Channel: SCN : Discussion List - SAP Single Sign-On

Accessing portal user's custom field krb5principalname from ABAP


Hello,

 

I'm facing the following problem.

 

A file is read by an ABAP-program, from an external system and the entries (user names, e-mail addresses, etc) are fed into our R/3 system (SU01).

 

Until now this was sufficient. But now we're trying to implement Single Sign On, so we also need to fill the field krb5principalname, which is used in the Portal.

 

I've looked everywhere, but I have no idea how to accomplish this. The field krb5principalname is (as far as I can tell) only known in the JAVA stack.

 

Does anyone have an idea how I could fill this field from an ABAP program?

 

As a second solution I've tried the user import utility from the Portal, but somehow this doesn't let me import "customised information" fields.

 

Your help is much appreciated !


SSO 2.0 Implementation time and complexity


Hi,

 

We are looking at implementing SSO.

 

Current Environment:

  • ERP 6.0 EHP7 - 3 SYSTEM LANDSCAPE with ABAP only
  • Solution Manager Server 7.1 SP13

Planned Environment:

  • FIORI & SCREEN PERSONAS
  • PORTAL
  • HR-RENEWAL

 

The questions that need to be answered:

1. How long will it take to implement SSO 2.0 on CURRENT landscape?

2. Is it worth the effort and cost implementing SSO 2.0 at this point?

 

If you could please give some pointers or highlights on what you feel the best route would be?

 

Thank you

 

Regards,

 

Johann

SSO for Personas embedded in Oracle WebCenter Portal


Hello All,

 

We have a requirement to implement the SSO (single sign-on) for Personas 2 for NW 7.4 AS-ABAP ECC 6 EhP 7. (abap stack only)

The Personas will be embedded as a link in the Portal [oracle webcenter portal].

The end user firstly logs in to the oracle webcenter portal with user credentials which are maintained by Oracle IDAM (oracle identity and access manager) which provides user authentication. User ids will be same across Oracle Portal, Oracle IDAM, and SAP ECC ABAP.

 

I have gone through several threads in SCN forums, but was not able to get a sense of the approach discussed anywhere.

Personas 2.0 by default tries to authenticate using X.509 certificates if present in the system.

Also we can set up web SSO using SAML.

 

What should be the ideal approach for my above problem statement? Please let me know.

Do we have any setup guide in SMP for this?

 

BR,

shyam

SSO with SAML and AD Domain


Hi All,

 

I have the following question regarding NW SSO with SAML and Active Directory Domain:

  1. In the installation guide, I found that we need to perform an SAP Application Server domain installation if we want to use Single Sign-On. As far as I understand, this requirement is true if we use a Kerberos-based solution. But if SAML is used, is the SAP Application Server required to be in a Windows domain?
  2. In case the SAP Application Server has to be in a domain, and the client computers are in a different domain from the domain of the SAP server, do we have to establish trust between the two domains when SAML is used? I found that with SAML we can provide a cross-domain SSO solution, but it's not very clear to me how to enable this scenario.
  3. I am looking for the configuration guide for SSO based on SAML with NW IDM Federation (the component of SAP SSO 2.0), especially about User Credentials Verification with Microsoft Active Directory. I think we need to do some configuration steps so that the Identity Provider on AS Java can contact Active Directory to get user credentials. Could you please provide some hints about this?

 

Best regards,

Duy

SAML2 configuration with multiple Service Providers


Dear Support,

 

We are trying to configure SSO with SAML2 with multiple Service Providers; however, it is not working.

 

SSO with SAML2 between SAP Java portal (NW7.4) as Identity Provider and SuccessFactors as Service Provider works fine for one companyID.

 

We have different companyIDs, all hosted on SuccessFactors, and we would like to configure SSO with SAML2 between SAP Java portal (Identity Provider) and SuccessFactors (Service Provider) for multiple companyIDs hosted on the same SuccessFactors instance.

 

Any suggestion or advice on how to configure SSO with multiple service providers for the same instance (SuccessFactors)?

 

Is it possible to configure multiple Identity Providers in SAP Java portal (NW7.40), so that we can configure 1:1 (Identity Provider : SuccessFactors for each companyID)?

 

Please help.

 

Thank you.

 

Attached is the screen shot

 

Regards

Sadanand Depala

Dot Net Connector using X509 Client Certificate


Hi,

 

I'm trying to connect to a system using the Dot Net Connector 3.0 and use an X509 Client Certificate for authentication.

 

But I'm struggling with the parameters for the destination. When using the Base64-encoded Client Certificate as the X509Certificate parameter and leaving the User parameter empty, as described here, I get the error "No credentials were supplied".

 

So I tried to find out how the JCO connector connects; there I found that to connect you should use $X509CERT$ as the user parameter and the base64-encoded certificate as the password.

 

How do I connect to an SNC-secured server with the Dot Net Connector and a Client Certificate?

 

This is how I tried it so far:

 

parms.Add(RfcConfigParameters.MessageServerHost, "Servername");
parms.Add(RfcConfigParameters.SystemNumber, "00");
parms.Add(RfcConfigParameters.SystemID, "System Name");
parms.Add(RfcConfigParameters.LogonGroup, "PUBLIC");
parms.Add(RfcConfigParameters.Client, "001");
parms.Add(RfcConfigParameters.SncMode, "1");
parms.Add(RfcConfigParameters.SncPartnerName, "p:CN=xxx, O=YYY, C=DE");
parms.Add(RfcConfigParameters.SncMyName, "p:CN=ZZZ, O=YYY, C=DE");
parms.Add(RfcConfigParameters.SncQOP, "3");
parms.Add(RfcConfigParameters.SncLibraryPath, "C:\\Program Files\\SAP\\FrontEnd\\SecureLogin\\lib\\sapcrypto.dll");
X509Certificate Cert = new X509Certificate();
Cert = X509Certificate.CreateFromCertFile("N:\\ClientCertificate.cer");
byte[] certData = Cert.GetRawCertData();
string X509CertificateString = Convert.ToBase64String(certData);
parms.Add(RfcConfigParameters.X509Certificate, X509CertificateString);

 

Thanks,

Oliver

 

EDIT:

I got it working now on my local machine, where the Secure Login Client is installed, with the following settings:

 

parms.Add(RfcConfigParameters.MessageServerHost, "Servername");
parms.Add(RfcConfigParameters.SystemNumber, "00");
parms.Add(RfcConfigParameters.SystemID, "System Name");
parms.Add(RfcConfigParameters.LogonGroup, "PUBLIC");
parms.Add(RfcConfigParameters.Client, "001");
parms.Add(RfcConfigParameters.SncMode, "1");
parms.Add(RfcConfigParameters.SncMyName, "p:CN=ZZZ, O=YYY, C=DE");
parms.Add(RfcConfigParameters.SncLibraryPath, "C:\\Program Files\\SAP\\FrontEnd\\SecureLogin\\lib\\sapcrypto.dll");
X509Certificate Cert = new X509Certificate();
Cert = X509Certificate.CreateFromCertFile("N:\\ClientCertificate.cer");
byte[] certData = Cert.GetRawCertData();
string X509CertificateString = Convert.ToBase64String(certData);
parms.Add(RfcConfigParameters.Password, X509CertificateString);

When tracing is enabled in the sapcrypto.dll, this is what happens:

[  1332] Try get Kerberos ticket from SBUS (Kerberos-CN=xxx, O=YYY, C=DE)

[sbusps.dll  ][  1332] { PSEProxy::readApplObject

[sbusps.dll  ][  1332] }        1

[GSS         ][  1332] Cli-40000000: Searching key

[GSS         ][  1332]   Type   : EncOrSig

[GSS         ][  1332]   Name   : Not specified

[GSS         ][  1332]   Target : CN=xxx, O=YYY, C=DE

[GSS         ][  1332]   PeerCAs: Not specified

[sbusps.dll  ][  1332] { PSEProxy::getOwnCertificate

[sbusps.dll  ][  1332] }        0

[GSS         ][  1332] Cli-40000000: Own encryption key found

[GSS         ][  1332] Cli-40000000: Protocol2010: X.509 authentication used because only certificate available

[GSS         ][  1332] Cli-40000000: ClientHello:

[GSS         ][  1332]                Supported versions[1]: 1.0

[GSS         ][  1332]         MACs for application data[2]: HMAC-SHA256     HMAC-SHA1     

[GSS         ][  1332]      ciphers for application data[3]: AES256          AES128          RC4           

[GSS         ][  1332]         Hashes for handshake MACs[2]: SHA256          SHA512        

[GSS         ][  1332]           Pseudo random functions[2]: PHASH-SHA256    PHASH-SHA512  

[GSS         ][  1332]               Data encoding modes[2]: DataHeaderV1    NoDataHeader  

[GSS         ][  1332]                Key exchange modes[1]: cl-rsa        

[GSS         ][  1332] Cli-40000000: --> Msg ClientHello         create  successful

 

BUT: When I try this on a machine where the Secure Login Client is NOT installed, it does not work and this is what happens:

[GSS     ][  8236] Try get Kerberos ticket from SBUS (Kerberos-CN=xxx, O=YYY, C=DE)

[sbusps.dll  ][  8236] { PSEProxy::readApplObject

[sbusps.dll  ][  8236] }    1
[GSS     ][  8236] Cli-40000000: Searching key
[GSS     ][  8236]   Type   : EncOrSig
[GSS     ][  8236]   Name   : CN=ZZZ, O=SYYY, C=DE
[GSS     ][  8236]   Target : CN=xxx, O=YYY, C=DE
[GSS     ][  8236]   PeerCAs: Not specified

[sbusps.dll  ][  8236] { PSEProxy::getOwnCertificate

[sbusps.dll  ][  8236] }    0

[sbusps.dll  ][  8236] { PSEProxy::getOwnCertificate

[sbusps.dll  ][  8236] }    0
[GSS     ][  8236] Cli-40000000: No own key found
[GSS     ][  8236] Have no certificate and got no kerberos ticket
[GSS     ][  8236] Cli-40000000: --> Msg ClientHello     create  failed : errval=70000, minor_status=0

 

Any help is welcome.

 

Thanks,

Oliver
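
The two sapcrypto traces in the post above differ in only a few lines, which is easy to miss when reading them side by side. As an added example (not part of the original post and not SAP tooling), the Python below reduces each trace to its key-search parameters and handshake outcome and reports what differs; the function names are hypothetical and the embedded samples are excerpts of the traces quoted above.

```python
import re

# Line shape in the posted traces: "[component][ thread-id] message".
# The component bracket is optional (first line of the working trace has none).
LINE = re.compile(r"^(?:\[(?P<comp>[^\]]*)\])?\[\s*(?P<tid>\d+)\]\s*(?P<msg>.*)$")
FIELD = re.compile(r"^(Type|Name|Target|PeerCAs)\s*:\s*(.*)$")
HELLO = re.compile(r"ClientHello\s+create\s+(successful|failed)(?:\s*:\s*errval=(\d+))?")

def summarize(trace: str) -> dict:
    """Reduce one trace to the facts that decide the handshake outcome."""
    s = {"search": {}, "own_key": None, "mechanism": None, "hello": None, "errval": None}
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m["msg"].strip()
        if f := FIELD.match(msg):            # parameters of the key search
            s["search"][f[1]] = f[2].strip()
        elif "Own encryption key found" in msg:
            s["own_key"] = True
        elif "No own key found" in msg:
            s["own_key"] = False
        elif "X.509 authentication used" in msg:
            s["mechanism"] = "x509"
        elif h := HELLO.search(msg):         # final ClientHello result
            s["hello"], s["errval"] = h[1], h[2] and int(h[2])
    return s

def compare(good: dict, bad: dict) -> dict:
    """Return every fact that differs, as {name: (good, bad)}."""
    flat = lambda s: {**{f"search.{k}": v for k, v in s["search"].items()},
                      **{k: v for k, v in s.items() if k != "search"}}
    g, b = flat(good), flat(bad)
    return {k: (g.get(k), b.get(k)) for k in sorted(g.keys() | b.keys())
            if g.get(k) != b.get(k)}

# Excerpts of the two traces from the post (placeholders as posted).
WORKING = """
[  1332] Try get Kerberos ticket from SBUS (Kerberos-CN=xxx, O=YYY, C=DE)
[GSS         ][  1332] Cli-40000000: Searching key
[GSS         ][  1332]   Type   : EncOrSig
[GSS         ][  1332]   Name   : Not specified
[GSS         ][  1332]   Target : CN=xxx, O=YYY, C=DE
[GSS         ][  1332] Cli-40000000: Own encryption key found
[GSS         ][  1332] Cli-40000000: Protocol2010: X.509 authentication used because only certificate available
[GSS         ][  1332] Cli-40000000: --> Msg ClientHello         create  successful
"""
FAILING = """
[GSS     ][  8236] Cli-40000000: Searching key
[GSS     ][  8236]   Type   : EncOrSig
[GSS     ][  8236]   Name   : CN=ZZZ, O=SYYY, C=DE
[GSS     ][  8236]   Target : CN=xxx, O=YYY, C=DE
[GSS     ][  8236] Cli-40000000: No own key found
[GSS     ][  8236] Cli-40000000: --> Msg ClientHello     create  failed : errval=70000, minor_status=0
"""
if __name__ == "__main__":
    print(compare(summarize(WORKING), summarize(FAILING)))
```

On these excerpts the only search parameter that differs is `Name`; the remaining differences are the outcome of the key lookup and the ClientHello result.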

SSO integration with legacy cobol


Hi experts,

 

Has anyone made a configuration with SAP NW SSO and a legacy system based on Mainframe that was developed in, e.g., Cobol?

 

Arivind

SSO Landscape Setup


Trying to determine if it makes sense to have a test SSO environment (secure login server) to test patches, changes, etc. Trying to contain cost, but want to do what should be done. HA will most likely be deployed. Thinking of this as a Solman setup where there are usually 2 environments, Prd and Test.

 

Thank You  


NW SSO 2.0 Secure login server Configuration, User Attribute Mapping


Dear All,

 

I am implementing NW SSO 2.0 for a customer where their Windows AD and SAP users are not the same.

On the Secure Login Server, under Client Management, I am enabling the user attribute mapping, and I am facing an error which says

 

The custom attribute I have used is employeeNumber

 

UPN : Edward.Wafula@kpc.co.ke

USERID : Edward.Wafula

 

"Cannot perform user logon ID mapping due to invalid mapping attributes or LADAP DEstination"

 

The test connection works fine without enabling user attribute mapping.

 

Kindly find the attached error document.

 

 

Kindly help.

Need to configure SAP Fiori Front End Gateway (NW7.4 ABAP) with Active Directory.


Dear Experts,

We have SAP Fiori apps configured in our landscape. We have SAP NetWeaver 7.4 as the Front End Gateway server, and we have SAP ECC 6.0 EHP6 as the backend server for Fiori apps.

The Fiori URLs are exposed to the Internet via SAP Web Dispatcher in the DMZ, for our employees.

Now our need is to allow our employees to use their Domain ID (Active Directory user id) to use the SAP Fiori application.

 

My questions are:

  1. Do I need to use SAP SSO for this scenario to be configured?

  2. If so, then do I need to add any AS JAVA between the SAP Web Dispatcher and the Gateway server?

Any documents related to this would be highly appreciated, please...

 

Kind Regards,

 

Mohammad Anoarul Islam

SAP SSO NW 1.0 with x.509 ABAP GSS-API No credentials were supplied


Hi all,

 

I'm trying to implement SSO for SAPgui and NWBC in our SAP ABAP 702 SP14 system with 721 ext UC 500 kernel.
Windows 2012 with SQL server 2012.
According to PAM the simplest way of implementing SSO for NWBC (Kerberos with SPNEGO and SAP NWSSO) is not supported for SAP 702.

So we decided to try and implement SSO with the use of x.509 certificates, issued by SAP NW SSO 1.0.
I followed the documentation, and got it working for the java stack that is also running on this server.

All the steps are implemented successfully on the ABAP stack, but after restarting the system for the final time, so everything is activated, the system fails to start with the following error:

 

N    The internal Adapter for the loaded GSS-API mechanism identifies as:

N    Internal SNC-Adapter (Rev 1.1) to SAP Netweaver Single Sign-On v1.x
N    FileVersionInfo: InternalName= CryptoLib, FileVersion= 8.3.6.6
N  SncInit():   found:    snc/identity/as=p:CN=ABAP-KET, OU=SAP Security
N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1459]
N        GSS-API(maj): No credentials were supplied
N      Could't acquire ACCEPTING credentials for
N
N      name="p:CN=ABAP-KET, OU=SAP Security"
N    FATAL SNCERR -- Accepting Credentials:    "sapsso"  (0x0003) not available!
N      (debug hint: default acceptor = "p:CN=DummyCredential")
N  <
N           sec_avail = "false"
M  ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c    238]
M  *** ERROR => ThSncInit: SncInitU(SNCERR_GSSAPI) [thxxsnc.c    240]
M  in_ThErrHandle: 1
M  *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c   11584]

 

Can anybody guide me in the right direction, please?

Best regards, Menno

SAP GUI Radius Authentication using SAP Secure Login


Hi All,

 

I am trying to figure out whether the SAP GUI for Windows version 730 supports RADIUS authentication using the SAP Secure Login/Single Sign-On v2.0 SP 4.

 

Thanks

Redirecting HTTP to HTTPS automatically


HI Gurus,

 

I am wondering if there is a way to redirect all the service URLs, for example WEBGUI, UR, NWBC etc., automatically from HTTP to HTTPS. I know there is an option in SICF tcode where you can select a service and modify the configuration by selecting "Switch to HTTPS", but I don't want to take that option and I want to implement this redirect option for all URLs.

 

Additional information: we have working SSO and Webgui/SSO (SPNEGO) in our environment.

 

Thanks in advance,

Logged off successful Pop up disable for URL's


Hi All,

 

We have set up WEBGUI/SSO (SPNEGO), i.e. when a user clicks on the URL it logs in automatically using SSO, which works fine, but

when the user logs off, the screen gives an information pop up saying "Logged off Successfully" which we don't want and it also gives any option to close the pop up but gives only restart application option.

 

Please can anyone let us know how to disable this pop up after logging off from the link.

 


 

Thanks in advance.

SSO via Novell edirectory


Hi,

 

We are trying to implement SSO for SAP via Novell eDirectory.

 

I would like to know if anyone has solved this problem and how it was resolved?

 

Any suggestion on how to implement this would be appreciated.

 

 

Thanks


SINGLE SIGN ON


We want to implement single sign on.

We have a Windows environment, with a domain having an AD server.

Our requirement is that the user should log in with the Windows login, and then with the logon pad, he should just double-click on the required server, and he should not be asked for any user id and password.

We have ECC ERP 6.0 and SOLUTION MANAGER.

Please suggest how we should implement this, as we have very little time.

 

Thanks in advance.

Mass User Deletion in SSO


HI All,

 

I'm relatively new to SAP space.

 

We use SAP SSO to access all client SAP systems. As part of SAP security activities, it is required for us to delete users from SSO when they move out of the company. My question: is there any way in which we can delete a number of users at once, rather than doing it manually?

Configuration SAP SSO integration between Azure Active Directory


Hello!

 

I must configure the SAP SSO performing authentication with the Azure Active Directory.

 

Has anyone gone through this setting? I am unable to find specific documentation.

 

I promise to set up a blog with the final solution!

 

If you can help me, I would greatly appreciate it.

 

Att;

question about mobile SSO


Hi SSO Experts,

 

I have some fundamental questions about mobile SSO. I am aware of the functionality of the SAP authenticator and know that we can configure SAP authenticator together with a SAML IDP to achieve IDP-initiated SSO. In this case the end user can store the SP URLs as favorites in SAP authenticator. By clicking the favorite, the user gets automatically authenticated to the IDP and redirected to the SP page. It all works fine. But (in my opinion) the limitation here is that one has to start everything from the SAP authenticator. My questions are:

 

1. How does it work in an SP-initiated mobile SSO scenario?

- For example, the user opens the browser and enters the URL directly on the mobile device.

- Or another example: in SP A some operations might need to access SP B. While performing those operations the user needs to authenticate to SP B.

On a desktop PC, once the user is authenticated to the IDP, the user will receive an IDP cookie (if configured). Next time, if the user calls another SP, the user does not have to log in to the IDP again. What does it look like on the mobile device? Assume that the user has previously logged in to the IDP with SAP authenticator (TOTP login module). Does it work in the same way as on a desktop PC, meaning the cookie is cached somewhere on the mobile device, and the user does not need to log in to the IDP again? If not, how can we achieve SSO in this scenario?

 

2. What does it look like if using mobile apps instead of typing the URL in a browser? Will it make any difference compared to scenario 1? We assume in both scenarios we are visiting the same SP.

 

The questions are coming from my current project, where the customer has an internet-facing portal for their agent users and the functions in the portal might need to access backend ERP and HANA XS servers. The customer also has plenty of enterprise mobile apps, which they don't know how to integrate into SAP authenticator.

 

Thanks a million in advance and best regards

 

Xuan

SAP SSO for Multiple AD's


Hi ,

 

 

We have different SAP ABAP instances running in an AIX environment, and each instance has its own user store. Our objective is to integrate with Windows Active Directory so that when an SAP instance is invoked from SAP GUI, it should log in automatically. Also, we have users accessing from multiple regions whose AD domains are different.

 

We don't want to use the SAP NW SSO product for single sign-on. Is it possible to achieve SSO with multiple AD domains for SAP instances running in an AIX environment? If so, how can we achieve this?

 

 

Thanks in advance ,

Vasu
