cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

NWBC - SSO to ABAP system

Go to solution
Former Member

on ‎05-26-2011 5:41 AM

0 Kudos

Dear Gurus,

We have decided to use NWBC 3.0, we would like to connect it to ABAP system.

In SAPGUI we are using SNC for sso, how do we configure sso with NWBC to ABAP system ?

what are the options ?

Please advise,

Dimitry Haritonov

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

tim_alsop
Active Contributor
‎05-26-2011 7:46 AM
0 Kudos

Dimitry,

Thankyou for starting a new thread for this question, instead of adding to an already closed thread.

The NWBC software requires SAP GUI to be installed, and any SAP GUI functionality is still supported, so you can use SAP GUI authentication via SNC, even with NWBC. Also, NWBC uses Web authentication, so you will need to consider how you want to authenticate users to your SAP system - maybe using a product that supports Active Directory authentication via a Web browser ?

Tim

Show replies
Show replies
Former Member
‎05-26-2011 9:39 AM
0 Kudos

Hi Tim,

Thanks for the info. As I understand the first authentication is via ICM of ABAP (we user port 8000) for connection.

So How do we exactly use SNC for the first authentication ?

Dimitry

tim_alsop
Active Contributor
‎05-26-2011 9:48 AM
0 Kudos

SNC would not be used for Web authentication, so in this case, you would need to configure Active Directory authentication on a Java stack, and change the ICF configuration of the service to redirect to the Java stack to authenticate the user, and then redirect back after creating an SSO2 ticket. This redirection happens without the user noticing, and the end result is that the user is logged into the ICF application using their Active Directory domain credentials.

Former Member
‎05-26-2011 9:58 AM
0 Kudos

Hi Tim,

In our case, we don't have J2ee system.

We are using NWBC for connecting to ABAP system with SAPGUI transactions and WD applications.

what do you suggest ?

Dimitry

tim_alsop
Active Contributor
‎05-26-2011 10:02 AM
0 Kudos

If you don' t have, or don't want to deploy a Java system just to help with authentication, you would need to use the authentication methods which are supported on ABAP stack already, e.g. x.509 client certificates, user+password.

Former Member
‎05-26-2011 10:44 AM
0 Kudos

Hi Tim,

Can you explain how it will work exactly with the certificates ?

Dimitry

tim_alsop
Active Contributor
‎05-26-2011 10:48 AM
0 Kudos 
Hi Tim,
> 
> Can you explain how it will work exactly with the certificates ?
> 
> Dimitry

You need to deploy/use a certificate authority (CA) (or a full PKI) so that users have certificates issued to them, and available to browser. It is common for this kind of authentication to involve each user having a smart card to store their certificate. The user certificate would then be used to identify the user to the SAP system, using configuration in the ABAP stack. You can find info on setup of certificate authentication in SAP documentation. It is not easy, and can be very expensive. Most companies that I know don't do this, instead they install a Java stack somewhere and use Kerberos authentication, since there is no additional infrastructure required for using your Active Directory domain for authentication to SAP.

Former Member
‎06-15-2011 1:21 PM
0 Kudos

Hi Tom,

Regarding the NWBC and SPNEGO usage, you mentioned the redirection issue. Can you please explain how exactly it works ?

and how we manage the redirection exactly.

Thanks in advance,

Dimitry

tim_alsop
Active Contributor
‎06-15-2011 5:00 PM
0 Kudos

The browser opens session with application URL on ABAP stack. The SICF configuration for this app will check if an SSO2 ticket is sent in the request. If not, it will redirect browser to the Java stack, where the user will be authenticated and issued with an SSO2 ticket. After this authentication, the user is redirected back to the original URL where the SSO2 ticket is accepted and they will be logged in.

Former Member
‎06-16-2011 10:13 AM
0 Kudos

Hi Tom,

the redirection issue, is it a configuration issue(like in SICF) or a development ?

Dimitry

Edited by: Dima Haritonov on Jun 16, 2011 11:13 AM

tim_alsop
Active Contributor
‎06-16-2011 10:18 AM
0 Kudos

Hello Dimotry (I called you this because you called me Tom and my name is Tim)

Anyway, I don't understand your question.

Former Member
‎06-16-2011 10:25 AM
0 Kudos

Hi Tim ,

The redirection issue, from the SICF service to the external url (portal), is it configurable in SICF or

we need to implement a development for that ?

Regards,

Dimitry

tim_alsop
Active Contributor
‎06-16-2011 12:07 PM
0 Kudos

Dimitry,

The SICF configuration has a field for putting a redirect URL. This is standard SAP functionality. The question is, what URL do you give ... If you are using the product at http://ecohub.sap.com/catalog/#!solution:trustbrokeradapter then you would invoke a servlet included with this product which authenticates the user on the Java stack and redirects back to the original URL. Without this product I am not sure of any other way.

Thanks,

Tim

WolfgangJanzen
Product and Topic Expert
Product and Topic Expert
‎06-20-2011 9:36 PM
0 Kudos 
Hi Tim,
> 
> Can you explain how it will work exactly with the certificates ?
> 
> Dimitry

As you have read in the press SAP has acquired some products of Secude.

Now [SAP NetWeaver Single SIgn-On Release 1.0|http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/70d49577-5863-2e10-20a8-f6cd79adf434] [original link is broken]; is available. Just for your information ...

tim_alsop
Active Contributor
‎06-20-2011 10:52 PM
0 Kudos

Wolfgang,

Yes, SAP NetWeaver Single Sign-On 1.0 is available soon, and indeed (if customer wants) this product can be used to generate a certificate for the user at their workstation and this certificate can be then used by the browser to authenticate the user to the ABAP stack - there will then be no need to have any redirection to Java stack for BSP apps. This is an alternative to what I have previously discussed and anybody reading this might want to compare both options and look at the costs of each etc.

Thanks,

Tim

Answers (0)

Ask a Question