Channel: SCN : Discussion List - SAP Single Sign-On

Single Sign-On in SAP Fiori using SAP NetWeaver AS ABAP


Hi colleagues,

 

 

I have already installed my Fiori apps on the production server, and I have also installed my SAP Fiori Client on my iPad.

After using the SAP Fiori Client, I need SSO login into my Fiori, so I explored my current system.

Currently, my system is only using SAP NetWeaver AS ABAP, not AS JAVA.

How can I run SSO in my SAP Fiori Client on my iPad so that I don't need to input any user and password every time I want to use it?

I cannot find the configuration for SAML 2.0 in SAP NetWeaver AS ABAP. The possible option is using Kerberos. But Kerberos is only used when I access Fiori in the same network as the server, and I cannot use my iPad on the mobile network to access Fiori.

Does someone have some idea(s) for this logon issue?

 

Regards,

Kris.


Can SAP IdM be used as an identity provider to 3rd party apps?


With SAP IdM, we can SSO into any SAP service viz SCN, support.sap, service.sap etc.

Suppose I have an app (not an SAP one in any way) that's meant for partners and I wish to use SAP IdM to authenticate them to my app - is this possible? Does SAP allow this to happen? For starters they would have to share the FederationMetadata

SSO not working for custom SAP Web Dynpro ABAP applications that run in the SAP Portal


Hi All,

 

  I have one SAP Portal issue related to SSO. Issue details are provided below, and I hope somebody can help me to resolve the issue.

  We have an SAP Portal system (Java stack, NW04s) that has iViews of type Web Dynpro ABAP. The custom Web Dynpro ABAP applications reside on another system (ABAP stack, running ECC6). We have configured the trust relationship between SAP Portal and the SAP ECC system. However, for the custom Web Dynpro ABAP applications, when calling one for the first time, a logon screen shows up.

 

  How can we get rid of it?  What are we missing to have SSO work for the custom WebDynpro ABAP applications?


  Any ideas or suggestions! Thanks in advance.



Regards,

Sandip

SSO configuration from BOE to HANA


Looking to set up SSO from BOE to HANA using SAML and coming up short on what is hopefully just some missing configuration. If anyone has experience getting this running, I'd be grateful for feedback or links to more comprehensive documentation.

 

We are running BOE 4.1 SP5 and HANA rev 92 (on a multiple node installation). The plan is to 1) enable SSL logins on HANA, 2) set up BOE as the IdP, 3) create the SAML provider in HANA and establish trust between the two systems.

 

  1. HANA is accepting Open SSL connections thanks to this very helpful document. Confirmed via HANA Studio login.
  2. On the BOE side, an IdP Base64 certificate was generated in the CMC via the HANA Authentication dialog.
  3. The IdP cert was appended to the trust.pem file (on the master node) as per this blog post. The SAML provider has been created in HANA with the Subject/Issuer set to match the BOE cert. We also used sapgenpse to add the cert to saplogon.pse and sapsrv.pse in $SECUDIR (again on the master node).

 

Everything has been restarted after the last configuration change.

 

A test user has been set up in HANA with the SAML provider enabled, user name matching a BOE enterprise account. When testing from the CMC, we see the following error message: Connection Failed: The test of the HANA SSO ticket used to log onto the HANA DB has failed due to: [10]: invalid username or password. (FWM 02133)

 

The HANA tracelog, set to debug, shows some errors in SAMLAuthenticator (ERROR in libxmlsec) before it culminates in this block:

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.882796 i Authentication   SAMLAuthenticator.cpp(00400) : Unable to verify XML signature

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.882934 d Authentication   ManagerAcceptor.cpp(00273) : Injecting logon name into method:

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.882986 d Authentication   SAPLogonManager.cpp(00360) : Store chosen for assertion ticket validation: saplogon.pse

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.883114 w Authentication   SAPLogonManager.cpp(00504) : The base64 decode of the received ticket failed. SSO_RC return value: 1281

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.883121 d Authentication   SAPLogonManager.cpp(00513) : Use SSO Validation PSE >>>saplogon.pse<<<

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.883123 d Authentication   SAPLogonManager.cpp(00514) : Received Base64 Ticket >>>SAML 2.0 assertion ticket...<<<

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.883167 i Authentication   MethodSAPLogon.cpp(00275) : unsuccessful login attempt with SAPLogon/SAPAssertion ticket!

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.883181 d Authentication   ManagerAcceptor.cpp(00273) : Injecting logon name into method:

[22277]{-1}[63/-1] 2015-02-02 20:10:23.884313 d Authentication   Connection.cc(03617) : [PRE AUTHENTICATION] logon name:

[22277]{-1}[63/-1] 2015-02-02 20:10:23.884359 d Authentication   Connection.cc(03684) : [POST AUTHENTICATION] logon name:

 

It looks like the ticket is received but not being parsed. It's not clear to me if this is related to the certificate or some other configuration element, or exactly what the missing piece is.
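
The trace excerpt in the post above, parsed so that the failing steps can be read in order (an added example, not part of the original post and not SAP code). The sample lines are copied from that excerpt; the field names and the failure keywords are assumptions made for this illustration.

```python
import re
from collections import namedtuple

# Sample input: lines copied from the HANA trace excerpt quoted in the post.
SAMPLE_TRACE = """\
[22277]{-1}[-1/-1] 2015-02-02 20:10:23.882796 i Authentication   SAMLAuthenticator.cpp(00400) : Unable to verify XML signature
[22277]{-1}[-1/-1] 2015-02-02 20:10:23.882986 d Authentication   SAPLogonManager.cpp(00360) : Store chosen for assertion ticket validation: saplogon.pse
[22277]{-1}[-1/-1] 2015-02-02 20:10:23.883114 w Authentication   SAPLogonManager.cpp(00504) : The base64 decode of the received ticket failed. SSO_RC return value: 1281
[22277]{-1}[-1/-1] 2015-02-02 20:10:23.883123 d Authentication   SAPLogonManager.cpp(00514) : Received Base64 Ticket >>>SAML 2.0 assertion ticket...<<<
[22277]{-1}[-1/-1] 2015-02-02 20:10:23.883167 i Authentication   MethodSAPLogon.cpp(00275) : unsuccessful login attempt with SAPLogon/SAPAssertion ticket!
[22277]{-1}[63/-1] 2015-02-02 20:10:23.884313 d Authentication   Connection.cc(03617) : [PRE AUTHENTICATION] logon name:
"""

# Field names are chosen for this example; the layout follows the lines above.
Entry = namedtuple("Entry", "thread timestamp level component source line message")

LINE_RE = re.compile(
    r"^\[(?P<thread>\d+)\]\{-?\d+\}\[-?\d+/-?\d+\]\s+"
    r"(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<level>[a-z])\s+(?P<component>\S+)\s+"
    r"(?P<source>[\w.]+)\((?P<line>\d+)\)\s*:\s*(?P<message>.*)$"
)

# Assumed keywords: the wording of the three failure messages in the excerpt.
FAILURE_RE = re.compile(r"unable to|failed|unsuccessful", re.IGNORECASE)


def parse_trace(text):
    """Return one Entry per trace line; lines in another layout are skipped."""
    entries = []
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if match:
            fields = match.groupdict()
            fields["line"] = int(fields["line"])
            entries.append(Entry(**fields))
    return entries


def auth_failures(entries):
    """Authentication entries that report a failure, oldest first."""
    hits = [e for e in entries
            if e.component == "Authentication" and FAILURE_RE.search(e.message)]
    # Timestamps share one fixed-width format, so string order is time order.
    return sorted(hits, key=lambda e: e.timestamp)


if __name__ == "__main__":
    for e in auth_failures(parse_trace(SAMPLE_TRACE)):
        print(f"{e.timestamp} [{e.level}] {e.source}({e.line}): {e.message}")
```

Read in this order, the XML signature check in SAMLAuthenticator.cpp is the first step to fail, and the base64 and SAPLogon ticket messages follow it in the same thread.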

Secure Login Administration Console


Hi,

I did the Secure Login Server [2.0] installation. When I try to access the URL

http://<host>:<port>/slac , I am getting the below error

 

Access denied
 

The system has detected a new or incomplete initialization. You cannot access the system insecurely and remotely at this stage.

This is a security measure to ensure the integrity of your system.A newly or incompletely configured server cannot establish a secure connection with the client, that is, your web browser; thus all communication is vulnerable to eavesdropping and other forms of attacks.
To prevent this, we require a secure remote connection or localhost connection to an uninitialized or partially initialized server.

This means that to start or finish a new initialization, you need to either use HTTPS to access Secure Login Server remotely, or locate the computer on which the Secure Login Server is running.
Access the server setup using a browser on that computer with, for example, the URL: https://demo.local:50001/slac
or
http://localhost:50000/slac
You will be directed to the setup wizard to complete the server initialization

 

 

Please advise.

 

Regards,

Sam

 

SAP Single Sign makes Internet explorer sluggish and slow


Hi Everyone,

 

We have been trying to roll out SAP Single Sign on 2.0 for non-SAP web sites, unfortunately when we tried a small pilot the user feedback was that they would rather not have the SSO functionality.

 

The poor user experience all came down to one problem: performance.

 

After adding SSO 2.0 this adds the IE plugins to handle entering the credentials, unfortunately the speed and responsiveness of IE 10 was unusable, it can add an extra 2-5 seconds depending on the web-sites visited.

 

I have tried this first hand and can replicate the issues, we are running very up to date software and hardware: Win 7 X64, IE10, i7, 8GB RAM, SSD HDD etc, as soon as you disable the SSO add on then web-sites start reacting normally again.

 

A support ticket is open at SAP and we have updated to SP2 however the problem is not going away.

 

Has anybody successfully deployed this aspect of SSO 2.0 and if so please can you share your experiences?

Is there anybody out there who has/is experiencing this slowdown after enabling the SSO 2.0 IE add-on? What have/are you doing to address this?

 

many thanks

 

Rob

 


NW Single Sign-On implementations queries


Dear Team,

 

We are in the process to implement the NW Single Sign-On for our SAP and non-sap systems.

We have done the implementations as follows :

Implementing Single Sign-On with X.509 Certificates

I) Secure Login Server

  1. We installed NW 7.4 and Secure Login Server 2.0 SP5
  2. Imported Root CA to client
  3. Secure Login Library
  4. Extract Secure Login Library on target SAP system .
  5. SNC configuration
  6. Create AS ABAP SNC X.509 Certificate and Import
  7. Configured UME for MS AD
  8. Initialized the Secure Login Server
  9. Activated SSL
  10. Configure SPNEGO (keyTab)
  11. Activated SPNEGO

II) Secure Login Client 

  1. Applied Policy Registry files (ProfileDownloadPolicy_xxx.reg)
  2. Installed SL Client

 

III) Configure SNC User Mapping for SAP AS ABAP

 

Now SSO has been successfully tested on SAP ABAP system using below link and it’s working without any issue.

http://scn.sap.com/community/sso/blog/2012/08/17/how-to-configure-sap-netweaver-single-sign-on-with-certificates-out-of-the-box

 

But we have some queries on below points :

  1. How to implement SSO for the Java portal (SAP NW 7.0 EHP 1) with AD authentication and using an IdP? (FYI: the Java portal UME data source is already the ABAP system, and the user IDs of the Java portal and AD are not the same.)
  2. How can Salesforce SSO be added to the same AD authentication NW SSO using SAML?
  3. Is it possible to activate the AD password reset capability through SAP NW SSO 2.0?
  • Could you please guide me and provide any step-wise procedure documents other than the SAP help link on all the above points?

Thank you all in advance !

 

Regards,

Niu

ssl/client_ciphersuite not working on my Java stack


I am testing SSL on my Netweaver dual stack lab system with 742 Kernel and CommonCrypto 8.4.37.

 

I set the following client_ciphersuites in the DEFAULT.PFL profile

 

ssl/client_ciphersuites = 151:HIGH

 

Which basically should use the latest TLS version first.

 

After setting it, I tested it to make sure SAP is calling (client) another SAP server.

For the ABAP stack, via RFC (type G), the result was successful and I am able to see TLSv1.2 being negotiated.

For the Java stack, via Java Destination, the result was not successful. I am getting TLSv1.0 instead of 1.2 as I've configured.

 

So am I setting it correctly or am I missing a setup in the Java stack or is there a bug on the code?

 

I would assume DEFAULT profile would take care of both the ABAP and Java Stack. Or am I wrong?


Kerberos vs. SAML


Hi experts,

 

I have a question regarding SSO solution design and would like to hear the experts' opinion from you. At my current customer we are planning to implement SSO for their internal users. All users are domain users, so we decided to use Kerberos for SAP GUI based SSO. Additionally, the customer has an IdP in order to SSO to SuccessFactors using SAML 2.0. So far so good. My question is on browser-based access. Based on the existing infrastructure, both Kerberos and SAML 2.0 would be supported for Web browser based access. I am struggling to choose one of them. Kerberos looks more straightforward. But SAML 2.0 sounds more suitable for Web SSO. Would someone share with me your opinion on which is better and why?

Note that all accesses are from intranet. Internet access is not considered here.

 

Much appreciated in advance and best regards

 

Xuan

SSO to MS Office365 Outlook Web Access using SAP as IdP


Is it possible with SAP SSO 2 to set up a scenario where an SAP Portal user can access his MS Office365 Outlook Web Access with SSO?

In this case SAP is the IdP and MS Office365 is the SP. Reading the documentation, SAP SSO can be federated to ADFS based on SAML 2.0, but I cannot see SAP in the list of third-party identity providers that can be used to implement single sign-on (https://msdn.microsoft.com/en-us/library/azure/jj679342.aspx).

Currently we have a kiosk scenario where SAP Portal users can access their MS OWA 2010 with SSO using an ISAPI filter, but now we are planning to go to MS Office365 and we wonder if SAP SSO 2 could help.

Maintaining SNC Information for Mass users


Dear Team,

 

We have implemented SSO for the ABAP system using AD authentication; now I have to update the SNC for 1000+ users.

I got the information to update the SNC for mass users using the SNC1 tcode, but this is applicable only if the AD and SAP user IDs are the same.

Below is the format of the users:

SAP user ID : <First letter of first name><Last name, max 8 characters>

AD user ID : Firstname.lastname

 

and SNC format is

 

p:CN=FIRSTNAME.LASTNAME

 

Could you please guide me on this? I didn't find any related information on SCN.

 

Thanks,

Niu
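
The naming rules given in the post above, applied to a list of AD logon names to produce SAP user ID / SNC name pairs for review (an added example, not part of the original post and not an input format for SNC1). It assumes the last name is truncated to 8 characters and that IDs are upper case; the sample names are constructed.

```python
import re
from collections import defaultdict

# Only the plain Firstname.lastname shape from the post is accepted; anything
# else (service accounts, extra dots, hyphens) is left for manual handling.
AD_NAME_RE = re.compile(r"^[A-Za-z]+\.[A-Za-z]+$")


def sap_user_id(ad_name):
    """First letter of the first name + last name cut to 8 characters (assumed rule)."""
    first, last = ad_name.split(".", 1)
    return (first[0] + last[:8]).upper()


def snc_name(ad_name):
    """SNC name in the format shown in the post: p:CN=FIRSTNAME.LASTNAME."""
    return "p:CN=" + ad_name.upper()


def build_mapping(ad_names):
    """Return (mapping, rejected).

    mapping  : {SAP user ID: SNC name} for IDs derived from exactly one AD name
    rejected : [(AD name, reason)] for names that need a manual decision
    """
    candidates = defaultdict(list)
    rejected = []
    for raw in ad_names:
        name = raw.strip()
        if not AD_NAME_RE.match(name):
            rejected.append((name, "does not match Firstname.lastname"))
            continue
        candidates[sap_user_id(name)].append(name)

    mapping = {}
    for user_id, names in candidates.items():
        if len({n.lower() for n in names}) > 1:
            # Two people derive the same SAP user ID. Assigning either SNC name
            # automatically could log one person on as the other.
            for n in names:
                rejected.append((n, "collides on SAP user ID " + user_id))
        else:
            mapping[user_id] = snc_name(names[0])
    return mapping, rejected


# Constructed sample input.
SAMPLE_AD_NAMES = [
    "John.Smith", "Jane.Smith",                    # same initial and last name
    "Maria.Vanderbilten", "Mario.Vanderbiltsson",  # collide after truncation
    "Anil.Kumar", "Li.Wei", "svc_backup",
]

if __name__ == "__main__":
    mapping, rejected = build_mapping(SAMPLE_AD_NAMES)
    for user_id, snc in sorted(mapping.items()):
        print(user_id, snc)
    for name, reason in rejected:
        print("REVIEW", name, "-", reason)
```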

SSO 2.0 secure login client is showing message internal server error


Hi

 

 

I've configured the Secure Login Server and downloaded the root CA certificate and group policy for the client machine; however, when I try to connect, the Secure Login Client shows the message "internal server error".

I have already restarted the local machine and the SSO server.

The service user on AD is created with the serviceprincipalname.

Any idea?

 

 

Arivind

SSO 2.0 java and nwbc still prompt authentication


Hi all,

 

 

I have configured NW SSO 2.0 with X.509 certificates, and the ABAP authentication is already working; however, the Java portal and the ABAP system that calls NWBC do not log on automatically. It looks like the certificate is not called.

The cookies are allowed, the common cryptolib is installed, and ticket authentication is set up in NWA.

 

 

Any idea?

 

 

Arivind

error while creating the SSO


Hi Experts,

 

I am getting an error shown in the attachment.

 

Please let me know a solution as this is very urgent.

 

 

Thanks & Regards,

Jyothirmayi

SSO from IE to ABAP system


We have a requirement for users who are on our network to launch a web client from their PCs, like IE, and go to a URL (ssl) which is a web dynpro application on our HCM ABAP system to view paystubs.  They want to have this configured to use SSO. 

 

So which of the SSO options would be easiest configuration for this?  Would SSO using Logon tokens work?

 

Thank you in advance... I'm not an SSO expert and this is all very confusing!


SAP Secure Login Client on MAC with x.509


Has anyone installed the SAP Secure Login Client on a MAC and used x.509 certificates instead of Kerberos?  According to the SAP help documentation this is possible as follows.  Are there any work arounds that need to be implemented when using the SAP GUI Java Client for MAC with SAP Secure Login Client?

 

Configuring Secure Login Client on a Mac Client

 

By default, Secure Login Client uses Kerberos to authentication at an SAP GUI with an SNC connection. Nevertheless you can also configure your Mac client to use X.509 certificates.

Context

 

  • Kerberos is the default authentication mode of your Mac client for logging on to an SAP GUI. You need not do anything because Kerberos is already available after the installation. Since your Mac client belongs to Microsoft Active Directory, Kerberos-based authentication mode is supported (see the related link).
  • If you want to use X.509 certificates as authentication mode for the SAP GUI with SNC, you must configure it in the OS X System Preference Pane.

Procedure

  1. Open the Secure Login Client in your Applications folder or in the System Preferences window.
  2. In the parameter Select your SSO method of the Single Sign-On section, switch to Use your selected certificate.
  3. Go to the parameter Select your certificate and choose the certificate you want to use for certificate-based authentication to SAP GUI with an SNC connection.

     

    Note: Another option is configuring authentication with X.509 certificates in the Keychain view of OS X. You find the preferred certificate as a Secure Login identity preference.

    Caution: Do not switch certificates in the Secure Login preference pane while changing the settings in the Secure Login Identity Preference of the OS X Keychain. You risk getting an inconsistent configuration.

     

Related Information

 

Secure Login Client for OS X

SSO with multiple domains


Hi All,

 

We have 2 domains (an LDAP directory for each domain) connected to our SAP SSO systems. Recently we changed the password for one of the domains and updated the password in the config tool:

ume.ldap.access.additional_password1 - we changed the password and updated it.

ume.ldap.access.additional_password2 - for the other domain's users we did not change the password and did not update it.

 

When a password2 domain user tries to log in, they get the error below:


Caused by: com.sap.security.api.NoSuchUserAccountException:

USER_AUTH_FAILED: User account for logonid "saptest" not found.



Please let us know how to fix the issue. Urgent.


Thanks In Advance.


Regards

Santhosh

SSO 2.0 in NWBC html


Hi experts,

 

I have configured SSO 2.0 based on X.509 and with the secure login client; now on the ABAP and Java it signs on automatically. However, I want the user to be able to use NWBC without being asked for the password when the user opens the HTML weblink in the browser, such as it's done on the Java application, or even on NWBC for desktop that even change the nwbcoptions.xml

 

Arivind

FATAL SNCERROR - GSS-API(maj): No credentials were supplied


Hi, I am configuring an SAP Single Sign-On 2.0 Based on Kerberos Tokens. I have already done every step mainly based on the videos that SAP provides to implement a SSO with Kerberos and following as well the implementation guide. However when I turn the parameter snc/enable from 0 to 1 and restart the server it gives me an error which I traced from the file dev_w0.

 

The error is the following:

N  SncInit(): Initializing Secure Network Communication (SNC)

N        PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)

N        GetUserName()="SAPServiceDG1"  NetWkstaUser="SAPServiceDG1"

N  SncInit():   found snc/data_protection/max=3, using 3 (Privacy Level)

N  SncInit():   found snc/data_protection/min=2, using 2 (Integrity Level)

N  SncInit():   found snc/data_protection/use=3, using 3 (Privacy Level)

N  SncInit(): found  snc/gssapi_lib=E:\usr\sap\DG1\DVEBMGS00\SLL\sapcrypto.dll

N    File "E:\usr\sap\DG1\DVEBMGS00\SLL\sapcrypto.dll" dynamically loaded as GSS-API v2 library.

N    SECUDIR="E:\usr\sap\DG1\DVEBMGS00\sec" (from $SECUDIR)

N    The internal Adapter for the loaded GSS-API mechanism identifies as:

N    Internal SNC-Adapter (Rev 1.1) to SAPCRYPTOLIB 5.x

N    Product Version = SAPCRYPTOLIB  5.5.5C pl35  (Mar 21 2013) MT-safe

N  SncInit():   found snc/identity/as=p:CN=SL-ABAP-DG1@<DOMAIN>.COM

N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [D:/depot/bas/74 1445]

N        GSS-API(maj): No credentials were supplied

N      Could't acquire ACCEPTING credentials for

N      name="p:CN=SL-ABAP-DG1@<DOMAIN>.COM"

N      FATAL SNCERROR -- Accepting Credentials not available!

N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [D:/depot/bas/74 1445]

N        GSS-API(maj): No credentials were supplied

N Thu Oct 15 12:05:51 2015

N      Could't acquire DEFAULT ACCEPTING credentials

N  *** ERROR =>     (debug hint: no default acceptor cred available)

N   [D:/depot/b 737]

N  <<- SncInit()==SNCERR_GSSAPI

N           sec_avail = "false"

M  ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c    272]

M  *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c    274]

M  in_ThErrHandle: 1

M  *** ERROR => SncInitU (step TH_INIT, thRc ERROR-SNC-OTHER ERROR IN SNC LAYER, action STOP_WP, level 1) [thxxhead.c   2422]

 

NOTE: <DOMAIN> is where I replaced the correct domain.

 

The parameters that I used are these:

snc/enable = 1

snc/gssapi_lib = E:\usr\sap\DG1\DVEBMGS00\SLL\sapcrypto.dll

snc/identity/as = p:CN=SL-ABAP-DG1

snc/data_protection/min = 2

snc/data_protection/max = 3

snc/data_protection/use = 3

snc/accept_insecure_gu = 1

snc/accept_insecure_rfc = 1

snc/accept_insecure_cpic = 1

snc/permit_insecure_start = 1

snc/r3int_rfc_qop = 8

snc/r3int_rfc_secure = 0

snc/force_login_screen = 0

 

Does anyone have a clue about how to solve this error? I thought that it was due to the command to create the file cred_v2, "sapgenpse seclogin -p SAPSNCSKERB.pse -O SAPServiceDG1", about which SAP warns us of a possible conflict in a Windows environment. However, I tried to solve that by adding -N at the end of the command as SAP told us to do, but my Command Prompt says that the command with -N is unknown.

Navigation to application from email content


Hi Everyone,

 

We have created a UI application with the following application URL and hosted it on an Extranet portal used within the organization.

 

https://xxx.xxx.xxx.org:8050/sap/bc/ui5_ui5/sap/zui_tool/index.html#/

 

 

We used ng-route (Angular JS routing) such that users will be able to access

 

https://xxx.xxx.xxx.org:8050/sap/bc/ui5_ui5/sap/zui_tool/index.html#/create

 

to go in create mode and,

 

https://xxx.xxx.xxx.org:8050/sap/bc/ui5_ui5/sap/zui_tool/index.html#/view

 

to go in view mode.

 

The tool is integrated with the backend system and triggers a workflow. The workflow will send out an email to certain agents with the 'view' link embedded in the email content.

 

However, when the user clicks on the link (in SAML enabled environment), then the user goes to the site,

 

https://xxx.xxx.xxx.org:8050/sap/bc/ui5_ui5/sap/zui_tool/index.html#/

 

instead of going to the 'view' page. The weird part is, when they click on the same link again (without closing the first instance of the application), the page opens correctly in 'view' mode.

 

We also tried another scenario wherein we opened the Intranet irj/portal link and then clicked on our application view link from the email content. The page opens correctly in the 'view' mode at the first instance of clicking the link.

 

 

It looks like some issue with authentication. However, we are not able to ascertain why the tool opens correctly when the same link is clicked only twice and not once.

 

Request your advice.

 

Thanks.
