Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SSO configuration on SAPGUI

Go to solution
Former Member

‎02-15-2010 7:07 PM

0 Kudos

Hi.

I am working on sso configuration between ad,abap and portal.

I did use spnego for my portal sso connection and It works, now I want to use sso to Enabling SAPGUI to logon on R/3 .

Is it possible and how?

Any ideas are most welcome.

Cheer

Reza

1 ACCEPTED SOLUTION

Go to solution
tim_alsop
Active Contributor

‎02-15-2010 8:14 PM

0 Kudos

Reza,

Hello again !

If you search this forum you will find that this exact same question gets asked regularly. Basically it is implemented using SNC interfaces and a GSS-API library that uses Kerberos credentials from the workstation logon (just like the spnego method is using same credentials at browser).

I suggest you search the forum first and if you have any doubts or questions, please update this thread or close this thread if you are satisifed with what you found elsewhere on SDN.

Thanks,

Tim

9 REPLIES 9

Go to solution
tim_alsop
Active Contributor

‎02-15-2010 8:14 PM

0 Kudos

Reza,

Hello again !

If you search this forum you will find that this exact same question gets asked regularly. Basically it is implemented using SNC interfaces and a GSS-API library that uses Kerberos credentials from the workstation logon (just like the spnego method is using same credentials at browser).

I suggest you search the forum first and if you have any doubts or questions, please update this thread or close this thread if you are satisifed with what you found elsewhere on SDN.

Thanks,

Tim

Go to solution
Former Member
In response to tim_alsop

‎02-16-2010 1:12 PM

0 Kudos

Hi Tim.

I did search for information and I did find a lot of info. And I think is it ok and good, but my question is.

My R/3 server is on a Linux server.

Is it possible to use u201CSingle Sign-On with Microsoft Kerberos SSPu201D on Linux or I should use

u201CSingle Sign-On with Client Certificatesu201D.

Any help

Thanks Reza

Go to solution
tim_alsop
Active Contributor
In response to tim_alsop

‎02-16-2010 1:19 PM

0 Kudos

Hi,

Yes, it is possible to use an SNC library that supports x.509 certificates, or you can use an SNC library which supports Kerberos tickets. Both are available from SAP partners. If you want to use x.509 certificates, then you need to issue these certificates to users, but Kerberos tickets are already being issued to users when they logon to their domain account, and you are already using Kerberos with your browser SSO (via SPNEGO login module).

An example product which supports Linux and uses Kerberos can be found on SAP EcoHub at http://ecohub.sdn.sap.com/irj/ecohub/solutions/trustbrokersecureclient

Thanks,

Tim

Go to solution
tim_alsop
Active Contributor
In response to tim_alsop

‎02-16-2010 1:22 PM

0 Kudos

Reza,

If you visit http://forums.sdn.sap.com/search.jspa?objID=f208&q=snclinuxkerberos and click on first link shown you will also find the answer you need.

Thanks,

Tim

Go to solution
Former Member
In response to tim_alsop

‎02-16-2010 2:01 PM

0 Kudos

Tim,

If I did understand you right, you saying that I can use u201CSingle Sign-On with Microsoft Kerberos SSPu201D on Linux but I need a u2018third part productu2019?

Thans agin

Reza

Go to solution
tim_alsop
Active Contributor
In response to tim_alsop

‎02-16-2010 2:28 PM

0 Kudos

Reza,

Yes, this is correct. However, if you are brave and have the required skills you can download an open source implementation of Kerberos, compile it on your Linux server, configure it to work with SAP and use this library. You will not get any support and if SAP is not able to start due to some issue with the SNC library you will be stuck. The commercially available products have additional features and the vendors provide support to allow you to be confident that your users are always able to logon.

Regards,

Tim

Go to solution
Former Member
In response to tim_alsop

‎02-16-2010 2:51 PM

0 Kudos

Tim,

Thanks a lot for your fast reply. So it is not any way to configure SSO on Linux without changing any Kerberos cod or using u2018third part productu2019?

Any another ideas, what about using u201CSingle Sign-On with Client Certificatesu201D?

Reza

Go to solution
tim_alsop
Active Contributor
In response to tim_alsop

‎02-16-2010 3:32 PM

0 Kudos

Reza,

I thought I had explained this already.

If you want to use Kerberos, you have two options:

a) Use third party, SAP certified product.

b) Develop your own library using open source implementation of Kerberos.

if you want to use x.509 certificates, you have one option:

a) Use a product from the software vendor that provides an SNC library which support x.509 certificates. I cannot mention the name of this company in this forum. For this option you would need to install client software that issues certificates for the user, but if you use Kerberos instead (see above) you would be able to use the kerberos ticket already available after the user logs into the AD domain.

Thanks,

Tim

Go to solution
koehntopp
Product and Topic Expert
Product and Topic Expert
In response to tim_alsop

‎02-16-2010 4:51 PM

0 Kudos

The SAP EcoHub will point you to vendors for certified SNC products (I think Tim knows one of them well )

[http://ecohub.sdn.sap.com/irj/ecohub/solutions?query=snc|http://ecohub.sdn.sap.com/irj/ecohub/solutions?query=snc]

Frank.