Many thanks for your help, Samuli.
In the end, we are going to implement the Secure Login with X.509. We have been investigating, and for BSP and NWBC it is the best way we can follow.
Best regards
Dear Abhitab,
There is a very good document about how to set up a SAML 2.0 Service Provider:
In this document you will be able to find some important rules you have to follow, like for example "When you would like to download service provider metadata, access SAML 2.0 configuration UI using the same host and port as end users will use for SAML 2.0 authentication".
I hope this document will help you to understand the process.
You can find the other valuable documents about SAML 2.0 implementation here:
http://wiki.scn.sap.com/wiki/display/Security/Single+Sign-On+with+SAML+2.0
Best regards,
Donka Dimitrova
Dear Samuli,
I have another chance.
Right now, we need to perform the SSO for external users. I mean, the external users will access the srmsus service through the internet and they can jump to the SRM NWBC without credentials.
Do you have any idea? We have never implemented this scenario.
A lot of thanks
Best regards
David
As I wrote before, you will have to enable SSO separately for both. In case of external users it comes down to security requirements and the number of external users. It might make sense to solve external users separately. In case of NWBC, do you mean NWBC for Desktop (the native Windows client) or NWBC for HTML, the browser version? With NWBC for Desktop your choices are somewhat restricted; with NWBC for HTML you have more options.
Dear Samuli,
The external users will access/log on to SUS (through the web service srmsus, which is a BSP in SUS) and then the external users jump to the NWBC SRM HTML.
This jump will be possible through a link from the srmsus BSP to NWBC HTML in SRM.
Thanks a million
Best regards
David
I assume the external users aren't maintained in your AD? That rules out Kerberos. You are left with SAML and X.509 since you don't have a portal to issue the SAP Logon Tickets. How many external users are there? Do you have a PKI in your IT infrastructure that you could use to issue X.509 certificates for external users? I myself would use SAML since you could use the same implementation for internal and external users, no need for two parallel solutions. If SAP GUI for Windows or NWBC for Desktop is in the picture (for internal users) and SSO is a requirement, SAML isn't the recommended option so you will end up with two parallel solutions. I believe NWSSO can be used as PKI to also issue long-term certificates so you could have a global solution based on X.509 certificates. The external users would authenticate against the Secure Login Server to receive their X.509 certificate.
OK, so the external users log on to the server that has the Secure Login Server installed (through the srmsus URL), but how do these users receive the X.509 certificate? Because if the server does not have the external users mapped in the AD, how does the server generate the X.509 certificate to validate and send it to the external users?
A lot of thanks
David
As long as the SLS is able to authenticate the external users with any of the supported methods, it will issue the X.509 certificate.
Do you know which methods we can implement or are supported by the Secure Login Server?
Many thanks
Best regards
David
For the list of supported authentication methods, see the NWSSO SLS implementation guide chapter 1.1.2.1.
Thanks Donka, this has helped. We were able to resolve our issue.
We had to disable a few probe checks on the load balancer side.
Thanks again
Regards
Abhi
Hello.
I adjusted the new SPNego to use SSO with the Kerberos protocol on Solution Manager 7.1 SP8.
And now I can successfully open some URLs via SPNego: NWA, SLD, SPNego config, sso2 on Solman.
But I can't open the link to Incident Management with SPNego; the logon prompt window still opens.
The link to Incident Management is the external alias in SICF.
Please see attachment.
What settings should I adjust to solve this problem?
--
thanks and regards,
Yessen
Does SSO work, when starting the CRM UI directly?
Regards,
Patrick
Hi Patrick.
1. No, directly the logon prompt window also still opens.
The logon settings in SICF of the crm_ui_start service are the same as for the '/servicedesk' alias.
2. In the guide 'SPNegoDocumentation.pdf' (in Note 1488409 - New SPNego Implementation) on page 14, chapter 10 'ADJUST THE AUTHENTICATION STACK', I see this info:
'You can modify any policy configuration in the same manner, depending on the specific applications you want to have configured to work with SPNego.'
Maybe it's the reason for my problem?
But I can't see in Visual Admin which policy configuration I should use.
--
regards,
Yessen
Hi Yessen,
The next thing to check is the logon procedure set for the service crm_ui_start. Please make sure it is set the same way as the services that do work. You can find the relevant information in the documentation.
BTW: the reference you cited is regarding the JAVA server and therefore may not help you.
Regards,
Patrick
Hi Patrick.
Thanks for your advice.
I adjusted the logon procedure for the '/servicedesk' alias (I think this is the same) to 'Alternative procedure' and also selected the 'All Logon Procedure' flag.
Now I see in webdiagtrace new info about the logon procedure (for example, I see in the traces that my Windows domain account is resolved) but I still see only the logon prompt window for CRM_UI.
But in 'Alternative procedure' the system can't have 'SPNego procedure' because our client has not purchased the SAP NetWeaver Single Sign-On product.
The client would just like to use SPNego integrated in NetWeaver 7.02.
I can send the trace file to your email if you would like to see it.
P.S. I just think maybe the citation about the JAVA server is helpful, because it is mentioned in the native SPNego guide.
--
regards,
Yessen
Hi Christain,
I see the post above and we are planning the same in our environment, i.e. Version 2.0 on Windows 8.1. I see there is not a lot of evidence as such that SSO 2.0 is compatible. Can you please confirm the results of your test, if it's successful? Thanks.
Thanks in advance,
Shravan.
Hi Gurus,
I want to know if Secure Login Client is compatible with Windows 8.1. Please let me know if it is, and also share some link for configuration.
Thanks in advance,
Hi
Are you using the IE version?
BR
SS
Yes, we are on IE 7 now, want to move to 8.1 but first need to know if it's compatible.
Thanks.