Dear All
We would like to deploy SSO for SAP Cloud For Customers but we can have ADFV V3.0 and not V2.0
Would you have some technical documents or Specifications to provide ? Are there differences between v2.0 and V3.0 ?
Thank you very much
Jérémie Waltman
Lagardère Sports & Entertainment
Hi,
We want to implement SAML 2.0 so that users can use their AD credentials to login to SAP Fiori.
We have the documentation:
However The AD team has concerns on this configuration as they want to introduce TOTP on the ADFS.
Is there a documentation available which talks about this type of a scenario?
Specifically without SAP Authenticator or custom app.
regards
Keo
Hello Team,
I need some guidance over here.
refer below scenario.
1. I have NW SSO 2.0 server and IDM 8.
2. We DONT have any other other user source for authentication (Ex. AD, LDAP etc..)
3. Hence we are planning to use IDM 8 as user authentication source.
So, the system architecture will be that IDM will be treated as user source and connected to SSO 2.0.
Once the user is authenticated they will be allowed to use SAP ECC.
So based on this, we were planning to use SAML 2.0 method.
However. I would like to know if I can use this method, if not which other configuration method is applicable over here?
Regards,
Yatin Phad
Hi everyone,
I have configured SAP NW SSO 2.0 SP06 server for POC. I have further configured couple of ABAP servers for SNC and multiple users can logon fine into all the ABAP server with SSO. Only on one of the ABAP server 3 users can successfully logon whereas one user get following error while trying to logon with SSO. I am troubleshooting with user by having him logon on a different working machine and also by having a working user logon via machine where the issue started originally. But while we get all the troubleshooting results wanted to ask if anyone has seen this ? Already tried reloading SSO client on the effected users machine but no luck.
Dear All,
We are currently working on Single sign on for Easy DMS in our 32 Bit Windows machines and it works perfectly by getting the password via Kerberos token. The same is not working on 64 bit windows machines. Please suggest us how to proceed, below is the error message triggered in Easy DMS logon screen. Thanks in advance,
Hi, I am trying to configure Single Sign-On based on Kerberos/SPNEGO. I have sucessfully already configured in other servers however in this one I am not able to success.
The error I am getting in dev_w0 is the following:
N SncInit(): Initializing Secure Network Communication (SNC)
N PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 8/64/64)
N GetUserName()="SAPServiceSH1" NetWkstaUser="SAPServiceSH1"
N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
N SncInit(): found snc/data_protection/min=2, using 2 (Integrity Level)
N SncInit(): found snc/data_protection/use=3, using 3 (Privacy Level)
N SncInit(): found snc/gssapi_lib=F:\usr\sap\SH1\DVEBMGS01\SLL\sapcrypto.dll
N File "F:\usr\sap\SH1\DVEBMGS01\SLL\sapcrypto.dll" dynamically loaded as GSS-API v2 library.
N SECUDIR="C:\Users\sapservicesh1.SNL\AppData\Local\sec" (from APPDATA)
N The internal Adapter for the loaded GSS-API mechanism identifies as:
N Internal SNC-Adapter (Rev 1.1) to CommonCryptoLib
N Product Version = CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.42 pl40 (Sep 24 2015) MT-safe
N SncInit(): found snc/identity/as=p:CN=SL-ABAP-SH1@<DOMAIN>
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [D:/depot/bas/74 1445]
N GSS-API(maj): No credentials were supplied
N Could't acquire ACCEPTING credentials for
N
N name="p:CN=SL-ABAP-SH1@<DOMAIN>"
N FATAL SNCERROR -- Accepting Credentials not available!
N (debug hint: default acceptor = "p:CN=DummyCredential")
N <<- SncInit()==SNCERR_GSSAPI
N sec_avail = "false"
M ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c 271]
M *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c 273]
M in_ThErrHandle: 1
M *** ERROR => SncInitU (step TH_INIT, thRc ERROR-SNC-OTHER ERROR IN SNC LAYER, action STOP_WP, level 1) [thxxhead.c 2393]
Note: Where is <DOMAIN> I replaced with the correct domain.
Possible solution:
How can i set permanetly the SECUDIR to F:\usr\sap\SH1\DVEBMGS01\sec instead of C:\Users\sapservicesh1.SNL\AppData\Local\sec
I have executed the following commands:
1. set SECUDIR=F:\usr\sap\SH1\DVEBMGS01\sec
2. sapgenpse keytab -p SAPSNCSKERB.pse -a SL-ABAP-SH1@<DOMAIN>
3. sapgenpse seclogin -p SAPSNCSKERB.pse -O snl\SAPServiceSH1 -N
Profile Parameters:
snc/enable=1
snc/gssapi_lib=F:\usr\sap\SH1\DVEBMGS01\SLL\sapcrypto.dll
snc/identity/as= p:CN=SL-ABAP-SH1@<DOMAIN>
snc/data_protection/min=2
snc/data_protection/max=3
snc/data_protection/use=3
snc/accept_insecure_gui=1
snc/accept_insecure_rfc=1
snc/accept_insecure_cpic=1
snc/permit_insecure_start=1
snc/r3int_rfc_qop=8
snc/r3int_rfc_secure=0
snc/force_login_screen=0
spnego/enable=1
spnego/krbspnego_lib= F:\usr\sap\SH1\DVEBMGS01\SLL\sapcrypto.dll
SAPCRYPTOLIB= F:\usr\sap\SH1\DVEBMGS01\SLL\sapcrypto.dll
Information:
Command sapgenpse:
Command sapgenpse seclogin -l
Checked the RSBDCOS0 (t-code SE38) and executed the command sapgenpse seclogin -l 2>&1
Command setspn -L SL-ABAP-SH1
Command klist
Hi,
We use SAML in our NW Gateway 7.4 system.Our adress is https://testerp.abc.com/saml/idp.
We use HTTP Redirect in SSO Endpoints. If we don't use HTTP redirect SAML does not work.But i have a problem here. If i call sicf service from http it is redirecting to https://testerp.abc.com/saml/idp. How can i prevent this redirection? If i call a sicf service from HTTP i don't want it to redirect HTTPS.
Thank you,
Fatih
Hi,
I have a scenario where the functional have configured SAP Success Factors Employee Central (EC) to communicate with ECC backend for payroll data. EC is a cloud based solution while the ECC backend is on premise.
While the users try to launch some sections in EC e.g superannuation, they are redirected to a link on the ECC backend (https://servername:port/nwbc/~canvas;window=app/nwbc/~canvas;window=app/wda/hrpao_paom_masterdata?OTYPE=EMPLOYEE_CENTRAL&SINGLE_ACTION=X&WDCONFIGURATIONID=HRPAO_PAOM_MASTERDATA&NO_COLLABORATION=X&sap-client=300&sap-language=en&CFG_ID=IT0220&OBJID=2%2C322%2C9001&WDTHEMEROOT=sap_corbu)
Now this is an embedded window in EC and when I've tried to enter the username and password, it prompts the error "Logon with URL parameter not possible; logon cookie is missing".
What I'm trying to achieve here is to have an SSO between EC calling the ECC backend for data without the need of setting up an Java stack as IDP using SAML2. Is that possible?
Thanks and BR,
Philip
Hi guys,
I have a situation where user is not able to login using SSO and whenever he tries to login, it asks for the user credentials. We have checked the SNC and it is correct and there are no issues with the SNC because SSO is working fine for all the users.
Anyone have any idea? Any comments will be appreciated.
Hi Experts,
We are in configuring ABAP SSO through Active directory, Could you please help me with best way to achieve this functionality.
Regards,
Saravanan R
I asked this already under Cloud Identity, but did not get any reply till now. As a customer needs an answer on this : Is there a possibility to achieve user provisioning with Cloud Identity via a corporate user store? Many companies have already LDAP-solutions like MS ADS in place where users and their organisational affiliation, roles and further rights are stored. Till now I found only ID federation. But many customers usually have a large number of users in their corporate user store with different kinds of attributes attached.
In SAP Cloud Identity roadmap user provisioning is alsoonly listed as a "planned feature". Are there any other solutions ?
Thanks in advance
Regards, Michael
Hello,
We are getting the following error when opening a weblink via SAP SSO.
I am not an SAML expert hence appreciate your inputs in fixing this issue.
The following document was followed to set SSO --> Use SAML to enable SSO for your SAP HANA XS App
We are using a HANA XS system and using Java script.
The following 400 Bad Request error details are as below.
Hi Team,
I have made some changes on SSO Portal.Now i have to revert those changes.So,how can i do this?
Is revert is possible in SAP single sign on Portal.
I am using SAP Netweaver 7.3.
Thanks
Hello All,
I am working on NWSSO 2.0 where i am configuring X.509 certificate login module method.
Here my SSO ume is used as user authentication source (no AD, alternate data source).
In this case, If i am using basic login module method then how do i map the UME logon ID with ABAP system ID which needs to be connected to use SSO.
Regards,
Yatin Phad
All,
Please help
I am able to login manually but I am having issues with SSO. I keep getting the following error
Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)
Environment details:
SAP BO XI 3.1 SP5
2008 Server R2
Apache Tomcat
Hi experts,
I have the Single Sign-On fine for SAP GUI and Web GUI, however when I try to enter in NWBC application to Portal or NWBC it says that the Certificate is not trusted.
Anyone knows which could be the problem?
Question:
In SPNEGO we need more configurations besides only enter in t-code SPNEGO and add there the user I created to generate the Keytab, for example SL-ABAP-ERD@<DOMAIN>?
All,
Please help
Environment: BO XI 3.1 SP5
OS: Windows Server 2008 R2
Manual login works fine (Windows AD) however SSO does not work. I keep getting the following error.
Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)
Also, STD.Out log file shows the following error
Pre-authentication information was invalid (24)
Please let me know if you need more information. Thanks
Dear All,
We are now implementing SSO for our NW java portal. we configured SPNEGO for kerberos authentication.
in SPNEGO settings, when i select Mapping mode as principle only and source as login id, SSO is working fine. but we need both SAP and windows account must in same name. but in our environment, Windows Domain account and SAP login account is different.
so i select mapping mode as principal@realm and source as email, sso is not working. but mail id is maintained in windows domain as well as SAP.
i am not able to find any solution for my situation. please help me on this issue.
also suggest other methods for our environment.
Thanks & Regards
Balaji
Hello Experts,
We have installed PERSONAS add-on in our SAP ECC 6.0 EhP7 AS ABAP system.
Single Sign On via SAP GUI for Windows is configured w.r.t. Active Directory & works properly.
We have enabled the SICF service for webgui, & the system is accessible via browser as well.
Now the requirement is to enable single sign-on for webgui, something where it can accept a certificate from Active Directory & authenticate the login.
Could you please suggest how we can achieve this?
Best Regards,
Tanmeya
Hi SAP PM,
i have a customer who likes to setup SAP SSO for his older SAP landscape. Can you please let me know, if the following ECC versions are supported by the SAP CommonCryptoLib/SecureLoginLibrary:
The SAP SSO PAM says 4.6c, 6.20, 6.40 and 7.x+. Just want to make sure, if this was ever tested or is anyhow supported by SAP.
Thanks for your answer.
Regards,
Carsten