Opendocument SAP SSO in BO 4.0

Hi all !
/people/ingo.hilgefort/blog/2010/03/29/sap-businessobjects-enterprise-sap-enterprise-portal--part-1-of-4
Parameter name                    Configuration Value
opendoc.authentication.default    secSAPR3
opendoc.siteminder.enabled        False
opendoc.sso.enabled               True
What must I edit in BO 4.0 to use OpenDocument SSO from SAP Portal?
We have SAP BW and SAP Portal (SSO) and I want to use Webi reports with SSO OpenDocument.
We have users from SAP BW in BO 4.0.
My OpenDocument file:
app.name=BusinessObjects OpenDocument
app.name.short=OpenDocument
# You can specify the default Authentication types here.  secEnterprise, secLDAP, secWinAD, secSAPR3
authentication.default=secSAPR3
# Choose whether to let the user change the authentication type.  If it isn't shown the default authentication type from above will be used
authentication.visible=false
# You can specify the default CMS machine name here
cms.default=BO40:6400
# Choose whether to let the user change the CMS name.  If it isn't shown the default System from above will be used
cms.visible=false
# Set to false to disable logon with token.
logontoken.enabled=true
# Allow or disallow logoff on web session expiry for external logon.
# Has no effect if the global logoff.on.websession.expiry value is false
extlogon.allow.logoff=true

Wikipedia has a good article on SAML and how it works: Security Assertion Markup Language - Wikipedia, the free encyclopedia
For it to work in BO, you would need an identity provider and a service provider, and the ability to pass in one of the parameters mentioned in the Admin Guide  (such as REMOTE_USER). The identity provider and service provider would be specified by your organization (we use Shibboleth for example). You may also need to install Apache if your SP does not talk directly to Tomcat (and in which case you can skip the web.xml configuration on p221), though there is other configuration needed for that scenario.
I don't know the answer to your Windows AD question, but it appears there is an AD/SAML service available: Active Directory Federation Services
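
Added example, not part of the original thread and not SAP code: a small Python check that parses the properties file posted in the question and compares it with the XI 3.1 parameter table quoted there. It assumes the BO 4.0 key is the XI 3.1 name without the `opendoc.` prefix, which the page shows only for `authentication.default`; the other two key names are assumptions to verify against the installation's own properties file.

```python
"""Diff an OpenDocument properties file against the XI 3.1 SSO parameter table."""
import re

# XI 3.1 parameter table quoted in the question.
XI31_TABLE = {
    "opendoc.authentication.default": "secSAPR3",
    "opendoc.siteminder.enabled": "False",
    "opendoc.sso.enabled": "True",
}

# Properties file as posted in the question (comments shortened).
POSTED_FILE = """\
app.name=BusinessObjects OpenDocument
app.name.short=OpenDocument
# default authentication type
authentication.default=secSAPR3
authentication.visible=false
# default CMS machine name
cms.default=BO40:6400
cms.visible=false
# Set to false to disable logon with token.
logontoken.enabled=true
extlogon.allow.logoff=true
"""


def parse_properties(text):
    """Parse Java-style key/value lines; '#' and '!' start a comment line."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        # The first '=', ':' or whitespace run separates key from value,
        # so a value such as BO40:6400 keeps its colon.
        parts = re.split(r"\s*[=:]\s*|\s+", line, maxsplit=1)
        props[parts[0]] = parts[1] if len(parts) > 1 else ""
    return props


def compare(table, props, prefix="opendoc."):
    """Report, per table row, whether the file has the key and the same value.

    Assumption (hypothetical mapping): the 4.0 key is the 3.1 name minus `prefix`.
    """
    report = {}
    for name, wanted in table.items():
        key = name[len(prefix):] if name.startswith(prefix) else name
        actual = props.get(key)
        if actual is None:
            report[key] = "missing"
        elif actual.lower() == wanted.lower():
            report[key] = "ok"
        else:
            report[key] = f"differs: {actual!r} != {wanted!r}"
    return report


if __name__ == "__main__":
    for key, state in compare(XI31_TABLE, parse_properties(POSTED_FILE)).items():
        print(f"{key:28} {state}")
```

On the posted file only `authentication.default` lines up with the table; no line in it corresponds to the table's SSO or SiteMinder rows.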

Similar Messages

  • Generate CSR in SAP SSO 2.0

    Hi,
    We are working on a POC for SAP SSO 2.0
    I need to know whether the Secure Login Server can generate a Certificate Signing Request (.CSR).
    I am aware of its capability to sign certificates.
    I am looking at options for SAP SSO 2.0 to generate Certificate Signing Requests (.CSRs).
    Please note: I am aware that the Secure Login Client is capable of connecting to the Secure Login Server and generating an X.509 Certificate.
    I am looking at options where I am not going to install the Client.
    Consider it somewhat similar to SAP Passports used at https://service.sap.com
    Regards,
    Ashish .A. Poojary

    Hi Stephan,
    We are basically looking at authenticating on SAP Systems (AS Java and AS ABAP ) using X.509 Certificates.
    Our first target is to achieve X.509 Authentication on SAP AS Java Systems. (NetWeaver 7.31 SPS09)
    We were able to achieve this target.
    The next step was to decide a process for generation of X.509 Certificates for Users.
    That's when we came across SAP SSO 2.0
    With Installing Secure Login Client 2.0 SP03 Patch 1 , the client was able to provide the X.509 Certificate ( Short Lived Certificate)
    But as I said , I do not want to bring in the dependency of Client Installations.
    I was hoping if there could be any API / Interface which would help the User themselves to Create the X.509 Certificate just like the one in the Image I have posted below.
    Something which SAP Service Marketplace has in place today for generating SAP Passports (X.509 Cert)
    The image relates to a similar interface , but with Microsoft Active Directory
    Let me check the Web Client. Shall let you know after testing it tonight.
    Thanks and Regards,
    Ashish .A. Poojary

  • List of systems that can / cannot be configured to accept SAP SSO

    Hi All,
    this may sound like a strange request, but I'm in search of a list that shows examples of common systems that cannot(!) be configured to use SAP SSO tickets.
    The reason is that we are evaluating various SSO infrastructures for a client. IBM WebSeal is already in use there but connecting new systems is expensive. We are trying to avoid problems that may arise in the future should we decide for SAP-SSO only.
    Thanks a lot,
    Jens

    Hi Jens,
    as far as I know there is no such list. However, I will share a thought or two on the topic. Basically, the SAP Logon Ticket is an HTTP cookie. The backend system has to be able to receive and understand the ticket issued by the portal. By default most SAP systems are able to receive and accept SAP Logon Tickets. No surprise here. Most non-SAP systems do not process the SAP Logon Ticket by default. But there are ways to "upgrade" non-SAP systems to receive and accept the SAP Logon Ticket (see SAP Library section Single Sign-On to Non-SAP Systems and Applications, http://help.sap.com/saphelp_nw70/helpdata/en/12/9f244183bb8639e10000000a1550b0/frameset.htm). In most cases you need to modify the native authentication process. You surely won't be able to do this for every single application.
    Also keep in mind that the SAP Logon Ticket requires that the user ids of the issuing system are the same as in the receiving system. Or at least the user must have the same user id in all receiving systems.
    Best regards,
    Martin

  • BO XI 3.1 OpenDocument direct SSO with secWinAD in web.config

    Hi, fellows,
    The need has emerged to provide users with direct links to InfoView documents using the OpenDocument URL syntax and perform primary authentication of request automatically without showing the InfoView welcome screen. We have BO XI 3.1 ASP.NET application installed on Windows 2008 Server's IIS 7 with Kerberos already configured.
    Usually, the OpenDocument links work nicely but only after the user has visited the /InfoViewApp page. The OpenDocument virtual directory by default has only the anonymous authentication enabled.
    I've skimmed and searched for the keywords included in the topic subject in Google, help.sap.com and specifically in the BO Enterprise Admin Guide and the paper by Miles Escow on configuring XI 3.1 InfoView with Active Directory using Kerberos.
    Unfortunately, the sources I've already encountered do not provide sufficient details on configuring the OpenDocument section of the Web application.
    To solve the problem I disabled anonymous access to OpenDocument directory and enabled ASP.NET impersonation and Windows authentication (this would force IIS to attempt authenticating the user originating the request before serving the page) and mirrored the authentication.default and cookie-related settings ("opendoc.authentication.default" value="secWinAD") to the OpenDocument/web.config from InfoViewApp/web.config and turned the "opendoc.sso.enabled" to "true" (this is crucial, otherwise you will still receive the logon screen for primary authentication in BO although already authenticated by IIS).
    Hope this helps others.

    Hi Aleley
    To solve the problem I disabled anonymous access to OpenDocument directory and enabled ASP.NET impersonation and Windows authentication (this would force IIS to attempt authenticating the user originating the request before serving the page) and mirrored the authentication.default and cookie-related settings ("opendoc.authentication.default" value="secWinAD") to the OpenDocument/web.config from InfoViewApp/web.config and turned the "opendoc.sso.enabled" to "true" (this is crucial, otherwise you will still receive the logon screen for primary authentication in BO although already authenticated by IIS)
    Can you pls tell how I can achieve this in Tomcat environment?
    Thanks

  • Need help on SAP SSO with SAML & SSO2

    Dear expert,
    We met an SSO issue on launchpad.
    Here is our scenario and SSO structure. We use fiori launchpad to display all SAP apps.
    1. When a user visits the launchpad URL, the URL will redirect the user to the identity provider (IDP) for SAML authentication.
    2. Then the IDP authenticates with a SAML2.0 token back to the gateway.
    3. The gateway accepts the SAML2.0 token and issues an SSO2 logon ticket.
    4. Use the logon ticket to the backend ABAP ERP system for transaction apps.
    5. Use the logon ticket to the HANA system for factsheet.
    Now the first step above is OK as the SAML token can be authenticated back to the gateway. But after that, the basic form authentication pops up for user credentials on both the backend system and HANA, which it should not. We found out that the launchpad was stuck with the error message "/sap/es/ina/GetServerInfo HTTP/1.1 401 Unauthorized" at the ERP backend service "GetServerInfo". By checking the cookies, we found out that after the SAML token was accepted by the gateway, the gateway did not issue any MYSAPSSO2 ticket.
    However, when we disabled SAML and used form authentication for the launchpad, the SSO2 logon ticket works perfectly among GW, ERP and HANA. So, there should be no configuration issue regarding the SSO2 logon ticket in SAP GUI.
    here is the system information:
    GW: NW740 SP5
    ERP: ECC6 on NW740 SP5
    HANA: v70
    Please kindly help us out on this issue. Please ask if other information is needed. thanks.
    Best regards,
    Xian' an

    This discussion thread belongs to the SAP Gateway space. For generic SSO related queries where portal is not involved the correct space is SAP NetWeaver Application Server. This space is for NetWeaver Single Sign-On (NWSSO, the separately purchasable product) topics only.
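
The check described in the question above (reading the cookies to see whether the gateway issued a MYSAPSSO2 ticket before the 401), as an added Python example that is not part of the original thread. Host names, cookie values, the non-ticket cookie names and every path except `/sap/es/ina/GetServerInfo` are constructed for illustration.

```python
"""Trace where an SAP logon ticket cookie is (or is not) issued in a request chain."""

TICKET = "MYSAPSSO2"  # ticket cookie name quoted in the thread

# Constructed traces: (host, path, HTTP status, [Set-Cookie header values]).
SAML_FLOW = [
    ("gw.corp.example", "/launchpad", 302, []),
    ("idp.corp.example", "/sso", 200, ["IDPSESSION=constructed; Path=/; Secure"]),
    ("gw.corp.example", "/acs", 302, ["GWSESSION=constructed; Path=/; Secure; HttpOnly"]),
    ("erp.corp.example", "/sap/es/ina/GetServerInfo", 401, []),
]
FORM_FLOW = [
    ("gw.corp.example", "/launchpad", 200,
     ["MYSAPSSO2=constructed-ticket; Path=/; Domain=.corp.example; Secure; HttpOnly"]),
    ("erp.corp.example", "/sap/es/ina/GetServerInfo", 200, []),
]


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, value, lower-cased attributes)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True  # flags carry no value
    return name.strip(), cookie_value, attrs


def domain_covers(cookie_domain, issuing_host, target_host):
    """Would a browser send the cookie to target_host?"""
    if not isinstance(cookie_domain, str):
        return target_host.lower() == issuing_host.lower()  # host-only cookie
    domain = cookie_domain.lstrip(".").lower()
    target = target_host.lower()
    return target == domain or target.endswith("." + domain)


def diagnose(flow):
    """Return findings explaining a 401 in terms of the ticket cookie."""
    findings = []
    ticket = None  # (issuing host, attributes) of the last ticket seen
    for host, path, status, cookies in flow:
        for raw in cookies:
            name, _, attrs = parse_set_cookie(raw)
            if name == TICKET:
                ticket = (host, attrs)
                for flag in ("secure", "httponly"):
                    if flag not in attrs:
                        findings.append(f"{host}: {TICKET} set without {flag}")
        if status == 401:
            if ticket is None:
                findings.append(f"{host}{path}: 401 and no {TICKET} issued by an earlier hop")
            elif not domain_covers(ticket[1].get("domain"), ticket[0], host):
                findings.append(
                    f"{host}{path}: 401; {TICKET} from {ticket[0]} is not sent to this host")
    return findings


if __name__ == "__main__":
    for label, flow in (("SAML", SAML_FLOW), ("form", FORM_FLOW)):
        print(label, diagnose(flow) or "ticket issued and in scope")
```

The same function also separates a second failure mode with the same symptom: a ticket that is issued but scoped to the gateway host only, so the browser never presents it to the backend.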

  • SAP SSO between Microsoft AD and SAP R/3 GUI&WebGui

    Hello Everybody,
    We are looking into implementing SSO between Microsoft AD and our SAP CRM ABAP 7.0.
    We have users both logging in through SAP GUI and also the web GUI.
    Found there are multiple options for achieving SSO:
    1) SNC
    2) X.509 certificate
    3) Kerberos
    I would like to go with X.509 certificate, and have already implemented the SAPCRYPTOLIB 5.5.5. Now I am trying to download the "SAP NW Single Sign on 2.0" for installing the Secure Login Library SSL. And when I looked at PAM the required product versions are only:
    1. SAP EHP1 for SAP NW 7.3
    2. SAP NW 7.3
    3. SAP NW 7.4
    4. SAP NW CE 7.2
    So I went back and looked at PAM for SAP NW SINGLE SIGN ON 1.0 required product versions and I only see the below:
    1. SAP EHP1 FOR SAP NETWEAVER 7.3
    2. SAP NETWEAVER 7.3
    3. SAP NETWEAVER CE 7.2
    Our version of SAP is CRM ABAP 7.0, so I am not sure how/which version of Single Sign on I have to use.
    Can someone please advise.
    Thanks!

    Thank you Donka for the information!
    Looks like NW SSO 2.0 is supported for AIX 7.1 SAP ABAP CRM 7.0.
    But we also have users logging in to ABAP CRM 7.0 via HTTP Web dispatcher.
    And the PAM does not mention if NWSSO 2.0 is supported for X.509 method for web gui users logging in via HTTP.
    Also if we decide to go with SSO 2.0 and I manually Install the COMMONCRYPTOLIB 8 instead of the SAPCRYPTOLIB 5.5.5, I should be able to use the Secure Login Library files that come with the SSO 2.0 right?
    Here's our current Kernel version:
    kernel make variant           720_REL, 64 BIT AIX, UNICODE , Patch number 500
    Thanks!

  • SAP SSO using CUA for Transport Express implementation

    I am implementing Transport Express application as part of a larger project on a Dual Track environment. The business wants TE to be integrated into the SSO landscape. This is where I am having difficulties. I need advice from anyone having implemented BTI's Transport Express into SAP requiring SSO with CUA as part of the business landscape. Our Domain Controller is Solution Manager. The TE settings in SolMan allow for a Web UI email notification; this contains a hyperlink to a user Dashboard. The expectation with SSO is that clicking on the hyperlink will automatically connect us to the Web UI Dashboard. Currently this does not work. Any suggestions?
    I have also been given three options to consider: 1. Our Portal manages ABAP and Java SSO, 2. SPNego is for ABAP systems, 3. A system to system config might work.

    Hi,
    Now SPNego is working on ABAP stack as well as Java stack.
    If you want to use this solution, the following videos may help.
    Single Sign-On with Kerberos
    Best regards,
    Shuai

  • The SAP SSO authentication will fail because the current user doesn't...

    Hi Experts!
    I am facing an issue and I have tried to do all the tips on answers of topics under same subject.
    Once I enter on my report and refresh, it prompts me a message that I don't have access on one or more data providers, asking me if I want to proceed (ID: WIS_30286), then I click yes and run the refresh and it prompts me another message: The SAP SSP authentication will fail because the current user doesn't have an alias that matches system BIDCLNT100..
    I checked the connection and tested, but the server not answers (SBO0001), on details I see the same message above.
    This on PRD, because on DEV it works fine.
    Thanks in advance!

    Hi,
    for the first part where you don't access I would suggest you do an authorization trace to ensure that the user has all the necessary authorizations.
    and on the second part - yes the user needs to have credentials for the system that you trying to access
    Ingo

  • Language selection with SAP SSO

    Today I was asked by a user how will they select the system language with single sign on. Currently as people authenticate to the system, the system is in English by default.
    Is there a way to allow users to select the system language they want to use with Single sign on ? How ?
    Thanks and regards, Fabio

    Hello Fabio,
    From the NWSSO perspective, customers can configure their Secure Login Client to log in in other languages too by setting the Windows registry:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\common]
    The STRING Locale will set then the language. Possible values are:
    en_US (English)
    de_DE (German)
    fr_FR (French)
    it_IT (Italian)
    ja_JP (Japanese)
    pt_BR (Portuguese)
    ru_RU (Russian)
    zh_CN (Chinese)
    -> This is described in section 4.3 From the Secure Login Client (NWSSO1.0 release) or section 5.1.1.1 from Master Guide (NWSSO2.0 release).
    I hope this clarifies.
    Best Regards,
    Guilherme de Oliveira.

  • Configure sso to non sap

    dear all,
    I would like to implement SSO from EP to another web application (non-SAP).
    The legacy system is using "PHP and Web Server APACHE".
    Is there anyone who can help me with how to configure the SSO and how to create an iView for my legacy system (using URL iView or application integrator)?
    thanks for your help
    echo

    Hi Echo,
    Single Sign On to non-SAP applications normally can't be done by configuration.
    How SSO can be done depends on your application.
    Maybe these few hints may help you:
    You need the same usernames in portal and in your external application
    You may integrate your app using an application integration iView
    If your external application can be run in some kind of 'trusted' mode (this means, no password, just the username is required to log on as long as the request comes from certain IP addresses / your portal server) you can just pass the userid using the app integrator iView mechanism
    SAP provides a library (currently written in C, but there is at least a java wrapper available) to decode the SAP SSO Ticket
    You may extend your external applications logon mechanism to use the mentioned SSO ticket and do the login without password. Application Integrator is able to send the SSO ticket to your external app.
    In less words: you need to do some coding on your external application
    Hope this helps (or come back for more),
    Carsten

  • SSO for SAP and Non-SAP applications without Enterprise Portal

    Dear all,
    Is it possible to implement SSO for both SAP and non-SAP applications without involvement of EP at all?
    I have gone through this link.
    http://help.sap.com/saphelp_nw04s/helpdata/en/e5/4344b6d24a05408ca4faa94554e851/frameset.htm
    But I am still not able to get the precise answer on how to enable SSO for both SAP and non-SAP applications without EP.
    We have decided not to implement EP in first phase of SAP implementation. But we need to enable SSO for other SAP and Non-SAP applications.
    A detailed description on how to deal this kind of scenarios will be helpful.
    Thanks.

    A client of ours uses SAP Enterprise Portal, and is using the SAP SSO, which is implemented with tickets, and requires the use of SAPSECULIB.  My company provides an application for this client, and our application is hosted in our data center for the client, as a Software as a Service application, obviously across the internet.  Our client, which owns a SAP license, has asked that we support the SAP SSO as a non-SAP SSO application.  The client user's SSO ticket will be created from SAP EP, and then passed across the internet to our application, and we are to use that SSO ticket as an authentication ticket to our application.  I believe I know how to do this work technically, having reviewed the SAP document named: "Dynamic Library for Verifying SSO Tickets in Third-Party Software"   Specification   Version 2.00  December 2005.
    My question is, does my company have the right to use the SAPSECULIB?  Where is the official download and license download, that indicates we can download this library, and use it to support a SAP customer?  We do not own a SAP license.  Thank you for your help.  I have searched many places in SAP support.

  • R/3 Secure Store and Forward, while using SAP portal for SSO

    Hello,
    We are using SAP Portal UME for authentication, then SAP SSO tickets to log into the SAP R/3 system.  Initially we decided that the end users would have a "disabled password" so that they must use the portal authentication mechanism to get into R/3 and therefore could not log in straight to R/3 system via SAP GUI.
    All was working fine until during integration testing when someone tried to use the electronic signature function on a QM t-code (QA11) that prompted for an e-sig.  Since local passwords have been disabled, the user could not execute the e-sig. 
    We do not want to activate local R/3 passwords for the users.  Can anyone give some advice or a best practice regarding how to set up electronic sigs in R/3 while using an external authentication source? FYI, we are also trying to avoid using the LDAP connector from R/3 to our LDAP.
    Please comment for any clarity needed or comments,
    Thanks in advance,
    Ryan

    Good point - but I'm afraid of not knowing an instant answer.
    Well, theoretically one could make use of the fact that an NWAS ABAP can act as http client (submitting http requests to the NWAS Java to validate logon data); but that's just a rough idea.
    Regards, Wolfgang

  • [XI 3.1] SSO for InfoView and OpenDocument URL

    Hi,
    We have a question with regard to SSO for OpenDocument URL.
    Can both be configured separately?
    For example:
    - OpenDocument URL with SSO
    - InfoView without SSO
    Or does InfoView SSO needs to be configured before going to OpenDocument URL SSO?
    Thanks!
    Raf

    Hello,
    So apparently it should be possible to configure SSO only for Open document (while infoview still uses logon).
    We followed the configuration guide <Configuring Vintela SSO in Distributed Environments – Complete Guide> (Dec 2008).
    At this point the configuration is not functioning.
    BEFORE the SSO configuration setup : standard situation where open document url > Infoview logon screen (no error message) > authenticate manually > run the reports.
    AFTER SSO configuration.
    - When we try to access the open document url from any workstation, we get the error message "The requested resource (/ull) is not available".
    - When we try to access the open document url from the BO Server, SSO does not work but at least the open document url >  Infoview logon screen with Error message :  "Account information not recognized: Active Directory Authentication failed to log you on. Etc."  Still possible to log on manually at this stage.
    I don't find any posts / documentation concerning the "The requested resource (/ull) is not available", which seems to be the first issue to be solved.
    Any help would be appreciated, thx.

  • SSO to IIS

    Hello,
    we tried to set up SSO between portal and a web application that runs in an IIS. I found several threads about this topic but none of them were really specific. Like:
    /message/78763#78763 [original link is broken]
    I'm looking for a real easy solution, that verifies the SAP SSO Ticket and lets the user log in to the IIS pages. Could anybody give me some information about that. I would prefer a faster solution than the SSO2KerbMap.
    Thanks and regards
    Markus Armbruster

    Hi,
    try these links
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/47d0cd90-0201-0010-4c86-f81b1c812e50
    http://help.sap.com/saphelp_nw04/helpdata/en/4f/bd2c3a11f3bf31e10000000a11402f/frameset.htm
    Regards,
    Padman

  • SSO to ABAP BSP without client

    Dear colleagues.
    In our scenario a non-domain user needs to reach an ABAP BSP (ITS) application without entering a password for ABAP WAS.
    Is there any option to use SAP NetWeaver Single Sign-On 2 server to create a redirection URL?
    Regards
    Vladimir

    Hi Vladimir,
    SAP SSO issues certificates and delivers them automatically to the PC of the user (short living certificates -> 24 h standard), so they can be used for SSO. It is not a traditional CA. In a traditional CA you have to take care of the certificate lifecycle, which can be very costly, but you can use the certificate for a longer time. SAP SSO works with short living certificates, so you do not have to take care of the lifecycle of the certificate.
    So if you really want to have a "password free" solution, you have to use long lived certificates but take care of the lifecycle (maintain certificates which are not valid anymore and distribute this information to all related systems, ..... ). Otherwise you have a security problem.
    So it is really all about the use case (deployment, security requirements, ...), but you know now the options and you can decide depending on the use case.
    Another option is of course SAP Logon Tickets or SAML. But both also require an initial authentication without an AD.
    Regards
    Matthias
