Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SSO from portal to backend ECC

Former Member

‎08-20-2010 6:02 PM

0 Kudos

Hi ,

Does anyone know when we do POC to test varous authentication methods from portal to backend (ECC), its better to create POC for each of the authentication methods? or we keep adding the different authentication mechanisms for single sign on from portal .

or is it a good idea to keep enabling the mechanism one at a time and then disable the others?

Can anyone suggest a good strategy for SSO

Goal of the SSO POC is

1. SPNEGO with SSL

2. SAML 1.0/2.0

3 REPLIES 3

Former Member

‎08-29-2010 6:20 PM

0 Kudos

Hi Franklin,

regarding your two mentioned scenarios:

1. Achieving SSO using Kerberos/SPNego

SPNego is only fully supported on SAP NetWeaver AS Java installations. On AS ABAP systems you have to check the requirements. Setting up SPNego using a NetWeaver AS Java is not a big issue anymore, please see note [1457499|https://service.sap.com/sap/support/notes/1457499]. For SSO between Portal and backend you can easily use MYSAPSSO2 logon tickets, if trust is setup and you have both application servers in the same (sub-)domain.

2. Achieving SSO using SAML

SAML 1.0/1.1 is supported on NetWeaver AS Java 6.40 and above. SAML 1.0/1.1 is not supported on NetWeaver AS ABAP systems. SAML 2.0 is supported on NetWeaver AS Java 7.20 as Identity Provider and Service Provider, on NetWeaver AS ABAP 7.02 will probably do support it as Service Provider. Since NetWeaver 7.02 is not released, you cannot use SAML 2.0 to achieve SSO to ECC. You can however use it for SSO to non-SAP systems or for Java systems.

Hope that helps you for planning your PoC.

Regards,

Martin

thunder_feng
Active Participant

‎08-31-2010 9:57 AM

0 Kudos

Hi Franklin,

It seems you didn't depict the question very clear. Regarding SSO, firsty please be clear that SPNego/Kerberos is desinged to achieve the SSO to portal/JAS, but not to the backend ECC/ABAP syste.

i,e, just image what your users need to do:

1). logon her/his PC

2). access the portal page

3). from portal, access the backend ECC/ABAP data/report... and etc.

so SPNego/kerberos can only be used for SSO from 1) to 2).

From 2) to 3), the most usual way is to use SAP Logon Ticket/Assertion Ticket.

I am sorry I don't know much about SAML, but if you have questions about SPNego/kerberos/LogonTicket, please feel free to let me know.

Thanks and best regards

Thunder Feng

Former Member
In response to thunder_feng

‎08-31-2010 10:11 PM

0 Kudos

>

> Hi Franklin,

>

> It seems you didn't depict the question very clear. Regarding SSO, firsty please be clear that SPNego/Kerberos is desinged to achieve the SSO to portal/JAS, but not to the backend ECC/ABAP syste.

> i,e, just image what your users need to do:

> 1). logon her/his PC

> 2). access the portal page

> 3). from portal, access the backend ECC/ABAP data/report... and etc.

>

> so SPNego/kerberos can only be used for SSO from 1) to 2).

> From 2) to 3), the most usual way is to use SAP Logon Ticket/Assertion Ticket.

Perfect that was my exact plan, that is decision in my documentation

>

> I am sorry I don't know much about SAML, but if you have questions about SPNego/kerberos/LogonTicket, please feel free to let me know.

I think here Martin has given good references, still I am confused about how Iviews will work when I move the ESS and MSS content to the New portal.

Thank you very much for the good answer