Single Sign On: user logon trace

pablo_marn
Active Participant
0 Kudos

Hi gurus,

I need to know when a user has logged in to our system using SSO, or if he has used his password, but I can't find anything about it.

Could you tell me how I can log this parameter?

Thank you

Pablo

16 REPLIES

Bernhard_SAP
Employee
0 Kudos

Hi Pablo,

From my knowledge the way of logging on is not recorded (also not in SM19). There is only one way to trace the way of logging in, which should be used only for the short term (as the data volume is high), as per SAP Note 495911 (https://service.sap.com/sap/support/notes/495911).

b.rgds,

Bernhard

WolfgangJanzen
Product and Topic Expert
0 Kudos

> from my knowledge the way of logging on is not recorded (also not in SM19).

Sorry, that's wrong - of course this information is contained in the Security Audit Log entry.

0 Kudos

And where can I find this information? How can I access it?

0 Kudos

Hi,

Use TCODE SM20 for analysing the audit logs.

Regards

0 Kudos

I just checked and the SM19 logs only give the Type of login and the result, but not the Authentication method.

I remember a similar thread a while ago which discussed the various options available (including both the audit log and the trace mentioned by Bernhard).

The search indexes are currently not working very well, but I will add a link to it when I find it (or you might find it first).

Found via google =>

Cheers,

Julius

Edited by: Julius Bussche on Jan 15, 2009 12:02 PM

Added reference.

0 Kudos

Thanks Rajvansh,

I know this trax. But when I audit login events and look for the access type, I have just these options:

The user has logged onto the system.

Possible Types (= Access Types):

A  = Dialog logon (SAPGUI)
B  = Background job start
H = HTTP logon
U = User switch (internal call)
' ' = Password check (API, internal call)

SSO and password access have the same type "A". Here are two examples:

11:46:59 XXXXX XXXX SESSION_MANAGER SAPMSYST Logon Successful (Type=A)

11:47:08 XXXXX XXXX SESSION_MANAGER SAPMSYST Logon Successful (Type=A)

Could you help me??

WolfgangJanzen
Product and Topic Expert
0 Kudos

> And where can I find this information? How can I access it?

Are you looking for a programmatic check?

If yes, for which purpose?

The Security Audit Log is controlled by ABAP transactions SM19 and SM20.

This allows you to audit events (SM20 looks similar to the System Log, SM21).

0 Kudos

Hello Wolfgang,

I just need to know which users are using SSO and which are using the traditional logon method.

Best regards

0 Kudos

Thank you very much Julius.

I realize that the size of these logs is a problem, and I need a permanent solution. Maybe it would be a good idea to develop a Z program to extract the relevant information from them (for example, each night or more frequently) and clear the files.

What do you think about this?

WolfgangJanzen
Product and Topic Expert
0 Kudos

> I just checked and the SM19 logs only give the Type of login and the result, but not the Authentication method.

Oh, well - I was wrong.

Yes, only in case of unsuccessful logon attempts the return code is contained in the audit log. And the return code is a clear indicator (see SAP Note 320991) for the attempted authentication method.

So it's true - the Security Audit Log does not tell you how the user was authenticated.

WolfgangJanzen
Product and Topic Expert
0 Kudos

> Hello Wolfgang,
>
> I just need to know which users are using SSO and which are using the traditional logon method.
>
> Best regards

For which purpose?

If for auditing, then the Security Audit Log should be enriched by the missing feature (to log also the "effective authentication method" respectively the "attempted authentication method"). Unfortunately that feature request requires a coordinated ABAP and kernel patch; most likely it will be rejected (for shipped releases).

If you intend to programmatically check on the "effective authentication method" in order to use this for access control decisions, then the answer is: sorry, but we do not offer such a feature.

Assuming that you intend to simply log which user is using SNC when logging onto an ABAP system with SAPGUI, then there is a kind of solution for you:

you can use the existing SAPGUI logon user-exit (see SAP Note 37724) to call function module SNC_GET_MY_INFO in order to check whether your communication partner (= SAPGUI) has a (valid) SNC name (PNAME_USER NE SPACE). In that particular case, this is equivalent to "user has authenticated via SNC". And I assume that this is what you intended (notice: you cannot determine whether the user has logged onto the system using SAPGUI with SAP Logon Tickets, i.e. when using some Portal iViews).

0 Kudos

> Oh, well - I was wrong.

I was also sure that I had seen something like it before.

> Yes, only in case of unsuccessful logon attempts the return code is contained in the audit log. And the return code is a clear indicator (see SAP Note 320991) for the attempted authentication method.

So you were half correct, but the wrong half

I guess that as an information source (to be able to do something to a set of users) one could see whether the user is still using the password even though they have other authentication methods available by the fact that they change the passwords (or simply instruct the system to delete the password when they use a non-ABAP password to authenticate).

For forensics, this might be a bit more difficult though (except for initial passwords used for the first time). But there might be some obscure way of finding out. Unfortunately I cannot remember exactly what my idea was in the thread with Tim (see link above) - but in the end it was not viable if I do remember that part correctly.

I will dig around in my mails to see whether I can find it.

Cheers,

Julius

0 Kudos

Thank you very much for your answers.

0 Kudos

Hi Pablo,

I know it's an old thread, but I would still like to know whether you got the solution you were looking for.

I am also looking for information about the tables or the place where SAP stores the information about the authentication method which a user used to log on to the SAP system, for example like below:

Logon successful (type=A, method=P ) - Means user logged on using SAP GUI using user name and password

Logon successful (type=A, method=H) - Means user logged on using SSO.


Please share the information with me if you have answers.


Regards,

Krishna R

0 Kudos

Hi Krishna,

We are using SSO to log in to the SAP system. I have checked the SM20 logs for myself.

I see multiple entries with Logon Type as 'A' & 'B' and method as 'T' & 'P'. I don't know why the logon method is shown as 'P' when I always log in with SSO.

Regards,

Surya
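
Added example, not part of the original thread and not SAP code: a sketch that tallies, from a text export of SM20 entries, which users log on with a password. It assumes the column layout of the two lines quoted earlier in the thread, the `method=` field in the form shown in the posts above, and that `P` means password as described there; the thread does not give the meaning of other method codes, so they are only grouped as "other".

```python
import re
from collections import defaultdict

# Constructed sample in the layout quoted in the thread. Assumed columns:
# time, terminal, user, transaction, program, message.
SAMPLE = """\
11:46:59 PC0001 ALICE SESSION_MANAGER SAPMSYST Logon Successful (Type=A)
11:47:08 PC0002 BOB SESSION_MANAGER SAPMSYST Logon successful (type=A, method=P)
11:49:30 PC0003 CAROL SESSION_MANAGER SAPMSYST Logon successful (type=A, method=T)
11:52:11 PC0002 BOB SESSION_MANAGER SAPMSYST Logon successful (type=B, method=P)
12:01:45 PC0003 CAROL SESSION_MANAGER SAPMSYST Logon successful (type=A, method=P)
12:03:00 PC0004 DAVE SE38 RSUSR000 Report started
"""

PASSWORD_METHOD = "P"  # assumption taken from the thread: method=P is password
LOGON_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\s+(?P<terminal>\S+)\s+(?P<user>\S+)\s+.*?"
    r"Logon successful \(type=(?P<type>[^,)]*)(?:,\s*method=(?P<method>[^)\s]*)\s*)?\)",
    re.IGNORECASE,
)

def parse_logons(text):
    """Return one dict per successful-logon line; method is None if not logged."""
    events = []
    for line in text.splitlines():
        m = LOGON_RE.search(line)
        if m:
            events.append({"user": m["user"],
                           "type": m["type"].strip().upper(),
                           "method": (m["method"] or "").strip().upper() or None})
    return events

def classify_users(events, logon_type="A"):
    """Map user -> 'password', 'mixed', 'other' or 'unknown' for one access type."""
    seen = defaultdict(set)
    for e in events:
        if e["type"] == logon_type:
            seen[e["user"]].add(e["method"])
    result = {}
    for user, methods in seen.items():
        known = methods - {None}
        if not known:
            result[user] = "unknown"   # entry carries Type only, as in the 2009 posts
        elif known == {PASSWORD_METHOD}:
            result[user] = "password"
        else:
            result[user] = "mixed" if PASSWORD_METHOD in known else "other"
    return result
```

Users classified as "unknown" have only entries without a method field, which is the situation described in the 2009 replies: the entry alone cannot tell SSO from password logon.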

0 Kudos

Hi,

Did you get any solution for the above requirement?

Thank you

Santosh Lad