Single sign on for portal

Former Member
Hi Friends,

I have a system where AS Java is the portal and AS ABAP is ECC at the backend.

At the moment my UME is ABAP.

Now we need to configure single sign-on based on Active Directory. In future we might go for SSO from Citrix.

Citrix uses users from Active Directory only.

What would be the best solution to implement single sign-on?

What would be the best method? I mean SAP logon ticket, X.509, Kerberos?

Any document for LDAP installation and configuration?

Please guide me.

Thanks

Sachin


p330068
Active Contributor
Hi Sachin,

Please have a look at http://www.sdn.sap.com/irj/sdn/security

Hope it helps.

Regards

Arun

tim_alsop
Active Contributor
Sachin,

When a user logs onto a Citrix server using an Active Directory account, Kerberos tickets are issued by Active Directory, so any client app running on the Citrix server can use these credentials for SSO. If you use Kerberos for portal SSO, then the same credentials can be used for browser-based logon to SAP applications such as the portal.

There is a login module provided by SAP called the SPNEGO login module which uses Kerberos to authenticate the user in the way I have described above. There are also third party products which provide similar and/or better functionality to use Kerberos for SSO. You can find them by searching SAP EcoHub for SPNEGO.

When Kerberos is used to log on to the portal, as described above, an SSO2 ticket is created and stored in the browser as a cookie, and then used for subsequent page accesses to avoid re-authentication. I mention this because you asked about using SAP logon tickets, which are SSO2 tickets.

Thanks,

Tim

Former Member
Hi Tim

Thanks for the response.

I am planning to deploy SAP logon ticket for SSO; can it also work with Citrix?

Where can I find crystal clear documents for SSO, any idea?

Appreciate your help!

BR/Sachin

tim_alsop
Active Contributor
> Hi Tim
> Thanks for the response.

> I am planning to deploy SAP logon ticket for SSO; can it also work with Citrix?

I already answered this question in my last post. Yes is the answer. Please note that SAP logon ticket = SSO2 ticket.

> Where can I find crystal clear documents for SSO, any idea?

There is a lot of documentation regarding SAP SSO on SDN, and products are available from third party vendors and described on SAP EcoHub.

> Appreciate your help!

I look forward to helping more, if required.

> BR/Sachin

Former Member

I updated the SSO section of the FAQ sticky thread thanks to some suggestions from Gowrinadh Challagundla and will be adding more in the next days.

You might want to consider using the search as well for general questions. In the FAQ thread we try to maintain the good and interesting ones only as it has many views.

Cheers,

Julius

Former Member
Hi

Appreciate your help...

Please see my scenario...

My client has shared PCs at the distribution center (DC). They have a shared login user ID for those PCs.

This shared user ID does not belong to any personal ID. This ID is also maintained in Active Directory.

Now the scenario is: the portal link is maintained in the intranet.

If a user logs in to the intranet, he will click on the portal link, and the system should authenticate based on the intranet ID.

The intranet ID is the same as the Windows login ID, as they also authenticate from Active Directory.

So can we configure SSO based on the intranet login?

If yes, what could be the best solution?

Thanks a lot.

Sachin,

So, you have a shared logon to the PC, which is not a user's login ID but one which is used to get access to the Windows desktop only - correct?

You want to set up portal authentication so that a user can visit this shared PC and log on to the portal as themself, using their Active Directory user ID and password when asked for a password?

Thanks,

Tim

Tim

Correct, but with a little correction.

Yes, they use a shared PC, but after they log in to the intranet (their internal website) using their Active Directory ID, they get a tab "MyPortal", which is the SAP portal (ESS) link. If they click on the tab, they should be authenticated based on the intranet.

I mean single sign-on should work.

Many thanks ...

Sachin,

So, is this correct:

1. Somebody logs onto the shared PC using an Active Directory account (e.g. common_user).

2. A user visits the PC, opens a web browser and accesses the company intranet website. On this website they have a link to access the SAP portal, so they click on this link.

3. When the user clicks on the link to access the SAP portal, you want them to be asked for their personal AD account/password so that they can be authenticated to the SAP portal as themself, and not as common_user.

OK?

Tim

> Yes, they use a shared PC, but after they log in to the intranet (their internal website) using their Active Directory ID.

When a user logs onto this internal website, are they authenticated as themselves? If so, I assume this website asks them to enter their AD account name and password?

Do you want this to be the only authentication required, e.g. the user logs onto this internal intranet website, and when they log on to the portal they are not asked for a password again?

Hi Tim

Yes.

common_user should not be able to access the SAP portal.

A user who logged in to the intranet using his Active Directory ID should be able to access the portal without being asked for his ID and password again.

Can you guide me on this scenario?

Thanks!

Sachin

Sachin,

Sorry for so many questions, but it is important for me to understand your exact requirement and not make assumptions.

Next, I need to know what technology your intranet portal is based on. Is it based on MS SharePoint, or something else? Basically you will need to use something which has been issued during this intranet logon to authenticate the user to the SAP portal, and therefore avoid re-authentication.

Tim

Tim

The intranet was developed using .NET, with MS SQL as the database.

Thanks

Sachin

Sachin,

There are two options:

Option 1

- User logs onto the intranet portal using AD account and password. I assume that to support shared workstations, this portal is configured to use basic authentication.

- User clicks on the link to access the SAP portal, and is again presented with a SAP login screen where he/she must enter their AD account and password - the same as entered when accessing the intranet.

Option 2

- User logs onto the intranet portal using AD account and password, when asked.

- User clicks on the link in the portal and is taken to the SAP portal without being asked for user ID and password.

Option 1 is easy, but Option 2, which I suspect is what you want, is not easy. There are many ways to implement Option 2, and some are not very secure, and the secure methods are complex.

I also assume that you have other users who log onto the intranet and portal but are not using shared workstations, so you want these to work without asking the user for intranet ID/password, since they entered this when they logged onto their Windows workstation.

This is certainly not a simple case of SSO.

Thanks,

Tim


Sachin,

Is this the same customer/project as described at /message/9139431#9139431 [original link is broken] ?

Thanks

Tim


Yes.


I thought they looked similar !

Anyway, the situation you described for handling shared workstations and being able to log on to the intranet first (Option 2) needs to be solved. The hard part, which is hard to secure, is linking the Microsoft IIS server authentication (e.g. intranet portal) to the authentication of the user when logging onto the SAP portal. You can do this by making IIS a reverse proxy for the SAP portal, and HTTP header variables are sometimes useful.

Thanks,

Tim
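The header-variable approach Tim mentions is exactly where the "hard to secure" part lives: if the SAP portal takes the user name from an HTTP header set by the IIS reverse proxy, the backend must accept that header only from the proxy and never from whatever the client itself sent, otherwise anyone on the shared PC could pick an arbitrary account. The Python below is an added illustration and is not code from this thread, from SAP or from Microsoft. The header names X-Remote-User and X-Remote-User-Sig, the proxy address and the shared key are constructed for the example, and the HMAC check stands in for whatever trust mechanism (network isolation, TLS client certificate, signed header) is actually deployed between IIS and the portal.

```python
import hashlib
import hmac
from typing import Mapping, Optional

# Constructed values for this example: the address the IIS reverse proxy
# connects from, and a secret shared only between the proxy and the backend.
PROXY_ADDRESSES = {"10.0.0.5"}
PROXY_KEY = b"constructed-shared-secret-rotate-me"

USER_HEADER = "X-Remote-User"      # hypothetical header carrying the AD account
SIG_HEADER = "X-Remote-User-Sig"   # hypothetical HMAC over that header's value


def sign_user(user: str, key: bytes = PROXY_KEY) -> str:
    """HMAC-SHA256 the proxy attaches so the backend can tell its own header from a forged one."""
    return hmac.new(key, user.encode("utf-8"), hashlib.sha256).hexdigest()


def proxy_forward(client_headers: Mapping[str, str], authenticated_user: str) -> dict:
    """What the reverse proxy must do after IIS has authenticated the user:
    drop any copy of the trusted headers the client sent itself (otherwise a
    visitor on the shared PC could claim to be someone else), then set them
    from the proxy's own authentication result."""
    stripped = {name.lower() for name in (USER_HEADER, SIG_HEADER)}
    forwarded = {k: v for k, v in client_headers.items() if k.lower() not in stripped}
    forwarded[USER_HEADER] = authenticated_user
    forwarded[SIG_HEADER] = sign_user(authenticated_user)
    return forwarded


def naive_user_from_request(headers: Mapping[str, str], remote_addr: str) -> Optional[str]:
    """The insecure variant: whoever sets the header is believed.
    remote_addr is ignored on purpose, which is the defect."""
    return headers.get(USER_HEADER)


def hardened_user_from_request(headers: Mapping[str, str], remote_addr: str) -> Optional[str]:
    """Backend-side check: honour the header only when the request arrives from
    the proxy and the proxy's signature over the user name verifies."""
    if remote_addr not in PROXY_ADDRESSES:
        return None
    user = headers.get(USER_HEADER)
    sig = headers.get(SIG_HEADER)
    if not user or not sig:
        return None
    if not hmac.compare_digest(sig, sign_user(user)):
        return None
    return user


if __name__ == "__main__":
    # Constructed request 1: a browser on the shared PC reaches the backend
    # directly and supplies the header itself.
    forged = {USER_HEADER: "admin", "Accept": "text/html"}
    print("direct, naive    :", naive_user_from_request(forged, "192.0.2.10"))     # admin
    print("direct, hardened :", hardened_user_from_request(forged, "192.0.2.10"))  # None

    # Constructed request 2: the same browser goes through the proxy, where IIS
    # authenticated the person as 'sachin'; the forged header is discarded.
    via_proxy = proxy_forward(forged, "sachin")
    print("proxied, hardened:", hardened_user_from_request(via_proxy, "10.0.0.5"))  # sachin
```

Two controls are needed together: the proxy strips client-supplied copies of the trusted headers, and the backend refuses the header unless it can tell the request came from the proxy. Relying on the source address alone is weak once anything else can reach the backend port, which is why the example also binds the user name to a proxy-held secret.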

Hi Tim

Thanks for the valuable input...

Where can I find all those expertise details/documents?

BR/ Sachin

> Hi Tim
>
> Thanks for the valuable input...
> Where can I find all those expertise details/documents?

My expertise is in my head.

> BR/ Sachin

hehe

Anyway, thanks for the extended help....

Sachin

Tim

Can we configure SSO with a SAP instance which has a local installation, I mean not a domain controller installation?

If yes, what method can we use?

Thanks


Sachin,

For ABAP SSO, if you are running SAP NetWeaver on Windows Server, your Windows Server needs to be joined to a domain if you are using the SNC library provided by SAP. If you are using an SNC library from a partner, this might not be the case. I know that the product described at http://ecohub.sdn.sap.com/irj/ecohub/solutions/trustbrokersecureclient does not require the Windows server to be joined to the domain - it also supports UNIX and Linux servers.

For Java SSO, I am not sure of restrictions with login modules provided by SAP, but I think they don't need domain membership to work. Same for third party login modules.

Thanks,

Tim