Channel: SCN: Message List - SAP Single Sign-On

Re: SAP AD Integration with Net weaver 7.5


Dear Donka,

Thanks a lot for your quick response.

I could manage to fix the trusted certificate issue, and the JAVA UME is also configured in the IDP. Now it has started taking the AD credentials itself.

Now, while accessing the Fiori launchpad link, it's asking to select an IDP (made automatic later).

Then it redirects to the message below.

SAML2 service not accessible

What has happened?

Calling of URL http://<hostname><port>/sap/saml2/sp/acs/900 was terminated during SAML2 processing

Note

No RelayState mapping found for RelayState value oucqqvqvwzyodzrroreewoydeeottzwcvducezy

HTTP 404 Not Found

© 2001-2016, SAP AG

As per the Mobile single-sign-on Fiori guide:

29. Go to the tab “Service provider Settings” > RelayState Mapping and choose “Add” for a new RelayState.

30. Provide the name for the RelayState and provide the Path to the RelayState. (In our case, this is the path to the “SAP Fiori Launchpad”.

The Fiori launchpad link is the same as per the document for us.

The default application path was empty and we don't know what should be entered there; it's not mentioned anywhere in the document.

Please advise on this.

Regards,

Abu Sandeep


Re: Stuck on implementing Kerberos based SNC/SSO with SLL 2.0 SP2 on AIX 6.1


Hi All, I couldn't figure out how to delete the keytab entries. Can anyone shed some light? Thanks, Sarah

Btw, I'm using the latest Secure Login Library SP04. The central command is "snc", there is no sapgenpse anywhere.

we are on AIX6.1, trying to use Win AD for SSO for AS ABAP only,

Re: SNCAX.DLL issue


Thanks Filipe, that note was the answer. Thanks again.

Re: Single Signon between Portal and Solman NWA/SLD


Hi Amy,

Thanks for your help.

Issue is resolved.

Root Cause: Ticket login modules are not properly updated in Solman VA.

Regards

V. Suresh Kumar

Re: Enabling AES256 for SNC with SAPGUI (no SSO)


Thanks, Lutz. Yes, you summarized my question perfectly: in effect, how can I tell whether I'm getting my desired result (AES256)? The trace is indeed ambiguous and hints at both RC4 and AES256.

 

Filipe, yes, I followed Nick Wells' thread backwards and forwards for days looking for clues. I don't have any problems with service user passwords or capitalization -- if I did, SNC wouldn't work at all. I did struggle mightily with my AD team to get a service user correctly created -- it seemed impossible to get them to use consistent casing in SPN, UPN, and SamAccountName, etc, and they would report to me that they had "fixed" the case when I could clearly see in ADSI Edit and AD Computers & Users that this wasn't the case (heh, see what I did there?). In the end I gave up and had them use my existing service user that runs the ECC application (SAPService<SID>). I'm aware that this isn't considered best practice, but that user was correctly configured for case (mixed, of course), and only needed the SPN to be added.

 

So, bottom line, I'm past the point that Nick was struggling with (I did struggle with it earlier, but that's resolved now), and now I'm just trying to learn whether my task is complete.

 

Also, tcode SPNEGO doesn't work for me, as we aren't using SPNEGO, only SNC. We also are not using SLL (Secure Login Client), as we are not licensed for NWSSO (I think it's absolutely silly of SAP to charge for this capability, and I think eventually it will go the way of Fiori and become "included" with the core product). So, all I'm going for now is SCE, or SNC Client Encryption.

 

I appreciate the quick responses!

 

Cheers,

Matt

Re: Error when trying to configure trusted IdP on AS ABAP (TA SAML2)


Hi Filipe,

Indeed a bug... a kernel update did the trick, thanks a lot.

It's a very old "playsystem" but I was able to update to a later kernel patch which fixed the parsing issues.

 

Cheers,
Carsten

Re: Configuring SSO with Windows Kerberos on HEC


Hi Robert,

 

Some of the configuration settings only become available after a restart of the system. In particular, the Kerberos configuration is not visible if the profile parameter spnego/enable is 0 when you start SNCWIZARD. The transaction will set the profile parameters as required, but these will only have an effect after the restart.

 

Best regards,

Christian

Re: SHA-1 -->SHA-2


2.04 is where this option appears. We upgraded to 2.06 and it works fine - can specify sha256 on server and see the new sha256 certs being accepted on client.

 

Follow-up question: do we need to update the back-end server certs that are signed sha-1?

 

We can SSO into ABAP and WAS, Java...with the back-ends still using sha-1 now.  I'm a bit concerned that the Java and WAS with IE will be an issue in the future.


Re: SHA-1 -->SHA-2


Hi Chris,

 

The encryption hash used in SHA-2 is significantly stronger and not subject to the same vulnerabilities as SHA-1.

 

All certificates that will be used to secure browser-based communications need to be replaced. Certificates used for other types of applications should be reviewed on a case-by-case basis.

 

The SCN Blog post below will help you better understand how to update the certificates in the AS ABAP system and which PSEs currently support the usage of SHA-2 algorithm:

 

Use of SHA-2 algorithm family in SSL PSEs

 

Cheers,

Filipe Santos

Re: SHA-1 -->SHA-2


Thanks Filipe.  We're planning to migrate all the back-end certs to sha256 now.

spnego/snc and saml


Hi, is there a relation between the spnego/enable parameter and SAML? My IdP and SP configuration is done and working well. As soon as the spnego/enable parameter is enabled in the backend ABAP system, the SAML SSO breaks. Any help? Thanks

Re: spnego/snc and saml


Hi Jim,

 

Are you using Kerberos with SAML 2.0?

 

Directly there is no relation between SAML 2.0 authentication and Kerberos/SPNego, only if you are using both for single sign-on.

 

Make sure that the correct SAML 2.0 authentication context is configured. Are you performing a password based authentication with SAML 2.0 or single sign-on?

 

Cheers,

Filipe Santos
