CWMS 2.0 SSO using Shibboleth

Has anyone using CWMS 2.0 successfully configured SSO with open source Shibboleth? If so, can you give some insight on the configs? We have it to the point that our CWMS is not accepting the SAML assertions being sent to it from our IdP.
SAML Assertion that is getting rejected from our CWMS Server
https://docs.google.com/document/d/1YGEge6lTm0l9sM1dYwCux5vl9MwT3AcQa6Txodu9pQA/edit?usp=sharing

Hi,
CWMS 2.0 hasn't been officially tested with Shibboleth. The following is a list of SAML 2.0 IdPs that have been validated to work with Cisco WebEx Meetings Server:
- Microsoft ADFS 2.0 (a free add-on to Microsoft Windows Server 2008/Windows Server 2008 R2 or AD FS server role in Windows Server 2012)
- Ping Identity Ping Federate 6.6.0.17
- Forgerock Open AM 10.0.0
- CA SiteMinder 6.0 SP5
Dejan

Similar Messages

  • Implementing SSO using Microsoft IIS with OBIEE 10.1.3.3.2

    We are running OBIEE 10.1.3.3.2 on Windows 2003 server and want to implement Single-Sign-On (SSO) using Microsoft IIS. We set up the SSO according to chapter #8 of the deployment guide but it doesn't work: when opening the web login pages of the OBI application it still asks the user for authentication.
    Also, according to the installation guide the SSO feature is deployed when choosing "Advanced installation type" during the installation. This advanced installation type requires the Oracle Application server. We have not installed Oracle Application server in our environment, and we chose "Basic" installation.
    Is the SSO functionality available without Oracle Application server? What are the steps to setup SSO in our environment?

    Hi,
    I'm experiencing the same issue with IIS. Did you find any resolution in the meanwhile?
    Please let me know...
    Thanks a lot,
    GL

  • SSO using Windows Active Directory but without EP or Java stack

    Good morning and thank you in advance for your help.
    The question is:
    our environment includes windows domain with Active Directory, ECC 6.0 ABAP (DEV, QAS, PROD), BW 7.0 (DEV, QAS, PROD) only ABAP stack.
    I would like to know if we can enable SSO using only this configuration without introducing EP or Java stack.
    Best regards
    Max

    Hi Willi,
    It won't be that easy to understand each other... as my English is not that good either
    Most of the points introduced in the SAP help link are automatically performed by sapinst.
    Almost all my customers running on MS are not using an AV, and neither get into troubles...
    but no user ever connects on the SAP server, only admin, for maintenance purpose or SAP admin when needed...
    Internet explorer should not be used on a server, MS itself says it should be uninstalled...
    Best regards
    SAP on SQL General Update for Customers & Partners April 2014
    10. Do Not Install SAPGUI on SAP Servers
    Windows Servers have the ability to run many desktop PC applications such as SAPGUI and Internet Explorer however it is strongly recommended not to install this software on SAP servers, particularly production servers.
    To improve reliability of an operating system it is recommended to install as few software packages as possible.  This will not only improve reliability and performance, but will also make debugging any issues considerably simpler
    “A server is a server, a PC is a PC”.  Customers are encouraged to restrict access to production servers by implementing Server Hardening Procedure. 
    SAP Servers should not be used as administration consoles and there should be no need to directly connect to a server. Almost all administration can be done remotely
    SAP on SQL General Update for Customers & Partners September 2013
    Internet Explorer (and any other non-essential software) should always be removed from every SAP DB or Application server. 
    The following command line removes IE from Windows 2008 R2, Windows 2012 and Windows 2012 R2:
    Open command prompt as an Administrator ->  dism /online /Disable-Feature /FeatureName:Internet-Explorer-Optional-amd64

  • Problem with Open document SSO using websphere.

    Hi All,
    I have an issue,
    We configured AD SSO using WebSphere and it's working fine, but when we try to log in to the open document SSO using WebSphere it prompts for login credentials.
    Are there any steps needed to configure open document SSO using WebSphere?
    We made all the changes in web.xml file for the Open Document, same as in Infoview web.xml file.
    When we launch the Open Document, it prompts for the login screen, we get username and passwd fields, we do not get the authentication drop down. If we give the AD credentials, we get "Enterprise Authentication error". We feel the default authentication mode is taken as "Enterprise".
    We have made changes in the web.xml for open document to have authentication.default as "secWinAD"; also, for test purposes we made authentication.visible "true", but the changes were not taken. We have redeployed the war files.
    Anyone, please help on this.
    Environment Details-
    BOBJ XI R3.1 SP2
    Web Sphere 6.1.0.25  .
    Thank you in advance.
    Thanks & Regards,
    Bill.

    The same settings in the infoviewapp web.xml must be applied on the opendocument web.xml. Also you must be on XI 3.1 FP1 or higher. There is currently an Edge issue being investigated.
    Regards,
    Tim

  • Problem about SSO using logon ticket  with user mapping

    Hi everyone ,
    I had done SSO with Portal , BW and R/3 system.
    I use logon ticket with user mapping .
    When user name is same in Portal as in R/3 system, or user name is same in Portal as in BW , user can access R/3 transactions and BW report without logon.
    There are some Portal user names which are different from the R/3 user and BW user. And I did the user mapping for these users.
    But some user mappings work fine, but most of them don't work, meaning that most of them need to enter the mapped user ID and password.
    What's the reason?
    When SSO using logon ticket with user mapping, the Portal user which is different with R/3 user and BW user,  can they access R/3 transaction iview and BW report iview without logon?

    Hi Chen,
    What you have done is correct. But the problem lies here.
    Since you are using the same system object for accessing the iview, where the ticket method is set to SAPLOGONTICKET in the user Management property of the system object.
    To avoid this create another system object like the previous one but set the logon method to UIDPW and select admin, user from the drop down box. Also create a system alias for this system.
    Now create another iview like the previous one but link this iview to the new system. Now do the user mapping for the users which are different in portal compared with R/3. Now you should be able to login without any problems.
    Another important point is login to portal with Fully qualified domain name. In the ITS property of the system object also give the FQDN.
    Hope this helps
    Regards
    Arun

  • Problem in configuring SSO using SAML for applications hosted on diff m/c

    Hi Techies,
    I am stuck in a weird problem for the past month or so without any resolution. Not much help by googling. So I hope I get the answer from the mouth of the horses -
    I am trying to use SSO using the sample application appA and appB as stated in the tutorial of SSO by BEA.
    I am summarizing the problem below -
    Steps followed for Configuring SSO using SAML
    1. Created 2 domains on 2 separate machines namely domainA and domainB
    2. Source application is deployed on domainA and the target application is deployed on domainB
    The steps mentioned in the following tutorial has been followed-
    http://dev2dev.bea.com/pub/a/2006/12/sso-with-saml.html
    3. As mentioned in the tutorial the certificate is generated using keytool utility. The same certificate is copied
    to WEBLOGIC_HOME/server/lib of destination machine.
    4. The certificate was successfully registered on destination or host 2 but while activating the configuration
    changes (SSL Client Identity Alias and SSL Client Identity Pass Phrase) for Federation services the following error
    is thrown -
    " SAMLBeanUpdateListener: SAMLKeyManager.prepareUpdate() failed with exception:
    weblogic.descriptor.BeanUpdateRejectedException: SAML key Manage failed to validate key (SSL Client) configuration
    in the FederationServicesMBean, key alias: testalias "
    The interesting bit of the problem is that the same configuration works on 2 domains created on same machine. The
    problem only occurs when domains are created on separate machines.
    Alternative to the problem: when the certificate is generated separately for domainB and copied to
    WEBLOGIC_HOME/server/lib, it works. However, the certificate generated in domainA should have been copied.
    Note: I am using Weblogic portal 9.2.1
    Any quick replies will be much appreciated. Thanks.
    Edited by saurabh.agrawal at 02/06/2008 2:01 PM

    Hi François,
    You are right about the use of the NameID format. But the issue here is/was that OIF at SP is integrated with OAM, and the authenticated user at OIF-SP and OAM will be the Anonymous user rather than the user who was identified at the IdP even though the remaining attributes sent are for the IdP user. I think these attributes can be used with OAM for authorization using custom authorization plug-ins but haven't tried that one out.
    As for the attribute sharing profile, it's this one - http://www.oasis-open.org/committees/download.php/18058/sstc-saml-x509-authn-attrib-profile-cd-02.pdf, although for the life of me, I cannot remember why I suggested this in the first place!
    -Vinod

  • SSO using spnego set up but not working for an Enterprise Web Service

    Hello, I am looking for some guidance. I have a function module that is exposed as a web service. I am trying to be able to access the web service with sso so the user does not need to logon. Systems has set up SSO using spnego to issue sap login tickets on our dual stack and sso is working if I try to access a netweaver link such as http://mycompany:8001/nwa but it is not working when I try to access my service
    http://mycompany.com:8001/sap/bc/srt/rfc/sap/myservice/500/myservice/myservice. I am wondering why this would not work and if it is possible to use sso with enterprise services?
    Thanks for any help...we have been stuck for a while now.
    Edited by: Katie Doody on Jul 13, 2011 3:48 PM

    Hi, I have created the redirect app with a jsp page in it. So, would you be suggesting that I add another call within there? In the error pages section of my web service in sicf I have the redirect going to my redirect jsp which is then sent to my web service.
    http://myserver:50100/redirectApp/redirect.jsp?to=http://myserver:8001/sap/bc/srt/rfc/sap/zsd_hr_cats_insert/500/zsd_hr_cats_insert/zsd_hr_cats_insert
    Here is part of the log from SMICM. It looks like I am making a connection but I am not sure what to look for to determine if the ticket is being sent and received.
    Thank you,
       Katie
    Edited by: Katie Doody on Jul 22, 2011 3:25 PM

  • SSO using SAML2 in WebLogic Server 10.3 not working

    Dear all,
    I have tried all possible configuration to configure SSO but with no hope :(
    My requirement is to configure SSO using SAML2, weblogic 10.3 and 1 domain.
    I followed the following links in my configuration:
    1- http://biemond.blogspot.com/2009/09/sso-with-weblogic-1031-and-saml2.html
    2- http://blogbypuneeth.wordpress.com/2011/01/15/steps-to-configure-saml-2-on-weblogic-server-10-3-0/
    Please, if anyone can send me any other tutorial or working sample application, as maybe I am configuring the web/weblogic xmls in a wrong way
    Appreciate any help

    Hi,
    This is how my web.xml looks like :
         <display-name>SAML Destination Site Application</display-name>
         <welcome-file-list>
              <welcome-file>index.jsp</welcome-file>
         </welcome-file-list>
         <security-constraint>
              <web-resource-collection>
                   <web-resource-name>SecurePages</web-resource-name>
                   <description>These pages are only accessible by authorized users.</description>
                   <url-pattern>samldest01App/restricted01/*</url-pattern>
                   <http-method>GET</http-method>
              </web-resource-collection>
              <auth-constraint>
                   <description>These are the roles who have access.</description>
                   <role-name>SamlUser</role-name>
              </auth-constraint>
              <user-data-constraint>
                   <description>This is how the user data must be transmitted.</description>
                   <transport-guarantee>NONE</transport-guarantee>
              </user-data-constraint>
         </security-constraint>
         <login-config>
              <auth-method>BASIC</auth-method>
              <realm-name>myrealm</realm-name>
         </login-config>
         <security-role>
              <description>These are the roles who have access.</description>
              <role-name>SamlUser</role-name>
         </security-role>
    </web-app>
    weblogic.xml :
    <?xml version='1.0' encoding='UTF-8'?>
    <weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
         <security-role-assignment>
              <role-name>SamlUser</role-name>
              <principal-name>SAML_SSO_GRP</principal-name>          
         </security-role-assignment>
         <context-root>/samldest01App</context-root>
    </weblogic-web-app>

  • SWs needed to implement SSO using AM

    Hi,
    I want to know what all SWs are needed to implement SSO using sun AM.
    I tried implementing SSO using AM along with Policy Agent. But somewhere I am missing something.
    Does anyone know of any simple doc which explains the steps in clearly with confusion?
    Thanks
    Rahul A Honrao

    Try these links, good start ups:
    http://www.sun.com/software/products/access_mgr/index.jsp
    http://developers.sun.com/identity/reference/techart/install.html
    http://docs.sun.com/app/docs/prod/sjs.policy.agt22~1322.1#hic

  • How to Protect mod_plsql DAD with SSO using SSL

    Hi,
    I am not able to set up any DAD with SSO using SSL. I have processed all issues depending on the Note:273379.1 "How to Protect mod_plsql DAD with SSO".
    When I am not using ssl, my DAD with SSO will work properly.
    But when I am using ssl, my DAD (http://host_name/pls/testsso) will redirect any page to SSO login through http (not through https).
    Any ideas?
    AS 10.1.2.0.2

    Did you run ossoreg.jar to update your osso.conf with the SSL entry for SSO ?

  • Need to know about SSO using LDAP

    Hi Everyone,
    Thank you very much to help me to come out from my all problems i faced in the past.. I really appreciate your efforts and valuable time you have given to me. and I'm sure that You all will always help all newbies and help seekers like me in future too.. Thanks for your kind efforts..
    I am very new to ADF securities. I was thinking to build an Enterprise application with multiple small sub applications using ADF in JDev... No big deal, but my problem is I want to use SSO for user authentication using LDAP.. But I really have no idea where to start and how to start.. Which software do I need to download?
    For my all past problem there must be a sample example for help i found.. and learned a lot from that.. and also i tried a lot to find a little example for this as i required.. but I failed to find any example for SSO using LDAP(Like Oracle SSO)...
    So i need your guidance to get my solution...and i hope that as usual i'll get the right solution..
    Thanks
    Fizzz...

    Fizzz,
    Oracle SSO is part of Oracle Identity Management. You can find the download link here: http://www.oracle.com/technology/software/products/ias/htdocs/101310.html. It's "bigger than a breadbox," however - installing enough bits to get to Oracle SSO will ensue creating a new repository (aka database) together with a middle-tier app server instance for the SSO server. I'm not sure if there are any OBE's (Oracle by Example), but I do know there is an identity management forum.
    Best,
    John

  • Detailed steps  to make SSO using OAM 11g

    Can anyone provide me detailed steps to configure SSO using OAM 11g.
    thanks

    Hi,
    Install webgates in OHS
    First you deploy the web application in web/application server
    1. Create user Identity Store
    2. Create authentication scheme.....and use the identity store created above
    3. Create Authentication module
    4. Create Application Domain
    5. In application Domain create Authentication and authorization policies
    6. Add the resource which you want to protect in Authentication & Authorization Policies
    7. Testing
    Regards
    Kumar
    Edited by: Kumar.kummathi on Sep 17, 2012 11:55 AM

  • SSO Using SAP GUI Logon

    Here's my question gurus...
    Is there a way to enable SSO so that, after a user authenticates themselves within the portal, go back to the standard Windows SAP GUI Logon(pad) select the system enter the desired client and logon with having to provide a username and password? The credentials would be passed from the portal to the connected backend system.
    We currently have a slew of systems and their corresponding clients; it would be awesome to sync all systems with the portal and only have to administer passwords from and for the portal. Consequently the portal would handle the rest. The folks here have not fully embraced using the html version of the gui, hence the reason for this posting.

    Hi Mike,
       If I understood your requirement, you want to use SAP functionality from the portal.
      You can do that by creating a SAP System from your portal, and you can call any Transactions from the portal itself by using that System.
      How to create a System and User mapping for that System you can find in the below link. It may be helpful to you. Ping me back if you have any doubts.
    http://help.sap.com/saphelp_nw04/helpdata/en/3d/b5f9c2ea65c242957ee504ca4a37a9/frameset.htm
    Transaction Iview with integrated ITS.
    Please correct me if I am wrong.
    Regards,
    Sridhar

  • SSO using Kerberos with SAP Logon Tickets

    Hi,
    I am creating a Repository Manager for the Portal Knowledge Management System and I want to use SSO to a backend IIS application and I have a few questions here. 
    I have a three tiered architecture. 
    A.  The presentation tier (SAP Portal which has my Repository Manager implementation)
    B.  ASP.NET web service data layer.
    C.  Backend document management system which runs on IIS. 
    I have installed the ISAPI filter on my ASP.NET application server and have enabled this HOST account for delegation in MSAD 2003.   Server B will use Kerberos constrained delegation to access Server C, which is an IIS backend server. 
    My question is how do I pass an SAP Logon Ticket to an ASP.NET web service request from my Repository Manager implementation?  Basically how do I just make an HTTP request to an ASP.NET application from some portal iView or WebDynPro code and pass along the SAP Logon Ticket in the request so it can be interpreted by the ISAPI filter on the IIS server.  Does anyone have any sample code or an application here that does this?
    Thanks,
    Scott

    Hi Scott
    Did you manage to find out anything regarding how to pass SAP Logon ticket to ASP.NET Webservice? Can you share it with me?
    regards
    ram

  • Open document SSO using trusted authentication.

    Hi ,
    I have an issue,
    We configured trusted authentication with SSO and it is working fine.
    Now we want to configure open document SSO for trusted authentication.
    We are using the Remote_user method for trusted authentication.
    Anyone, please help me on this.
    Thanks for your help in advance.
    Thanks & Regards,
    Collin.

    The same settings in the infoviewapp web.xml must be applied on the opendocument web.xml. Also you must be on XI 3.1 FP1 or higher. There is currently an Edge issue being investigated.
    Regards,
    Tim
