Single Sign On Authentication on SAP EP 6.0 SP15+ based on Novell

Hi all,
I saw that starting from NW SP15, Kerberos authentication for SSO on the Enterprise Portal is suggested instead of NTLM authentication with IISproxy using Windows AD as user repository.
Now I have to investigate the possibility to achieve Enterprise Portal authentication in SSO against a Novell infrastructure.
On my network users authenticate themselves using a UserID/password stored in the Novell eDirectory repository. I wonder if SAP certifies SSO Kerberos authentication on the Novell environment as well, and what the requirements are in terms of needed software pieces on the Novell side (e.g. NMAS) and network infrastructure (Windows, Netware, other).
Briefly I'd like to know:
- Is it possible to achieve SSO authentication for EP when using Novell eDirectory? Is it an SAP certified solution? Is it supported for production sites? Are there papers available on the configuration activities to be done?
- Is Kerberos authentication the right way to achieve this?
I'd like to add another piece of complexity. In reality I have a complicated network where a group of users (belonging to a company division) authenticates on a Novell realm using eDirectory, and a second group of users (belonging to another company division) authenticates on a standard Windows AD. The new interesting question is:
- Can the EP SSO be configured with Kerberos authentication using multiple realms configured in a priority list? I'd like to have the possibility to configure a list of KDCs to be contacted in cascade, one after the other, to authenticate login requests. I had a look at the WAS J2EE krb5.conf file and it seems that nothing prevents configuring the J2EE engine with multiple Kerberos realms. I just wonder if it is supported.
If some SAP EP gurus could give an answer I would really appreciate it VERY much.
Thank you,
Giampietro.

Hi Giampietro
We are about to have a look at the same issue: providing Kerberos-based (SPNego) SSO to the SAP NW portal using eDirectory.
Reading the online help, it seems that SAP has only tested this on Active Directory, and I cannot see it as a certified solution nor find any configuration documents on this.
However, in 3 or 4 weeks we will try to use the "standard configuration" (from the online help) against eDirectory. Basically the directory (AD, eDirectory etc.) just has to provide a keytab file, a userstore and a service user - this must be possible for Novell eDirectory as well as for MS AD. Of course we expect some challenges, but it should be possible!
If you gain any information or experience trying, please inform us.
I will update this when we get any new information.
BR
Tom Bo

Similar Messages

  • Configuring JCo3 Connection Pool with single sign on on non SAP Java server

    Hi Everyone,
    I have configured a connection pool on JBoss as per the JCo3 documentation and it is working great.
    Now I need help to configure this connection pool with single sign-on so that RFCs on SAP ECC systems are executed using the end user's credentials rather than the single user name and password used to configure the JCo connection pool.
    On the SAP Java stack I am sure it's possible within Java WebDynpro, and I assume using the JCA resource adapter. But what if we don't want to use the SAP Java app server?
    Any help will be appreciated.
    Thanks,
    Divyakumar Jain

    Eason, hello!
    I have exactly the same problem.  Did you find a solution to this problem?  If so, please let me know!

  • Integrating AS 10.1.2 and AS 10.1.3 to use Single Sign-on for BI Publisher

    Hi Everyone
    I was trying to make the following demonstration scenario on the AS and the facilities that can afforded by Oracle to our company:
    Note: I have just one machine for demonstration with Win2003 Enterprise
    First of all, I need to build a portal for my company, this portal will be published to the web through port 80 opened by Microsoft ISA Firewall (ISA installed on different machine):
    1- Portal should be integrated with oracle forms and reports with single sign-on
    2- AS, should have single sign-on authentication to work on port 80 only.
    3- Portal should be integrated with BI Publisher 10.3
    For the objectives mentioned above I have done the following:
    1- Installed AS 10.1.2 (infra and mid-tier) on the same machine with default installation options (HTTP port 7777 for infra and port 80 for MT). (objective 1 = done)
    2- To make SSO work on port 80, I have used webcache as a reverse proxy for SSO, and it's done, but I get an error (WWC-41400); it doesn't affect login on the portal, and that is my first problem.
    3- To have BI Publisher work and authenticate users using single sign-on on port 80 (from outside), I had to install AS 10.1.3 (HTTP on port 7779) on the same machine mentioned above, and then deploy BI Publisher on it, and that was OK, but the problem is how to make use of single sign-on to authenticate people listed in the Oracle Internet Directory of the INFRA installation mentioned above to use BI Publisher on port 80 only.
    So, could anyone please guide me on problems 2 and 3?
    Thanks in advance.
    Anas

    a couple of parameters not configured inside the Tomcat files. Now the SSO is working.
    SNC is not required for sso in bi 4.0
    http://wiki.sdn.sap.com/wiki/display/BOBJ/BI4IntegrationintotheSAPEntreprisePortal+7.0.x
    http://wiki.sdn.sap.com/wiki/display/BOBJ/SetupofSAPSSOServiceinSAPBOBI4.0+CMC
    Best Regards

  • Need information on Single Sign On

    Hi,
    Can we have SAP integration and Business Objects AD SSO authentication work on the same application server? In our environment this same instance has to support SAP users logging in as well. For that, the default should be secSAPR3, Vintela should be false, and the other SSO settings enabled as mentioned in the document.
    But for single sign-on, authentication.default has to be secWinAD with Vintela true. For SAP, authentication.default has to be secSAPR3. We want both of them to work. Is this possible?
    OR
    Is the recommendation from BO to separate the instances, with SAP users integrated with BO in one instance and all non-SAP users in another?
    Is there any documentation/steps to configure SSO for XI 3.1?
    Please guide!!!
    Thanks...

    Hi,
    not sure if I fully got your scenario but it looks like you have three different authentication mechanisms:
    - Win AD
    - SAP
    - Vintela
    Any chance to consolidate with a scenario like SNC?
    What are the use cases for the end user, or asked differently: when would a user use Win AD, SAP, Vintela?
    thanks
    ingo

  • How to enable a partner application for Single Sign-On?

    Can someone please advise me on how to enable my existing J2EE web application for the Oracle Single Sign-On?
    My requirement is i want to provide the single sign-on authentication service to my J2EE web application. For this, I would like to make my application as a partner application similar like the OracleAS Portal.
    I am using Oracle 10g (OracleAS, Oracle Infra, OID ...)
    I found the following services/APIs which Oracle provides. I am not sure which one is suitable for me.
    1. mod_osso (Static)
    --- In this case, I have to make an entry in the mod_osso.config file to protect the URL. Do I have to register the URL again through the single sign-on admin page ("Administer Partner Application") after making the entry in the config file?
    2. mod_osso (Dynamic directive)
    -- In this case, I have to modify the code by providing directives like 401, 499, etc. So I don't prefer this, as I don't want to touch my app.
    -- If I go with this option, do I have to register the URL with the single sign-on server through the SSO admin page (as mentioned in step #1 above)?
    3. SSO SDK
    - Since it was deprecated and need java coding, i am prefer this option.
    -- However, if I go with this option, I will develop code using the SDK. In this case I need to register the URL in the SSO server through the admin page... am I right?
    Note:- OSSO server integrated with Active Directory for the authentication.
    Thanks,
    -Senthil

    sharon38_74 wrote:
    they said that our internal application needs to send a "login request" to etran via SSL with the user's information encoded in base 64 format. etran captures the HTTP header containing user authentication and authorization information, and parses the required information from the HTTP header.
    My question is how I set user information in the HTTP header? From my understanding, once I am able to set the user information in the HTTP header, it is in base 64 format?

    Your application needs to act like a proxy. You can invoke an HTTP request programmatically using java.net.URLConnection. You can set request headers using URLConnection#setRequestProperty(). Also see the API docs: [http://java.sun.com/javase/6/docs/api/java/net/URLConnection.html]. You only need to know the header field name in which to set the Base64-encoded value. You need to Base64-encode the value yourself.

  • Workflow + Single Sign-on: 503 Service Temporarily Unavailable Error

    Hello.
    I've the following system:
    Windows 2000 Professional Edition
    DB Oracle 9i: OraDb9i_home1
    AS 10g as Infrastructure (in order to use it as a provider for Single Sign-on): OraAs10g_home1
    AS 10g as Development (in order to use it as Application Server to run Workflow 2.6.3 processes): OraAs10g_home2
    The name of my host is cami5 (local IP address 192.168.0.14)
    I can successfully log in to the OraAs10g_home1 enterprise manager via http://cami5:1810 as ias_admin, and it reports that OID and Single Sign-on:orasso are up and running (and LDAP is up: via a netstat -an command I see that the related ports, TCP 389 and 636, are listening, and investigating I see that they are bound by oidldapd.exe).
    I can successfully log in to the OraAs10g_home2 enterprise manager via http://cami5:1811 as ias_admin, and it reports that HTTP_Server is up and running (it is bound to port 80).
    If I configure a DAD via PLP/SQL Properties in the Administration tab, I can choose from different authentication modes.
    If I select "Basic", it runs fine.
    i.e., I've made a very basic workflow process, I deployed it to /pls/wf1, and browsing http://cami5/pls/wf1/wfa_html.home it runs fine.
    But, if I select "Single Sign On" authentication mode (the one I have to choose because of some specs I have to satisfy), the service is deployed without any errors to /pls/wf2, but then it is reported as down in the DADs list, and if trying to go to http://cami5/pls/wf2/owf_mgr.home it appears as:
    Service Temporarily Unavailable
    The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.
    Oracle-HTTP-Server/1.3.28 Server at CAMI5 Port 80
    The same identical thing happens if I try to configure the DAD via the "Mod_plsql Configuration Menu" in http://localhost:7778
    Where am I wrong?
    Is the error description reported by the HTTP server telling the real problem, or have I missed something else?
    What can I do in order to solve the problem?
    Any suggestion is appreciated.
    Thank you in advance.
    Regards,
    Umberto

    Raja,
    thank you for your help.
    Unfortunately it didn't solve the problem.
    Yes, I installed wf263 from CMSDK_9.0.4.1.0_RTM.
    But during the installation, the workflow configuration assistant didn't show me any SSO option to be chosen: it just asked me about LDAP parameters, and I provided it with the following data:
    Host Name: cami5 (it is the host name of the machine that is running the LDAP server via the Oracle IAS 10g Infrastructure)
    Port No.: 389
    User Name: cn=orcladmin
    Old Password: cami5 (the password I used)
    Log Base and User Base: (nothing, I left it blank)
    I already followed the metalink notes you suggested (Oracle Workflow 2.6.3 Installation Update), but the "Workflow Manager" link still has not appeared in the AS Enterprise Manager: I can just see the "WFALSNRSVCApp" and the "WFMLRSVCApp" Applications. In order to get to the workflow manager I had to deploy the DAD via the Mod_plsql Configuration menu in the http...:7778 service provided by the AS instance in which the workflow component was installed. (I was never able to make that link appear, even in new installations on other computers reinstalled from scratch.)
    Any other suggestion?
    Regards,
    Umberto

  • Success stories of NW single sign-on

    Dear Experts,
    We are planning to implement NW single sign-on 2 in our landscape.
    Could you please share some success stories of this product?
    Best Regards,
    KK

    Please look at below documents
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/c00464ce-c974-2e10-f5be-f8f4c6dce31c?QuickLink=index&…
    Secure Login for SAP NetWeaver Single Sign-On 2.0 SP03 Implementation Guide Is Available on SAP Help Portal
    SAP NetWeaver Single Sign-On 2.0 – SAP Help Portal Page
    Regards
    Vijay Kalluri

  • Implementing Single Sign-On in J2SE Application

    I am developing an application which is going to do some Single Sign-On authentication.
    For those who do not know what Single Sign-On is: for users who have multiple usernames and passwords for different web sites, Single Sign-On offers them a way to authenticate to these different sites without the need to remember all those passwords. It takes over the authentication process, and authenticates to these web sites for the user. The usernames and passwords are stored in a database.
    I am going to develop such a program in Java. This program is going to fetch the web site which contains the login form, find out what to send to the web server, and send the username and password stored for that web site. In return, if authentication goes through, the web site will send the web page to the Java program, which on receiving it will open it in a web browser.
    Does anyone have any idea how I can implement this Single Sign-On feature? I know there exist several applications for Windows which offer such Single Sign-On and which work with Internet Explorer. So somehow I should be able to make such a feature for a Java application.

    Thanks for the reply
    Should I read the following from the document you sent in Section 4.5? I just wanna confirm..
    4.5 Configuring Custom SSO Environments
    For information about configuring Oracle Business Intelligence to participate in custom SSO environments (for example, setting up SSO using Active Directory or SiteMinder), see articles 1287479.1 and 1274953.1 on My Oracle Support at:
    https://support.oracle.com

  • How to enable Single Sign-On with an SAP WAS ABAP system (run BSP application)

    Hi.
    I need to run any BSP application from an SAP WAS ABAP system without entering an SAP user and password, using Windows authentication and without SAP Enterprise Portal.
    Which authentication methods do I have to apply to enable Single Sign-On with an SAP WAS ABAP system?
    And how can I enable this method?
    Best regards.
    Luis Gomez.

    Hi Ticiano,
    SAP WebAS ABAP supports a number of authentication mechanisms. See
    [http://help.sap.com/saphelp_nw04s/helpdata/en/02/d4d53aa8a9324de10000000a114084/frameset.htm]
    A number of these authentication mechanisms can be combined with Windows authentication (e.g. SNC, client certificates, ...).
    The decision what mechanism fits best depends on criteria like
    - SAP server platform
    - security requirements
    - extensibility (should same authentication mechanism be used for future SAP environments, which will be E-SOA based)
    - authentication from outside company domain
    - Use of SAP security library (SAPcryptolib)
    You may want to look at the SAP Software Solution Partner Catalog, if you look for certified SSO solution vendors for SAP.
    Best regards,
    Peter

  • SAP Single Sign in

    Dear All
    My company wants single sign-in on SAP using DS3 authentication. Does anyone have experience related to this, or can anyone guide me on this? I am not sure whether this is the right forum to ask such a question.
    Thanks
    Regards

    The SSO is not working yet in BPC.
    You can try to use Windows authentication, but it is still not a real SSO.
    In all cases, when you open for example webexcel, you are asked for authentication, and this happens after you were already authenticated for Internet Explorer.
    Windows authentication used by the user, plus unchecking the Sarbanes-Oxley flag in the server manager, will provide you something like an SSO.
    Kind Regards
    Sorin Radulescu

  • Single Sign On for SAP - Integration with AD

    Users often need both an SAP and Active Directory identity and password to work in their IT environment. However, these multiple identities and passwords create several problems: user confusion leading to decreased productivity, increased help desk costs and security breaches.
    For this purpose how can we extend Active Directory authentication for single sign-on to SAP?
    Regards,
    Majid Khan

    Hi,
    It seems that SAP SSO/IWA  based on Spnego Kerberos is what you want.
    Spnego Kerberos only works on a J2EE stack based system.
    The classical technique is so to implement it on a SAP portal and to use redirect applications to use the portal saplogon ticket to authenticate on abap systems.
    Check help.sap.com on the subject, you will get a lot of information.
    Regards,
    Olivier

  • How to pass credentials/saml token access sharepoint web service ex:lists.asmx when sharepoint has single sign on with claims based authentication

    How to pass credentials/saml token exchange to the sharepoint web service ex:lists.asmx when sharepoint has single sign on with claims based authentication 
    Identity provider here is Oracle identity provider 
    harika kakkireni

    Hi,
    The following materials for your reference:
    Consuming List.asmx on a claims based sharepoint site
    http://social.technet.microsoft.com/Forums/sharepoint/en-US/f965c1ee-4017-4066-ad0f-a4f56cd0e8da/consuming-listasmx-on-a-claims-based-sharepoint-site?forum=sharepointcustomizationprevious
    Sharepoint Claims based authentication and Single Sign on
    http://social.technet.microsoft.com/Forums/sharepoint/en-US/2dfc1fdc-abc0-4fad-a414-302f52c1178b/sharepoint-claims-based-authentication-and-single-sign-on?forum=sharepointadminprevious
    Sharepoint Claim Based Authentication Web Service issue
    http://social.msdn.microsoft.com/Forums/office/en-US/dd4cc581-863c-439f-938f-948809dd18db/sharepoint-claim-based-authentication-web-service-issue?forum=sharepointgeneralprevious
    Best Regards
    Dennis Guo
    TechNet Community Support

  • Authentication between Single Sign-On and Web based applications

    Hi everyone,
    I need to create a way in Portal 10g (10.1.2.0.2) that allow me to do the following:
    Once the user is logged on to Portal (against Single Sign-On - SSO) he doesn't need to retype his username/password when he accesses a web based application through the portal, in my case, an ASP application (not .NET, just ASP).
    I made a test creating an External Application in SSO and afterwards publishing this portlet (external application) inside the portal.
    It worked, BUT I was prompted to enter username/password to log on to the application.
    So, the user ends up entering his password twice.
    Does anybody know a way to accomplish this task?
    The documentation I'm researching is:
    Oracle Application Server Single Sign-On
    Administrator's Guide
    10g Release 2 (10.1.2)
    B14078-02
    Oracle Application Server Single Sign-On
    Security Guide
    10g Release 2 (10.1.2)
    B13999-03
    Thank you very much,
    Diogo Santos.

    have figured out how to secure any HTML, ASP, PHP, CFM, etc. web page against Portal / OID using the PDK toolkit.
    Using AJAX (Asynchronous JavaScript and XML) and one Oracle Stored Procedure just adding a simple Javascript call to any HTML, ASP, PHP, etc. web page can secure it via Oracle SSO (OID). Access to any secured web page will require that it to be linked from an authenticated Portal session or a page opened in an authenticated Portal session.
    This process can be easily modified to add in group security etc. This is just my starting point.
    1) Create a stored procedure
    -- Make sure it has access to portal.wwctx_api.is_logged_on
    CREATE OR REPLACE PROCEDURE login_ajax_check (
      display_error IN NUMBER DEFAULT NULL) AS
    BEGIN
      NULL;
      -- Report the Portal session state as plain text for the page script
      IF portal.wwctx_api.is_logged_on = FALSE THEN
        htp.prn('DENY');
      ELSE
        htp.prn('ALLOW');
      END IF;
    EXCEPTION
      WHEN OTHERS THEN htp.p('DENY');
    END;
    2) Use this Javascript in any page you wish to secure.
    <-- Begin Paste Here -->
    <script>
    var allowgo = 2; // 2 = no answer yet, 0 = allowed, 1 = denied
    var req;         // request object shared with processStateChange

    // Synchronous GET to the page that calls the stored procedure
    function ajaxCallRemotePage(url) {
      if (window.XMLHttpRequest) {
        // Non-IE browsers
        req = new XMLHttpRequest();
        req.onreadystatechange = processStateChange;
        req.open("GET", url, false);
        req.setRequestHeader("If-Modified-Since", "Sat, 1 Jan 2000 00:00:00 GMT");
        req.send(null);
      } else if (window.ActiveXObject) {
        // IE
        req = new ActiveXObject("Msxml2.XMLHTTP");
        req.onreadystatechange = processStateChange;
        req.open("GET", url, false);
        req.setRequestHeader("If-Modified-Since", "Sat, 1 Jan 2000 00:00:00 GMT");
        req.send();
      } else {
        return; // Browser not supported
      }
    }

    function CheckPortal() {
      ajaxCallRemotePage('[Your page calling the procedure from above]');
    }

    // process the return of the "ajaxCallRemotePage"
    function processStateChange() {
      if (req.readyState == 4) {
        if (req.status == 200) {
          if (req.responseText.substring(0, 4) == 'ALLO') {
            allowgo = 0;
          } else {
            allowgo = 1;
          }
        }
      }
    }

    // Redirect when the check answered with anything other than ALLOW
    function doPage() {
      if (allowgo == 1) {
        window.location = '[Your login or error page]';
      }
    }

    CheckPortal();
    doPage();
    </script>
    <-- End Paste Here -->
    That's it!!! Super easy. It works great too.
    Larry Schenavar
    [email protected]
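
An added example, not part of the post above: the ALLOW/DENY handling from that script modelled as plain functions, next to a fail-closed variant, and run over constructed responses so the outcomes can be compared without a browser. The function names, the fail-closed rule and the sample responses are assumptions made for this example.

```javascript
// Added example (not from the original post).

// Decision as written in the posted script: allowgo starts at 2, is only
// updated on HTTP 200 (0 when the body starts with 'ALLO', otherwise 1),
// and doPage() redirects only when allowgo == 1.
function postedDecision(status, body) {
  let allowgo = 2;
  if (status === 200) {
    allowgo = body.substring(0, 4) === 'ALLO' ? 0 : 1;
  }
  return allowgo === 1 ? 'redirect' : 'show';
}

// Fail-closed variant (assumption of this example): keep the page only for
// HTTP 200 with a body that is exactly 'ALLOW' once whitespace is trimmed.
// Every other outcome, including "no answer", redirects.
function failClosedDecision(status, body) {
  const text = typeof body === 'string' ? body.trim() : '';
  return status === 200 && text === 'ALLOW' ? 'show' : 'redirect';
}

// Constructed sample responses from the check URL (not captured traffic).
const SAMPLES = [
  { name: 'logged on',               status: 200, body: 'ALLOW' },
  { name: 'not logged on',           status: 200, body: 'DENY' },
  { name: 'check endpoint down',     status: 503, body: 'Service Temporarily Unavailable' },
  { name: 'request never completed', status: 0,   body: '' },
  { name: 'unexpected 200 body',     status: 200, body: 'ALLOCATION ERROR' },
];

// Evaluate both rules for every sample.
function compare(samples) {
  return samples.map((s) => ({
    name: s.name,
    posted: postedDecision(s.status, s.body),
    failClosed: failClosedDecision(s.status, s.body),
  }));
}

// Names of the samples where the two rules give different outcomes.
function disagreements(samples) {
  return compare(samples)
    .filter((row) => row.posted !== row.failClosed)
    .map((row) => row.name);
}

console.table(compare(SAMPLES));
console.log('Rules differ for:', disagreements(SAMPLES).join(', '));
```

Both variants run in the browser after the page has been delivered, so they decide only whether the script redirects.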

  • Authentication and Single Sign-On

    Does the Ironport support LDAP authentication with Single Sign-On, or is it only supported on NTLM? Can you set up multiple authentication realms to the same AD server, but call different AD groups? What I am trying to accomplish is to have single sign-on working and also have users placed in certain access policies according to which AD group they are in. For instance, the marketing group would be placed into one access policy while HR would be placed in another.

    Hello,
    Single Sign on is done on NTLM.
    If you go to your GUI: Top Right Hand side > Support and Help Dropdown > Select On Line Help > Then search for "working with authentication realms"
    You will see as follows:
    An authentication realm is a set of authentication servers (or a single server) supporting a single authentication protocol with a particular configuration.
    You can perform any of the following tasks when configuring authentication:
    - Include up to three authentication servers in a realm.
    - Create zero or more LDAP realms.
    - Create zero or one NTLM realm.
    - Include an authentication server in multiple realms.
    - Include one or more realms in an authentication sequence.
    - Include realms of different protocols in a single authentication sequence.
    - Assign a realm or a sequence to an Access Policy group.
    You can do what you are trying to do with NTLM.
    I hope this answers your query.
    Regards,
    Eric

  • Authentication on single sign on page slow and hangs.

    Hi members
    We are using Oracle application server single signon with Apex as partner application. The single sign on page authentication was working properly until yesterday when all of a sudden it became very slow. After the username and password are entered and login button is pressed, the blue status bar is moving extremely slow finally leading to a page not found. Can someone advise what components (logfiles etc) need to be checked to resolve this?
    Thank you.
    Ravi.

    Hi,
    I tried to find the cause but I have no clue yet as to what is wrong with this slowness of the single sign-on page. Can someone throw some light on this and tell what could be wrong here? Thank you. There are some errors in the HTTP Server Virtual Host log file, and the log file was created when oc4j_security was restarted. In the documentation, they were described as not uncommon. I doubt whether that is the reason behind the slowness. Thanks in advance.
    [Wed May 27 11:46:09 2009] [error] [client 198.222.232.234] [ecid: 1243439169:198.222.232.234:476:3948:151,0] File does not exist: d:/oracle/oracleas/apache/apache/htdocs/favicon.ico
    [Wed May 27 14:54:15 2009] [error] [client 198.222.232.234] [ecid: 1243450455:198.222.232.234:476:4028:185,0] MOD_OC4J_0015: recv() returns 0. There has no message available to be received and oc4j has gracefully (orderly) closed the connection.
    [Wed May 27 14:54:15 2009] [error] [client 198.222.232.234] [ecid: 1243450455:198.222.232.234:476:4028:185,0] MOD_OC4J_0054: Failed to call network routine to receive an ajp13 message from oc4j.
    [Wed May 27 14:54:15 2009] [error] [client 198.222.232.234] [ecid: 1243450455:198.222.232.234:476:4028:185,0] MOD_OC4J_0033: Failed to receive an ajp13 message from oc4j.
    [Wed May 27 14:54:15 2009] [warn] [client 198.222.232.234] [ecid: 1243450455:198.222.232.234:476:4028:185,0] MOD_OC4J_0078: Network connection errors happened to host: test02 and port: 12501 while receiving the first response from oc4j. This request is recoverable.
    [Wed May 27 15:13:19 2009] [notice] FastCGI: process manager initialized
    (End of Log File)
