Gui 7.10 (XP) SSO -> ABAP (i5 aka AS/400)

Former Member
0 Kudos

We are a new and excited (so far) SAP customer - in blueprint phase - with Solution Manager running on i5/iSeries OS (IBM AS/400 h/w); SAP GUI 7.10 on Win XP/AD 2003. We have poor man's identity security to date: SAP LDAPsync pulls in user accounts+attributes from Active Directory. Imported accounts need a password reset on the ABAP side. The end-user is "requested" to match the password to the AD password upon first logon. An AD account, if disabled, has no direct effect on the ABAP side.

Wish to establish SSO, remove the repeat logon, and not allow SAP logon if the AD account is disabled. Don't know if portal is in our scope. And how does this all impact LDAPsync to CUA?

Suggestions appreciated! I hear/read logon tickets, SNC, Kerberos. Thank you!

1 ACCEPTED SOLUTION

tim_alsop
Active Contributor
0 Kudos

Randeep,

What you have described is a classic example of where SNC and Kerberos can help. Then the user will log on to the workstation using their AD account and password, open SAP GUI and be able to log on to SAP applications using the credentials which are already issued on the workstation for their AD domain account. The user will not have to log on twice, and you don't need to use a portal for this.

As I am sure you have read elsewhere, to achieve this you need to buy a product from an SAP partner that provides SNC Kerberos libraries. There are other SNC libraries available from some vendors that use X.509 certificates, but since your users are already authenticating with AD using a simple userid and password, the use of Kerberos will be easier for you.

Thanks,

Tim

10 REPLIES 10

tim_alsop
Active Contributor
0 Kudos

> Suggestions appreciated! I hear/read logon tickets, SNC, Kerberos. Thank you!

Logon tickets would only be used if you were logging on using a web browser, but you are not - you are using SAP GUI on Windows workstations, which is why you need to use SNC.

Former Member
0 Kudos

Tim,

Appreciate your answer(s). Yes, did read your other posts which made the solution comprehensible.

However, if in a later stage we do go the route of Enterprise Portal (even if just to ease out SSO pains), would the SNC/Kerberos investments need to be revisited?

If the answer with the portal is logon tickets, does a WinGUI user first need to authenticate off a portal/web link before invoking the WinGUI client?

Cheers

tim_alsop
Active Contributor
0 Kudos

Randeep,

If you were going to use EP in future and will no longer use SAP GUI, then you will not need/use SNC/Kerberos, but you can use Kerberos for authentication to EP instead. When using Kerberos with EP, this is used for initial authentication so that EP can know who is logged on at the workstation; then this id is mapped onto an SAP user, and an SSO2 ticket is issued. The SSO2 ticket is just used so the user does not need to authenticate every time they open a page - instead they authenticate using Kerberos only when they first open the browser and access EP, and then the SSO2 ticket is used until they close the browser.

Thanks,

Tim

Former Member
0 Kudos

Tim

I am being informed EP and WinGUI will most likely co-exist. In that scenario, where does SSO for either implementation overlap?

tim_alsop
Active Contributor
0 Kudos

Randeep,

Yes, this is correct. The Windows GUI will very easily co-exist with EP. Many of our customers have a range of requirements - some users use SAP GUI on Windows, some users use EP, some users use both - they all work together, and from the user's point of view they get authenticated as the same user regardless of which method they use to log on to the SAP system.

Thanks,

Tim

tim_alsop
Active Contributor
0 Kudos

> Tim
>
> I am being informed EP and WinGUI will most likely co-exist. In that scenario, where does SSO for either implementation overlap?

I am not sure what you mean by overlap - with EP the user is using a browser, and for SAP GUI the user is using SNC into the ABAP engine, so there is no overlap from a technology point of view. If you are using mapping to map the authenticated user id onto an SAP user, then you need to use the same mapping rules for both methods of logon, so I guess this is an area that is relevant to both.

Thanks,

Tim

Former Member
0 Kudos

To clarify, by overlap, I was referring to whether a WinGUI user would have to "first" authenticate off a web link, retrieve a logon ticket and "then" invoke the thick client for SSO - or am I incorrect in assuming logon tickets as the modus for WinGUI auth (which would mean SNC is the only option for WinGUI in this case)?

Cheers!

tim_alsop
Active Contributor
0 Kudos

Randeep,

The WinGUI is a Windows application, and uses SNC. It does not require the user to first authenticate using a web link. The authentication is done by the SNC library installed on the workstation.

I believe it is also possible, but not widely used because of security issues, to log on to the SAP application via a web browser, authenticate the user in this browser using any method available, and then an SSO2 ticket will be issued. This SSO2 ticket can be used by an ActiveX control to launch WinGUI on the workstation, and it will use this SSO2 ticket to authenticate the user when they log on. Perhaps this is what you are thinking about? If so, it will not require SNC, but when you do this SNC is strongly recommended, otherwise the SSO2 ticket is being passed across the network unprotected and therefore it is not secure - if you enable SNC as well, then you might as well use SNC to authenticate the user and not require an SSO2 ticket ...

Tim
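The two configuration points Tim's answers come down to are that SAP GUI logons should be forced through SNC, and that an SSO2 ticket is only safe to accept from SAP GUI when the connection carrying it is SNC-protected. The following script is an added example, not something posted in this thread or shipped by SAP or any SNC vendor: it parses a constructed instance-profile fragment and flags the SNC-related parameters a reviewer would check after a Kerberos SNC rollout. The parameter names (`snc/enable`, `snc/accept_insecure_gui`, `snc/accept_insecure_rfc`, `snc/data_protection/min`, `login/accept_sso2_ticket`) are real NetWeaver ABAP profile parameters; the library path and service identity values are placeholders, and the defaults assumed for unset parameters are noted in the code as assumptions.

```python
"""Audit SNC-related settings in an SAP NetWeaver ABAP instance profile.

Added example for this thread (not SAP's or a vendor's code).  It reads
'key = value' profile lines and reports settings that would let a SAP GUI
or RFC client bypass SNC, or that would accept an SSO2 ticket over a
connection that SNC does not protect.
"""
import re

# Constructed sample profiles; paths and identities are placeholders.
WEAK_PROFILE = """\
# constructed instance profile: SNC switched on but not enforced
snc/enable = 1
snc/gssapi_lib = /PLACEHOLDER/path/to/snc_library.so
snc/identity/as = p:PLACEHOLDER_SERVICE_IDENTITY
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/data_protection/min = 1
snc/data_protection/use = 1
login/accept_sso2_ticket = 1
"""

HARDENED_PROFILE = """\
# constructed instance profile: SNC enforced, privacy protection required
snc/enable = 1
snc/gssapi_lib = /PLACEHOLDER/path/to/snc_library.so
snc/identity/as = p:PLACEHOLDER_SERVICE_IDENTITY
snc/accept_insecure_gui = 0
snc/accept_insecure_rfc = 0
snc/data_protection/min = 3
snc/data_protection/use = 3
login/accept_sso2_ticket = 1
"""

# SNC quality-of-protection levels as used by snc/data_protection/*.
PROTECTION_LEVELS = {"1": "authentication only", "2": "integrity", "3": "privacy"}

# Assumed values when a parameter is absent from the profile (kernel
# defaults may differ between releases; verify with RZ11 on a real system).
ASSUMED_DEFAULTS = {
    "snc/accept_insecure_gui": "0",
    "snc/accept_insecure_rfc": "0",
    "snc/data_protection/min": "2",
    "login/accept_sso2_ticket": "0",
}


def parse_profile(text):
    """Return {parameter: value}; blank lines and '#' comments are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = re.match(r"^([^=\s]+)\s*=\s*(.*)$", line)
        if match:
            params[match.group(1)] = match.group(2).strip()
    return params


def audit_snc(params):
    """Return a list of (parameter, value, reason) for weak SNC settings."""
    findings = []
    enable = params.get("snc/enable", "0")
    if enable != "1":
        findings.append(("snc/enable", enable,
                         "SNC disabled: GUI passwords and SSO2 tickets cross the network unprotected"))
        return findings  # remaining SNC checks are meaningless with SNC off

    def get(name):
        return params.get(name, ASSUMED_DEFAULTS[name])

    gui = get("snc/accept_insecure_gui")
    if gui in ("1", "U"):  # 1 = all users, U = users flagged in SU01
        findings.append(("snc/accept_insecure_gui", gui,
                         "SAP GUI logons without SNC are still accepted"))

    rfc = get("snc/accept_insecure_rfc")
    if rfc in ("1", "U"):
        findings.append(("snc/accept_insecure_rfc", rfc,
                         "RFC logons without SNC are still accepted"))

    minimum = get("snc/data_protection/min")
    if minimum != "3":
        level = PROTECTION_LEVELS.get(minimum, "unknown")
        findings.append(("snc/data_protection/min", minimum,
                         f"minimum protection is '{level}'; privacy (3) encrypts the session"))

    # The point from the thread: a ticket accepted from SAP GUI is only as
    # safe as the connection it arrives on, so flag it when SNC is bypassable.
    if get("login/accept_sso2_ticket") == "1" and gui in ("1", "U"):
        findings.append(("login/accept_sso2_ticket", "1",
                         "SSO2 tickets accepted while non-SNC GUI logons are allowed"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        result = audit_snc(parse_profile(text))
        print(f"{label}: {len(result)} finding(s)")
        for name, value, reason in result:
            print(f"  {name} = {value}: {reason}")
```

Run it as-is and the weak profile produces four findings while the hardened one produces none; the hardened profile deliberately keeps `login/accept_sso2_ticket = 1` to show that accepting tickets is not itself flagged once insecure GUI logons are rejected.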

Former Member
0 Kudos

Thanks

Edited by: Randeep Ghai on Oct 15, 2008 3:43 PM