Channel: SCN: Message List - SAP Single Sign-On

Re: AD FS with NW 7.02 using UME


Hello Amrita,

SAML 2.0 Service Provider is supported starting from these versions:

  • SAP NetWeaver AS Java 7.20 (or higher)
  • SAP NetWeaver AS ABAP 7.02 (or higher)

If you decide to use the SAML Identity Provider available with the SAP Single Sign-On product (license required), you will be able to integrate any SAP and non-SAP cloud and on premise solution that is working as a standard SAML Service Provider and your users could be validated against the UME and/or the Microsoft Active Directory.

Regards,

Donka Dimitrova


Re: AD FS with NW 7.02 using UME


Thanks for the prompt response Donka!

One additional question on this topic. Supposing we want to integrate SAP Fiori into the landscape. In that case would it suffice to install SAP NW Gateway and to configure that as a SAML Service Provider?

NetWeaver IDM would still be the IdP.

Re: AD FS with NW 7.02 using UME


Hello Amrita,

There is a SAML IDP available with the SAP Identity Management product (license required) but with the SAP Identity Management product you get only the SAML IDP and not the Mobile SSO solution we offer with the SAP Single Sign-On product: SAP Fiori Client - SAP Library

See more details about the Mobile SSO with SAP Single Sign-On product here:

Mobile Single Sign-On for SAP Fiori - Step-by-Step Guide

See also this architectural guide for Fiori, where chapter 5 describes the Mobile SSO with SAP Single Sign-On:

http://a248.g.akamai.net/n/248/420835/e31e96ee7bd4894bbfb39d92d930463141dfb15172dc955b62d1bde2affde8e1/sapasset.download…

Regards,

Donka Dimitrova

SAML SSO is not working for SAP system with ADFS


Hi All,

I am trying to configure Single Sign-on with ADFS for SAP System.

What I have done so far is:

====================

1) Ran t-code SAML2 on the SAP system and downloaded the Service Provider (SAP system) metadata file; the ADFS team has uploaded it to the ADFS server.

2) Imported the ADFS metadata file + digital certificate into the SAP system and done the configuration as per the guidelines.

SAML 2.0 at SAP Gateway and MSFT ADFS - SAP.com

How to access application:

====================

1) Once I access the URL: https://<SAPFioriHostName>/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html

2) Our request is routed to the ADFS federation portal https://federation-sts-stage.xxxx.com/adfs/ls/ and we get the ADFS portal sign-on screen.

3) My request is redirected to the URL https://<SAPFioriHostName>/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html after providing the ADFS user ID/password.

But here we are getting the SAP Fiori login page, which means SSO is not working between ADFS and the SAP system.

I have enabled SAML2 trace on my SAP system and got the below errors:

SAML20 SP (client 100 ):  Exception raised:

SAML20 CX_SAML20_CORE: Access by the SOAP request to COMMUNICATION_ERROR was denied with status 1. Long text: Access by the SOAP request to COMMUNICATION_ERROR was denied with status 1. Diagnosis System Response Status 401 was returned. Access denied. Procedure Contact the administrator of the entity, to which access was attempted. The logon data prevent communication. Use an HTTP destination and configure the logon data and the SSL client values as needed. Procedure for System Administration

SAML20     at CL_SAML20_ABSTRACT_PROFILE->SOAP_SEND(Line 160)

SAML20     at CL_SAML20_ARTIFACT->RESOLVE_ARTIFACT(Line 61)

SAML20     at CL_SAML20_ABSTRACT_MSG->PARSE_MESSAGE(Line 216)

SAML20     at CL_SAML20_RESPONSE->CREATE_FROM_MSG(Line 46)

SAML20     at CL_SAML20_ABSTRACT_PROFILE->CREATE_MSG_OBJECT(Line 46)

SAML20     at CL_SAML20_SSO->VALIDATE_RESPONSE(Line 32)

SAML20     at CL_HTTP_SAML20->PROCESS_LOGON(Line 340)

SAML20     at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 61)

SAML20     at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2393)

Thanks,

Nagaraju

Re: SAML SSO is not working for SAP system with ADFS


Hello,

Any errors in dev_icm?

Have you imported the root and intermediate certificates of the ADFS signing certificate in STRUSTSSO2?

Are the Local and Trusted Provider enabled in SAML2?

Regards

Thomas

Re: AD FS with NW 7.02 using UME


One basic question

Mobile SSO = SAP Authenticator + Fiori Client to be installed on the client's device?

Does this need a license?

In case of a Fiori deployment, does the Gateway server have to be configured as a Service Provider with the TOTP login module?

Re: SAML SSO is not working for SAP system with ADFS


Hi Thomas,

Yes, I have imported all three certificates of ADFS in my SAP system under STRUST and I can see those certs under STRUSTSSO2 as well.

Please find a few of the dev_icm logs.

[Thr 8040] Thu Mar 03 06:43:11 2016

[Thr 8040] *** WARNING => Connection request from (9/10/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)

[Thr 8040]  {0018f32e} [icxxconn.c 2108]

[Thr 8040] Thu Mar 03 06:48:11 2016

[Thr 8040] *** WARNING => Connection request from (0/1/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)

[Thr 8040]  {0004f351} [icxxconn.c 2108]

[Thr 6640] *** WARNING => Connection request from (0/1/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)

[Thr 6640]  {0004f352} [icxxconn.c 2108]

[Thr 5792] *** WARNING => Connection request from (0/1/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)

[Thr 5792]  {0004f353} [icxxconn.c 2108]

[Thr 6640] Thu Mar 03 06:53:06 2016

[Thr 6640] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

[Thr 6640]    session uses PSE file "D:\usr\sap\SM1\DVEBMGS00\sec\SAPSSLA.pse"

[Thr 2360] SSL_get_state() returned 0x00001180 "SSLv3 read client certificate A"

[Thr 6640] SecudeSSL_SessionStart: SSL_connect() failed --

[Thr 6640] secude_error 536872221 (0x2000051d) = "Server's certificate (chain) is untrusted (or incomplete)"

[Thr 2360] *** ERROR during SecudeSSL_SessionStart() from SSL_accept()==SSL_ERROR_SSL

[Thr 2360]    session uses PSE file "D:\usr\sap\SM1\DVEBMGS00\sec\SAPSSLS.pse"

[Thr 6640] >> ---------- Begin of Secude-SSL Errorstack ---------- >>

[Thr 2360] SecudeSSL_SessionStart: SSL_accept() failed --

[Thr 2360] secude_error 536875074 (0x20001042) = "received a fatal SSLv3 bad certificate alert message from the peer"

[Thr 6640] ERROR in ssl3_get_server_certificate: (536872221/0x2000051d) Server's certificate (chain) is untrusted (or incomplete)

[Thr 6640] ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=SAPhostname.uomsg2.net, OU=I0020272204, OU=SAP Web AS, O=xxxx, C=IN"

[Thr 6640] ERROR in get_path: (27/0x001b) Found root certificate of <CN=SAPhostname.uomsg2.net, OU=I0020272204, OU=SAP Web AS, O=xxxx, C=IN> which does not fit the given PKRoot

[Thr 6640] ERROR in verify_with_PKs: (27/0x001b) Found root certificate of <CN=SAPhostname.uomsg2.net, OU=I0020272204, OU=SAP Web AS, O=xxxx, C=IN> which does not fit the given PKRoot

[Thr 6640] << ---------- End of Secude-SSL Errorstack ----------

[Thr 2360] >> ---------- Begin of Secude-SSL Errorstack ---------- >>

[Thr 6640] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"

[Thr 2360] WARNING in ssl3_read_bytes: (536875074/0x20001042) received a fatal SSLv3 bad certificate alert message from the peer

[Thr 2360] << ---------- End of Secude-SSL Errorstack ----------

[Thr 2360]   SSL NI-sock: local=10.35.20.54:8001 peer=10.35.20.54:56947

[Thr 2360] <<- ERROR: SapSSLSessionStart(sssl_hdl=0000000006C07A50)==SSSLERR_SSL_ACCEPT

[Thr 6640]   SSL NI-sock: local=10.35.20.54:56947 peer=10.35.20.54:8001

[Thr 2360] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStart returned (-56): SSSLERR_SSL_ACCEPT [icxxconn.c   1713]

[Thr 6640] <<- ERROR: SapSSLSessionStart(sssl_hdl=0000000006C07730)==SSSLERR_PEER_CERT_UNTRUSTED

[Thr 6640] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-102): SSSLERR_PEER_CERT_UNTRUSTED {0013f386} [icxxconn.c 1989]

[Thr 10424] Thu Mar 03 06:53:11 2016

[Thr 10424] *** WARNING => Connection request from (0/1/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)

[Thr 10424] {0013f389} [icxxconn.c 2108]

[Thr 2360] Thu Mar 03 06:58:11 2016

[Thr 2360] *** WARNING => Connection request from (1/2/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)

[Thr 2360]  {0004f3c8} [icxxconn.c 2108]

[Thr 7756] *** WARNING => Connection request from (1/2/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)

[Thr 7756]  {0004f3c9} [icxxconn.c 2108]

[Thr 11104] Thu Mar 03 06:58:12 2016

[Thr 11104] *** WARNING => Connection request from (1/2/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)

[Thr 11104] {0004f3ca} [icxxconn.c 2108]

[Thr 10676] Thu Mar 03 07:03:10 2016

[Thr 10676] *** WARNING => Connection request from (2/3/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)

[Thr 10676] {0018f40f} [icxxconn.c 2108]

[Thr 8040] Thu Mar 03 07:08:11 2016

[Thr 8040] *** WARNING => Connection request from (7/8/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)

Thanks,

Nagaraju

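An added example (not from this thread) that reads dev_icm lines like the ones above and, for each ICM thread that reported a failed handshake, records whether the system was the connecting side (SSL_connect) or the accepting side (SSL_accept), which PSE file the session used and the Secude error, and separately counts the NIEHOST_UNKNOWN warnings per host. The sample lines are copied from the trace above; the mapping from PSE file name to STRUST node is SAP's standard naming.

```python
import re
from collections import defaultdict

# Constructed sample: dev_icm lines copied from the trace quoted above (two interleaved threads).
SAMPLE_DEV_ICM = r"""
[Thr 8040] *** WARNING => Connection request from (9/10/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)
[Thr 6640] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr 6640]    session uses PSE file "D:\usr\sap\SM1\DVEBMGS00\sec\SAPSSLA.pse"
[Thr 2360] *** ERROR during SecudeSSL_SessionStart() from SSL_accept()==SSL_ERROR_SSL
[Thr 2360]    session uses PSE file "D:\usr\sap\SM1\DVEBMGS00\sec\SAPSSLS.pse"
[Thr 6640] secude_error 536872221 (0x2000051d) = "Server's certificate (chain) is untrusted (or incomplete)"
[Thr 2360] secude_error 536875074 (0x20001042) = "received a fatal SSLv3 bad certificate alert message from the peer"
[Thr 6640] ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=SAPhostname.uomsg2.net, OU=I0020272204, OU=SAP Web AS, O=xxxx, C=IN"
[Thr 10424] *** WARNING => Connection request from (0/1/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)
"""

THR_RE = re.compile(r"^\[Thr (\d+)\]\s*(.*)$")
HOST_RE = re.compile(r"to host: (\S+), service: (\d+) failed \((\w+)\)")
PSE_RE = re.compile(r'session uses PSE file "([^"]+)"')
SECUDE_RE = re.compile(r'secude_error \d+ \(0x[0-9a-f]+\) = "([^"]+)"')
CHAIN_RE = re.compile(r'Chain of certificates is incomplete : "([^"]+)"')

# SAP's standard PSE file names and the TLS role each one serves in the ICM.
PSE_ROLE = {"SAPSSLS.pse": "SSL server standard (incoming HTTPS)",
            "SAPSSLC.pse": "SSL client standard (outgoing HTTPS)",
            "SAPSSLA.pse": "SSL client anonymous (outgoing HTTPS)"}


def analyse_dev_icm(text):
    """Return (failed TLS handshakes keyed by ICM thread, unresolved-host warning counts)."""
    sessions = defaultdict(dict)
    unresolved = defaultdict(int)
    for line in text.splitlines():
        m = THR_RE.match(line)
        if not m:
            continue
        thr, msg = m.groups()
        if h := HOST_RE.search(msg):
            unresolved[h.groups()] += 1  # key: (host, service, NI error) of an outbound connect
            continue
        s = sessions[thr]
        if "SSL_connect()" in msg:
            s["side"] = "SSL_connect (this system is the TLS client)"
        elif "SSL_accept()" in msg:
            s["side"] = "SSL_accept (this system is the TLS server)"
        elif p := PSE_RE.search(msg):
            # The PSE names the STRUST node whose certificate list was used for this session.
            name = p.group(1).replace("\\", "/").rsplit("/", 1)[-1]
            s["pse"], s["pse_role"] = name, PSE_ROLE.get(name, "unknown PSE")
        elif e := SECUDE_RE.search(msg):
            s["secude_error"] = e.group(1)
        elif c := CHAIN_RE.search(msg):
            s["incomplete_chain_subject"] = c.group(1)
    # Keep only threads that actually reported a failed handshake.
    return {t: v for t, v in sessions.items() if "side" in v}, dict(unresolved)
```

Running it over the sample shows thread 6640 failing as the TLS client with SAPSSLA.pse and thread 2360 failing as the TLS server with SAPSSLS.pse, so the two STRUST nodes can be checked separately.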

Re: SAML SSO is not working for SAP system with ADFS


Hello,

The ICM trace indicates that there is something wrong with your certificates (chain).

Has SSL been setup in the ABAP stack?

Regards

Thomas.

Re: SAML SSO is not working for SAP system with ADFS


Hi Thomas,

Yes, it has been done with self-signed SSL. Do we need SSL with a CA-signed one? If yes, right now we are working with self-signed SSL, which is working fine to access our application with HTTPS.

Thanks,

Nagaraju

Re: SAML SSO is not working for SAP system with ADFS


Hello,

No need to get them signed by a CA.

You can add your own CA via STRUSTSSO2, select “Database” under menu “Certificate”.

Where did you import the root and intermediate certificates of the ADFS signing certificate in STRUSTSSO2? This should be under SSL Client standard.

Regards

Thomas.

Re: SAML SSO is not working for SAP system with ADFS


Hi Thomas,

1) I tried to select Certificate --> Database, but here I am unable to see an Add option; I can see Create, but it does not ask to add any cert.

It seems I already added my cert in SSL Server Standard.

ADFS certs added under SSL Client Standard.

Thanks,

Nagaraju

Single sign on for ERP and Java stack


Hi All,

We have ERP 6.0 EHP6 and NW Java 7.3 systems.

The requirement is to show the SSO capabilities of ERP and NW Java individually (please note that this is not about SSO between ERP and NW Java).

We want to configure SNC for ERP so that users can directly log in using SSO, and similarly SSL for NW Java.

We don't want to integrate with Windows AD or use any LDAP.

Please let me know how this can be achieved. And most importantly, are the certificates we create in STRUST in ABAP and the keystore in Java sufficient to achieve this?

Thank you.

Re: Single sign on for ERP and Java stack


Hello Siva,

An AD or LDAP user is a prerequisite for SSO. Without using a user from an LDAP you cannot configure SSO.

Step 1: Prerequisites - User Authentication and Single Sign-On - SAP Library

Prerequisites

●  Create and configure on the Active Directory Servers (ADS), which act as Kerberos Domain Controllers (KDC), a service user for the AS Java.

○  The password of the user must never expire.

○  The user must be enabled to use DES encryption.

●  On the ADS for each Kerberos Realm, register with the ADS service user a Service Principal Name (SPN) for every DNS name that can be used to access the AS Java with Kerberos authentication.


●  Prepare the UME configuration file for Kerberos authentication. The UME configuration file must contain attribute mapping for resolving the user id of the authenticated user principal name in the Kerberos Realm. You can add new mappings or use a pre-configured UME configuration file. For more information, see Configuring the UME.


Regards,

Yuksel AKCINAR

CL_SAML20_RESPONSE->VALIDATE_ASSERTION


Hi All,

I am having an issue with setting up SSO with ADFS as the IdP for SAP Fiori Launchpad.

I have managed to set up the Fiori Dev and QA systems on the test ADFS system we temporarily created.

However, when we implement the same changes on the production ADFS, we get the below error:

CX_SAML20_CORE: The validation of message 'Response' failed. Long text: The validation of message 'Response' failed.

    at CL_SAML20_RESPONSE->VALIDATE_ASSERTION(Line 57)

    at CL_SAML20_RESPONSE->VALIDATE(Line 72)

    at CL_SAML20_SSO->VALIDATE_RESPONSE(Line 86)

    at CL_HTTP_SAML20->PROCESS_LOGON(Line 303)

    at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 62)

    at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2491)

Caused by: CX_SAML20_CORE: Error in ST program SAML2_ASSERTION when importing XML data. Long text: Error in ST program SAML2_ASSERTION when importing XML data. Diagnosis Signature verification failed (for signer) or Enve System Response Procedure Check the trace of the current work process dev_w. At level 2 you can find further information about the error. Procedure for System Administration

    at CL_SAML20_ABSTRACT_MSG->VERIFY_SIGNATURE(Line 134)

    at CL_SAML20_ABSTRACT_MSG->DECRYPT(Line 107)

    at CL_SAML20_ABSTRACT_MSG->PARSE_XML(Line 252)

    at CL_SAML20_ASSERTION->CREATE_FROM_XML(Line 52)

    at CL_SAML20_RESPONSE->VALIDATE_ASSERTION(Line 32)

    at CL_SAML20_RESPONSE->VALIDATE(Line 72)

    at CL_SAML20_SSO->VALIDATE_RESPONSE(Line 86)

    at CL_HTTP_SAML20->PROCESS_LOGON(Line 303)

    at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 62)

    at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2491)

Caused by: CX_SEC_SXML_ERROR: SSFW_KRN_VERIFY failed with: Signature verification failed (for signer) or Envelope failed (for recipient)

    at CL_SEC_SXML_DSIGNATURE->HANDLE_SSF_ERROR(Line 51)

We followed the following document

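An added example, not part of the post above, for the "Signature verification failed (for signer)" case: it lists every certificate the IdP metadata advertises for signing and checks whether the certificate the SP trusts is among them, which is the first thing to compare when the same SP configuration works against one ADFS and fails against another. The metadata document, certificate bodies and entity ID are constructed placeholders, not real ADFS output.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}


def _b64(payload):
    return base64.b64encode(payload).decode()


# Constructed stand-in for an ADFS FederationMetadata.xml. The certificate bodies are placeholder
# bytes, not real DER certificates, and the entity ID is hypothetical.
PROD_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="http://federation-sts.example.test/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {_b64(b'constructed: PROD token-signing certificate')}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {_b64(b'constructed: PROD token-decrypting certificate')}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def fingerprint(der):
    """SHA-256 fingerprint of a DER-encoded certificate as uppercase hex without colons."""
    return hashlib.sha256(der).hexdigest().upper()


def signing_cert_fingerprints(metadata_xml):
    """Fingerprints of every certificate the IdP metadata advertises for signing assertions."""
    root = ET.fromstring(metadata_xml)
    fps = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))  # drop PEM-style line breaks
            fps.append(fingerprint(der))
    return fps


def check_trusted_signer(metadata_xml, trusted_fps):
    """Does the signing certificate the SP trusts match one the IdP currently advertises?"""
    advertised = signing_cert_fingerprints(metadata_xml)
    matched = [fp for fp in advertised if fp in set(trusted_fps)]
    return {"advertised": advertised, "matched": matched, "ok": bool(matched)}
```

ADFS can advertise a primary and a secondary token-signing certificate during rollover, so the check accepts any advertised signing certificate rather than only the first.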

Re: secure login web client initializing expired Certificate


Hi All

Thanks for pointing in the right direction. In the end the guys opened a call with MarketPlace. Last update I heard is they might have to patch.

They were happy to hear that expired certificates should be automatically removed next time the user tries to authenticate.

Regards

Colleen

Re: Error in SPNego Configuration SAP NW 7.4 (JAVA)


Hi Matt,

Thanks for your link. I've configured SPNego but it doesn't work yet. Now I want to ask you some further questions:

Our customer wants to use the OpenText VIM portal, which could be accessed by a Web-URL.

The users should be able to log on to this VIM portal with their domain account. As written in the OpenText VIM Admin Guide, SPNego should be configured for that.

Therefore we have set up a newly installed AS Java server 7.4, and during the installation we have chosen the option "Java UME as datasource".

Then I've configured SPNego in NetWeaver Administrator following your steps in the link you shared.

Now I have two questions:

Is it right to choose Java UME as the data source, or is this wrong? Because users must use their domain account to log on to the VIM portal...

Regards,
Manuel

Re: Bypassing SAML authentication on a ABAP System


Hi Dimitar, great to know that there is also an HTTP header for this. Are there more HTTP headers around SAML? I cannot find any documentation, even on x-sap-saml2. Do you have a reference?

I am specifically looking to replace the saml2idp parameter with an HTTP header.

Regards,

Lutz

Re: SAML SSO is not working for SAP system with ADFS


Hi All,

I am getting below error after uploading Server certs.

Please support me here.

More information about the exception during SAML 2.0 processing

SAML2-Exception:

CX_SAML20: Parameter XML_STRING was either incorrectly set or not set in method PARSE_XML. Long text: Parameter XML_STRING was either incorrectly set or not set in method PARSE_XML.
    at CL_SAML20_ABSTRACT_MSG->PARSE_XML(Line 33)
    at CL_SAML20_ABSTRACT_MSG->PARSE_MESSAGE(Line 255)
    at CL_SAML20_RESPONSE->CREATE_FROM_MSG(Line 46)
    at CL_SAML20_ABSTRACT_PROFILE->CREATE_MSG_OBJECT(Line 46)
    at CL_SAML20_SSO->VALIDATE_RESPONSE(Line 32)
    at CL_HTTP_SAML20->PROCESS_LOGON(Line 340)
    at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 61)
    at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2393)


Intern data:SAPSYS:::ASMDASOLMAN:::SM1:::000:::WP#3

Thanks,

Nagaraju

Re: SNCWIZARD without SPNego


Jason Moors wrote:


As I say it's not a big deal, just would be nice to configure in one place.

We've decided to make this possible:
You'll be able to configure the Kerberos keytab using ABAP t-code SPNEGO, which can then be used for both SNC and SPNego (as is the case right now), provided that you are using the "CommonCryptoLib" as SNC library.

In the near future you'll be able to use a new customizing switch for "deactivating SPNego". That switch will also be visualized in ABAP t-code SPNEGO.

Stay tuned - as soon as the SAP Note is available, I'll update this posting.
