08-20-2010 6:02 PM
Hi,
Does anyone know, when we do a POC to test various authentication methods from portal to backend (ECC), whether it's better to create a POC for each of the authentication methods, or whether we keep adding the different authentication mechanisms for single sign-on from the portal?
Or is it a good idea to keep enabling the mechanisms one at a time and then disable the others?
Can anyone suggest a good strategy for SSO?
The goals of the SSO POC are:
1. SPNEGO with SSL
2. SAML 1.0/2.0
08-29-2010 6:20 PM
Hi Franklin,
regarding your two mentioned scenarios:
1. Achieving SSO using Kerberos/SPNego
SPNego is only fully supported on SAP NetWeaver AS Java installations. On AS ABAP systems you have to check the requirements. Setting up SPNego using a NetWeaver AS Java is not a big issue anymore; please see note 1457499 (https://service.sap.com/sap/support/notes/1457499). For SSO between Portal and backend you can easily use MYSAPSSO2 logon tickets, if trust is set up and you have both application servers in the same (sub-)domain.
2. Achieving SSO using SAML
SAML 1.0/1.1 is supported on NetWeaver AS Java 6.40 and above. SAML 1.0/1.1 is not supported on NetWeaver AS ABAP systems. SAML 2.0 is supported on NetWeaver AS Java 7.20 as Identity Provider and Service Provider; NetWeaver AS ABAP 7.02 will probably support it as Service Provider. Since NetWeaver 7.02 is not released, you cannot use SAML 2.0 to achieve SSO to ECC. You can, however, use it for SSO to non-SAP systems or for Java systems.
Hope that helps you for planning your PoC.
Regards,
Martin
08-31-2010 9:57 AM
Hi Franklin,
It seems you didn't depict the question very clearly. Regarding SSO, firstly please be clear that SPNego/Kerberos is designed to achieve the SSO to portal/JAS, but not to the backend ECC/ABAP system.
i.e., just imagine what your users need to do:
1). log on to her/his PC
2). access the portal page
3). from portal, access the backend ECC/ABAP data/report... and etc.
so SPNego/kerberos can only be used for SSO from 1) to 2).
From 2) to 3), the most usual way is to use SAP Logon Ticket/Assertion Ticket.
I am sorry I don't know much about SAML, but if you have questions about SPNego/kerberos/LogonTicket, please feel free to let me know.
Thanks and best regards
Thunder Feng
08-31-2010 10:11 PM
>
> Hi Franklin,
>
> It seems you didn't depict the question very clearly. Regarding SSO, firstly please be clear that SPNego/Kerberos is designed to achieve the SSO to portal/JAS, but not to the backend ECC/ABAP system.
> i.e., just imagine what your users need to do:
> 1). log on to her/his PC
> 2). access the portal page
> 3). from portal, access the backend ECC/ABAP data/report... and etc.
>
> so SPNego/kerberos can only be used for SSO from 1) to 2).
> From 2) to 3), the most usual way is to use SAP Logon Ticket/Assertion Ticket.
Perfect, that was my exact plan; that is the decision in my documentation.
>
> I am sorry I don't know much about SAML, but if you have questions about SPNego/kerberos/LogonTicket, please feel free to let me know.
I think Martin has given good references here; still, I am confused about how iViews will work when I move the ESS and MSS content to the new portal.
Thank you very much for the good answer.