WL v8.1 sp4 (SPNEGO for SSO)

Hi,
I would like to check whether the latest SSO feature (using Single Pass Identity Assertion) for sp4 works out of the box (with the necessary server configuration, of course) on UNIX installations. Are there any dependencies that require WLS or some of its components to run on Windows? Thank you very much.
Cheers,
Damon :-)

Hello,
Also have a look at this:
http://e-docs.bea.com/wls/docs81/secintro/archtect.html#1066333
Kuldeep

Similar Messages

  • HTTP/SPNEGO for "SSO" on MS Windows

    Hi all of you!
    The scene is simple: I have a piece of software (all in plain Java) and some simple web access to this system. (It's not a real web server that would need Apache or some big container; it's just a few accesses to some information in the software.)
    The client company is all MS Windows, and it's used to an SSO approach:
    they have an AD server on Win2003, all laptops are under WinXP Pro and have IE at least version 6.
    Now the question is this:
    I have
    - a guy (properly authenticated) who is
    - using IE (properly set up)
    - on a computer (properly attached to AD)
    to access a resource URL of my app.
    It's quite simple to send him an HTTP 401 or 407 so IE goes back to the AD server and gets its token,
    BUT how can I manage in Java to extract the account used by the client
    from the SPNEGO token? This is all I need.
    I can't find any help on this, so please, if someone can help me with this...
    I'm lost... Thanks in advance for a simple hint or a URL pointing me down the right path.

    I forgot:
    OK for the configuration, thanks to some of your posts (thanks all)
    I know all the important steps to be followed.
    For example, I quote danielshrem's last post on the thread http://forum.java.sun.com/thread.jspa?forumID=545&threadID=760214
    <quote>
    Hey Seema,
    Indeed my server's principal was not the correct one, now everything is cool with rc4 encryption.
    for all u dudes out there in need of Java HTTP kerberos auth here's a few simple configuration procedures:
    1. on the Domain Controller add an HTTP SPN to the account running the web service (use setspn.exe). the SPN has to be in format HTTP/host@Realm or HTTP/host (this SPN worked for me). if u don't know exactly which SPN u need u can sniff an HTTP session on ethereal, look for Kerberos AP Req-->ticket-->Server Name. from what I gather this is the principal the clients use.
    2. on the DC add a mapping to the newly created SPN (use ktpass.exe)
    3. on the host running the service create a keytab file containing the newly created HTTP principal (use java's ktab.exe)
    4. make sure the SPN is set up OK by running kinit and pass the newly created keytab file and the newly created SPN.
    once u receive an ok result you are good to go (login and authenticate users)
    hope this helps
    Daniel.
    </quote>
    My problem (I know it must sound stupid): how do I extract the login account from this?
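    The Java-side extraction asked for above, as an added example that is not code from the original post: the server takes the token from the Authorization: Negotiate header, accepts it with the JDK's JGSS API (org.ietf.jgss) and reads the client principal from the established context. The JAAS entry name HttpService, the keytab path and the host and realm names are assumptions; the keytab is the one produced by the ktpass/ktab steps quoted above.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

/*
 * Server side of HTTP Negotiate (SPNEGO) using the JDK's JGSS API.
 * Added illustration for this thread, not code from any poster or product.
 *
 * Assumed JAAS configuration (file name, entry name "HttpService", keytab path and
 * principal are all assumptions for the example):
 *
 *   HttpService {
 *       com.sun.security.auth.module.Krb5LoginModule required
 *           useKeyTab=true storeKey=true doNotPrompt=true
 *           keyTab="/etc/http.keytab" principal="HTTP/host.example.com@EXAMPLE.COM";
 *   };
 *
 * JVM started with -Djava.security.auth.login.config=<that file>
 *                  -Djavax.security.auth.useSubjectCredsOnly=true
 *                  -Djava.security.krb5.conf=<krb5.conf that names the AD KDC>
 */
public final class SpnegoAcceptor {

    /** Outcome of one acceptSecContext round. */
    public static final class Result {
        /** Authenticated client principal, e.g. "user@EXAMPLE.COM"; null until the context is established. */
        public final String clientPrincipal;
        /** Token to return in "WWW-Authenticate: Negotiate <base64>", or null when nothing is owed. */
        public final byte[] responseToken;

        Result(String clientPrincipal, byte[] responseToken) {
            this.clientPrincipal = clientPrincipal;
            this.responseToken = responseToken;
        }
    }

    private static final String SPNEGO_MECH = "1.3.6.1.5.5.2"; // SPNEGO OID (RFC 4178)

    /** Raw token from an "Authorization: Negotiate <base64>" header; null if absent or malformed. */
    public static byte[] tokenFromHeader(String authorization) {
        if (authorization == null) return null;
        String[] parts = authorization.trim().split("\\s+", 2);
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Negotiate")) return null;
        try {
            return Base64.getDecoder().decode(parts[1]);
        } catch (IllegalArgumentException malformed) {
            return null;
        }
    }

    /** Header value: bare "Negotiate" starts the exchange (with a 401); with a token it finishes it. */
    public static String challengeHeader(byte[] token) {
        return token == null ? "Negotiate" : "Negotiate " + Base64.getEncoder().encodeToString(token);
    }

    /** Runs the acceptor under the service's own Kerberos credentials loaded from the keytab. */
    public static Result authenticate(byte[] inToken) throws Exception {
        LoginContext lc = new LoginContext("HttpService"); // JAAS entry name: assumption, see above
        lc.login();
        try {
            return Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<Result>) () -> accept(inToken));
        } finally {
            lc.logout();
        }
    }

    /**
     * One SPNEGO round. Kerberos inside SPNEGO completes in a single round trip, so the context
     * is normally established here; a context that is not yet established would have to be kept
     * across requests, which this example does not do. The client name is only meaningful once
     * isEstablished() is true.
     */
    static Result accept(byte[] inToken) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        GSSCredential serverCred = manager.createCredential(
                null, GSSCredential.INDEFINITE_LIFETIME, new Oid(SPNEGO_MECH), GSSCredential.ACCEPT_ONLY);
        GSSContext ctx = manager.createContext(serverCred);
        try {
            byte[] out = ctx.acceptSecContext(inToken, 0, inToken.length);
            String client = ctx.isEstablished() ? ctx.getSrcName().toString() : null;
            return new Result(client, out);
        } finally {
            ctx.dispose();
            serverCred.dispose();
        }
    }
}
```

    getSrcName() is the account the question asks for, and it is only trustworthy after isEstablished() returns true. If the browser cannot obtain a Kerberos ticket (typically because the SPN is not registered, which is the situation Daniel describes) IE falls back to NTLM inside SPNEGO; JGSS does not accept NTLM, acceptSecContext throws GSSException, and the request should be answered with 401 rather than treated as an authenticated user. Subject.doAs is deprecated in recent JDKs in favour of Subject.callAs, which is used the same way here.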

  • SPNego for multi-forest using IBM JDK

    Hi All,
    I need to set up SPNego authentication for EP7 and IBM JDK for a multi-forest landscape (2 Active Directory domains). There's a guide on how to do this for Sun JDK: https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/c771c3d3-0c01-0010-b5b6-86755a2cf778 but I need one for IBM JDK as the login stack modules are different.
    Can anyone supply me with a guide or any helpful information regarding this? Do you know if it works? I've currently got SPNego working for a single domain.
    Thanks in Advance,
    Anthony

    Jan,
    ok, thanks. I will now explain how I think we can help.
    Firstly, to be sure you understand - I represent a SAP partner company known as CyberSafe, and we have a product which uses SPNEGO for Kerberos authentication in a browser environment, so my answer relates mainly to our product functionality, and not related to the SAP login module, which has less functionality.
    I must also apologise in case anybody reading this thread has an issue with me discussing non-SAP software. My view is that the most important thing on this forum is to help you (the SAP customer) get a solution that meets your needs, and if this involves SAP Partner products as well as SAP products, then that is acceptable.
    Firstly, our product does not use the Java implementation of Kerberos. Instead, we use a JNI (Java Native Interface) so that our host based Kerberos library can be used to implement the protocol. This means that any differences between IBM, SUN or any other vendor JDK version related to Kerberos functionality, multi-domain support etc. are not relevant to our product. We support many things in our product which are not supported in Java implementations of Kerberos, so you don't need to wait for new versions of JDK to take advantage.
    Secondly, and perhaps more relevant to this discussion, is that our login module authenticates the user by decrypting the service ticket received using the key in the Key Table File on the host, and then we map this principal name onto a SAP user id. We then (via the login module stack) cause the SAP system to issue an SSO2 logon ticket for this user id. The secret is the way we perform the mapping - we are not dependent on UME datasources for this, and I will describe below how we achieve mapping by using an example:
    Let's suppose a user is authenticated as user.name@DOMAIN1, the SAP system login module has been set up using domain 2 (Realm = DOMAIN2) and trusted via a key in a key table file, with principal name of HTTP/hostname@DOMAIN2. Then, using normal Kerberos cross realm trust, and cross realm TGTs, the browser requests a ticket from AD for HTTP/hostname@DOMAIN2, and this is issued by AD in domain 2 using the cross realm TGT, but the principal name of the authenticated user inside this service ticket is user.name@DOMAIN1. The login module on the SAP server can decrypt the ticket it receives to find the user's Kerberos principal name.
    So, the login module knows the user is user.name@DOMAIN1, it then has to decide how to determine the SAP user id. Our login module currently supports two different methods of performing this mapping, but we are adding more methods in each release to make the product even more flexible. Currently we support the following methods:
    1. Simple mapping - this is where we remove the realm name and convert the principal name to upper case, so in this example user.name@DOMAIN1 would be mapped to a SAP userid of USER.NAME and used to issue an SSO2 ticket. Clearly this is only suitable for single domains, and makes administration very easy - many of our customers use this method, but you would need a different mapping method due to your multiple domains.
    2. USRACL mapping - Since we also sell an SNC product for SAP GUI SSO, our customers already maintain mapping of Kerberos principal name to SAP user id using a table in ABAP engine called USRACL. This table is maintained using SU01 transaction. We now have support in our login module to read the USRACL table using the authenticated Kerberos principal name of the user (e.g. user.name@DOMAIN1) and find the required SAP user id, so that an SSO2 logon ticket can be issued.
    I hope this helps you understand. If you are interested in more detail about our product, and how we might be able to help you, please feel free to contact me offline instead of via this forum.
    Thanks,
    Tim
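    The two mapping methods just described, as an added example in Java (not CyberSafe's code; class, method and table names are the author's choices): the principal read from the service ticket is parsed, its realm is checked against the realms the service deliberately trusts, and it is then mapped either by stripping the realm (method 1) or by an exact lookup in a table standing in for USRACL (method 2). The sample principals and table entries are constructed.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

/*
 * Maps an authenticated Kerberos principal (as found in the decrypted service ticket)
 * to an application user id. Added illustration for this thread, not vendor code.
 */
public final class PrincipalMapper {

    /** Parsed "name@REALM" pair. */
    public static final class Principal {
        public final String name;
        public final String realm;   // null when the string carried no realm
        Principal(String name, String realm) { this.name = name; this.realm = realm; }
    }

    private final Set<String> trustedRealms;      // realms this service accepts (its own plus cross-realm ones)
    private final Map<String, String> aclTable;   // "name@REALM" -> user id; stand-in for a USRACL-style table

    public PrincipalMapper(Set<String> trustedRealms, Map<String, String> aclTable) {
        this.trustedRealms = Set.copyOf(trustedRealms);
        this.aclTable = Map.copyOf(aclTable);
    }

    /**
     * Splits on the last unescaped '@'. Kerberos principal strings may escape '@', '/' and '\'
     * with a backslash (RFC 1964 section 2.1.1), so a plain lastIndexOf('@') is not enough.
     */
    public static Principal parse(String principal) {
        int at = -1;
        for (int i = 0; i < principal.length(); i++) {
            char c = principal.charAt(i);
            if (c == '\\') { i++; continue; }   // skip the escaped character
            if (c == '@') at = i;               // remember the last unescaped '@'
        }
        if (at < 0) return new Principal(unescape(principal), null);
        return new Principal(unescape(principal.substring(0, at)), principal.substring(at + 1));
    }

    private static String unescape(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '\\' && i + 1 < s.length()) c = s.charAt(++i);
            out.append(c);
        }
        return out.toString();
    }

    /**
     * Method 1: drop the realm and upper-case the name. Only sound when exactly one realm is
     * trusted; with two realms "user.name@DOMAIN1" and "user.name@DOMAIN2" would collapse to
     * the same id, so the mapper refuses rather than guess.
     */
    public Optional<String> simpleMapping(String principal) {
        if (trustedRealms.size() != 1) return Optional.empty();
        Principal p = parse(principal);
        if (p.realm == null || !trustedRealms.contains(p.realm)) return Optional.empty();
        return Optional.of(p.name.toUpperCase(Locale.ROOT));
    }

    /** Method 2: exact lookup of the full principal; the realm must still be a trusted one. */
    public Optional<String> tableMapping(String principal) {
        Principal p = parse(principal);
        if (p.realm == null || !trustedRealms.contains(p.realm)) return Optional.empty();
        return Optional.ofNullable(aclTable.get(p.name + "@" + p.realm));
    }

    public static void main(String[] args) {
        // Constructed sample: the service lives in DOMAIN2 and trusts DOMAIN1 through cross-realm trust.
        PrincipalMapper multi = new PrincipalMapper(Set.of("DOMAIN1", "DOMAIN2"),
                Map.of("user.name@DOMAIN1", "UNAME1", "user.name@DOMAIN2", "UNAME2"));
        System.out.println("simple, two realms : " + multi.simpleMapping("user.name@DOMAIN1"));
        System.out.println("table, DOMAIN1     : " + multi.tableMapping("user.name@DOMAIN1"));
        System.out.println("table, untrusted   : " + multi.tableMapping("user.name@OTHER"));
        System.out.println("escaped name       : " + parse("odd\\@name@DOMAIN1").name);

        PrincipalMapper single = new PrincipalMapper(Set.of("DOMAIN1"), Map.of());
        System.out.println("simple, one realm  : " + single.simpleMapping("user.name@DOMAIN1"));
    }
}
```

    The realm check is the part that matters in a multi-forest landscape: cross-realm trust means the service can receive valid tickets for clients from any realm with a trust path to its own, so the mapping stage should accept only the realms that were intended, whichever mapping method follows.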

  • 10g904 - custom login pages & development method of applics for SSO

    I am getting baffled with these custom login pages and their connection with the SSO.
    I have now read extensive documentation from the following:
    Oracle® AS SSO Admin Guide for release 10g (9.0.4) (B10378-01)
    Oracle® AS SSO App Developers Guide for release 10g (9.0.4) (B10852-01)
    Oracle® AS SSO Admin Guide 10g (9.0.4) (B13791-01)
    Oracle® AS App Developers Guide for release 10g (9.0.4) (B10378-01)
    Oracle® SSO Developers Guide for version 306
    What baffles me is how custom login pages are to be defined for the 10g versions of AS.
    In the 10g (904) version, applications for SSO can be protected using mod_osso, and may be developed using mod_osso or using the SSO-SDK, which is deprecated from this version.
    1. This means that if we do not have to use the SSO-SDK (which is deprecated in the 904 version) and where we need to protect applications using mod_osso, then why do we need to use the custom pages?
    2. How do the custom-defined, deployment-specific login pages or change-password pages work?
    3. What is the role of SSO for partner applications if we do not configure it specifically?
    Any helpful hints or links would be highly appreciated.
    Thanks

  • How to set up the DAD file for SSO.

    Hi
    We need to set up the DAD file for SSO. Can anyone help us set up the DAD file?
    Thanks,
    Arvind Goel

    Hi
    It seems that SSO is for AppEx Application Authentication only. You can't specify which Database User your application will connect to the database with if you are authenticating using SSO.
    I came up against this in the following thread.
    Re: How can an AppEX Application work with DB users referenced in DB Trigge
    G.

  • SAP Best Practices for SSO Configuration

    Hello There,
    Are there any SAP Best Practices available for SSO configuration? If so, kindly help me with those.
    And also, are there any third-party tools available in the market for SSO configuration?
    Appreciate your help on this. Thanks in advance.
    Regards,
    Pranay S
    Edited by: Pranay Subedari on Apr 29, 2011 9:12 AM

    Hello,
    Types of SSO are classified by the systems involved in the configuration, i.e. SSO between the ABAP stack and the Java stack, LDAP, or the OS.
    Refer to the link for more details: [Document Deleted]
    Regards,
    Anand
    Message was edited by: Jason Lax

  • securityagent name when using IBM TAM for SSO with Hyperion

    Hi,
    What should we declare in the css_config.xml file for the <securityagent> when using IBM TAM for SSO with Hyperion?
    The admin guide only mentions Netegrity, but that would be the case when we use SiteMinder for SSO.
    Any lights??
    Thanks,
    Sasi

    While, seems one way is to use stream to bypass login.

  • How can I configure 2 EP 7.0 servers for SSO with ECC 6.0?

    Hi,
    How can I configure 2 EP 7.0 servers for SSO using SAP Logon tickets with the same ECC 6.0 back end?
    The development EP 7.0 SP14 is already configured with the ECC 6.0 back end; now I want to configure my local EP 7.0 SP9 (Sneak Preview) server with the same ECC 6.0 development system.
    How can I achieve this?
    I would really appreciate it if someone could guide me.
    Thanks.
    Ashish.

    Hi,
    You have to follow the SSO steps:
    1. Create RFC destination in SM59
    2. Create RFC destination in Visual Admin
    3. Export verify.der certificate from portal
    4. Import verify.der certificate to R/3
    5. Create system alias
    6. Export R/3 certificate from R/3
    7. Import R/3 certificate to portal
    8. Maintain the SSO parameters in RZ10
    Please check the link below as well.
    http://help.sap.com/erp2005_ehp_03/helpdata/EN/4d/dd9b9ce80311d5995500508b6b8b11/frameset.htm
    Regards,
    Bala.

  • Error 12 for sso token ID

    Hello everybody,
    Here is the configuration i am trying to deploy:
    - Apache server 2.0.55 secured with SSL
    - Tomcat 6.0.14, also secured with SSL
    - A fam-samples.war configured as IdP on Tomcat
    - Web agent installed on the Apache server
    Now if a non-authenticated user tries to access a resource on Apache, the web agent redirects him to the IdP for authentication. After giving the right login and password he's redirected to the resource initially requested. Here I got an "Internal server error", and when I looked in the amAgent file for errors I found this:
    <--
    2007-09-17 15:17:06.594 Error 6447:98a16d8 all: LineBuffer::findEndOfLine():
    2007-09-17 15:17:06.608 Error 6447:98a16d8 all: LineBuffer::findEndOfLine():
    2007-09-17 15:17:06.617 Error 6447:98a16d8 all: LineBuffer::findEndOfLine():
    2007-09-17 15:17:06.618 Error 6447:98a16d8 AM_SSO_SERVICE: SSOTokenService::getSessionInfo(): Error 12 for sso token ID AQIC5wM2LY4SfcxUl+Qrr8Za5tjVgKq5XRocwCegb79ttmE=@AAJTSQACMDE=#.
    2007-09-17 15:17:06.618 Error 6447:98a16d8 PolicyEngine: am_policy_evaluate: InternalException in Service::initialize() with error message:Session query failed during service creation. and code:12
    -->
    I tried to look in the web agent configuration file AmAgent.properties for some properties to change, but I didn't find the solution!
    Does anyone have an idea about this problem, please?
    Note: If Tomcat is not secured, all works perfectly.
    THANKS

    I think the problem is due to the agent configuration...
    What I did was add the property (com.sun.am.ignore.naming_service = true) to the AMAgent.properties file to disable looking for the naming service URL. The problem was solved, but I am not sure if it's really the right solution or not.
    Any suggestions?

  • Need Extended Version of JCO Pool Viewer Tool for SSO Expiration Problem

    Hi, SDN Fellow.
    When we are running some of our Web Dynpro applications, they ran into this error: "Cannot create JCOClientConnection for Logical System XXXXX_WD_MODELDATA_DEST - Model class xxxxx. The SSO ticket needed for authentication to XXXXX_WD_MODELDATA_DEST has expired. Close all applications and logon anew!"
    We have researched this error and found that the optimal fix is to upgrade to SP12, then use the Assertion Ticket. But we are currently not ready to apply SP12 from SP11 yet.
    I have read about SAP Note 1130191 - JCO Pool Viewer Tool for SSO Expiration Problem.
    As a workaround fix, we decided to try out the Extended Version of the JCO Pool Viewer Tool to clear the cache when this error occurs.
    The note did not mention where I can get the tool. I remember I read a blog on this tool too, but could not recall the blog link. Can anyone guide me to where I can get this tool?
    Thanks,
    Kent

    Hi Cui,
    Navigate to Content Admin -> Web Dynpro -> SAP.COM space in the left navigation area.
    There you can find the EAR/WAR file for this tool; open it and click on run.
    Now it will show you the list of threads which are faulty; you can remove the faulty thread from this list.
    So no server restart is needed in case of a single thread failure.
    If you are not able to get this tool, I will mail it to your ID.
    regards
    Kedar Kulkarni
    Reward points for useful answers
    Edited by: Kedar Kulkarni on Jun 18, 2008 2:58 PM

  • Connecting to OIM from WebCenter Framework application for SSO.

    Hi all ,
    I am trying to connect to OIM from a WebCenter Framework application for SSO.
    I need help finding documents regarding that.
    Complete installation of OIM 11g(11.1.1.6) is done.
    Regards,
    Shakir

    Hi Vinay,
    Thanks for your reply ,
    The document you suggested has only installation steps, which are already completed.
    I just want to know how you connect your WebCenter Framework application to OIM (for SSO), through APIs or some other way,
    so that whenever a user tries to access any page of your application, they are redirected to OIM.
    Thanks & Regards,
    Shakir

  • Error 21 for SSO Token

    Hi, I have Tomcat with OpenSSO installed on the same machine with IIS 6 + agent.
    While trying to browse any of the pages in IIS, I immediately get this error after authentication:
    2009-10-06 11:16:43.357   Error 3240:161bd38 AM_SSO_SERVICE: SSOTokenService::getSessionInfo(): Error 21 for sso token ID AQIC5wM2LY4SfczzPs5KzV6tcQMK0T1shHOpKmXvAr8vmSQ=@AAJTSQACMDE=#.
    2009-10-06 11:16:43.357   Error 3240:161bd38 PolicyEngine: am_policy_evaluate: InternalException in Service::initialize() with error message:Session query failed during service creation. and code:21
    2009-10-06 11:16:43.357   Error 3240:161bd38 PolicyAgent: HttpExtensionProc(): status: HTTP error (21)
    Any suggestion is welcome!
    Thank You !
    Edited by: AlexanderL on Oct 6, 2009 11:20 AM

    I think the problem is due to the agent configuration...
    What I did was add the property (com.sun.am.ignore.naming_service = true) to the AMAgent.properties file to disable looking for the naming service URL. The problem was solved, but I am not sure if it's really the right solution or not.
    Any suggestions?
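    A small parser for the agent log format quoted in this thread and in the "Error 12" thread above, as an added example (not part of either post, nor of the agent itself): it splits each line into timestamp, level, pid:thread, component and message, counts the getSessionInfo() failures by error code, and redacts the token id. The sample lines are constructed, with placeholder token ids in the shape of the quoted ones; the meaning of the individual error codes is not interpreted. Java 16 or later is assumed for the records.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/*
 * Parser for web-agent log lines of the form
 *   <date> <time> <Level> <pid>:<thread> <Component>: <message>
 * Added illustration for this thread; not agent code.
 */
public final class AgentLogParser {

    public record Entry(String timestamp, String level, String pid, String tid, String component, String message) {}
    public record SsoFailure(String timestamp, int code, String tokenId) {}

    private static final Pattern LINE = Pattern.compile(
            "^(\\d{4}-\\d{2}-\\d{2} \\d{2}:\\d{2}:\\d{2}\\.\\d+)\\s+(\\w+)\\s+(\\d+):([0-9a-fA-F]+)\\s+([^:\\s]+):\\s*(.*)$");
    private static final Pattern SSO_FAILURE = Pattern.compile(
            "SSOTokenService::getSessionInfo\\(\\): Error (\\d+) for sso token ID (\\S+?)\\.?$");
    private static final Pattern TOKEN = Pattern.compile("(sso token ID )(\\S+?)(\\.?)$");

    /** Structured view of one line, or empty when the line is not in the agent's format. */
    public static Optional<Entry> parseLine(String line) {
        Matcher m = LINE.matcher(line);
        if (!m.matches()) return Optional.empty();
        return Optional.of(new Entry(m.group(1), m.group(2), m.group(3), m.group(4), m.group(5), m.group(6)));
    }

    /** The session-query failure carried by an entry, if it is one. */
    public static Optional<SsoFailure> ssoFailure(Entry e) {
        Matcher m = SSO_FAILURE.matcher(e.message());
        if (!m.find()) return Optional.empty();
        return Optional.of(new SsoFailure(e.timestamp(), Integer.parseInt(m.group(1)), m.group(2)));
    }

    /** Number of getSessionInfo() failures per agent error code, in order of first appearance. */
    public static Map<Integer, Integer> countByCode(List<String> lines) {
        Map<Integer, Integer> counts = new LinkedHashMap<>();
        for (String line : lines) {
            parseLine(line).flatMap(AgentLogParser::ssoFailure)
                    .ifPresent(f -> counts.merge(f.code(), 1, Integer::sum));
        }
        return counts;
    }

    /** Replaces the session token id with a fixed marker so the line can be shared safely. */
    public static String redactToken(String line) {
        return TOKEN.matcher(line).replaceAll("$1[REDACTED]$3");
    }

    public static void main(String[] args) {
        // Constructed sample in the shape of the lines quoted in the two threads; token ids are placeholders.
        List<String> sample = List.of(
            "2007-09-17 15:17:06.594 Error 6447:98a16d8 all: LineBuffer::findEndOfLine():",
            "2007-09-17 15:17:06.618 Error 6447:98a16d8 AM_SSO_SERVICE: SSOTokenService::getSessionInfo(): Error 12 for sso token ID TOKEN-PLACEHOLDER-1#.",
            "2007-09-17 15:17:06.618 Error 6447:98a16d8 PolicyEngine: am_policy_evaluate: InternalException in Service::initialize() with error message:Session query failed during service creation. and code:12",
            "2009-10-06 11:16:43.357   Error 3240:161bd38 AM_SSO_SERVICE: SSOTokenService::getSessionInfo(): Error 21 for sso token ID TOKEN-PLACEHOLDER-2#.",
            "2009-10-06 11:16:43.357   Error 3240:161bd38 PolicyAgent: HttpExtensionProc(): status: HTTP error (21)");

        System.out.println("failures by code: " + countByCode(sample));
        for (String line : sample) {
            parseLine(line).ifPresent(e -> System.out.println(e.component() + " | " + e.message()));
            System.out.println(redactToken(line));
        }
    }
}
```

    The "sso token ID" in these lines is the user's live session identifier, which is why the redaction step is there: strip it before pasting agent logs into a support ticket or a forum post, and treat any copy of the log that still contains it as sensitive.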

  • How to run Crypto Tools for SSO Enabling

    Hi Friends,
    How do I run the Crypto tools for SSO enabling? If anybody knows, please help me...
    Thanks

    Hi,
    What is the script for a Windows environment?

  • Integrate SAP Netweaver 7 with SharePoint 2013 for SSO

    We are planning to integrate SAP NetWeaver 7.0 with SharePoint 2013 for SSO using SAML 2.0.
    I would like to know what 3rd-party IDM tools are supported by SharePoint 2013 apart from ADFS.
    Regards
    Mirza
    FBM

    This should help you Faheem
    http://scn.sap.com/community/interoperability-microsoft/blog/2011/01/31/installing-duet-enterprise-the-sap-side--a-video-guide
    Please remember to click 'Mark as Answer' on the answer if it helps you

  • Has anybody integrated with CO-Sign for SSO / Authentication

    Hi Folks,
    Has anybody looked at Co-Sign for SSO in terms of forms / discoverer in the 11g release?
    Gary

    Marvin,
    You make me feel better. I thought I might have been the only one who had ever done this. ;-) It's not too bad to clean up.
    I am referencing old notes, and do not currently have access to an OID instance to verify, but try this:
    In Entry Management, look under the default Oracle Context, under Services, and Ebusiness. You should see an entry for your EBS instance. (For example, the full DN might be: cn=VIS,cn=EBusiness,cn=Services,cn=OracleContext). Remove this record, and you should be set. You may need to remove other links to this record under your custom context. For example, there may also be a DN cn=VIS,cn=EBusiness,cn=Services,cn=OracleContext,dc=your_org,dc=com.
    I was initially concerned that there might be a ton of junk to remove from OID related to the EBS instance registration, but I was not able to find any other likely entries, and was able to proceed with re-registration without issues after removing these two entries.
    Hope this helps!
    Regards,
    John P.
    http://only4left.jpiwowar.com
