Channel: SCN: Message List - SAP Single Sign-On

Re: SAML SSO is not working for SAP system with ADFS


Hallo,

 

the clue is in your dev_icm:

[Thr 6640] secude_error 536872221 (0x2000051d) = "Server's certificate (chain) is untrusted (or incomplete)"

(...)

[Thr 2360]    session uses PSE file "D:\usr\sap\SM1\DVEBMGS00\sec\SAPSSLS.pse"

(...)

[Thr 2360] secude_error 536875074 (0x20001042) = "received a fatal SSLv3 bad certificate alert message from the peer"

 

SAPSSLS.pse indicates that the certificates in "SSL client SSL Client (Standard)" are not correct or not complete.

The ADFS certificates will have been automatically added by the SAML2 transaction/configuration under "SSF SAML2 Service Provider ...".

It's not sufficient to add the ADFS certificate to "SSL client SSL Client (Standard)": the intermediate and root certificates which are used to sign the ADFS certificate need to be added here!

Those root intermediate certificates can be extracted from the ADFS certificate.


Refer to http://service.sap.com/sap/support/notes/1094342 for how to extract the root and intermediate.


Regards

Thomas.
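
A small triage helper for the kind of dev_icm excerpt quoted in the post above, added here as an example and not part of the original post or of any SAP tool. The function name `triage_icm_trace` and the result fields are hypothetical; the trace text is the lines quoted in the post. It pairs each `secude_error` with the PSE file last opened on the same thread, which is the association the reply relies on.

```python
import re

# The dev_icm lines quoted in the post above, kept as one excerpt.
SAMPLE_TRACE = r'''
[Thr 6640] secude_error 536872221 (0x2000051d) = "Server's certificate (chain) is untrusted (or incomplete)"
(...)
[Thr 2360]    session uses PSE file "D:\usr\sap\SM1\DVEBMGS00\sec\SAPSSLS.pse"
(...)
[Thr 2360] secude_error 536875074 (0x20001042) = "received a fatal SSLv3 bad certificate alert message from the peer"
'''

THREAD_LINE = re.compile(r'^\[Thr\s+(\d+)\]\s+(.*)$')
PSE_LINE = re.compile(r'session uses PSE file "([^"]+)"')
ERROR_LINE = re.compile(r'secude_error\s+(\d+)\s+\((0x[0-9a-fA-F]+)\)\s*=\s*"(.*)"\s*$')


def triage_icm_trace(trace):
    """Hypothetical helper: list each secude_error with the PSE last opened on its thread."""
    pse_by_thread = {}
    findings = []
    for raw in trace.splitlines():
        line = THREAD_LINE.match(raw.strip())
        if not line:
            continue  # elided "(...)" markers and blank lines
        thread, rest = int(line.group(1)), line.group(2)
        pse = PSE_LINE.search(rest)
        if pse:
            # Keep only the file name; the path may use either separator.
            pse_by_thread[thread] = re.split(r'[\\/]', pse.group(1))[-1]
            continue
        err = ERROR_LINE.search(rest)
        if err:
            decimal, hexval = int(err.group(1)), int(err.group(2), 16)
            findings.append({
                "thread": thread,
                "code": err.group(2).lower(),
                "codes_agree": decimal == hexval,  # guards against a mangled copy/paste
                "pse": pse_by_thread.get(thread),  # None: no PSE line seen for this thread
                "message": err.group(3),
            })
    return findings


if __name__ == "__main__":
    for f in triage_icm_trace(SAMPLE_TRACE):
        print(f"Thr {f['thread']}: {f['code']} pse={f['pse']} :: {f['message']}")
```
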


Re: GSS-API(maj): No credentials were supplied Unable to establish the security


Hi Samuli Kaski ,


I have the same issue (GSS-API(maj): No credentials were supplied Unable to establish the security).


sapgenpse seclogin -l doesn't display the userPrincipal Name whereas I used the command below to generate pse :


sapgenpse keytab -p SAPSNCSKERB.pse -X <UPN password> -a <UPN>
#############################################################################
License Disclaimer SAP NetWeaver Single Sign-On
You are about to configure trust for single sign-on or SNC Client Encryption.
Please note that for single sign-on you require a license for
SAP NetWeaver Single Sign-On.
As exception, the usage of SNC Client Encryption only without SSO is free
as described in SAP Note 1643878.
#############################################################################

WARNING: it is recommended to use -y instead of -X
Please enter PSE PIN/Passphrase: **********
Please reenter PSE PIN/Passphrase: **********

!!! WARNING: For security reasons it is recommended to use a PIN/passphrase
!!! WARNING: which is at least 8 characters long and contains characters in
!!! WARNING: upper and lower case, numbers and non-alphanumeric symbols.

keytab: Created new keyTab entry.
keytab: KeyTab content stored:

    Version  Time stamp                 KeyType   Kerberos name

          1  Fri Mar  4 11:24:07 2016   DES       <UPN>@domaine
          1  Fri Mar  4 11:24:07 2016   AES128    <UPN>@domaine
          1  Fri Mar  4 11:24:07 2016   AES256    <UPN>@domaine
          1  Fri Mar  4 11:24:07 2016   RC4       <UPN>@domaine
keytab: Created PSE /usr/sap/<SID>/DVEBMGS00/sec/SAPSNCSKERB.pse.


sapgenpse seclogin -p SAPSNCSKERB.pse -O <sidadm>


sapgenpse seclogin -l
running seclogin with USER="<sidadm>"

0 (LPS:OFF):
         (LPS:OFF): /usr/sap/<SID>/DVEBMGS00/sec/SAPSNCSKERB.pse

1 (LPS:OFF): CN=<UPN>@domaine
         (LPS:OFF): /usr/sap/<SID>/DVEBMGS00/sec/SAPSNCS.pse

2 (LPS:OFF):
         (LPS:OFF): /usr/sap/<SID/DVEBMGS00/sec/SAPSNCSKERB.pse


3 readable SSO-Credentials available

 

I don't have any CN for SAPSNCSKERB.pse

 

Could you help me?

 

Regards


Re: Bypassing SAML authentication on a ABAP System


Hello Lutz,

 

I think it should work with HTTP header "x-sap-saml2idp" but I will be able to confirm this on Monday. Perhaps the HTTP headers are not documented yet. I will notify the info developers about this.

 

Best regards,

 

Dimitar Mihaylov

Re: Error in SPNego Configuration SAP NW 7.4 (JAVA)


Hi Manuel,

 

In my organization we use the ECC system as an ABAP user store for the UME in our Portal. If I were doing it over today, I might choose LDAP datasource instead, but it works fine with the ABAP datasource, I would fully expect it to work with the Java UME datasource as well.

 

In this case, SPNego is being used to authenticate your domain user to your Java engine. From there, you may need to ensure that you have SSO tickets correctly configured between the Java engine and other systems, such as your VIM portal. For instance, this is a standard part of setting up a Java Portal against an ABAP backend system, involving creating the SAPJSF user in the ABAP system and configuring that in the UME, and creating a SAPLogonTicketKeypair in the portal and importing that into STRUSTSSO2 in the ABAP system (plus a couple of ABAP profile parameters relating to accepting logon tickets). This establishes trust between the portal and the ABAP system, so that SSO can occur between the two.

 

So, my guess at this point is that you probably need to configure that SSO trust from your Java engine to your VIM portal.

 

Cheers,

Matt

Re: SAML SSO is not working for SAP system with ADFS


Thanks Thomas for your support.

 

After uploading the root cert & intermediate cert, I am getting the below error.

 

And I verified the below Class and Method to check the XML_STRING parameter does not exist. So, we are searching for SAP Notes, but could not find the right notes, and even in SCN blogs we could not find a similar issue.

 

It would be great if someone could help us fix the issue.

 

SAML2-Exception:

CX_SAML20: Parameter XML_STRING was either incorrectly set or not set in method PARSE_XML. Long text: Parameter XML_STRING was either incorrectly set or not set in method PARSE_XML.
    at CL_SAML20_ABSTRACT_MSG->PARSE_XML(Line 33)
    at CL_SAML20_ABSTRACT_MSG->PARSE_MESSAGE(Line 255)
    at CL_SAML20_RESPONSE->CREATE_FROM_MSG(Line 46)
    at CL_SAML20_ABSTRACT_PROFILE->CREATE_MSG_OBJECT(Line 46)
    at CL_SAML20_SSO->VALIDATE_RESPONSE(Line 32)
    at CL_HTTP_SAML20->PROCESS_LOGON(Line 340)
    at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 61)
    at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2393)

 

Thanks,

Nagaraju

SSO from BI launch pad to BPC 10.0 NW


Hello Experts



 

BPC 10.0 NW reports are published to BI Launch pad. To view the reports from BI Launch Pad, the user has to select the connection and again enter the same user ID and pwd to access the BPC report which was used initially at the time of BI Launch pad login.

 

Is there a single sign-on facility in BI launch pad, wherein the user only has to enter the user ID and pwd once, i.e. at the time of logging into BI launchpad?


Any guidance on the same?


regards

Re: AD FS with NW 7.02 using UME


Hello Amrita,

 

Mobile SSO for the SAP Fiori using the SAP Single Sign-On product (license required) includes:

1) SAP Authenticator

2) SAML Identity Provider

3) SSO AUTHENTICATION LIBRARY 2.0

The SAP Authenticator itself is available for free but could be used for free only as a client for RFC 6238 passcodes generation solution. The server side for the two-factor authentication with OTP (one-time passwords) and also the Mobile SSO support via the SAP Authentication application requires license for the SAP Single Sign-On product.

 

Regards,

Donka Dimitrova

Re: Single sign on for ERP and Java stack


Thank you Yuksel.

 

As per the advice, I am concluding that we need to configure SNC for ERP and SSL for NW JAVA using Kerberos certificates and they must be mapped with Windows AD.

 

Please let me know how we acquire the certificates required for SNC and SSL.

 

Regards.


Re: Single sign on for ERP and Java stack


Dear Siva,

 

You can implement single sign-on based on X.509 client certificates for AS ABAP (SNC) and for AS JAVA (SSL) using the Secure Login Server of our SAP Single Sign-On product (license required).

See here chapter 1.1.3.2 Workflow with X.509 Certificate Request Using Secure Login Server:

http://help.sap.com/download/sapsso/secure_login_impl_guide_en.pdf 

 

Regards,

Donka Dimitrova

Re: SSO from BI launch pad to BPC 10.0 NW

Re: Error in SPNego Configuration SAP NW 7.4 (JAVA)


Hi Matt,

 

Thanks for your quick response!

 

But we have our LDAP as User Source and not the ABAP-system.

So the error must be between LDAP -> Java System -> VIM Portal.

It is not necessary to connect an ABAP system to my Java System because it's a Standalone Java System which should only be connected to VIM Portal...

 

Are there any steps to do for configuring LDAP <-> Java-System?

 

Regards,
Manuel

Re: Error in SPNego Configuration SAP NW 7.4 (JAVA)


Manuel,

 

Can you confirm for me, is the Opentext VIM Portal a separate instance, or is this a component installed into an SAP Enterprise Portal? I had been thinking this was a separate instance, a separate server, but after digging around I don't think this is the case.

 

If it's a software component installed into an SAP portal, then you don't actually configure SPNego for VIM; you just configure it for your Enterprise Portal, i.e. for the NetWeaver AS Java that contains your portal.

 

Whether you configure your user store to be the Java UME, the ABAP datasource, or the LDAP datasource is relatively immaterial for purposes of configuring SPNego; it will work with all three, as long as you correctly configure reference user mapping. If you choose LDAP as the datasource, and ensure that the user accounts have matching names between Active Directory and your ECC system, then you will probably have the easiest time of it. There is lots of documentation in SAP Help and all over SCN about configuring LDAP as a user store for AS Java, so it shouldn't be hard to find that with a quick search.

 

The SPNego configuration itself should be exactly as described in either Andy's or my own blog (Andy's is closer to your release version, however, so go with his).

 

If, after configuring SPNego, you find that SSO works fine when users first access the portal, but then they are asked to login again when they navigate to an iView that talks to the backend ECC system, that indicates that the SSO trust between the portal and ECC is not correctly configured, or the reference user mapping between the Java UME and ABAP datasource is not correct. Is this the symptom you're seeing? Or is the initial access of the portal still prompting for a login, right away?

 

--Matt

Re: Error in SPNego Configuration SAP NW 7.4 (JAVA)


Hi Matt,

 

Another quick response - I very much appreciate your information in this case - thanks for that

 

Yes, I have the following constellation:

Active Directory -> SAP AS Java -> VIM Portal

 

And yes, the VIM-component is installed in my Standalone-SAP-AS-Java System.

 

The following procedure is requested from our customer:

 

The user (Domain-User, AD) should be able to logon to VIM-portal-URL.

 

So I want to know how this should work. Is it OK just to have the users in our AD or do we have to configure AS Java Identity Management to AD-Server?

 

Regards,
Manuel

Re: Error in SPNego Configuration SAP NW 7.4 (JAVA)


The users can just be in AD, if you configure the AS Java to use LDAP as the user store, and set up the reference to your ECC users.

Secure login server x.509 certificate for Cloud applications


Hi All,

 

We want to implement SSO in our landscape which has huge SAP landscape and in future couple of cloud applications will be added.

 

We were planning to utilize SAP NW SSO 2.0 product for this.

 

I know that SAML will support single sign on of cloud application.

 

Is it possible to implement SSO for cloud applications using Secure Login Server and its X.509 certificates?

 

 

Regards

Siva.


Re: Secure login server x.509 certificate for Cloud applications


Hello Siva,

 

You can use the SAP Single Sign-On product (license required) for such scenarios. Cloud applications usually support mainly SAML technology, but if you decide to implement SSO based on X.509 client certificates for your on-premise SAP systems you can also install our SAML Identity Provider (IDP) and use the X.509 certificate for the authentication to the SAML IDP. This way your users will get the required SAML assertion for the respective Cloud applications.

If you are running a Microsoft Domain, you can implement "One Login". You can use the Kerberos tokens issued for the user by the Microsoft Domain in the morning for authentication to the Secure Login Server (X.509 issuer) or the SAML IDP and this way your users will have SSO to on premise and cloud applications.

I can organize a presentation of the SAP Single Sign-On product capabilities for you and your team and we can discuss the implementation variants. If you are interested in such a session, just send me a message on donka.dimitrova at sap.com.

 

Regards,

Donka Dimitrova

Re: Bypassing SAML authentication on a ABAP System


Hi Dimitar, Lutz,

 

Header x-sap-saml2idp is supported in ABAP SAML 2.0 since the following SPs:

 

7.02 SP 16

7.30 SP 12

7.31 SP 13

7.40 SP 08

7.50 SP 01

 

Best regards

Angel

Single Sign-On certificates on SAP market place doesn't work ie11


Hello,

 

I was using SSO certificates and they were always working. When they expired, after renewing them, they don't work any more; the SAP support URL is correct and I didn't make changes to my settings.

 

I'm using Windows 8.1 Enterprise x64 and IE 11.0.9600.18161. With Firefox it works, but it doesn't have the possibility to assign a name to the certificates, and if you are using many, checking every time which one you need is just wasting time.

 

Any ideas?

 

Thanks and regards.

 

Dario.

Re: Single Sign-On certificates on SAP market place doesn't work ie11


Hello Dario,

 

You can edit properties of the certificate on IE options as seen below.

 

IECert.jpg

 

 

Regards,

Yuksel AKCINAR

Re: Single Sign-On certificates on SAP market place doesn't work ie11


Is it Firefox? In Internet Explorer I have already renamed the certificates; the problem is that they don't work any more.
