AD for SSO to SAP r/3

Is it possible to use Active Directory and Kerberos to effectively single sign on from AD to R/3?
Thanks

Hi,
Check things like https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/bc72b890-0201-0010-3a8d-e31e3e266893
and
http://help.sap.com/saphelp_nw04/helpdata/en/a2/cd49ecafb7424b8ff3cc1995a760bc/frameset.htm
Eddy

Similar Messages

  • SSO to SAP EP6 (for Employee Self Service) using WebSEAL

    Hi SDN friends,
    We are about to embark on a SSO implementation using IBM WebSEAL for SAP EP6 ESS (Employee Self Service) connecting through to an SAP R/3 4.7 server.  Since the ESS solution for 4.7 still uses ITS services, this means that we have ITS iViews in the EP6 portal.
    We have managed to look through the whitepaper 'IBM Tivoli Access Manager - Single Sign On for SAP NetWeaver - September 2005' described at https://www.sdn.sap.com/irj/sdn/developerareas/ibm
    We have the following queries, if anybody has a simple answer to these:
    -  Is it absolutely necessary to configure an SNC connection between ITS/EP6 and R/3 server to achieve SSO for the portal?
    -  Given that SAP EP6 references ITS IAC iviews, is it necessary for us to configure both ITS and EP6 for SSO, or can we simply configure EP6 for SSO?  If so, is it also necessary to configure both for SSL?
    -  Otherwise, how easy is it to set up SSO in this scenario without SSL (for demo purposes)?
    Any thoughts would be greatly appreciated.
    Cheers
    John Moy

    Hello John,
    regarding your questions:
    ad 1) no. SNC is only mandatory if you use X.509-based SSO to R/3. You can also use SAP logon ticket-based SSO from EP to R/3 or user mapping, both of which do not require SNC.
    ad 2) yes, you have to configure both EP and ITS at WebSeal.
    ad 3) you can always omit SSL. However for production use, it is recommended.
    Regards
    Michael

  • R/3 Secure Store and Forward, while using SAP portal for SSO

    Hello,
    We are using SAP Portal UME for authentication, then SAP SSO tickets to log into the SAP R/3 system.  Initially we decided that the end users would have a "disabled password" so that they must use the portal authentication mechanism to get into R/3 and therefore could not log in straight to R/3 system via SAP GUI.
    All was working fine until during integration testing when someone tried to use the electronic signature function on a QM t-code (QA11) that prompted for an e-sig.  Since local passwords have been disabled, the user could not execute the e-sig. 
    We do not want to activate local R/3 passwords for the users.  Can anyone give some advice or a best practice regarding how to set up electronic sigs in R/3 while using an external authentication source? FYI, we are also trying to avoid using the LDAP connector from R/3 to our LDAP.
    Please comment for any clarity needed or comments,
    Thanks in advance,
    Ryan

    Good point - but I'm afraid of not knowing an instant answer.
    Well, theoretically one could make use of the fact that an NWAS ABAP can act as http client (submitting http requests to the NWAS Java to validate logon data); but that's just a rough idea.
    Regards, Wolfgang

  • SAP Best Practices for SSO Configuration

    Hello There,
    Are there any SAP Best Practices available for SSO Configuration? If so, kindly help me with those.
    And are there also any third-party tools available in the market for SSO Configuration?
    Appreciate your help on this. Thanks in advance.
    Regards,
    Pranay S
    Edited by: Pranay Subedari on Apr 29, 2011 9:12 AM

    Hello,
    Types on the SSO are classified with the systems involved in configuration (i.e.) SSO between ABAP Stack and Java stack or LDAP, OS
    Refer the link for more details [Document Deleted]
    Regards,
    Anand
    Message was edited by: Jason Lax

  • Integrate SAP Netweaver 7 with SharePoint 2013 for SSO

    We are planning to Integrate SAP Netweaver 7.0 with SharePoint 2013 for SSO using SAML 2.0
    Would like to know what 3rd Party IDM tools are supported by SharePoint 2013  apart from ADFS
    Regards
    Mirza
    FBM

    This should help you Faheem
    http://scn.sap.com/community/interoperability-microsoft/blog/2011/01/31/installing-duet-enterprise-the-sap-side--a-video-guide
    Please remember to click 'Mark as Answer' on the answer if it helps you

  • SSO to SAP using workstation password (GUI/Web)

    Hello All - I am very new to this area and I am analyzing a SSO solution to implement in our company where in the User's workstation password will be the only authentication to logon to SAP.  We are looking into SSO using Kerberos but we are still not clear on the solution. Below are some of the questions that I can think of from the top of my head.
    1) What is the pre requisite to logon to SAP without password? AD/etc...
    2) Can logon via. SAP Logon GUI be passwordless? If yes, what is the solution/technology? Also if passwordless GUI log on is possible, what will be situation where a system has more than one client? Will it prompt to enter the client number?
    3) Will SSO work across multiple landscapes like 4.7, MySAP, BW, Netweaver, etc?
    I apologise ahead if my questions are very vague. Kindly bear with me and point me to the right information, so that I can have the analysis of SSO ready for my company.

    > Kishore Karuppan wrote:
    > Hi Guys - I am back again. I am not sure if I need to open a new thread since I marked that my question was answered. I had a chance to discuss the possibilities of enabling single sign on to GUI and my web with the experts in our company and we have the below questions. Since we already have Kerberos enabled in our workstations, we like the idea of installing SNC libraries.
    Good choice. Yes, you could have opened another thread, but I am happy to help you using this thread.
    > 1) Will SSO via GUI using SNC libraries work for all versions of SAP including 4.5, 4.6, mySAP, etc.. (I just want to ensure that I covered 4.5, 4.6, mySAP as well, as I did not mention this in my previous post)?
    Yes, SNC is supported on versions of SAP ABAP AS since 3.1I through to NetWeaver 2004s and beyond. So, you can use same solution for all versions of SAP in your landscape, and on all platforms as long as the vendor product you use has libraries for the operating system.
    > 2) Will installing SAPNEGO module enable single signon for web for all versions of SAP?
    Yes, this is one option as it uses Kerberos capability already included in IE browser and also in Firefox browser - there is therefore no client software required and you can utilise Kerberos credentials already on workstation.
    > 3) Is there a whitepaper or a source where we can verify the above so that can get approval to get help from the SAP or SAP partners to devise a SSO plan for our complex SAP landscape?
    As I explained before - some of this functionality is provided by SAP Partners so you need to contact one of them to ask for such papers. If you contact me I can give you a demonstration of this technology via a web meeting and answer any detailed questions you might have when you have seen it working. You might want to invite other people from your company as well.
    > For some reason, our Security Architect believes that SSO via GUI is not possible using SNC libraries. I need some data from a trusted source. I did lookup by searching for SSO in the forums and white papers but I am unable to find a source that validates the information.
    I can show it to him working, or you can point him to http://www.cybersafe.com/d2 so he can see the products being installed and demonstrated.
    > I will have one more follow up question to clarify but I will wait for the response to above. If I have to create a new thread, please let me know and I am happy to do so.
    Since you have started on this thread you might as well continue. No need to confuse matters by opening new thread, but in future when a thread is closed it is better to open a new one if you have additional questions.

  • SSO to SAP works but no OLAP Connection per SSO Auth

    Hi experts,
    we have setup an SSO for the Authentication of SAP BW and SAP BO and used the portal integration. We are using SAP BO 4.1 SP4 and SAP BW 7.4.
    We use the Login via Netweaver Portal go then to the SAP BO where the reports are stored.
    The SSO login works fine, but the OLAP connection to the SAP BW system does not fly. I have tried to create a connection via IDT. This works.
    After that I created a WebI report in the Applet and chose BEx Connection and received the error:
    error.openSapBwBrowsingSessionFailed
    Then I tried the WebI Rich Client and received the message: Unknown Error in SL Service, and do not even receive the list of possible BEx connections.
    We are using SNC for the user authentication in SAP BW.
    And now it is getting very abnormal:
    When i go the IDT tool and create the connection again and republish this to the repository and try to connect again via WebI Applet, i do not get the error message again.
    Can you please assist, as our Business user can not publish their OLAP connection.
    Regards,
    Markus

    The new Business Objects version (BI 4.0) comes with a new authentication
    technology to create a trust relationship between a non-SAP user and the SAP
    data source. How to determine the correct method to be used?
    When using legacy .unv universes (XI 3.1 technology) = SNC
    When using .unx environments (BI 4.0 new semantic layer) = STS
    When you try to connect a BICS connection or IDT it is important to use the STS methodology.
    Check the below link for the configuration.
    Below is a Wiki link with a "How to setup SSO against SAP BW in SBO BI4.0 for LDAP users", and follow the raunak kumar suggestion when you configure SNC and STS.
    http://wiki.sdn.sap.com/wiki/display/BOBJ/How+to+setup+SSO+against+SAP+BW+in+SBO+BI4.0+for+LDAP+users

  • SSO to SAP R3 thru ITS 6.20 with Logon tickets

    Hi All,
    I am trying to configure SSO to R3 thru ITS with the Logon Tickets.
    I have configured R3 to accept the tickets using STRUSTSSO2.
    Downloaded the verify.der file from Portal and imported to R3
    And tried to test the System connection.
    If I use SAP GUI for Windows, the logon ticket is passed and SSO happens
    without any problem.
    But if I use SAP GUI for html, then the ITS Logon screen appears and once I
    enter the user id and password it logs in.
    In ITS global.srvc file I have added the following parameter
    ~mysapcomusesso2cookie 1
    I also have the following parameters in the global.srvc file
    ~login <space>
    ~password  <space>
    Do I need to configure any thing more in ITS.
    Where am I going wrong.
    I have read regarding Pluggable Authentication Service (PAS). Is this mandatory for SSO thru ITS
    Please let me know
    I am working on EP6 SP14
    Any help is really appreciated
    Thanks in advance
    Regards,
    Santhosh

    Hi,
    Within System definition of R/3 System, you've to give the FQDN of ITS just same as Portal system. For example if your Portal system's FQDN is below:
    http://portal.hedehode.com:50000/irj
    then the ITS Server definition (parameter ITS Hostname) must be:
    itsserver.hedehode.com:port
    for portal to resolve itsserver.hedehode.com host, you may need to enter its IP address into hosts (c:\windows\system32\drivers\etc\hosts) file of portal system.
    <ip>   itsserver.hedehode.com

  • SSO with SAP logon tickets to non-SAP web app

    I am trying to implement SSO to an oracle portal based web application using SAP logon tickets, but can't seem to find a way for it to work.  I thought maybe it would be a web server filter, but am unsure if this would work for oracle portal.  Anyone tried similar?
    Cindy

    Hi Cindy,
    If it is EP6 SP2 probably you can checkout the following document.
    http://service.sap.com/ep60
    Go to Documentation Help>How-To-Guides>Current How To Guides section.
    checkout the following how to guide.
    Perform Cross Domain SSO with SAP Logon tickets zip file.
    If you want the zip file please send an e-mail to
    [email protected]
    Regards
    -Venkat Malempati

  • SSO Between SAP EP 7.0 - BOXIR2 SP1 - BW3.5 Is SNC required?

    We are trying to enable SSO between SAP EP, BO and BI so that users will be able to access Crystal reports (which have got backend as BW) from Enterprise Portal which are scheduled in BO enterprise server
    Below are the details on our landscape.
    1) SAP EP 7.0 Integrated with AD and SP Nego configured(if it fails users will use AD user id and pwd)
    2) BO - AD authentication is available as well as SAP Authentication got enabled using SAP BO Integration Kit. In BO reports are there which got backend as BW and scheduled successfully.
    3) BW 3.5 is using SAP authentication(Not AD authentication)
    4) SSO has been established between SAP EP and BW (user ids will be same in AD and BW)
    5) BO has two servers bo1.yy.comp.com and bo2.yy.comp.com
    6) SAP EP and BW has domain names as EP.xx.yy.comp.com and BW.xx.yy.comp.com - additional "xx" is there in the domain trail. So we have created a dns entry bo.xx.yy.comp.com which will resolve to bo2.yy.comp.com (CMS is running in this server) so that we meet the prerequisite for SSO with EP - BO - BW.
    7) BW is not configured with SNC.
    Question 1 - As per point 3 - SAP Authentication is available in BO -
    So in that BO server can we use ASPX page to read MYSAPSSO2 cookie generated by SAP EP and use that cookie to access report which got BW as backend?
    Question 2
    Do we need any more configuration for the SSO from EP - BO - BW? (do we need to go for SNC?)
    Even after reading many threads I couldn't understand the flow of SSO. Any advice will really help us overcome the hurdles.
    Thanks in Advance
    JayCeeDee

    Question 1 - As per point 3 - SAP Authentication is available in BO -
    So in that BO server can we use ASPX page to read MYSAPSSO2 cookie generated by SAP EP and use that cookie to access report which got BW as backend?
    >>> Assuming you are getting SSO tickets from the portal that happens automatically when the SAP authentication is configured.
    Question 2
    Do we need any more configuration for the SSO from EP - BO - BW? (do we need to go for SNC?)
    >> You mention on the one hand SSO tickets, on the other hand Windows AD. Which one is it ? What is the authentication that the user will leverage to connect to the BusinessObjects Server ?
    Ingo

  • SSO between SAP Portal 7.3 and Ruby on Rails

    Hello Everyone,
    We are planning to integrate SAP Portal 7.3 and a RoR application and I am wondering If someone can share some experience (If you have any of course) on how to establish SSO between SAP Portal and RoR.
    The SAP Portal will act as service provided and RoR as a consumer, we don't have LDAP, so the Portal UME is in ABAP and RoR uses an own UME database. We have SSO between our Portal and SAP Backend systems.
    In RoR customers will have access to their own information (Invoices, etc..) that will be provided by the backend system.
    URL transaction and iFrames is not an option for us.
    The second option is to call Web Services, directly or through the SAP Portal (we are using a central sr).
    I am a NetWeaver consultant who heard about RoR but have no experience in this field.
    All help and tips are greatly appreciated!.
    Regards,
    Ridouan

    We used Client certificates. Still working on the PoC.

  • SSO between SAP EP and JAVA app on WebSphere Application Server 5.1

    Hi.  I have 2 questions.
    I am implementing SAP EP6 and need to display content from a WebSphere JAVA application inside the portal.  The application is currently running on WAS 5.1.
    1. Does anyone have any sample code or documentation regarding how to pass the SAP logon ticket to WebSphere JAVA application to accomplish SSO when inside the portal?
    2. Does anyone have any sample code or documentation regarding how to pass the SAP logon ticket to WebSphere JAVA application to accomplish SSO when outside the SAP EP, but still within the same IE browser window where the SAP logon ticket exists?
    Thanks for any feedback you could provide.

    Hello Kevin,
    please look here: https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/nw/ibm/how to set up sso between sap enterprise portal and ibm websphere portal using tai.pdf
    Regarding your second questions: as long as you did not log off from SAP EP your browser hosts the SAP Logon Ticket cookie (within its timeframe of validity which is typically a couple of hours). So if you access a non SAP application that accepts SAP logon ticket with your browser, you're authenticated.
    Please note that the cookie based authentication only works within the same DNS domain. So if your SAP EP is configured to issue the SAP logon ticket to "company.com" then your browser sends it only to servers in that domain.
    Regards
    Michael

  • My experience of SSO between SAP Portal6.0 and non-Sap Application

    Firstly I announce that I am not a Sap developer or a Sap Consultant.  I am a Cognos Consultant. I need do SSO between Sap Portal and Cognos Portal in my project, So I have to make SSO between two portals.
    I  tested  SSO between the two products on IIS5 of Windows XP and IIS6 of Windows 2003 and passed.
    Step 1:  Copy sapsecin.exe and sapsecu.dll on any directory where you want, such as “C:\PortalSecurity”
    Then add this directory to your Environment variable PATH. You can find the two files on sapserv<x> under general/misc/security/SAPSECU/<platform>;
    Step 2: Copy your Filter ISAPI Files IIS_SSO.dll or IIS6_SSO.dll in any directory where you want, such as “C:\PortalFilter”. You can find these two files on SAP note 442401.
    Step 3:  Get your ‘verify.pse’ which is located in <irj>\root\WEB-INF\plugins\portal\services\usermanagement\data and put it on the same directory with your ISAPI Files, such as C:\PortalFilter
    (According to SAP Support articles, IIS_SSO.dll should be used on IIS 5 and IIS6_SSO should be used on IIS 6, but I can not load IIS_SSO.dll on IIS 5 of Windows XP, I use IIS6_SSO.dll);
    Step 4:  Create a new file named ‘verify.properties’, the content of this file see the appendix A;
    Step 5:  Load the IIS6_SSO.dll on your IIS. On IIS5, Select Website Properties—ISAPI Filter—Add IIS6_SSO.dll and name it ‘wp’. On IIS6, do as such and Create a Web Extensions named ‘wp’ and allocate file IIS6_SSO.dll. Finally restart the www service.
    If you can load the filter successfully, you will see the filter color is green.
    On IIS6, maybe you find that you can’t load your ISAPI file IIS6_SSO.dll, its state is unloaded and its color is red. I was confused by this question for a long time. I finally found you must install some R3 dll files on your system! The .dll files which I mentioned can be found in SAP note 684106, put it in a same directory with your security files, such as C:\PortalSecurity and restart your web server.
    (The steps above I reference Chris beck ‘s topic)
    Step 6: I write an ASP file named ‘headerdumper.asp’ on my website and create an i-view to show my asp file in SAP Portal. If you succeed, you can see the http header variable <your logon name> in the ASP page. If your application can receive http header variables, then Congratulations! You have applied SSO successfully.
    If your log file shows ‘Can't find MYSAPSSO2 ticket cookie for URI "" on host ""’, don’t worry about it. I was confused by this question for a long time though. I found the key causes of the errors are cross domain or different DNS suffix.
    I tested 3 scenarios :
    1 if your Sap Portal URL is http://sap-server:50000/irj/protal ,and your asp file is located in http://sap-server:80/headerdumper.asp, You can’t access this asp page from i-view . I am sorry that I have no idea about this.
    2 if your Sap Portal URL is http://sap-server:50000/irj/protal ,and your asp file is located in http://your-server:80/headerdumper.asp, Your log will show ‘Can't find MYSAPSSO2 ticket cookie for URI "" on host "". because they have  no domain name, which is seemed that they meant different  domain.
    3 you must deploy your asp file and sap portal like below ,So you can apply SSO correctly:
    you must access SAP Portal like : http://sap-server.domain.com:50000/irj/portal
    you must access your asp file like http://yourserver.domain.com:80/headerdumper.asp
    then add your asp file as  i-view to your SAP Portal which URL is like  above , you can get Http header variable correctly.
    I am not an native English speaker, I hope you can understand what I said.
    Appendix A The Content of verify.properties
    remote_user_alias=REMOTE_USER
    pse_file=C:\PortalFilter\verify.pse
    application=portal
    log_file=C:\PortalFilter\verfy.log
    log_level=3
    cache_size= 1000
    Appendix B The Code of headerdumper.asp

    I'd recommend to cross-post your inquiry to the Security
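
The cross-domain failures in the write-up above, and the earlier reply on this page that the logon ticket cookie is only sent within one DNS domain, both follow from browser cookie scoping. This added example (not code from any poster or from SAP) models the RFC 6265 rules for a MYSAPSSO2 cookie. The URLs and the `domainAttr` values are constructed, and public-suffix rejection is not modelled.

```javascript
// Added example: RFC 6265 cookie scoping applied to the MYSAPSSO2 logon ticket.
// All URLs below are constructed, modelled on the host names used in the posts.
const PORTAL_SHORT = "http://sap-server:50000/irj/portal";
const PORTAL_FQDN = "http://sap-server.domain.com:50000/irj/portal";

// Cookies are scoped by host name; scheme, port and path are dropped here.
function hostOf(url) {
  return new URL(url).hostname.toLowerCase();
}

function isIpAddress(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
}

// RFC 6265 section 5.1.3: identical, or host is a subdomain of the cookie domain.
function domainMatch(host, domain) {
  if (host === domain) return true;
  return !isIpAddress(host) && host.endsWith("." + domain);
}

// RFC 6265 section 5.3: how the browser stores a cookie set by the portal.
// domainAttr is the Domain attribute on the Set-Cookie header ("" if absent).
function storeTicket(issuerUrl, domainAttr) {
  const issuer = hostOf(issuerUrl);
  const domain = (domainAttr || "").toLowerCase().replace(/^\./, "");
  if (domain === "") {
    // No Domain attribute: host-only cookie, returned to the issuing host alone.
    return { name: "MYSAPSSO2", domain: issuer, hostOnly: true };
  }
  // A host may only set a cookie for a domain it belongs to.
  if (!domainMatch(issuer, domain)) return null;
  return { name: "MYSAPSSO2", domain: domain, hostOnly: false };
}

// Would the browser attach the stored ticket to a request for targetUrl?
function ticketIsSent(cookie, targetUrl) {
  if (cookie === null) return false;
  const target = hostOf(targetUrl);
  return cookie.hostOnly ? target === cookie.domain
                         : domainMatch(target, cookie.domain);
}

// Four deployments: short host names, FQDN without a ticket domain,
// FQDN with a shared ticket domain, and a target outside that domain.
function runScenarios() {
  const cases = [
    ["short host names", PORTAL_SHORT, "", "http://your-server:80/headerdumper.asp"],
    ["FQDN, host-only ticket", PORTAL_FQDN, "", "http://yourserver.domain.com:80/headerdumper.asp"],
    ["FQDN, ticket for domain.com", PORTAL_FQDN, "domain.com", "http://yourserver.domain.com:80/headerdumper.asp"],
    ["target in another domain", PORTAL_FQDN, "domain.com", "http://yourserver.other.example/headerdumper.asp"],
  ];
  return cases.map(([label, issuer, attr, target]) => ({
    label: label,
    sent: ticketIsSent(storeTicket(issuer, attr), target),
  }));
}

for (const r of runScenarios()) {
  console.log(r.label + ": ticket " + (r.sent ? "sent" : "not sent"));
}
```

Only the third case delivers the ticket: both hosts must be addressed by fully qualified names under the same domain, and the ticket must be issued for that domain rather than for the portal host alone.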

  • SSO All SAP solution with windows Active directory

    Dear Experts,
    We have multiple sap solution like
    SAP ERP EHP7
    SAP BW
    SAPBO
    SAP EES/MMS
    SAP Solution Manager
    And all solutions based on Operating system AIX and database is DB2
    We want to configure SSO ( using windows 2012 active directory users ) with all above systems and it's clients.
    Kindly guide me how to achieve SSO using Windows 2013 active directory users.
    DO we need LDAP between Active directory and all servers ?
    we need additional SAP license
    please guide me
    Regards

    Hello
    You can use SAP Single Sign-on 2.0 solution by SAP to integrate all your systems with SSO. The solution contains all what is required for configuring SSO in SAP ABAP and Java Systems. To know more, you may refer:
    1. SAP NetWeaver Single Sign-On 2.0 – SAP Help Portal Page
    2. Implementing SAP NetWeaver Single Sign-On 2.0 Based on Kerberos Tokens 1/4 - YouTube
    3. Implementing SAP NetWeaver Single Sign-On 2.0 Based on Kerberos Tokens 2/4 - YouTube
    4. Implementing SAP NetWeaver Single Sign-On 2.0 Based on Kerberos Tokens 3/4 - YouTube
    5. Implementing SAP NetWeaver Single Sign-On 2.0 Based on Kerberos Tokens 4/4 - YouTube
    You will have to buy license for SAP Single Sign-on 2.0.
    Regards,
    Tapan

  • How I can configure 2 EP 7.0 server for SSO with ECC 6.0?

    Hi,
    How I can configure 2 EP 7.0 server for SSO by using SAP Logon ticket with same ECC 6.0 back end?
    Development EP 7.0 SP14 is already configured with ECC 6.0 back end, now I want to configure my local EP 7.0 SP9 (Sneak Preview) server with same ECC 6.0 Development.
    How can I achieve this?
    I really appreciate if some one guide me.
    Thanks.
    Ashish.

    Hi,
    You have to follow the SSO steps.
    1. Create RFC Destination in SM59
    2. Create RFC Destination in Visual admin
    3. Export verify.der certificate from portal
    4. Import verify.der certificate to R/3
    5. Create system alias
    6. Export R/3 certificate from R/3
    7. Import R/3 certificate to portal
    8. Maintain the SSO parameters in RZ10
    Please check the below link also.
    http://help.sap.com/erp2005_ehp_03/helpdata/EN/4d/dd9b9ce80311d5995500508b6b8b11/frameset.htm
    Regards,
    Bala.
