Hi,
Can you please explain the issue in more details.
Like what kind of SSO spnego or SAML....
ume is linked to .....
what happens and what does the error looks like?
What version you are at?
did you check the error log in the default trace of the portal or if you can run the diagtool and record the log?
Thanks
Rishi Abrol
This space isn't meant for these kind of questions, it is only for the NWSSO product. The correct space for your question is either SAP NetWeaver Portal: Application Integration or Web Dynpro ABAP depending on what the focus of your question is.
Anyway, no you can't do it with WDA since the existing WDA portal integration API doesn't provide access to the portal system landscape. With OBN navigation you have to know the system object.
Unless you are using the NWSSO product, you have used the wrong space to post your question. Before anyone can help you, you need to provide additional technical details of your system landscape (which SAP versions, how is UME configured, how is SSO configured, what back-ends are accessed, etc).
Hi all,
we are implementing a Single Sign-On 1.0 using kerberos token from Microsoft AD, it work fine by saplogon (AS ABAP- ECC, Solman, GRC NF-e and AC ) and by browser NW CE 7.2 ( AS JAVA- IdM7.2 and SSO 1.0) .
During logon by NWBC or other called ICF services by browser, the SSO doesn't work requiring a logon screen . We expected that a SSO working fine and login without require user and password on this cases .
If we are enter a user and password on this problem case, the https is working fine, but we need an automatic login by SSO using kerberos as we set by spnego, SU01 tab SNC and EXTID_DN .
Are there any parameter that we have to set on icf services or RZ10 to provide SSO login to solve this issue ?
Thanks in advance,
Rodrigo
Hi Rodrigo,
You might find the solution to your problem here.
Regards,
Hugo
Either upgrade to NWSSO 2.0 or enable X.509 certificates on your AS ABAP.
Hi Team,
We have recently deployed SAP NW SSO v1.0 on AS JAVA system and configured SSO for SAP applications( ABAP instance as well as JAVA instance) and it is working fine. I found the Best practice document is very useful for configuring SSO - SAP applications.
Similarly do we have any document which explains about SSO configuration for Non-SAP applications( Ticketing tools, HPQC etc).
What is the difference between configuring SSO for SAP applications and Non-SAP applications?
Thanks,
Gopi L
Dear Gopi,
All NW SSO related official documents are available at
For Non-SAP applications, SAP will not release any documentation officially.
Best regards,
Adrian
Hello,
I have implemented SSO to AS Java (SAP Portal) using X.509 Client Certificate.
When I try to logon without passing through the Web Dispatcher (direct call to the SAP Portal in Intranet) my SSO works properly and I'm able to logon without writing any user and password, thanks to my X.509 Client Certificate.
Login Module Flag Initialize Login Commit Abort Details
1. com.sap.engine.services.security.server.jaas.ClientCertLoginModule SUFFICIENT ok true true
\#1 Rule1.AttributeName = CN
\#2 Rule1.getUserFrom = subjectName
2. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok true
Central Checks true #
My problem arises when I try to call my SAP Portal from the Internet passing through my SAP Web Dispatcher, so I've got the following error:
LOGIN.FAILED
User: N/A
Authentication Stack: ticket
Login Module Flag Initialize Login Commit Abort Details
1. com.sap.engine.services.security.server.jaas.ClientCertLoginModule SUFFICIENT ok exception true Authentication did not succeed.
\#1 Rule1.AttributeName = CN
\#2 Rule1.getUserFrom = subjectName
2. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok false false #
How could I manage my X.509 Client Certicate when I have to pass through my Web Dispatcher?
Thanks!
Fabrizio
SAP Web Dispatcher is capable of forwarding the client X.509 certificate to the AS JAVA using header variables. If you are terminating SSL on the WD, you will have to set a instance profile parameter so HTTP can be used to forward the certificate although it is not the recommended approach. See the attached link for details.
http://help.sap.com/saphelp_nw73ehp1/helpdata/en/48/9ab5d73e6d062be10000000a42189d/frameset.htm
Hi Samuli,
I'm trying to set the 4. scenario according to this SAP help link:
http://help.sap.com/saphelp_nw73ehp1/helpdata/en/48/98e6a84be0062fe10000000a42189d/content.htm
In my scenario SAP Web Dispatcher encrypts the request again with SSL before forwarding it, but I've got the reported error (certificate not forwarded??). I need to configure the Web Dispatcher in order to be able to forward the X.509 client certificate, could you help me?
Thanks a lot
Fabrizio
Try with the instance profile parameters
icm/HTTPS/trust_client_with_issuer = *
icm/HTTPS/trust_client_with_subject = *
If it works, set the correct values (of the Web Dispatcher certificate). Follow the instructions given in the application help.
Hi ,
I have configured SSO between SAP EP 7.3 and ADFS 2.0 by enabling SAML2.0 Authentication in SAP EP 7.3.
Its working fine. I need to customize the error message that is displayed during SSO on SAP EP 7.3. How Can I do this?
Regards,
Eben Joyson
I already set the parameters that you suggested in the right way, the problem remains the same.
How could I check the 'SSL_CLIENT_CERT' http header value? Here I think that I would find the X.509 Client Certificate that the Web Dispatcher sends to the AS Java.
Did you set the parameters on AS JAVA? Did you restart the AS JAVA ICM after setting the parameters? Increase temporarily the ICM trace value on both WD and AS JAVA ICM to maximum, reproduce, decrease the trace level to the default value and analyze.
I already unsuccessfully tried restarting and trace level increasing.
Relevant parameters are actually set in this way:
WEB DISPATCHER
ssl/server_pse = /usr/sap/WDT/W00/sec/SAPSSLS.pse
ssl/client_pse = /usr/sap/WDT/W00/sec/SAPSSLC.pse
wdisp/ssl_encrypt=1
wdisp/ssl_auth=2
wdisp/ssl_cred = /usr/sap/WDT/W00/sec/SAPSSLC.pse
icm/HTTPS/forward_ccert_as_header = true
icm/HTTPS/verify_client = 1
wdisp/add_client_protocol_header = true
wdisp/ssl_ignore_host_mismatch = 1
AS JAVA
icm/accept_forwarded_cert_via_http = false
icm/HTTPS/trust_client_with_subject = *
icm/HTTPS/trust_client_with_issuer = *
icm/server_port_0 = PROT=P4, PORT=50104
icm/server_port_1 = PROT=IIOP, PORT=50107
icm/server_port_2 = HOST=localhost, PROT=TELNET, PORT=50108
icm/server_port_3 = VCLIENT=1, PROT=HTTPS, PORT=50001
icm/server_port_4 = PROT=HTTP, TIMEOUT=60, PROCTIMEOUT=600, PORT=50100
Thanks a lot
Fabrizio
What are the exact versions of ICM in use, on WD and AS JAVA? You can also switch on request and response logging on AS JAVA.
I'm using 720 ICM Release in WD and AS Java.
When I successfully logon via direct call to AS Java without passing through the WD I see the following log on the AS Java:
#2.#2013 08 30 16:05:34:147#+0200#Info#/System/Security/Authentication#
#BC-JAS-SEC#security#C000AC1403770077000000000000CB63#14851850000000004#sap.com/tc~lm~itsam~ui~mainframe~wd#com.sap.engine.services.security.authentication.logincontext.table#IT359#9##3CC7D812117D11E3B99A000000E29F0A#0a934995117d11e3bb61000000e29f0a#0a934995117d11e3bb61000000e29f0a#0#Thread[HTTP Worker [@1781184091],5,Dedicated_Application_Thread]#Plain##
LOGIN.OK
User: IT359
IP Address: 172.26.1.26
Authentication Stack: sap.com/tc~lm~itsam~ui~mainframe~wd*webdynpro_resources_sap.com_tc~lm~itsam~ui~mainframe~wd
Login Module Flag Initialize Login Commit Abort Details
1. com.sap.engine.services.security.server.jaas.ClientCertLoginModule SUFFICIENT ok true true
\#1 Rule1.AttributeName = CN
\#2 Rule1.getUserFrom = subjectName
2. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok true
Central Checks true #
When I try to pass through WD I don't see anything on this security log, only this error on another log:
Logon failed | LOGIN.ERROR | null | | Login Method=[default], IP Address=[194.105.50.198], UserID=[null], Reason=[Login failed.]#
Thanks
Fabrizio
I asked for the exact version, the patch level is important here. There are known issues in different patch levels of ICM. Yes, cert login should succeed for both cases. It is clear it doesn't when WD is used, now you have to find out why. Apparently the client X.509 certificate is not passed from the WD to the AS JAVA.
Hi SSO and SAML2 experts,
We have several SAP Enterprise Portal systems. The SSO configuration is setup using SAML2, with the Portal as SAML2 service provider
and Touchstone as identity provider. When users click on link https://<server>:port#/irj/portal, they will see the SAP Netweaver Login screen with an Identity Provider box (which is Touchstone in our case). Once the user click on "continue" button at the signup screen, he/she will be redirected to the Identify Provider (Touchstone) , which is another screen. At that point (the touchstone screen), the user has options either to use a certificate or a Kerberos id, before signing up into the portal.
My question is this: Is it possible to bypass the initial SAP Netweaver Sign-up screen? In other words, can some thing be done(configurations/custom codes/other creative methods) so users would not be presented with the SAP logon screen, instead go directly to IdP Touchtone screen? The issue here is "user experience". Users need to click on "continue" on the SAP Netweaver login, then being redirected to IdP Touch stone screen, click again, finally land into portal.
Any feedbacks would be greatly appreciated!
Best regards,
Qian Kang