Application Development Discussions

SAPGUI SSO in a Heterogeneous Landscape / Cross Security Domains

Former Member

Hello,

As we look at SAML to solve some of these problems we are also needing to understand our options to allow access to SAP systems from non-domain connected clients. SAML deals with this for Web SSO. Are there any options for SAPGUI? Our domain connected PC's use the Kerberos configuration. What are our options for cross domain?

Thanks,

Doug


tim_alsop
Active Contributor

Doug,

When you refer to cross domain, are you referring to Active Directory domains?

If a user logs onto a domain PC and authenticates to MS AD, they get Kerberos credentials, and these can be used to authenticate them to a SAP system using SNC when the SAP system is configured to use Kerberos with SNC and has a service principal in the same domain as used by users, or in any other AD domain which trusts the user domain; with the trust, cross-realm Kerberos tickets are used when the user logs on. For example, it is common to have users in sub-domain.company.com and have the SAP systems registered in another-domain.company.com.

If a user logs onto a workstation which is in another domain and this domain is not trusted by the AD domain used by the SAP system, then, if you use the correct product, the user can be shown a SignOn screen during the SAP GUI logon and authenticate using a domain which is trusted; the logon will then be allowed to continue and the session will be secured in the same way as if the user were logged onto Windows using a trusted domain.

Tim

Edited by: Tim Alsop on May 19, 2011 7:39 PM

Former Member

Thanks Tim,

Yes. These are AD domains. The AD/Kerberos you describe is what we are using today and will continue to use.

Up front I have to say that I am neither a hard-core security nor a BASIS guy. I belong to a SAP technical app design group and we're being asked to investigate some new functionality now that we're on ECC6 (7.01) and EP7 NW7.1. Most has been around SAML, understanding what's available in which versions of SAP platforms, etc. Some of what is driving this, though, is some work underway on alternative ideas (some say crazy) on provisioning PCs, from user-provisioned to non-domain-connected. Add to the mix what is coming down the road for mobile solutions and it has us looking at our options.

If I understand you, you say there are third-party products that will authenticate the users on a trusted domain? Is there any way as part of SAPGUI logon to accept a token from a trusted party outside of your organization? This would be one scenario we may be interested in. And it may come down to using WebGui, where we can use WebSSO/SAML, but for now I am just trying to understand the options.

Thanks,

Doug

tim_alsop
Active Contributor

Doug,

The SAP GUI for Windows and SAP GUI for Java support user ID and password authentication, e.g. when the SAP user store has the user's password and the user's password is sent over the network with limited protection. Or, they support SNC authentication, which requires a cryptographic library that supports a cryptographic mechanism such as Kerberos. Since you are using MS AD internally and are familiar with this approach, you can use the same protocol for external users, or users who are using SAP GUI for Windows or Java and want to log on using SNC-secured sessions. The only thing you need is a product which includes an SNC library and also authenticates the user during their SAP logon, instead of assuming that the user's credentials from their Windows logon can be used. This means the user can log on to Windows using any domain or even a local account and they will be authenticated to a trusted domain when required, during the SAP GUI logon. I know a large number of SAP customers who are using this approach for external users, and for users at business partners who are logged onto Windows domains for their own company, which has no trust with the domain used by the company hosting the SAP systems.

Thanks

Tim
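For readers who want to see what the SNC pieces discussed in Tim's two replies look like in practice (the server-side Kerberos service principal that may sit in a different, trusting AD domain, and the SAP GUI client entry that requests an SNC-secured session), here is an added configuration example. It is not part of this thread and not any vendor's product. The profile parameters and saplogon.ini sections are the standard SAP ones, but the SID ABC, the realm CORP.EXAMPLE.COM, the hostname and the library path are assumed placeholders; which GSS-API library is used, and whether the user is prompted for trusted-domain credentials during logon, depends on the SNC product chosen.

```ini
# ==== Application server instance profile (assumed example, not from the thread) ====
# SID "ABC", realm "CORP.EXAMPLE.COM" and the library path are placeholders.

# Turn SNC on and point at the GSS-API v2 library supplied by your SNC product.
snc/enable = 1
snc/gssapi_lib = /usr/sap/ABC/SYS/exe/run/libsnc_gssapi.so

# The server's own SNC name. For Kerberos this is the AD service principal
# (p:<account>@<REALM>). The account may live in a different AD domain than
# the users, as long as that domain trusts the users' domain: cross-realm
# tickets are then issued transparently when the user logs on.
snc/identity/as = p:SAPServiceABC@CORP.EXAMPLE.COM

# Quality of protection: 1 = authentication only, 2 = integrity, 3 = privacy.
snc/data_protection/min = 2
snc/data_protection/max = 3
snc/data_protection/use = 3

# Transition settings. While accept_insecure_gui is 1, SAP GUI clients that
# do NOT use SNC can still log on with user ID and password, i.e. the
# "limited protection" path stays open. Set it to 0 once every SAP GUI
# client has been moved to SNC; the RFC/CPIC ones are usually kept at 1 for
# internal components that do not speak SNC.
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_cpic = 1
snc/accept_insecure_r3int_rfc = 1
snc/permit_insecure_start = 1

; ==== saplogon.ini on the client PC (assumed example, not from the thread) ====
; One entry, Item1, for the same system. SncName must match snc/identity/as
; on the server; SncChoice 9 asks for the maximum protection the server
; offers (-1 would disable SNC for this entry and fall back to password).
[Server]
Item1=sapabc.corp.example.com
[Database]
Item1=00
[Description]
Item1=ABC Production (SNC)
[SncName]
Item1=p:SAPServiceABC@CORP.EXAMPLE.COM
[SncChoice]
Item1=9
```

Two things still have to be in place for a logon to succeed: the user's Kerberos principal (for example p:doug@USERS.EXAMPLE.COM, a placeholder) must be mapped to their SAP user on the SNC tab of SU01, which stores the mapping in table USRACL, and the workstation must be able to obtain a ticket for the service principal, either from its own trusted domain logon or, in the non-trusted/non-domain case Tim describes, from credentials the SNC product prompts for during the SAP GUI logon.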

Former Member

Hi Tim,

This helps clear things up. We have a similar situation where we are logging onto a service provider's R3 system, but the architecture already requires a VPN tunnel, so we just have an entry in some users' saplogon.ini for the provider system and they simply log in using their R3 credentials. This is for a very small group of people. What you describe, I believe, would allow the same without VPN, but with the right network architecture of course: firewalls, app gateway, etc. Do you know any of the top vendors in this space?

Thanks,

Doug

tim_alsop
Active Contributor

This helps clear things up. We have a similar situation where we are logging onto a service provider's R3 system, but the architecture already requires a VPN tunnel, so we just have an entry in some users' saplogon.ini for the provider system and they simply log in using their R3 credentials. This is for a very small group of people. What you describe, I believe, would allow the same without VPN, but with the right network architecture of course: firewalls, app gateway, etc.

Yes, your understanding is correct.

Do you know any of the top vendors in this space?

Yes, I do. I work for the top vendor in this space, which is how I know about it.

Former Member

Ah... Well thanks for the info. Not sure where this will lead us but at least we know one vendor now.