on 05-26-2011 5:41 AM
Dear Gurus,
We have decided to use NWBC 3.0 and would like to connect it to an ABAP system.
In SAPGUI we are using SNC for SSO; how do we configure SSO with NWBC to the ABAP system?
What are the options?
Please advise,
Dimitry Haritonov
Dimitry,
Thank you for starting a new thread for this question, instead of adding to an already closed thread.
The NWBC software requires SAP GUI to be installed, and any SAP GUI functionality is still supported, so you can use SAP GUI authentication via SNC, even with NWBC. Also, NWBC uses Web authentication, so you will need to consider how you want to authenticate users to your SAP system - maybe using a product that supports Active Directory authentication via a Web browser?
Tim
SNC would not be used for Web authentication, so in this case, you would need to configure Active Directory authentication on a Java stack, and change the ICF configuration of the service to redirect to the Java stack to authenticate the user, and then redirect back after creating an SSO2 ticket. This redirection happens without the user noticing, and the end result is that the user is logged into the ICF application using their Active Directory domain credentials.
Hi Tim,
>
> Can you explain how it will work exactly with the certificates ?
>
> Dimitry
You need to deploy/use a certificate authority (CA) (or a full PKI) so that users have certificates issued to them, and available to the browser. It is common for this kind of authentication to involve each user having a smart card to store their certificate. The user certificate would then be used to identify the user to the SAP system, using configuration in the ABAP stack. You can find info on setup of certificate authentication in SAP documentation. It is not easy, and can be very expensive. Most companies that I know don't do this; instead they install a Java stack somewhere and use Kerberos authentication, since there is no additional infrastructure required for using your Active Directory domain for authentication to SAP.
The browser opens a session with the application URL on the ABAP stack. The SICF configuration for this app will check if an SSO2 ticket is sent in the request. If not, it will redirect the browser to the Java stack, where the user will be authenticated and issued with an SSO2 ticket. After this authentication, the user is redirected back to the original URL where the SSO2 ticket is accepted and they will be logged in.
Dimitry,
The SICF configuration has a field for putting a redirect URL. This is standard SAP functionality. The question is, what URL do you give ... If you are using the product at http://ecohub.sap.com/catalog/#!solution:trustbrokeradapter then you would invoke a servlet included with this product which authenticates the user on the Java stack and redirects back to the original URL. Without this product I am not sure of any other way.
Thanks,
Tim
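The redirect flow described in the posts above (the ICF service checks for an SSO2 ticket, redirects to the Java stack, and accepts the ticket on return), as an added simulation that is not part of the thread and not SAP code. The host names, the `return` parameter, the ticket lifetime and the user `JDOE` are constructed, and an HMAC stands in for the issuing system's signature on the real ticket.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qs, urlencode, urlparse

COOKIE = "MYSAPSSO2"                                # cookie that carries the SAP logon ticket
JAVA_LOGIN = "https://java.example.test/sso/login"  # hypothetical Java stack login URL
ISSUER_KEY = b"constructed-demo-key"                # stand-in for the issuer's signing key
LIFETIME = 8 * 3600                                 # assumed ticket lifetime in seconds

def _sign(body: bytes) -> bytes:
    return hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest().encode()

def issue_ticket(user: str, now: float) -> str:
    body = f"{user}|{int(now) + LIFETIME}".encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body).decode()

def verify_ticket(ticket: str, now: float):
    """Return the user name, or None if the ticket is forged, malformed or expired."""
    try:
        b64, sig = ticket.split(".")
        body = base64.urlsafe_b64decode(b64)
        user, expiry = body.decode().split("|")
        ok = hmac.compare_digest(sig.encode(), _sign(body)) and int(expiry) > now
    except ValueError:
        return None
    return user if ok else None

def abap_icf(url, cookies, now):
    """ABAP side: accept a valid ticket, otherwise redirect to the Java stack."""
    user = verify_ticket(cookies.get(COOKIE, ""), now)
    if user:
        return 200, {"user": user}
    return 302, {"Location": JAVA_LOGIN + "?" + urlencode({"return": url})}

def java_stack(url, domain_user, now):
    """Java side: user already authenticated (e.g. Kerberos); issue ticket, send back."""
    back = parse_qs(urlparse(url).query)["return"][0]
    return 302, {"Location": back, "Set-Cookie": issue_ticket(domain_user, now)}

def browser(url, domain_user, now):
    cookies, hops = {}, []
    for _ in range(5):                  # bounded, so a rejected ticket cannot loop forever
        hops.append(url)
        handler = java_stack if url.startswith(JAVA_LOGIN) else abap_icf
        arg = domain_user if handler is java_stack else cookies
        status, hdr = handler(url, arg, now)
        if "Set-Cookie" in hdr:
            cookies[COOKIE] = hdr["Set-Cookie"]
        if status == 200:
            return hdr["user"], hops
        url = hdr["Location"]
    return None, hops
```

The ABAP side only logs the user in when the ticket verifies against the issuer's key and has not expired; a missing, tampered or stale ticket sends the browser back through the Java stack.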
Hi Tim,
>
> Can you explain how it will work exactly with the certificates ?
>
> Dimitry
As you have read in the press SAP has acquired some products of Secude.
Now SAP NetWeaver Single Sign-On Release 1.0 (http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/70d49577-5863-2e10-20a8-f6cd79adf434) [original link is broken] is available. Just for your information ...
Wolfgang,
Yes, SAP NetWeaver Single Sign-On 1.0 is available soon, and indeed (if customer wants) this product can be used to generate a certificate for the user at their workstation and this certificate can be then used by the browser to authenticate the user to the ABAP stack - there will then be no need to have any redirection to Java stack for BSP apps. This is an alternative to what I have previously discussed and anybody reading this might want to compare both options and look at the costs of each etc.
Thanks,
Tim