Channel: SCN: Message List - SAP Single Sign-On

Re: 64 bit .NET connector 3.0 with SECGSS.DLL 32 bit


Hi Christian, would you please provide a full compatibility list?

So I don't get "Grundschutz" (encrypted network traffic) for my full SAP landscape without licensing an SNC product. Strange.

<derogatory comment removed by moderator>.

Regards,

Lutz

 

Message was edited by: Julius von dem Bussche (Moderator)


Re: SAP AD Integration with Net weaver 7.5

Re: 64 bit .NET connector 3.0 with SECGSS.DLL 32 bit


Hi Christian, ABAP in Eclipse will not do either as long as you chose to install 64bit JRE? AiE documentation does not tell anything of limitations when using 64bit JRE ( SAP Development Tools ).

Regards,

Lutz

Re: CL_SAML20_RESPONSE->VALIDATE_ASSERTION


Hi Filipe,

 

Are you talking about the hash algorithm such as below?

 

Or does it mean we have to export the certificates again but using SHA-256?

 

Kind regards

Keo

Re: SAP AD Integration with Net weaver 7.5


Dear Donka and Marco,

 

Thanks a lot for your reply.

 

We are planning to use SAP SSO, and if we do not want to publish the Fiori Launchpad on the Internet, do we still need SAML technology?

 

 

Regards,

 

Abu Sandeep

Re: SAP AD Integration with Net weaver 7.5


Hello Abu,

 

The Mobile SSO solution available with the SAP Single Sign-On product requires SAML Identity Provider for the authentication to the AS ABAP back-end of the SAP Fiori. This solution is available for both scenarios - when the user is accessing the system from inside corporate network and also when the user is accessing the system from outside corporate network.

It is up to your company to decide if you want to allow also external access but the SAML SSO is mandatory for both.

 

Regards,

Donka Dimitrova

Re: SAP AD Integration with Net weaver 7.5


Dear Marco Noe,

 

Thanks for the information about Tcode SAML2. We got the link and configuration steps in Gateway Server.

 

 

We have a Secure Login Server installed and would like to use certificates for Mobile SSO.

Secure Login Server with NetWeaver 7.5 Java engine has an option to enable SAML 2.0 support.

Do we need to enable SAML on both servers? What is the difference between doing it on the two servers?

X.509 configuration requires Secure Login Server and Mobile SSO requires SAML 2.0. Let me know whether my statement is right.

 

 

Thanks in advance.

 

 

Regards,

 

Abu Sandeep

Re: SAP AD Integration with Net weaver 7.5


Hello Abu,

 

I would like just to clarify for you the following:
As part of the SAP Single Sign-On product you get:

1) Secure Login Server for issuing X.509 Client Certificates

2) SAML Identity Provider for issuing SAML assertions.

Both solutions are deployed and running on SAP NW AS JAVA.

Secure Login Server could be configured to accept SAML assertions for authentication but you do not need the Secure Login Server when you implement Mobile SSO based on TOTP (see the guide provided by me above).


In order to implement Mobile SSO solution based on TOTP, you need to implement our SAML Identity Provider and to configure the trust between the SAML IDP and your AS ABAP system as SAML SP (this all is described in the guide, provided by me above). 


If you have any further questions just let me know.

Regards,

Donka



Can SPnego and SAML2 be configured in the same portal731?


We have Portal 731 and configured SPnego and SAML2.

 

We want the external users to use SAML2 and internal users SPnego, but what we notice is that SAML2 is getting checked first before SPnego even though we defined the login authentication stack as below.

EvaluateTicketLoginModule - Sufficient

SpnegoLoginModule - Optional

CreateTicketLoginModule - Sufficient.

SAML2LoginModule - Optional.

CreateTicketLoginModule - Sufficient.

BasicPasswordLoginModule - Requisite

CreateTicketLoginModule  - Requisite
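
Added example, not part of the original post and not SAP portal code: a small simulation of the standard JAAS control-flag rules (Sufficient, Optional, Requisite) walked over the stack listed above, showing which modules are reached for a Kerberos user, a SAML user and a user with neither. It assumes a module succeeds only when its credential is presented and that CreateTicketLoginModule succeeds only after an earlier module has identified the user; portal-specific behaviour is not modelled.

```python
# Added illustration: standard JAAS control-flag evaluation, not SAP portal code.
STACK = [  # the stack exactly as listed in the post above
    ("EvaluateTicketLoginModule", "sufficient"),
    ("SpnegoLoginModule", "optional"),
    ("CreateTicketLoginModule", "sufficient"),
    ("SAML2LoginModule", "optional"),
    ("CreateTicketLoginModule", "sufficient"),
    ("BasicPasswordLoginModule", "requisite"),
    ("CreateTicketLoginModule", "requisite"),
]

def evaluate(stack, presented):
    """Walk the stack in order; return (authenticated, [(module, ok), ...]).

    presented: names of modules whose credential the request carries
    (constructed input). Assumption: CreateTicketLoginModule succeeds only
    if an earlier module in this pass has already identified the user.
    """
    trace, identified, mandatory_failed = [], False, False
    has_mandatory = any(f in ("required", "requisite") for _, f in stack)
    for name, flag in stack:
        if name == "CreateTicketLoginModule":
            ok = identified
        else:
            ok = name in presented
            identified = identified or ok
        trace.append((name, ok))
        if ok and flag == "sufficient" and not mandatory_failed:
            return True, trace          # Sufficient success ends the walk
        if not ok and flag in ("required", "requisite"):
            mandatory_failed = True
            if flag == "requisite":
                break                   # Requisite failure ends the walk
    if mandatory_failed:
        return False, trace
    # No mandatory module configured: one Sufficient/Optional must succeed.
    return (has_mandatory or identified), trace

def modules_reached(presented):
    """Names of the modules invoked, in order, for the given credentials."""
    return [name for name, _ in evaluate(STACK, presented)[1]]

if __name__ == "__main__":
    for label, creds in [("kerberos", {"SpnegoLoginModule"}),
                         ("saml", {"SAML2LoginModule"}),
                         ("none", set())]:
        ok, trace = evaluate(STACK, creds)
        print(label, ok, [f"{n}={'ok' if s else 'fail'}" for n, s in trace])
```
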

Re: Can SLS generate CRLs for X.509 certificates it has issued?


Hi Colin

 

We had a similar function with longer lifetime certificates before rolling out the SAP authenticator app. Before then we placed rewrite rules within the web dispatcher to block client certificates for a device that was lost. i.e. SSL_CLIENT_CERT_SUBJECT as per SAP Note 1612828.

This was in addition to the recommendation that Stephan has made, i.e. locking associated accounts.

 

Rgrds

Craig

Re: Can SPnego and SAML2 be configured in the same portal731?

Error : No Host Found


Hello,

 

Need your kind advice on the SSO issue.

 

When we try to access the SSO server through MPLS it gives us an error "No Host Found", whereas when connected to VPN it works fine. Please suggest what could be the issue.

 

Thanks,

Nitin Sherry

How to configure SAP NetWeaver for SAML 2.0 SP and SSO,SLO.

Re: Connecting External System with SAP ABAP Server using SNC


Hi Fillipe,

 

We have the same issue. We have a .NET application which connects to SAP using an RFC call with the connection parameters Username, pass, Host, sys no and client. Now we are enabling SNC in the .NET application. The SAP environment is configured with SNC (without SSO, similar to Configuring SAP SNC without Single Sign-On on UNIX/Solaris/Linux). On the client side (SAP GUI), instead of the SCE library file we have used Secure Login Client 1.0 library files and configured SNC between SAPGUI --> AS ABAP.

 

Likewise, to configure SNC between .NET application --> AS ABAP we are using the additional connection parameters SNC_MODE, SNC_QOP, SNC_PARTNERNAME, SNC_LIBRARY.

 

But we are getting the issue below while connecting from the .NET application.

 

**** Trace file opened at 2016-04-25 18:51:01 (UTC+05:30 India Standard Time)

 

 

SAP .NET Connector 3.0 with file version 3.0.5.0 running on 64-bit .NET Framework 4.0.30319.42000

Program: C:\Users\kginnela\Desktop\NCO test\NCO test\bin\Debug\NCO test.vshost.exe

Working dirctory: C:\Users\kginnela\Desktop\NCO test\NCO test\bin\Debug

Operating system: Windows 7 Enterprise 64-bit Service Pack 1

Processor: 4x AMD64 (or x64)

SAP release: 720, Kernel release: 720, Kernel patch level: 111

Hostname: INPUNKGINNELA1, IP address: 10.82.23.21, IP_v6 address:

 

 

Default trace level: None

 

 

>> Error entry 2016-04-25 18:51:01.936

Failure to create pool for destination 6be87c8c-4a9a-4450-ba85-00181306983d [NAME=6be87c8c-4a9a-4450-ba85-00181306983d USER=kginnela CLIENT=501 LANG= ABAP_DEBUG=NONE TRACE=NONE ASHOST=USALVWSSC703D SYSNR=00 SNC_MODE=1 SNC_QOP=8 SNC_LIB=C:\Program Files\sap\FrontEnd\SecureLogin\lib\secgss.dll SNC_PARTNERNAME=p:CN=SAP/KerberosSC2@DOMAIN.COM]

SAP.Middleware.Connector.RfcCommunicationException:

LOCATION    CPIC (TCP/IP) with Unicode

ERROR       GSS-API(maj): Miscellaneous failure

            GSS-API(min): A2210223:A2210223

            target="p:CN=SAP/KerberosSC2@DOMAIN.COM"

TIME        Mon Apr 25 18:51:01 2016

RELEASE     720

COMPONENT   SNC (Secure Network Communication)

VERSION     5

RC          -4

MODULE      sncxxall.c

LINE        3345

DETAIL      SncPEstablishContext

SYSTEM CALL gss_init_sec_context

COUNTER     3

 

 

   at SAP.Middleware.Connector.CpicConnection.CpicReceive(Int32 timeout)

   at SAP.Middleware.Connector.CpicConnection.Read(Byte* buffer, Int32 offset, Int32 count)

   at SAP.Middleware.Connector.RfcConnection.ReadBytes(Byte* buffer, Int32 count)

   at SAP.Middleware.Connector.RfcConnection.ReadRfcIDBegin(Int32& length)

   at SAP.Middleware.Connector.RfcConnection.ReadUpTo(RFCGET readState, RfcFunction function, RFCID toRid)

   at SAP.Middleware.Connector.RfcConnection.RfcReceive(RfcFunction function)

   at SAP.Middleware.Connector.RfcConnection.ConnectAsClient(RfcConfigParameters options)

   at SAP.Middleware.Connector.RfcConnectionPool..ctor(RfcDestination destination, Boolean forRepositoryCalls)

>> Error entry 2016-04-25 18:51:02.128

NAME=6be87c8c-4a9a-4450-ba85-00181306983d USER=kginnela CLIENT=501 LANG= ABAP_DEBUG=NONE TRACE=NONE ASHOST=USALVWSSC703D SYSNR=00 SNC_MODE=1 SNC_QOP=8 SNC_LIB=C:\Program Files\sap\FrontEnd\SecureLogin\lib\secgss.dll SNC_PARTNERNAME=p:CN=SAP/KerberosSC2@DOMAIN.COM

SAP.Middleware.Connector.RfcCommunicationException:

LOCATION    CPIC (TCP/IP) with Unicode

ERROR       GSS-API(maj): Miscellaneous failure

            GSS-API(min): A2210223:A2210223

            target="p:CN=SAP/KerberosSC2@DOMAIN.COM"

TIME        Mon Apr 25 18:51:01 2016

RELEASE     720

COMPONENT   SNC (Secure Network Communication)

VERSION     5

RC          -4

MODULE      sncxxall.c

LINE        3345

DETAIL      SncPEstablishContext

SYSTEM CALL gss_init_sec_context

COUNTER     3

 

 

   at SAP.Middleware.Connector.CpicConnection.CpicReceive(Int32 timeout)

   at SAP.Middleware.Connector.CpicConnection.Read(Byte* buffer, Int32 offset, Int32 count)

   at SAP.Middleware.Connector.RfcConnection.ReadBytes(Byte* buffer, Int32 count)

   at SAP.Middleware.Connector.RfcConnection.ReadRfcIDBegin(Int32& length)

   at SAP.Middleware.Connector.RfcConnection.ReadUpTo(RFCGET readState, RfcFunction function, RFCID toRid)

   at SAP.Middleware.Connector.RfcConnection.RfcReceive(RfcFunction function)

   at SAP.Middleware.Connector.RfcConnection.ConnectAsClient(RfcConfigParameters options)

   at SAP.Middleware.Connector.RfcConnectionPool..ctor(RfcDestination destination, Boolean forRepositoryCalls)

   at SAP.Middleware.Connector.RfcConnectionPool.GetPool(RfcDestination destination, Boolean forRepository, Boolean create)

   at SAP.Middleware.Connector.RfcDestination.GetClient(Boolean forRepository)

   at SAP.Middleware.Connector.RfcDestination.Ping()

 

 

Please help: what is wrong with the connection and how can it be resolved?

 

Thanks,

krishna

Re: Connecting External System with SAP ABAP Server using SNC


Hi DONKA,

 

Does Secure Login Client 1.0 support the Kerberos protocol to enable secure communication between a .NET application and AS ABAP?

 

Thanks,

Krishna


Re: SSO issue in Upgraded Netweaver 7.4


Hello,

 

Can you please explain what exactly and where exactly you have made the changes?

 

 

Amar

SNCERR_CONTEXT_EXPIRED during Citrix Timezone redirection


Hello,

 

We have an environment to provide connectivity to our remote users. They can join the local environment using RDP or VDI to connect to our systems when VPN access is not possible. Everything works well, but when we activate the time-zone redirection feature, SSO stops working if the time-zone of the remote user is equal to or greater than 10 hours (as this is the lifetime of the Kerberos tickets).

 

Error we get is SNCERR_CONTEXT_EXPIRED.

 

I have already tried all the standard available solutions and an incident is already opened with SAP, but so far no solution there.


I hope to get some help here.


Thanks.


Anand

GRC 10.1 End user Logon SSO with LDAP


Hello All,

 

 

Could you please help me in configuring SSO between LDAP and GRC for End user logon functionality? I do not see a post which talks clearly about this.

 

I have configured the LDAP server in GRC and created a LDAP Connector which is working fine and our security team is able to sync all the LDAP Users into GRC system.

 

 

As part of GRC ARM End user Logon, I now need to configure SSO between LDAP and GRC.

 

 

The user should be able to access the GRC system with his LDAP authentication for requesting SAP access in the landscape.

We don't create an ID for the user in SAP GRC, but he will be able to access the GRC system with his LDAP authentication.

 

 

If this can be achieved by exchanging the certificates between LDAP and GRC, what kind of certificate should I ask our LDAP team to provide to add in STRUST of GRC?

 

 

I have gone through SAP Note 1733442, which only talks about approaches to follow, but there is no detailed process available for it.

 

 

 

I'm trying to achieve SSO by the approach below, as explained in the note:

 

 

SSO via Browser with Certificate Auth (As we do in SAP)

 

 

1. Sync all AD users into GRC ABAP without password.

2. Setup Certificate issuer to Authenticate against AD.

3. Setup GRC ABAP to trust that Certificate Authority/issuer.

4. Login into Certificate Generator App on computer, get the certificate in browser, access GRC 10 application URL.

 

 

 

 

 

Please let me know.

 

 

Regards,

 

 

Shakeel Samdani

shakeepbf@gmail.com

Authorizations for AD user while implementing SSO using NWSSO2.0 X.509 certificates


Hello Experts,

 

We are implementing SSO for SAP GUI using NWSSO2.0 X.509 certificates based solution.

 

Is anybody aware which authorizations should be assigned to the service user we create in the MS-AD server?

Re: Authorizations for AD user while implementing SSO using NWSSO2.0 X.509 certificates


Hello Rahul,

 

Just create a user with the properties below. No other authorisation is needed.

 

User Cannot Change Password

Password never expires

 

servicePrincipalName = HTTP/myhost.mydomain.com

 

Regards,

Yuksel AKCINAr
