Channel: SCN: Message List - SAP Single Sign-On

Re: Two-Factor authentication


Hi Patrick

 

The second factor to be checked will be the existence of the PC certificate, and the certification authority can be Active Directory.

We would like to use either the X.509 or the Kerberos (preferred) option for tfa.second.factor.login.module.

Sorry, but I'm not familiar with SSO or two-factor, and the above answer is the one I have from the requestor. Hope it is what you need.

 

 

Dimitris


Re: How to verify a logon ticket using SAPSSOEXT without verify.pse


I actually resolved this issue myself, so for anyone who is interested, here is the answer.

 

The public key can be provided as an X.509 certificate (go to NWA -> Configuration -> Certificates and Keys; select TicketKeyStore; export SAPLogonTicketKeypair-cert).

 

This certificate can then be imported on the target machine using Certificate Manager (run certmgr from the command prompt). Then export it from Certificate Manager as a DER encoded binary X.509 file.

 

This file can then be passed to SAPSSOEXT with the -crt parameter.

 

Richard

Re: Two-Factor authentication


Hi Dimitris,

 

When the certificate is the second factor, then please, what is the first one? If you are using software certificates or Kerberos tokens on a Windows front-end, they are protected by the user password. If you are now using a user password as first secret, you have two passwords, which may even be the same. Usually for two-factor you will have to have something in hardware or at least some smartphone with an authenticator app. You can also just use Kerberos or X.509 based auth (user logs in and then can access the SAP system using the X.509 or Kerberos tokens), but this then is only SSO.

 

Sorry, I still do not get it.

 

Regards,

Patrick

Re: Two-Factor authentication


Hello Dimitris,

 

Based on your first message it seems to me that your customer would like to limit the authentication of a certain group of users to specific PCs (for example shared PCs/kiosk PCs). Using the Risk-based authentication solution of our SAP Single Sign-On product it is possible to implement such complicated security requirements, like for example the one that you have from your customer now.

Here you will be able to find my blogs that describe the solution:

Risk-Based Authentication for Your Critical Business Processes

Stronger security for your business data at risk

Also, if you are interested in finding more info about this solution, the SSO technologies and the two-factor authentication supported by our product, I will be glad to do a presentation and a demo for you and your team and to discuss in detail how our features could help you to implement the requirements of your customer.

If you are interested just send me a message on donka.dimitrova at sap.com.

 

Regards,

Donka Dimitrova

Re: Two-Factor authentication


Hi Dimitris,

 

As I understand it, the certificate is supposed to represent the PC, not the user. Is this correct?

 

Best regards,

Christian 

Re: Two-Factor authentication


Hi Donka,

 

It seems that that is the implementation we need, but I cannot reach the customer now to confirm.

I'll come back ASAP once I confirm it.

 

Patrick,

 

First factor: SAP username & password

 

 

Second factor: Machine (not user) Certificate issued by Active Directory.

 

 

Dimitris

Re: Two-Factor authentication


Hi Christian,

 

yes, that is correct.

 

Dimitris

Re: Two-Factor authentication


Hello Dimitris,

 

Is this request about SAP GUI login or about Web (browser) login?

 

Regards,

 

Dimitar


Re: Multi Factor Authentication support for NW SSO?


Hi Donka Dimitrova,

 

you said, that there are plans to add two factor authentication.

 

We're interested in using exactly that: Leave the first channel (UserID/Pass) like it is and add another one.

  • Is this possible at all? Or when is this going to be implemented?
  • Would it be possible to use RADIUS for the second method, or is SAML required?
  • Could the second method be made to only send the username/userid? Our second method is completely disjoined from the main communications, so that we can just answer "Yeah, go ahead".
  • Could you point me at relevant docs?

Thanks in advance!

 

Cheers

Re: Two-Factor authentication


Hi Dimitris,

 

thanks for the clarification. So the use case is the customer wants to restrict authentication for certain users to certain systems? Or are they allowed to access from anywhere but only from some systems they are permitted to execute certain actions?

 

BTW: this is not real two-factor authentication, maybe have a look at the wiki for a definition. In case of two factor authentication, both components are belonging to the user, must be one physical and one secret component and have to be presented in one authentication request. A PC or certificates belonging to a PC are usually not considered to be a user component. Mobile phones with token generators are usually ok as well as a replacement for the physical component.


Kind regards,

Patrick

Re: Multi Factor Authentication support for NW SSO?


Hello Christian,

 

Yes, the SAP Single Sign-On product supports dual authentication and RSA (RADIUS) could be configured for the second authentication. In your case (because you want to keep the basic authentication for the first authentication phase) the behavior of the system will be the following: the user will be prompted first to provide his UserID&Password and if the password is correct then the user will be prompted to provide also a passcode (RSA). Here the user will have no chance to type another username, he will be able to type only a passcode and if the passcode is valid then the user will be authenticated successfully.

It is possible for example also to combine Kerberos (first authentication stage) & RSA/OTP/SMS (second authentication stage).

You can implement now such dual authentication also using X.509 client certificates issued by the Secure Login Server (not only with SAML) but you have to use the latest SP06 for SAP Single Sign-On 2.0 version.

See more details in the implementation guide:

http://help.sap.com/download/sapsso/secure_login_impl_guide_en.pdf

 

If you have any further questions just let me know.

Regards,

Donka Dimitrova

Re: java.lang.StringIndexOutOfBoundsException: String index out of range: -40


What exactly is your issue? Create an issue under Web Dynpro Java.

That iView is related to a WD-JAVA application iView.

Re: java.lang.StringIndexOutOfBoundsException: String index out of range: -40


Hi Vijay,

 

I have posted the same in the Web Dynpro Java community.

Please help me or provide any input which can help me to resolve this issue.

 

Thanks

Re: Is it possible to disable "Secure Login Authentication Profile Lock and Unlock"?


Hello Kai.

We are using:

Version: 2.0

Support Package:    3

Patch Level:    2

 

And still getting profile "Locks" whenever a user has corrupted UPN data. It's a problem because it affects all the other users trying to use that profile.

 

Which Service Pack has resolved this or provides a feature to disable it?

 

Thanks

Re: Is it possible to disable "Secure Login Authentication Profile Lock and Unlock"?


Sebastian,

 

There is no way to turn off profile locking. But such locks should only occur if the configuration of SLS is corrupted somehow, not if user data don't fit during enrollment.

Could you explain what "corrupted UPN data" means? Did you configure LDAP/ADS based user name mapping, and you don't get a value for userPrincipalName?

 

-- Stephan


Re: Is it possible to disable "Secure Login Authentication Profile Lock and Unlock"?


Hi Stephan!

Our X.509 certificates are granted via SLWC using LDAP authentication against AD.

Certificate CN is the UPN (userPrincipalName) in this format: "id@domain.corp"

We have encountered AD users where the UPN returns without .corp, or using ,corp (comma instead of a dot).

When these users try to authenticate, the profile gets locked.

Error Message

Cannot send an HTTP error response [500 com.sap.securelogin.library.core.ProfileConfigException: The user variable : (AUTH:UPN) can not be resolved but is used. (details: )].

 

We know it is an AD user problem, but we are looking to avoid the profile lock while reviewing and fixing more than 20.000 AD accounts...

 

thanks!
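One way to locate the affected accounts ahead of enrolment, as an added example that is not part of the original post or of SAP's tooling: a Python check over a CSV export of AD attributes that flags the two malformations described above (suffix without .corp, comma instead of a dot). The CSV layout, the sample rows and the single expected suffix `domain.corp` are assumptions.

```python
import csv
import io

# Assumption: the one UPN suffix enrolment expects. The thread only gives the
# shape "id@domain.corp"; substitute the real suffix.
EXPECTED_SUFFIX = "domain.corp"

# Constructed sample export (not real accounts). A UPN containing a comma must
# be quoted in CSV, otherwise the export itself splits the value in two.
SAMPLE_EXPORT = '''sAMAccountName,userPrincipalName
jdoe,jdoe@domain.corp
asmith,asmith@domain
bkhan,"bkhan@domain,corp"
clee,
'''

def classify_upn(upn, expected=EXPECTED_SUFFIX):
    """Return 'ok' or the reason the value is not of the form id@<expected>."""
    value = (upn or "").strip()
    if not value:
        return "empty"
    if value.count("@") != 1:
        return "malformed"
    user, suffix = value.split("@")
    if not user:
        return "malformed"
    suffix, expected = suffix.lower(), expected.lower()
    if suffix == expected:
        return "ok"
    if suffix.replace(",", ".") == expected:
        return "comma-for-dot"        # e.g. id@domain,corp
    if expected.startswith(suffix + "."):
        return "suffix-truncated"     # e.g. id@domain (no .corp)
    return "unexpected-suffix"

def audit(export_text, expected=EXPECTED_SUFFIX):
    """Group account names by finding; accounts with a well-formed UPN are omitted."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        reason = classify_upn(row.get("userPrincipalName"), expected)
        if reason != "ok":
            findings.setdefault(reason, []).append(row["sAMAccountName"])
    return findings

if __name__ == "__main__":
    for reason, accounts in audit(SAMPLE_EXPORT).items():
        print(f"{reason}: {', '.join(accounts)}")
```
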

Re: Is it possible to disable "Secure Login Authentication Profile Lock and Unlock"?


This false lock was fixed in SLS 2.0 SP06.

 

-- Stephan

Re: SSO takes place from SAP 7.4 SP 9 to Readsoft(Processdirector 7.3)


Hi Vijay,

Many thanks for the quick response, really appreciated.

I am really confused by this note. To bring you back to the scenario we are going to implement: SSO between J2EE apps (WAR/EAR) on a Tomcat server and SAP Portal. Is there any specific doc for this? Please advise, it's very urgent...

Thank you in advance!

Best Regards,

Sudhir Jati

Re: SSO for AS ABAP system Web GUI


Hello Amerjit,

 

Yes, your understanding is correct.

 

We have the SSO for SAPGUI already configured & in use by business.

 

We would like to extend the same to the WebGUI for AS ABAP system.

 

As suggested, I'll check on the SPNEGO part and see how I can leverage its functionality in my scenario.

 

 

Best Regards,

Tanmeya

ADFS V3.0


Dear All

 

We would like to deploy SSO for SAP Cloud For Customers but we can have ADFS V3.0 and not V2.0

Would you have some technical documents or specifications to provide? Are there differences between V2.0 and V3.0?


Thank you very much

 

Jérémie Waltman

Lagardère Sports & Entertainment
