Hey all,

We're testing the SAP Password Manager 2.0 SP3 (latest version out there).

It works OK....but now it seems we have a conflict/problem if the SAP Password Manager is running BEFORE our users start the SAP BCM CDT (now known as SAP Contact Center ) (that's the "softphone" software our reps use to connect to our IVR to answer calls / screen pops with SAP CRM).

So IF the SAP Password Manager is running first...and then the CSRs start the BCM CDT....SOMETIMES their BCM queues are grey'd out (not selectable).  Sometimes it works fine.

But the funny thing is that if I stop the SAP Password Manager, then start the BCM CDT, things work fine.  So it's easy to prove this is related to the SAP Password Manager, since we never had this problem before I started demo'ing the NW SSO software.

I can toggle back and forth (for the most part) to prove it is something to do with the SAP Password Manager.

Anyway, I did notice that SAP hasn't released any updates to the SAP Password Manager for about a year now, and there just are not that many notes at all regarding this software.

I'm sure this will turn into a SAP message but I was wondering if there are any folks out there that have run into this.

The most interesting thing to me is that we're not even using the NW SSO2.0 suite for SSO to BCM CDT.  it uses X.509 between our MS AD certs in the browser, and a config setting in the CDT.

Am also concerned that SAP hasn't released any updates to the SAP Password Manager in a while, so I wonder if this is even a product they plan on keeping up.  I will say that it does work fairly well for NON-SAP stuff, like external URLs and other applications.  it's helped fill in the blank for stuff I can't do via SNC / SPNEGO / X.509.

NICK

SCN pals,

We have SPnego / SNC setup on both our NW7.31SP07 and NW7.40SP07 systems.

We used the basic steps outlined in the videos:

http://scn.sap.com/docs/DOC-40178

But one thing that I have noticed, is that once I have established a connection into SAPGUI via SNC or WEBGUI via SPNEGO, my ticket in "klist" looks like this:

C:\Users\nwells>klist

Current LogonId is 0:0x5b639

Cached Tickets: (2)

#0>     Client: MY-ID @ MY-DOMAIN.COM
        Server: krbtgt/MY-DOMAIN.COM @ MY-DOMAIN.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x60a00000 -> forwardable forwarded renewable initial pre_authent
        Start Time: 5/20/2015 15:26:53 (local)
        End Time:   5/21/2015 1:26:53 (local)
        Renew Time: 5/27/2015 15:26:53 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: MY-ID @ MY-DOMAIN.COM

        Server: krbtgt/MY-DOMAIN.COM @ MY-DOMAIN.COM

        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96

        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent

        Start Time: 5/20/2015 15:26:53 (local)

        End Time:   5/21/2015 1:26:53 (local)

        Renew Time: 5/27/2015 15:26:53 (local)

        Session Key Type: AES-256-CTS-HMAC-SHA1-96

#2>     Client: MY-ID @ MY-DOMAIN.COM
        Server: SAP/SA-AGC-ABAP-SID@ MY-DOMAIN.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Start Time: 5/20/2015 15:26:53 (local)
        End Time:   5/21/2015 1:26:53 (local)
        Renew Time: 5/27/2015 15:26:53 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)

#3>     Client: MY-ID @ MY-DOMAIN.COM

        Server: HTTP/my-hostname.my-domain.com@ MY-DOMAIN.COM

        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)

        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent

        Start Time: 5/20/2015 15:26:53 (local)

        End Time:   5/21/2015 1:26:53 (local)

        Renew Time: 5/27/2015 15:26:53 (local)

        Session Key Type: RSADSI RC4-HMAC(NT)

Does anyone know why my SAP Kerberos tokens come over as RSADSI RC4-HMAC(NT) ?

When I created the keytab at the OS level, I got this as part of the output:

keytab: KeyTab content stored:

    Version  Time stamp                 KeyType   Kerberos name

          1  Thu May  7 15:42:25 2015   DES       SA-AGC-ABAP-SID@MY-DOMAIN.COM
          1  Thu May  7 15:42:25 2015   AES128    SA-AGC-ABAP-SID@MY-DOMAIN.COM
          1  Thu May  7 15:42:25 2015   AES256    SA-AGC-ABAP-SID@MY-DOMAIN.COM
          1  Thu May  7 15:42:25 2015   RC4       SA-AGC-ABAP-SID@MY-DOMAIN.COM

and in the SPNEGO transaction, I have these listed:

DES-CBC-CRC

DES-CBC-MD5

AES128_CTS_HMAC_SHA1_96

AES256_CTS_HMAC_SHA1_96

RC4-HMAC-MD5

RC4-HMAC-MD5-56

So I would think that I'm covered.

I read this note and applied it in my NW7.31 but it was N/A on 7.40.  I meet the kernel requirements too for both.

1832706 - SPNego ABAP: Fixes for Algorithms AES128, AES256, DES

If I get my AD administrator to click the button for my user SA-AGC-ABAP-SID@MY-DOMAIN.COM that says "This account support Kerberos AES 256 bit encryption" in the account options....NOTHING works!  SPnego just goes back to username/pass, and SNC pops up a message when you try  to login that says "GSS-API(min): A2210217:the verification of the Kerberos ticket failed

target="p:CN=SA-AGC-ABAP-SID"

I also read this note:

1677641 - Kerberos authentication problem (SNG/GSS error a2210217)

but we already have the latest NWSSO2.0 SP05 login library and note 1832706.  I'm certain my user/pass for AD is correct.

Anyway..I know I said a lot....ANY thoughts?

thanks,

NICK

Hi Team!

We want to use SSO on NW java 7.4 to connect to other systems, i've followed the guide http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/70412b93-c972-3010-6a94-da49f9ba5192?QuickLink=index&…

We have two problems, this guide explain the use to connect ABAP and JAVA application servers. We want just to use just AS java to connect non SAP systems.Second, tried to install at least the secure login server (part 5). but could not make the /slac (local nor remote) link to work. We have the SSL activated.

In this case what is the recommended setting? What guide we can follow?

Regards,

Luis

Hi together,

we are trying to integrate the SAP ID Service in some of our web applications to provide SSO for the users of our SAP internal Service Desk. Unfortunately I wasn't able to get this working so far and also there were several people involved in the SSO setup, so maybe I´m not yet familiar with all details.

We did the basic setup and meta data exchange and we have the identity provider configured. I´m not sure if the SAML Setup is correct, so I will just describe the problem I see at the moment.

We have created a test application which has an index.html. This resource will request other resurces (js, css etc.). When accessing the index.html I see an certificate prompt for access.sap.com, so the redirect to the SAP ID Service works. In the request I can see encoded form for the SAML Request. The index.html is then correctly delivered in the response and there´s also an encoded form with the SAML Response and a RelayState attribute, which I consider as the token. I can also see that in the response there is a cooke which is set for path '/'. The problem now seems to happen on all further requests, which are made in the index.html. for example when requesting another javascript resource the initially received cookie isn't sent along with the request. Maybe this has to do with the path for which the cookie is set, because our application doesn't come from the path '/', but from a deeper path. In the end all of our requested resources won't be delivered. Instead they return some html code. When I put this into a html file and run it with the browser, it tells my (for every resource) that I´m now authenticated. So I think it has to do with the request, which does not sent the token properly, which came from the index.html response initially.

Has anyone configured SSO/SAML2 for an NetWeaver ABAP and can help me with the setup?

Best Regards

Alexander

Dear All,

We have a requirement to do SSO for Portal 7.4 and ECC system.

Our Portal and ECC systems are on different domain. Kindly help on implementing SSO

Portal can be accessible by :   sap.portal.com

ECC ITS can be accessable  by :  sap.ecc.com

Kindly help on how to implement sso between Portal and ECC which are on different domains.

Thanks & Regards,

Rajeev Bikkani

I've got a NW 7.4 ABAP Stack for Fiori.  I wanted to see if I could enable SAML 2.0 to authenticate against Active Directory Federation Services as an Identity Provider.

1. Successfully setup SSL (Note 510007) on this server with Certificates signed by our CA here at my company.
2. Followed the SAML 2.0 for Fiori to configure SAML with our ADFS.

I modified the webgui service in sicf to use an Alternate Logon Method with SAML Logon as the second in the list behind HTTP, as the docs say to do.  But I haven't been able to get it to work.  It never redirects to ADFS to identify credentials.  It just logs on to the local ABAP Datasource.

So it has me trying to confirm that this is a viable option for authentication.  In the Thread below, there was a suggestion that JAVA is needed to produce the logon tickets.  But the SAML 2.0 for Fiori document doesn't suggest that anywhere.

http://scn.sap.com/thread/3231649

The Wiki for SSO with SAML 2.0 lists three SAML 2.0 Identity Providers:

1. Netweaver Single Sign-On
2. Netweaver Identity Management
3. Netweaver AS Java

Does this mean that Microsoft ADFS is not a valid Identity Provider?

Dear Guru's,

I am trying to configure the spnego with NW7.4 with AD2008 and abap as a datasource. Currently I am getting the checksum error , tocken cannot be validated. I would really appreciate if anyone can help in this regard.

Thanks a lot in advance.

I used to go to https://websmp205.sap-ag.de/~sapidp/011000358700002939642002E in order to request a single sign on password to use for all SAP sites requesting the S username and password.

This link is not working anymore.

Can anyone assist me to get my SAP site certificate updated, in order not to have to keep entering my S user and password?

Thanking you in advance.

Jaco de Villiers

Hello,

I am currently configuring SAP SSO for ABAP in a Windows environment. (2012)

I downloaded all the latest files.

Created user SLLServiceSAP on the AD server

.

I set my profile parameters:

### SSO

snc/enable = 1

snc/gssapi_lib = C:\usr\sap\DEV\SLL\secgss.dll

snc/identity/as = p:CN=SLLServiceSAP@bowieresources.com

snc/data_protection/max = 3

snc/data_protection/min = 2

snc/data_protection/use = 3

snc/r3int_rfc_secure = 0

snc/r3int_rfc_qop = 8

snc/accept_insecure_cpic = 1

snc/accept_insecure_gui = 1

snc/accept_insecure_rfc = 1

snc/permit_insecure_start = 1

snc/force_login_screen = 0

snc/accept_insecure_r3int_rfc = 1

snc/extid_login_diag = 1

snc/extid_login_rfc = 1

I set my environment variables:

SECUDIR C:\usr\sap\DEV\DVEBMGS00\sec

SNC_LIB C:\usr\sap\DEV\SLL\secgss.dll

I installed the Secure Library on my SAP server, Ran all setup/config commands successfully with no errors.

/sec contains:

I ran the Secure Client install on my workstation:

My SAPLogon 'Network' Tab reads: p:CN=SLLServiceSAP@bowieresources.com

My 'SNC' Tab reads:

When I execute a logon, I receive:

Any insight/help would be much appreciated.

Thanks,

Diana

I am planning on using client certificates to implement SSO with BPC 10.  Has anyone out there taken this approach?  Which document/video provieds the best guidance on how to do this?

Thanks in advance for any assistance

dennisb

Friends,

.net is the client will consume SAP WebService using certificate based authentication.

I have setup SAP Web Service settings as shown in attached image.

Our AD  infrastructure setup that when the user logon to PC they get their certificate on their user profile , and I verified it under certmgr.msc , Personal--> Certificates.

I am thinking to ask the .net guy to read the certificate from this location and send it to sap. Now the question is when I create certrule in SAP , what certificate I have to import on to SAP for mapping? is this certificate from the .net server certified by CA or user personal certificate?

User certificate from the user machine: has the below details:

E = johns@test.org

CN = John smith

OU = Users

OU = USA

OU = HQ

DC = org name

DC = org

Root Certificate from the server has the belwo details:

CN = Orgname Root Certificate Authority

DC = orgname

DC = org

Thanks

Krishiv

Hi all,           

I hope someone can help me. I am trying to implement SSO for SAP ABAP systems using our own PKI server along with NW SSO 2.0 client. Figured out all the steps and got it working in most of the systems. But in some of the systems where we have activated VMC(Virtual Machine Container) SSO via SAP GUI would not work. Webgui using SSL protocol works just fine. Only when I try to log on using SAP GUI(SNC enabled), it throws a message   "SAP System Message" without any details. On server level the Work Process restarts itself with  following in the system log:

Signal 4 received by operating system Stop Workp. 12,PID 14090342

Signal 6 received by operating system

Error handling canceled

Signal 11 received by operating system Error handling canceled

Start Workp. 12, 8 times since system startup. PID 14090344

Delete session 001 after error 023

As soon as I disable (vmcj/enable=off), SSO via GUI/SNC starts working fine. Please help.

Hello,

We have recently deployed several HCM fiori Applications ( Approve Leave requests, Team Calendar, ...)

We are now looking at implementing a SSO solution allowing our mobile users to access those Fiori Applications from the public internet.

Our company is already using several CA Technologies products : CA API Gateway, ...

We are looking at implementing a SAML 2.0 integration scneario though those products.

I started to read CA technologies docuemntation and I am quite confused :

Does anyones have any experience in integrating SAML CA Technologies with SAP ?

Is is sufficent to install CA SAML Service Token Service

Where to install the CA Auth Toolkit ?

https://communities.ca.com/docs/DOC-231149402

http://www.ca.com/gb/~/media/Files/DataSheets/simplify-oauth-deployments-with-ca-oauth-toolkit.PDF

thank you

Hi,

    I'm new with SNC.

Is there a document out there that show what is the difference between NW SSO SNC vs ABAP platform SNC?

What benefit does NW SSO SNC provide? Both uses the same CommonCryptoLib for crypto algorithm, so does NW SSO SNC have more function vs the one in ABAP platform?

Thanks in advance.

regards,

Laurence...

Dear All,

We have configured SSO 2.0 product for our Fiori environment. Following the video link Single Sign-On with Kerberos, we have defined a SAPSNCKERB.pse file which only had the keytab entry for our company e.g. SL-USER@ABC.COM ... This entry was also added in SPNEGO in the Fiori ABAP system.

Now we want to enable SSO for our joint venture company XYZ. This company exists in our forest but under a separate domain XYZ.COM. For this, I added the keytab SL-USER@XYZ.COM in the SAPSNCKERB.pse file. I also added the same entry in SPNEGO. The canonical name is also being determined correctly for both.

To test the SSO functionality, we had our company user (who is also seconded to the JV company) log in via our company domain ABC.COM and launch the Fiori launchpad. SSO worked perfectly. Then to test the SSO functionality for the JV company, the same user logged in to the JV domain XYZ.COM and launched the Fiori page. In this case, the Fiori launchpad prompted for the password for JV company XYZ.

How can I get SSO working for the JV company? I did notice that in tcode STRUST, the SNC Cryptolib only has the entry SL-USER@ABC.COM. This has been configured following the above video link. Can this be the reason that SSO does not work for JV Company? If yes, how do I overcome this block?

Looking forward to your valuable assistance.

Kind regards,

Amer.

Dear All,

We have a requirement to do SSO for Portal 7.4 and ECC system.

Our Portal and ECC systems are on different domain. Kindly help on implementing SSO

Portal can be accessible by :   sap.portal.com

ECC ITS can be accessable  by :  sap.ecc.com

Kindly help on how to implement sso between Portal and ECC which are on different domains.

Thanks & Regards,

Rajeev Bikkani

Hi friends,

I am new to SAP Enterprise Portal,I don't know how to do user mapping for yahoo mail to access from my portal.please anybody can help me...?

Thanks,

Rajesh.S

Hi!

I´ve a Problem with the Umlaut in Single Sign on.

If the Pay Statement will be printed, the Umlaute will be written with a  #

Do anyone know this Problem?

Hey all,

We're testing the SAP Password Manager 2.0 SP3 (latest version out there).

It works OK....but now it seems we have a conflict/problem if the SAP Password Manager is running BEFORE our users start the SAP BCM CDT (now known as SAP Contact Center ) (that's the "softphone" software our reps use to connect to our IVR to answer calls / screen pops with SAP CRM).

So IF the SAP Password Manager is running first...and then the CSRs start the BCM CDT....SOMETIMES their BCM queues are grey'd out (not selectable).  Sometimes it works fine.

But the funny thing is that if I stop the SAP Password Manager, then start the BCM CDT, things work fine.  So it's easy to prove this is related to the SAP Password Manager, since we never had this problem before I started demo'ing the NW SSO software.

I can toggle back and forth (for the most part) to prove it is something to do with the SAP Password Manager.

Anyway, I did notice that SAP hasn't released any updates to the SAP Password Manager for about a year now, and there just are not that many notes at all regarding this software.

I'm sure this will turn into a SAP message but I was wondering if there are any folks out there that have run into this.

The most interesting thing to me is that we're not even using the NW SSO2.0 suite for SSO to BCM CDT.  it uses X.509 between our MS AD certs in the browser, and a config setting in the CDT.

Am also concerned that SAP hasn't released any updates to the SAP Password Manager in a while, so I wonder if this is even a product they plan on keeping up.  I will say that it does work fairly well for NON-SAP stuff, like external URLs and other applications.  it's helped fill in the blank for stuff I can't do via SNC / SPNEGO / X.509.

NICK

Hi,

I have configured SP initiated SSO with Siteminder IDP for SAP FIORI Launchpad. The setup works well. We have 60mins ideal timeout for SAML sessions and SAP HTTP Sessions.

Everything works well but issue only occurs if anyone keep the Launchpad ideal for more than 60mins ( break for Lunch as usual the culprit).

How do we handle this timeout and request user to logon again?

Here is the Sec_diag logs.

SAML20 <ns2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">

SAML20

SAML20 <ns2:SubjectConfirmationData NotOnOrAfter="2015-06-26T16:01:57Z"

SAML20 Recipient="https://mysap.avaya.com:443/sap/saml2/sp/acs/110" />

SAML20 </ns2:SubjectConfirmation>

SAML20 </ns2:Subject>

SAML20 <ns2:Conditions NotBefore="2015-06-26T15:59:57Z"

SAML20 NotOnOrAfter="2015-06-26T16:01:57Z">

SAML20 <ns2:AudienceRestriction>

SAML20 <ns2:Audience>GWP-SP</ns2:Audience>

SAML20 </ns2:AudienceRestriction>

SAML20 <ns2:AudienceRestriction>

SAML20 <ns2:Audience>https://mysap.avaya.com</ns2:Audience>

SAML20 </ns2:AudienceRestriction>

SAML20 </ns2:Conditions>

SAML20 <ns2:AuthnStatement AuthnInstant="2015-06-26T16:00:26Z"

SAML20 SessionIndex="czjOI2bdNDR+NbqsraJGAsfLRV0=j+KycA=="

SAML20 SessionNotOnOrAfter="2015-06-26T16:01:57Z">

After 60mins, when user trying to use same sessions.. they get below error

SAML20 CX_SAML20_CORE: The validation of message 'Response' failed. Long text: The validation of message 'Response' failed.

SAML20     at CL_SAML20_RESPONSE->VALIDATE_ASSERTION(Line 57)

SAML20     at CL_SAML20_RESPONSE->VALIDATE(Line 60)

SAML20     at CL_SAML20_SSO->VALIDATE_RESPONSE(Line 87)

SAML20     at CL_HTTP_SAML20->PROCESS_LOGON(Line 340)

SAML20     at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 62)

SAML20     at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2517)

SAML20 Caused by: CX_SAML20_ASSERTION: All 'SubjectConfirmation' elements are invalid. Long text: All 'SubjectConfirmation' elements are invalid.

SAML20     at CL_SAML20_ASSERTION->VALIDATE_SUBJECT_SSO(Line 116)

SAML20     at CL_SAML20_ASSERTION->VALIDATE_ASSERTION(Line 27)

SAML20     at CL_SAML20_RESPONSE->VALIDATE_ASSERTION(Line 50)

SAML20     at CL_SAML20_RESPONSE->VALIDATE(Line 60)

SAML20     at CL_SAML20_SSO->VALIDATE_RESPONSE(Line 87)

SAML20     at CL_HTTP_SAML20->PROCESS_LOGON(Line 340)

SAML20     at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 62)

SAML20     at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2517)

SAML20 Caused by: CX_SAML20_ASSERTION: Attribute 'NotOnOrAfter' of element 'SubjectConfirmationData' is invalid. Long text: Attribute 'NotOnOrAfter' of element 'SubjectConfirmationData' is invalid.

SAML20     at CL_SAML20_ASSERTION->VALIDATE_SUBJECT_SSO(Line 92)

SAML20     at CL_SAML20_ASSERTION->VALIDATE_ASSERTION(Line 27)

SAML20     at CL_SAML20_RESPONSE->VALIDATE_ASSERTION(Line 50)

SAML20     at CL_SAML20_RESPONSE->VALIDATE(Line 60)

SAML20     at CL_SAML20_SSO->VALIDATE_RESPONSE(Line 87)

SAML20     at CL_HTTP_SAML20->PROCESS_LOGON(Line 340)

SAML20     at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 62)

SAML20     at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2517)

<ns2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">

SAML20

SAML20 <ns2:SubjectConfirmationData NotOnOrAfter="2015-06-26T16:01:57Z"

SAML20 Recipient="https://mysap.avaya.com:443/sap/saml2/sp/acs/110" />

SAML20 </ns2:SubjectConfirmation>

SAML20 </ns2:Subject>

SAML20 <ns2:Conditions NotBefore="2015-06-26T15:59:57Z"

SAML20 NotOnOrAfter="2015-06-26T16:01:57Z">

SAML20 <ns2:AudienceRestriction>

SAML20 <ns2:Audience>GWP-SP</ns2:Audience>

SAML20 </ns2:AudienceRestriction>

SAML20 <ns2:AudienceRestriction>

SAML20 <ns2:Audience>https://mysap.avaya.com</ns2:Audience>

SAML20 </ns2:AudienceRestriction>

SAML20 </ns2:Conditions>

SAML20 <ns2:AuthnStatement AuthnInstant="2015-06-26T16:00:26Z"

SAML20 SessionIndex="czjOI2bdNDR+NbqsraJGAsfLRV0=j+KycA=="

SAML20 SessionNotOnOrAfter="2015-06-26T16:01:57Z">

SAML20 <ns2:AuthnContext>

SAML20 <ns2:AuthnContextClassRef>

SAML20 urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ns2:AuthnContextClassRef>

SAML20 </ns2:AuthnContext>

SAML20 </ns2:AuthnStatement>

SAML20 <ns2:AttributeStatement>

SAML20 <ns2:Attribute Name="uid"

SAML20 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">

SAML20

SAML20 <ns2:AttributeValue>sAMAccountName</ns2:AttributeValue>

SAML20 </ns2:Attribute>

SAML20 </ns2:AttributeStatement>

Thanks in advance.

Santosh Lad