It is apparent that the implementation in SAP note 1862737 works only for classic dynpros in SAP GUI, so web applications such as Web Dynpros (e.g. PLM Web UI) aren't supported. Feel free to correct me if my assumption is incorrect.
Re: NWSSO and Digital Signatures
Re: Do I need NW SSO licenses to accept SAML 2 from another IdP?
I don't work for SAP and I'm not an expert on NWSSO licensing but my understanding is that you do not need NWSSO licenses in order to use SAML in AS ABAP.
Re: Supplied credentials not accepted by the server and Could not validate SPNEGO token
Hello Yogesh,
With regards to the 2nd error "Could not validate SPNEGO Token"
Login Module Flag Initialize Login Commit Abort Details
1. com.sap.security.core.server.jaas.SPNegoLoginModule SUFFICIENT ok exception true Could not validate SPNEGO token. Reason: No user with account attributes [[namespace=com.sap.security.core.authentication, name=principal, value=sap.helpdesk1, isCaseSensitive=false], [namespace=com.sap.security.core.authentication, name=realm, value=HZL01.VEDANTARESOURCE.LOCAL, isCaseSensitive=false]] found
No logon policy was applied
It means that the user "sap.helpdesk1" was decrypted from the Kerberos token but there is no user with this name in the AS Java. The reason for that is a misconfiguration in the SPNEGO user mapping.
Therefore, please open the SPNEGO wizard in the NWA and configure how AS Java should choose a user from the UME based on the received SPNEGO token. Here is some documentation about configuring the user mapping:
http://help.sap.com/saphelp_nw73/helpdata/en/f4/1978c3a37a441b87a89d61c1a08689/frameset.htm
Regards,
David
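An added example, not part of the original reply and not SAP code: it parses the "No user with account attributes" detail from the trace quoted above and compares the token identity against a constructed user list. The two lookup strategies and the `SAMPLE_UME` data are hypothetical illustrations of a user-mapping mismatch.

```python
import re

# Constructed sample: the Details text of the login-module trace quoted in the post.
SAMPLE_DETAIL = (
    "Could not validate SPNEGO token. Reason: No user with account attributes "
    "[[namespace=com.sap.security.core.authentication, name=principal, "
    "value=sap.helpdesk1, isCaseSensitive=false], "
    "[namespace=com.sap.security.core.authentication, name=realm, "
    "value=HZL01.VEDANTARESOURCE.LOCAL, isCaseSensitive=false]] found"
)

# One "[namespace=..., name=..., value=..., isCaseSensitive=...]" group.
ATTR_RE = re.compile(
    r"\[namespace=([^,\]]+), name=([^,\]]+), value=([^,\]]*), "
    r"isCaseSensitive=(true|false)\]"
)

# Constructed user extract: logon ID -> stored Kerberos principal name (or None).
SAMPLE_UME = {
    "HELPDESK1": "sap.helpdesk1@HZL01.VEDANTARESOURCE.LOCAL",
    "jdoe": None,
}

def parse_token_identity(detail):
    """Return {'principal', 'realm'} from the failure detail, or None if absent."""
    if "No user with account attributes" not in detail:
        return None
    found = {name: value for _ns, name, value, _cs in ATTR_RE.findall(detail)}
    if "principal" not in found or "realm" not in found:
        return None
    return {"principal": found["principal"], "realm": found["realm"]}

def mapping_candidates(identity, users):
    """Show which (hypothetical) lookup strategy would resolve the identity."""
    principal = identity["principal"].lower()          # isCaseSensitive=false
    kpn = f'{identity["principal"]}@{identity["realm"]}'.lower()
    hits = {"logon_id_equals_principal": [], "stored_kpn_equals_principal_at_realm": []}
    for logon_id, stored in users.items():
        if logon_id.lower() == principal:
            hits["logon_id_equals_principal"].append(logon_id)
        if stored and stored.lower() == kpn:
            hits["stored_kpn_equals_principal_at_realm"].append(logon_id)
    return hits

if __name__ == "__main__":
    ident = parse_token_identity(SAMPLE_DETAIL)
    print(ident, mapping_candidates(ident, SAMPLE_UME))
```

With the constructed data, a lookup by principal alone finds nobody, which reproduces the failure in the trace, while a lookup on a stored principal@REALM value resolves to one account.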
Re: Windows AD password synchronization with SAP
Hi,
As a start, please have a look at the following documentation on security policies:
SAP Library - Identity Management
UME Properties for the Security Policy (SAP Library - Using Java)
All information that you need for this is given there.
Regards,
David
Re: Is SSO with multiple AD authentication possible?
Hi,
Configuring SSO where more than one Active Directory exists is possible. There are a number of prerequisites that you need to consider.
One prerequisite for multiple domains is that logon IDs must be unique across multiple LDAP datasources.
Please see the following KBA and notes for more information on this:
http://help.sap.com/saphelp_nw73/helpdata/en/1d/0609407448c442e10000000a1550b0/frameset.htm
1618342 - Multiple LDAP Datasources - Active Directories where logon IDs are not unique
762419 - Multi-Domain Logon Using Microsoft Active Directory
Please have a look at the above notes, which document this and also tell you what to do in these situations.
You should be able to configure this from there.
Regards,
David
Re: Windows AD password synchronization with SAP
Generally speaking, no it's not possible unless you provision the password to SAP at the time it is set. See this discussion thread for details, this has been discussed before. For other similar threads, search for "password synchronization". The solution is to implement SSO.
Re: Do I need NW SSO licenses to accept SAML 2 from another IdP?
Hi,
as Samuli already correctly stated, the SAML2 SP implementation used by the AS ABAP is part of the NW base license.
Regards,
Patrick
SSO between SUS and SRM
Dear experts,
I need your help because we are trying to configure the following scenario:
We have two clients in the same system. One client is SUS and one client is SRM. Our need is to log on to the SUS web part (service srmsus) and, once we are logged on to SUS, jump to MWBC on SRM without specifying the user and password, and the user that we use to log on to SUS is different than the user mapped on the SRM.
Is this possible? Do you have any information about this?
We only have this system, we have no portal anywhere.
Thanks a million in advance
best regards
david
Re: SSO between SUS and SRM
Yes it's possible if you configure SSO so that it works independently in both clients. I don't think you can use the assertion ticket or security session from one client in another client, especially since the user account names are different. For example SPNEGO for ABAP (part of NWSSO), SAML or X.509 would work.
Re: SSO between SUS and SRM
Dear Samuli,
I have checked the NetWeaver SSO on the PAM side, and it only works for Windows. Is that right? If so, do you know another tool for Linux?
Thanks a million
best regards
david
Re: SSO between SUS and SRM
I mean that the Secure Server Login and the Secure Client Login only work on Windows (the tools to generate and configure the X.509 certificates).
Thanks Samuli
david
Re: SSO between SUS and SRM
Hi David,
Secure Login Server is available for all Netweaver platforms, so also linux.
Secure Login Client is only available for Windows and MAC OSX (2.0 SP03, release date 12.5.2014).
For Linux there is currently no client SSO solution available, sorry.
best regards
Alex
Re: SSO between SUS and SRM
Dear Alexander,
I have checked the requirements; if I am not wrong, the Secure Login Server is installed on the Java application server and the Secure Login Client is installed on the ABAP application server. Is that right?
In my case, both application servers are Linux. Do you know any solution for my case???
A lot of thanks
best regards
david
Re: SSO between SUS and SRM
SLS is installed on AS JAVA and SLC is installed on the client meaning the Windows PC. You could use SPNEGO for ABAP assuming you purchase NWSSO licenses and make sure your system meets the requirements (SP, kernel) for using SPNEGO for ABAP. SPNEGO for ABAP doesn't require anything on the client assuming the browser can handle the Kerberos authentication. Another option is to use SAML or even X.509 certificates.
Re: SSO between SUS and SRM
Dear Samuli,
As I understood from the link below (in the 3rd video):
Single Sign-On with Certificates
the SLC has to be installed on the ABAP application server. In my case, this is a Linux server, so I can't use the SLC.
Are you suggesting that I can use SPNEGO instead of SLC?
Forgive me, but I have no idea about this.
A lot of thanks
best regards
david
Re: SSO between SUS and SRM
I mean, do I have to install the SLC on every user's PC, or do I have to install the SLC on the ABAP application server?
Thanks Samuli
Re: SSO between SUS and SRM
SLC is installed on every PC. Yes, I'm suggesting SPNEGO for ABAP, SAML or X.509 certificates. You can have X.509 certificates with or without NWSSO.
Re: SSO between SUS and SRM
Ahhhhh, OK. So if I understood properly, I can follow the link I provided above to configure the SSO with Secure Login, supposing of course that we already have an Active Directory server.
Do you think I am right???
Configuring SAML for https
Hi All,
We have recently upgraded the portal to version 7.31 and have implemented SAML 2.0 authentication. Basically, here the SAP portal is a service provider and the identity provider is a third-party system. There is a load balancer with a VIP for the portal, where SSL traffic terminates and then uses http to reach the portal.
The portal has host name http://sap<sid>00.com, while the load balancer VIP has the URL (https://sap<SID>.com).
We have configured SAML; however, the endpoints show the http URL, and the identity provider is unable to reach the endpoints.
Do we need to modify the endpoints to reflect the load balancer URL, and how can that be achieved?
Appreciate any guidance on this.
Thanks
Abhi
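An added example, not part of the original post and not SAP code: a check that reads a service provider's SAML 2.0 metadata and lists every endpoint whose URL does not match the externally published load balancer URL, which is the mismatch described above. The metadata, host names and endpoint paths are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed SP metadata; host names and endpoint paths are placeholders.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="portal-sp">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="http://sapxyz00.example.com/saml2/sp/slo"/>
  <md:AssertionConsumerService index="0"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="http://sapxyz00.example.com/saml2/sp/acs"/>
  <md:AssertionConsumerService index="1"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://sapxyz.example.com/saml2/sp/acs"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""

DEFAULT_PORTS = {"http": 80, "https": 443}

def audit_endpoints(metadata_xml, external_base):
    """Return (element, url, problems) for endpoints that do not match external_base."""
    want = urlsplit(external_base)
    findings = []
    for el in ET.fromstring(metadata_xml).iter():
        for attr in ("Location", "ResponseLocation"):
            url = el.get(attr)
            if url is None:
                continue
            got, problems = urlsplit(url), []
            if got.scheme != want.scheme:
                problems.append(f"scheme is {got.scheme}, expected {want.scheme}")
            elif (got.port or DEFAULT_PORTS.get(got.scheme)) != (
                    want.port or DEFAULT_PORTS.get(want.scheme)):
                problems.append("port differs from external URL")
            if (got.hostname or "").lower() != (want.hostname or "").lower():
                problems.append(f"host is {got.hostname}, expected {want.hostname}")
            if problems:
                # Strip the "{namespace}" prefix ElementTree puts on tag names.
                findings.append((el.tag.split("}")[-1], url, problems))
    return findings

if __name__ == "__main__":
    for name, url, problems in audit_endpoints(SAMPLE_METADATA, "https://sapxyz.example.com"):
        print(f"{name}: {url} -> {'; '.join(problems)}")
```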
Single Sign on Copy and Paste into Excel then causes Pop up Login
Hi All,
Have you come across this: when you are in a web client UI, i.e. CRM Portal, you copy (CTRL C) HTML formatted text then paste (CTRL V) into MS Excel, and there is a prompt to reauthenticate even after single sign-on has already been authenticated.
It seems that this is standard behaviour or as expected; have any of you bypassed this through any MS settings?
Environment
SAP ECC 6.0 / SAP CRM ABAP 7.0
Single Sign-on 2 NW7.31 SP10
SSO2 certificate using X.509 and SPNEGO
Steps:
- Open CRM Website (CRM_UI) which using HTTPS
- Copy contents from Website
- Paste to MS Excel or MS Word
Issue: MS Excel prompts to select certificate
Solutions tried
- Registry changes – Not possible to change because of company policy
Value tried : BasicAuthLevel to 0
- IE 10 or higher can’t be used to fix because of compatibility with SAP
- Trusted option in MS office did not work.
Updated all Root CA and server SSL certifications to <Trusted publishers>
but still prompt to select credentials.
Solutions expected
- Users want to use <ctl+C> <ctl+V> command
- Certificate must not show when user copy and paste data from Website to MS excel
- When paste to MS Word, doesn’t show any data. Must paste data
- Formatting doesn’t matter. ‘Keep text Only’ option is ok
Thanks all!
Andrew