Kind regards,

 

Patrick

Re: How to verify a logon ticket using SAPSSOEXT without verify.pse


Hi Richard,

 

this forum is about the SAP NW SSO product. I would suggest to move this thread to the security forum, as this is the place where questions on ABAP app servers security features are usually discussed.

 

With regards to your question, did you have a look at sapgenpse?

You can create a pse with this command and then import the key into that pse.

 

Kind regards,

Patrick
