Channel: SCN : Popular Discussions - SAP Single Sign-On
Viewing all 1248 articles

Don't see option to create identity provider in SAML 2.0 Local Provider Configuration


Hey all,

 

I am trying to configure SSO with SAML2.0 for fiori apps, and have a NW JAVA instance where I have installed my federation service component.

 

But when I go to - Authentication and Single Sign-On: SAML2.0 --> (enable SAML 2.0 Support) Local Provider Configuration

 

I don't see the option for Operation Modes, so can't select the identity provider option. And by default it's picking up as Service Provider Option (see screen shot).

 

Can someone please suggest what component or config I am missing, so the Identity Provider option shows up? As in the scenario I am planning I need to make this NW JAVA stack an Identity Provider and my Gateway system a Service Provider.

 

Please let me know if I can provide any other information.

 

Thanks

 

Ray


SSO 2.0 SP04 Assistance


Dear Guru,

 

We have been trying to configure Secure Login Client (SSO 2.0 SP04).

 

Upon installation of the Secure Login Client, we were able to acquire Kerberos Tokens, but none for SPNEGO (X.509 Certificates). We have been getting errors like "Supplied credentials not accepted by server".

 

Installation Reference: scn.sap.com/docs/DOC-40179

 

Issue was encountered during phase 3 of the reference. We followed the instructions to a tee, and got lost due to some SP differences. Although, we did manage to extract the Root CA and Registry Entries.

 

Any thoughts or advice on where to check? Thank you.

 

Regards,

 

 

Tom

Cross Domain Authentication via SPNEGO


Hello,

 

I have successfully configured the Secure Login Server to authenticate users via Windows Login / SPNEGO. Unfortunately the enrollment does NOT work for users in different domains, but only one domain AT A TIME. So the Secure Login Server SPN sits within the Kerberos Realm that allows users in exactly this Realm to login via SPNEGO. (Of course all users from all domains are visible in the Secure Login Server's UME)

 

But we have 4 domains in a forest. So, according to note 994791 that states:

 

  • Domain Forest
    • Create and configure a J2EE service user in one of the domains part of the forest - it doesn't matter if this domain will be the root domain or any of the child domains
    • Configure UME to use multiple ADS data sources (for each domain in the forest)
    • In the "Kerberos Realm" step of the wizard you should provide information only for the domain where you have created the service user for the J2EE Engine

..I have configured SPNEGO only for the realm that hosts the SPN.

 

Unfortunately it doesn't work. Please help me if you have experience with cross domain SPNEGO authentication via Secure Login Server.

 

Thank You,

Philippe

SSO for fiori apps


Hi ,

 

I would like to configure SSO for Fiori apps based on Windows authentication. What things are required to do so?

Like any changes on user settings, Fiori launchpage.

Also I want to map several Windows user IDs to a single SAP user ID, is this possible?

 

 

Regards

Yashpal

Import of SAP Server Certificate in SNC X.509 method


Hello,

 

We are in the process of implementing SAP NW SSO for SAP GUI with SAP ECC Systems.

As per the Secure Login Library Guide, we have extracted the Secure Login Library file in the desired location and set the profile parameters as mentioned in the Guide.

Now we are configuring the SNC X.509 Configuration, and it says to import the SAP Server Certificate using Tx: STRUST.

From where to get the SAP Server Certificate? We have created a PSE using Tx: STRUST, which appears at OS level in structure /usr/sap/SID/DVEBMGS<>/sec.

We are stuck in this step, we are not able to import the SAP Server Certificate.

After the completion of the X.509 Certificate, we would be going ahead with SNC Kerberos Configuration.

Please provide suggestions and inputs.

 

Regards,
Deepak

SSO via x.509/SAML for free possible?


I know SAP releases the SSO products but is it possible to achieve SSO via x.509/SAML certificates for free? Or are the SSO products absolutely required for this?

 

Would really appreciate some insight, thanks!

 

Joe

SSO with Kerberos for sicf services


Dear All,

 

We are trying to set up SSO (Kerberos / SPNego) for our Fiori Development system. Reference to the URL http://scn.sap.com/docs/DOC-50394 and the Secure Login Implementation Guide, I am able to set up SSO for SAP GUI successfully but when I access the Fiori Launchpad (and any other html gui aka webgui service), the system still prompts me for a user name and password.

 

I also looked at the SPNego ABAP Troubleshooting note (Note 1732610 - point 3.2.12) but it seems irrelevant to our case as our ABAP system release is NW 7.4 SR1. Further, if I check alternate logon procedure for the ushell service, I can select the "SPNego Authentication" in the list but it does not work.

 

Can anyone please advise if there are any additional steps that have to be performed for SICF services to enable SSO?

 

Thanks a lot..

 

Kind regards,

 

Amer.

SAP NWSSO2.0 SP03 SPNEGO not working( No Webgui/NWBC or Portal )


Login testing the service WebGUI

1. SICF->Default_Host->sap->bc->gui->sap->its->webgui – test the service

Getting this prompt for first AD user ID and password and then SAP user ID and password.

2. Same thing happens with NWBC and BW-Portal login - it prompts for AD ID and then SAP ID and password.

Whereas ABAP SSO works perfectly.

 

 

Here are my configuration steps.

  • Our OS: Windows Server 2012
  • DB: MSSQL 2012
  • AD: Microsoft Active Directory
  • SAP NW7.4 with SPS5
  • SAP Installation – Central System
  • SSO product- SAP NW SSO2.0 SP03
  • SID – SB1, SE1 ….
  • DOMAIN: MYCOMPANYNAME.COM ( Just an example, not the real name)

 

NWSSO Configuration Steps.

1.  Service User in the MS AD for AS-ABAP or AS-JAVA/Portal with following information

  • User ID: SAPService<SID>(existing individual<SID> Service user id)

  • Set the User cannot change the password

  • Set Password never expire

 

2.  Created SPN for this Service User

  • For ABAP -SAP/SAPService<SID>

  • Web (HTTP/ Hostname for ABAP apps server)

 

3.  Installed Secure Login Library on SAP Server

  •  Created a folder name (SLL)in /user/sap/<SID>/DVEBMGS00 ($(DIR_INSTANCE)\SLL)

   • Verified SLLibrary:(Version - 8.4.18.0)

(Starting with NW7.4 the sapcrypto library is included; check that the version is the same in the SLL directory and in the Kernel Dir.)

 

4.  Define the following SNC parameters using RZ10

   snc/identity/as = p:CN=SAPServiceSB1@mycompany.com

   snc/enable  = 1

   snc/accept_insecure_cpic = 1

   snc/accept_insecure_rfc = 1

   snc/accept_insecure_gui = 1

   snc/data_protection/min = 3

   snc/data_protection/max = 3

   snc/data_protection/use = 3

   snc/permit_insecure_start = 1

   snc/r3int_rfc_qop = 8

   snc/r3int_rfc_secure = 0

   snc/force_login_screen = 0

   spnego/enable = 1

   spnego/krbspnego_lib = $(DIR_INSTANCE)\SLL\sapcrypto.dll

   snc/gssapi_lib = $(DIR_INSTANCE)\SLL\sapcrypto.dll

 

5.  Kerberos KeyTab was generated successfully for SPNEGO/SNC and verified 

        #sapgenpse seclogin -l -v

6.  Configured Credential file and verified

7.  Install Secure Login Client and defined SNC name as p:CN=SAPServiceSB1@mycompany.com

8.  Configure User Mapping in SAP AS ABAP – SNC name – p:CN=<USERID>@MYCOMPANY.COM

9.  Restarted the SAP server and my ABAP SSO is working perfectly.

10.     SPNEGO Configuration:

     a.  Define Kerberos KeyTab for SPNEGO using tcode – SPNEGO

     b.  Created UPN - SAPServiceSB1@MYCOMPANY.COM with the password of this server ID.

 

For WebGui all the required Service are activate and published via SICF and also per http://scn.sap.com/docs/DOC-29485

 

Created SAP Message and SAP also confirmed all your setting looks and Kerberos being case sensitive but since my ABAP SSO is working so that possibility is also ruled out.

Are there any different steps or known issues with the above settings for SPNEGO? I have not mentioned the steps for Portal because first let's get the WebGUI or NWBC resolved, which uses the SPNEGO configuration.


SSO configuration from BOE to HANA


Looking to set up SSO from BOE to HANA using SAML and coming up short on what is hopefully just some missing configuration. If anyone has experience getting this running, I'd be grateful for feedback or links to more comprehensive documentation.

 

We are running BOE 4.1 SP5 and HANA rev 92 (on a multiple node installation). The plan is to 1) enable SSL logins on HANA, 2) set up BOE as the IdP, 3) create the SAML provider in HANA and establish trust between the two systems.

 

  1. HANA is accepting Open SSL connections thanks to this very helpful document. Confirmed via HANA Studio login.
  2. On the BOE side, an IdP Base64 certificate was generated in the CMC via the HANA Authentication dialog.
  3. The IdP cert was appended to the trust.pem file (on the master node) as per this blog post. The SAML provider has been created in HANA with the Subject/Issuer set to match the BOE cert. We also used sapgenpse to add the cert to saplogon.pse and sapsrv.pse in $SECUDIR (again on the master node).

 

Everything has been restarted after the last configuration change.

 

A test user has been set up in HANA with the SAML provider enabled, user name matching a BOE enterprise account. When testing from the CMC, we see the following error message: Connection Failed: The test of the HANA SSO ticket used to log onto the HANA DB has failed due to: [10]: invalid username or password. (FWM 02133)

 

The HANA tracelog, set to debug, shows some errors in SAMLAuthenticator (ERROR in libxmlsec) before it culminates in this block:

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.882796 i Authentication   SAMLAuthenticator.cpp(00400) : Unable to verify XML signature

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.882934 d Authentication   ManagerAcceptor.cpp(00273) : Injecting logon name into method:

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.882986 d Authentication   SAPLogonManager.cpp(00360) : Store chosen for assertion ticket validation: saplogon.pse

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.883114 w Authentication   SAPLogonManager.cpp(00504) : The base64 decode of the received ticket failed. SSO_RC return value: 1281

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.883121 d Authentication   SAPLogonManager.cpp(00513) : Use SSO Validation PSE >>>saplogon.pse<<<

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.883123 d Authentication   SAPLogonManager.cpp(00514) : Received Base64 Ticket >>>SAML 2.0 assertion ticket...<<<

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.883167 i Authentication   MethodSAPLogon.cpp(00275) : unsuccessful login attempt with SAPLogon/SAPAssertion ticket!

[22277]{-1}[-1/-1] 2015-02-02 20:10:23.883181 d Authentication   ManagerAcceptor.cpp(00273) : Injecting logon name into method:

[22277]{-1}[63/-1] 2015-02-02 20:10:23.884313 d Authentication   Connection.cc(03617) : [PRE AUTHENTICATION] logon name:

[22277]{-1}[63/-1] 2015-02-02 20:10:23.884359 d Authentication   Connection.cc(03684) : [POST AUTHENTICATION] logon name:

 

It looks like the ticket is received but not being parsed. It's not clear to me if this is related to the certificate or some other configuration element, or exactly what the missing piece is.

Advanced users' authentication using contactless ID Tokens (RFID cards)


Good day!

 

We are going to implement authentication of users in a kiosk by their contactless cards as described in note 1970286.

But we have a business requirement to make an additional check before login - the user must enter some secret word, password, or private information before he/she will be logged in.

So the scenario is:

1) User puts his card to the reader

2) As described in the note he gets a one-time certificate

3) The system shows a window to enter secret word

4) Log in

 

 

How can we achieve it? Thanks in advance.

 

P.S. Login to ABAP server through a browser

SNC Error


Hi,

 

We are implementing NW SSO 2.0 with X.509 based authentication. For now, I have successfully connected the Secure Login client to Secure login Server with my LDAP user account.

 

 

However I am not able to login via SNC through my SAP system. I am getting the SNC error mentioned below. I exported the SNC certificate from the ABAP system and imported it into my certificate store, but it doesn't get populated in my Secure Login Client.

 

*** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1439]

N        GSS-API(maj): No credentials were supplied

N        GSS-API(min): No credentials found for this name (not logged on) (USER=Unknown)

N      Could't acquire ACCEPTING credentials for

N

N      name="p:CN=DE1, OU=I0020095220, OU=SAP Web AS, O=SAP Trust Community, C=DE"

N  <<- SncProcessInput()==SNCERR_GSSAPI

M  *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc.c    1034]

M  {root-id=53480D4658932260E1008000A045047E}_{conn-id=00000000000000000000000000000000}_0

 

 

M  *** ERROR => ThSncIn: SncProcessInput [thxxsnc.c    1039]

M  {root-id=53480D4658932260E1008000A045047E}_{conn-id=00000000000000000000000000000000}_0

 

 

M  in_ThErrHandle: 1

M  *** ERROR => ThSncIn: SncProcessInput (step 4, th_errno 44, action 1, level 1) [thxxhead.c   11329]

M  {root-id=53480D4658932260E1008000A045047E}_{conn-id=00000000000000000000000000000000}_0

 

 

Thanks

 

Thilip Kumar

Configure SSO on SAPGUI for html (webgui, no portal)


As I did not receive any reply on my earlier post, re-posting my question in simplified way.

 

Dear All,

 

I have to configure SSO for SAPGUI for html from client browser. I have read the blogs and notes but still have some questions.

 

First of all, our environment is ECC 6.0 on HP-UX 11.31 and client PCs are usually running windows 7. Ref to note 1257108, we have two options:

    • SAP logon tickets
    • X.509 client certificates

 

Questions: SSO between Web AS running on HP-UX 11.31 and Client PC on Win 7 using X.509 certificates would be possible without any third party product?

 

I will be following the SAP Help documentation
http://help.sap.com/saphelp_nwpi71/helpdata/en/b1/07dd3aeedb7445e10000000a114084/content.htm to configure SSO for SAPGUI for html, any other resource/blog that could help in this?

 

Thanks in advance for your help and support.

 

Regards,

 

Yasir.

SAP Portal 7.3 SPNego and NWBC SSO with ECC


Wanted your expert opinion on something. We are using NWBC 4 and got Portal 7.3 in our landscape. We have established SPNego for IE single sign-on for Portal. We also have SNC entries with SAPGui to manage ECC SSO using SAPGui.

We want to extend NWBC to ECC SSO. But this has been a massive hunt for the right solution.

SAP NetWeaver SSO is the obvious solution, but it seems it involves some licence cost. The other option was to redirect NWBC to Portal and then back using the redirect app as described in this note.

Question is, what is the best way forward, and whether we can achieve NWBC ECC SSO with this redirect method. With all the effort we put in, we are able to see the web page of /nwbc instead of launching ECC on NWBC 4.0.

 

Thanks a lot for your time.

 

Note 1250795 - Redirect appliction NWBC.pdf
Note 1250795 - Redirect appliction.pdf

 

 

Regards,

Sudhir


Single sign on User licence


Dear all,

 

We have implemented SSO where we have 30 BI licences and 10 BO licences.

I have set up authorizations in BI for all 30 users and tested successfully.

When I am importing related roles in BO I am able to see only 10 BI users. Is it because I have 10 BO licences or anything else?

I don't have much knowledge on the licensing part, so I am requesting you all to please guide me on the same.

Single Sign-On with Kerberos


Hi,

Trying to configure SSO with Kerberos [NW SSO 2.0], followed the steps: 1. Create service user in ADS. 2. Copy Secure Login Library files to ABAP system [Unix]. 3. Configure SNC profile parameters.

 

After the profile parameter changes, we did the application restart, but the system is not coming up and we found the following error in the trace file

 

  *** ERROR => DlLoadLib()==DLENOACCESS - dlopen("sncgss.so") FAILED

  "Unable to find library 'sncgss.so'."  [dlux.c       445]

N  *** ERROR => SncPDLInit()==SNCERR_INIT, Adapter #1 (sncgss.so) not loaded [sncxxdl.c  731]

 

Yes, the file is not available in the system, how to get the snc related files/libraries?

 

Regards,
Sam

Login to AS JAVA as administrator


Now that we have enabled SSO we login to AS JAVA with the X509 certs. Would anyone know how we can login as Administrator and temporarily disable the X509 cert?

 

 

Thank you

Jonu Joy 
