Solved: SSO to SAP using workstation password (GUI/Web)

Former Member · ‎09-16-2008

Hello All - I am very new to this area and I am analyzing a SSO solution to implement in our company where in the User's workstation password will be the only authentication to logon to SAP. We are looking into SSO using Kerberos but we are still not clear on the solution. Below are some of the questions that I can think of from the top of my head.

1) What is the pre requisite to logon to SAP without password? AD/etc...

2) Can logon via. SAP Logon GUI be passwordless? If yes, what is the solution/technology? Also if passwordless GUI log on is possible, what will be situation where a system has more than one client? Will it prompt to enter the client number?

3) WIll SSO work across multiple landscapes like 4.7, MySAP, BW, Netweaver, etc?

I apologise ahead if I my questions are very vague. Kindly bear with me and point me to the right information, so that I can have the analysis of SSO ready for my company.

tim_alsop · ‎09-17-2008

Kishore,

My answer was specific to GUI with Kerberos authentication into AD. If you also want to use same functionality with Web access you can use a login module provided by SAP called SPNEGO login module. This login module is installed into a Java engine somewhere in your landscape. You can use this to support Web applications on ABAP AS using redirection.

Thanks,

Tim

Former Member · ‎09-16-2008

Hi,

Welcome to SDN!

While waiting for answers I suggest that you use the search for terms such as "SSO" and "kerberos".

You will quickly find the names of people to keep an eye out for or read the posts of.

In the "sticky thread on FAQ's" there is also a thread which will lead you to a general overview.

Cheers and enjoy the search...

Julius

tim_alsop · ‎09-16-2008

Kishore,

Julius has already suggested that you use search feature in SDN to find details regarding this solution as it is a common question asked in this forum. I would like to answer your specific questions - see below:

>


> 1) What is the pre requisite to logon to SAP without password? AD/etc...
You need AD as the Kerberos server, or you can use another Kerberos server if you like but most companies use AD. You also need to install an SNC library on each workstation where SAP GUI is installed, and also on the ABAP AS servers. This library can be obtained from a SAP partner if you are running SAP on UNIX or Linux, or if you are running SAP only on Windows you can get this library from SAP.
> 2) Can logon via. SAP Logon GUI be passwordless? If yes, what is the solution/technology? Also if passwordless GUI log on is possible, what will be situation where a system has more than one client? Will it prompt to enter the client number? 
Yes, SAP GUI logon is passwordless when using this method of authentication, and also the session between the GUI and SAP ABAP AS can be encrypted if you enable this in your configturation. Each Kerberos authenticated user can be mapped onto a specific SAP user + client or onto many SAP users and clients, in which case they are asked when they login which client they want to logon to for this particular login.
> 3) WIll SSO work across multiple landscapes like 4.7, MySAP, BW, Netweaver, etc? 
Yes.
> 
> I apologise ahead if I my questions are very vague. Kindly bear with me and point me to the right information, so that I can have the analysis of SSO ready for my company.

former_member248712 · ‎09-16-2008

Also check in service.sap.com/security under Security in Detail and Media Library Sections.

Also you may need to discuss with other Teams (like your compliance teams) in the company if SSO is way to go or not since it may violate some of your security policies.

AB

tim_alsop · ‎09-17-2008

Kishore,

My answer was specific to GUI with Kerberos authentication into AD. If you also want to use same functionality with Web access you can use a login module provided by SAP called SPNEGO login module. This login module is installed into a Java engine somewhere in your landscape. You can use this to support Web applications on ABAP AS using redirection.

Thanks,

Tim

Former Member · ‎09-17-2008

For completeness sake, I would like to mention that there are other technologies besides Kerberos to implement SSO, namely X.509 certificates. You should make a careful comparison first before deciding on a technology!

@Tim: Apparently, you survived the trip back home!

Former Member · ‎09-17-2008

Hello All - Thanks a lot of the quick response. I am very impressed by this forum. I will spend some time in SDN trying to find more information on SSO. RIght now, I like the SNC and X.509 certificates solutions so far. I will spend more time analyzing these two. We are looking for the effective, cheapest and easy to manage solution to implement in a very complex landscape.

I have one follow up quetsion. Will SAP help to setup SNC or X.509 solution for us than we working with the SAP partners. Any suggestions on SAP parteners with Reason to Believe facts that it had worked.

tim_alsop · ‎09-17-2008

>


> I have one follow up quetsion. Will SAP help to setup SNC or X.509 solution for us than we working with the SAP partners. Any suggestions on SAP parteners with Reason to Believe facts that it had worked.

Normally the SAP partner/vendor provides the help and documentation required to setup the solution. The company I work for offers the Kerberos solution and we normally provide documentation so that our customers can install the software and configure SNC themselves, and this normally takes just a few hours before they have a working solution - e.g. there is no need for any professional services.

tim_alsop · ‎09-17-2008

>


We are looking for the effective, cheapest and easy to manage solution to implement in a very complex landscape.

I suggest you contact the vendors who provide such solutions and ask them to advise you on the cost and how easy the product is to manage and setup, then you can compare and make a decision on which way to go.

former_member248712 · ‎09-17-2008

We are looking for the effective, cheapest and easy to manage solution to implement in a very complex landscape.

Effective, Easy to manage and Cheapest(rather I would call cost-effective) would not go together. You would get for what you pay..

Will SAP help to setup SNC or X.509 solution for us

Why not, SAP has its own consulting wing.

Any suggestions on SAP parteners with Reason to Believe facts that it had worked

Follow the Murphy's law.

AB

Former Member · ‎09-19-2008

Hi Guys - Iam back again. I am not sure if I need to open a new thread since I marked that my question was answerd. I had a chance to discuss the possibilties of enabling single sign on to GUI and my web with the experts in our company and we have the below questions. Since we already have Kerberos enabled in our workstations, we like the idea of installing SNC libraries.

1) Will SSO via. GUI using SNC libraries will work for all versions of SAP including 4.5, 4.6, mySAP, etc.. (I just want to ensure that I covered 4.5, 4.6, mySAP as well, as I didnot mention this in my previous post)?

2) Will installing SAPNEGO module enable single signon for web for all versions of SAP?

3) Is there a whitepaper or a source where we can verify the above so that can get approval to get help from the SAP or SAP partners to devise a SSO plan for our complex SAP landscape?

For some reason, our Security Architect believes that SSO via. GUI is not possible using SNC libraries. I need some data from a trusted source. I did lookup by searching for SSO in thge forums and hwite papers but I am unable to find a source that validates the information.

I will have one more follow up question to clarify but I will wait for the response to above. If I have to create a new thread, please let me know and i am happy to do so.

tim_alsop · ‎09-19-2008

>


> Hi Guys -  Iam back again. I am not sure if  I need to open a new thread since  I marked that my question was answerd. I had a chance to discuss the possibilties of enabling single sign on to GUI and my web with the experts in our company and we have the below questions. Since we already have Kerberos enabled in our workstations, we like the idea of installing SNC libraries. 
Good choice  Yes, you could have opened another thread, but I am happy to help you using this thread.
> 1) Will SSO via. GUI using SNC libraries will work for all versions of SAP including 4.5, 4.6, mySAP, etc.. (I just want to ensure that I covered 4.5, 4.6, mySAP as well, as I didnot mention this in my previous post)?
Yes, SNC is supported on versions of SAP ABAP AS since 3.1I through to NetWeaver 2004s and beyond. So, you can use same solution for all versions of SAP in your landscape, and on all platforms as long as the vendor product you use has libraries for the operating system.
> 2) Will installing SAPNEGO module enable single signon for web for all versions of SAP? 
Yes, this is one option as it uses Kerberos capability already included in IE browser and also in Firefox browser - there is therefore no client software required and you can utilise Kerberos credentials already on workstation.
> 3) Is there a whitepaper or a source where we can verify the above so that can get approval to get help from the SAP or SAP partners to devise a SSO plan for our complex SAP landscape?
As I explained before - some of this functionality is provided by SAP Partners so you need to contact one of them to ask for such papers. If you contact me I can give you a demonstration of this technology via a web meeting and answer any detailed questions you might have when you have seen it working. You might want to invite other people from your company as well.
> For some reason, our Security Architect believes that SSO via. GUI is not possible using SNC libraries. I need some data from a trusted source. I did lookup by searching for SSO in thge forums and hwite papers but I am unable to find a source that validates the information. 
I can show it to him working, or you can point him to http://www.cybersafe.com/d2 so he can see the products being installed and demonstrated.
> I will have one more follow up question to clarify but I will wait for the response to above. If I have to create a new thread, please let me know and i am happy to do so.
Since you have started on this thread you might as well continue. No need to confuse matters by opening new thread, but in future when a thread is closed it is better to open a new one if you have additional questions.

former_member248712 · ‎09-19-2008

Here's one link.

https://websmp209.sap-ag.de/~sapdownload/011000358700007185582000E/SSO_MIT_KERBEROS.PDF

AB

WolfgangJanzen · ‎09-20-2008

>1) Will SSO via. GUI using SNC libraries will work for all versions of SAP including 4.5, 4.6, mySAP, etc.. (I just want to ensure that I covered 4.5, 4.6, mySAP as well, as I didnot mention this in my previous post)?

Yes (see also Tim's reply).

Notice: SNC is the most suitable SSO mechanism for SAPGUI and RFC-based client access to ABAP systems. If your ABAP server is running on a Windows platform you can use the SNC libraries provided by SAP - otherwise you have to purchase a (certified) SNC partner product. SNC is based on the Generic Security Services API (GSS-API) and therefore abstracts from the actual security technology (Kerberos, PKI-based, Biometrics, Smartcard / Software solution, ...). The SNC libraries (for Windows) provided by SAP are pure software solutions which use the Security Services Provider Interface (SSPI) offered by the Microsoft operating system (SAP does not ship any cryptographic functions but only utilize the existing services provided by the OS).

> 2) Will installing SAPNEGO module enable single signon for web for all versions of SAP?

Notice: SPNEGO (I assume there was a typo) is only offered for NWAS Java - not NWAS ABAP. And there's also a release constraint (which I have to lookup searching for notes).

> 3) Is there a whitepaper or a source where we can verify the above so that can get approval to get help from the SAP or SAP partners to devise a SSO plan for our complex SAP landscape?

Documents (Whitepapers, etc.) can be found at http://service.sap.com/security. SAP also offered special security consultancy services (http://service.sap.com/securityconsulting) - in addition to the services provided by our partners, of course.

> For some reason, our Security Architect believes that SSO via. GUI is not possible using SNC libraries. I need some data from a trusted source. I did lookup by searching for SSO in thge forums and hwite papers but I am unable to find a source that validates the information.

Well, you can quote me ... (if you consider me a "trusted source")

And might might consider to contact the SAP Security Product Management (mail to security(at)sap.com). But it's better to check on the documents published on http://service.sap.com/security, first.