Best way to achieve SSO

Former Member
0 Kudos

We are in the middle of a new ECC 6/CRM 7 implementation and would like to know the best way to accomplish SSO in our environment so that both the regular SAP GUI and the NWBC client can benefit from single sign on.

We currently have two separate AD forests. One in which our PCs are called SE_DOMAIN.COM. This domain has the underscore character in it so we created a new AD domain and forest called SEI.LOCAL and we are in the process of migrating everything from SE_DOMAIN into SEI.

Our current SAP servers are already in the SEI domain while the users are still in SE_DOMAIN. I have read a few guides for SSO, but am still unsure which is the best way to accomplish this as some mention a CA and others apparently are in favor of the latest Federation services from Active Directory and SAML (Security Assertion Markup Language).

Is SAML the new and recommended way to go?

Regards,

Paul Aviles

Accepted Solutions (0)

Answers (1)

tim_alsop
Active Contributor
0 Kudos

Hi,

There is no need to use certificates for this, and no need to use SAML. In fact if you want SAP GUI authentication, there is only one possible way - you have to use a cryptographic library and use the SNC interface provided in SAP GUI and in SAP ABAP AS. When using SNC with Active Directory it is best to use an SNC/Kerberos library since Kerberos is the protocol used by AD for authentication of users when they log on to the domain.

You would need to install the software on each workstation running SAP GUI and also on each server running ABAP AS. Then you would ensure that there is a one-way trust between your two AD forests, and then you will get SSO for users logging into the old domain (the one containing the _) and also users will benefit who are logged onto the new domain. This will help during your migration.

I suggest you look at http://sap.cybersafe.com and I recommend you look at the products on this site.

Thanks,

Tim

Former Member
0 Kudos

Tim, thanks for the reply.

We did get the regular SAP GUI running with SNC as you mentioned, but not the NWBC client and we were told it would not work, hence the search for a method that will work for both with the same approach.

Have you seen this doc?

http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/30fe0e7b-b334-2d10-45b0-f35afb25a5bc

Regards,

Paul Aviles

tim_alsop
Active Contributor
0 Kudos

Paul,

Yes, I have seen the doc - I am very familiar with SAML 2. For your requirement there is no need to use SAML 2.

For NWBC you can use SAP GUI with SNC authentication and also use the HTTP Negotiate protocol for Web based applications, e.g. BSP apps on ABAP stack. I have set this up and can demonstrate it.

Thanks,

Tim
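
To confirm that a browser or NWBC session using the HTTP Negotiate protocol mentioned in this reply is really carrying Kerberos rather than NTLM, the following added example (not code from this thread or from any product named in it) classifies the token in an `Authorization: Negotiate` header. The function name and the sample tokens are constructed for illustration; the byte patterns are the SPNEGO and Kerberos 5 mechanism OIDs and the NTLMSSP message signature.

```python
import base64

# DER-encoded mechanism OIDs and the NTLMSSP message signature.
SPNEGO_OID = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
KRB5_OIDS = (
    bytes.fromhex("06092a864886f712010202"),             # 1.2.840.113554.1.2.2 (Kerberos 5)
    bytes.fromhex("06092a864882f712010202"),             # 1.2.840.48018.1.2.2 (legacy MS Kerberos 5)
)
NTLMSSP = b"NTLMSSP\x00"


def classify_negotiate(header_value):
    """Classify an Authorization header value as 'kerberos', 'ntlm',
    'spnego-other' or 'invalid'.

    This is a signature scan for troubleshooting, not a full ASN.1 parser.
    """
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "invalid"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:                                   # bad alphabet or padding
        return "invalid"
    if token.startswith(NTLMSSP):                        # raw NTLM: Kerberos was not used
        return "ntlm"
    if token[:1] != b"\x60":                             # GSS-API InitialContextToken tag
        return "invalid"
    head = token[:16]                                    # the mechanism OID follows tag+length
    if any(oid in head for oid in KRB5_OIDS):
        return "kerberos"                                # Kerberos token without SPNEGO wrapper
    if SPNEGO_OID not in head:
        return "invalid"
    if NTLMSSP in token:
        return "ntlm"                                    # NTLM wrapped in SPNEGO
    return "kerberos" if any(o in token for o in KRB5_OIDS) else "spnego-other"


def _header(raw):
    return "Negotiate " + base64.b64encode(raw).decode("ascii")


# Constructed samples: a SPNEGO NegTokenInit shell that offers Kerberos 5 only
# (no ticket inside), and the first 12 bytes of an NTLM type 1 message.
SAMPLE_KERBEROS = _header(b"\x60\x1b" + SPNEGO_OID
                          + b"\xa0\x11\x30\x0f\xa0\x0d\x30\x0b" + KRB5_OIDS[0])
SAMPLE_NTLM = _header(NTLMSSP + b"\x01\x00\x00\x00")

if __name__ == "__main__":
    for name, value in (("kerberos sample", SAMPLE_KERBEROS), ("ntlm sample", SAMPLE_NTLM)):
        print(name, "->", classify_negotiate(value))
```

Run it against the `Authorization` header captured from a failing request: a result of `ntlm` means the client could not obtain a Kerberos service ticket for the server and fell back.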

Former Member
0 Kudos

Tim, is that using native SAP and Microsoft products or some third party involved?

Since I already got the SAP GUI working, what is necessary to make NWBC work?

Regards,

Paul Aviles

tim_alsop
Active Contributor
0 Kudos

Paul,

I have used third-party software only to support SAP GUI and SAP Portal and NWBC authentication of users.

Thanks,

Tim