03-03-2013 2:58 AM
Hello Experts,
We are trying to implement SAP SSO by enabling SNC through Kerberos. Our users & SAP servers are in different domains.
And to implement SSO, we need to establish trust between the two domains.
We don't want to establish trust due to security & company policy.
Now, I have a question regarding an alternate solution, which is through SAP Router. Currently SAP Router cannot be accessed from Active Directory. Before asking the infrastructure team to open the firewall, I would like to know if this solution is feasible.
So my question is: if I have set up SSO using Kerberos in the scenario where the Active Directory users' domain & the SAP server domain have no trust, will accessing SAP servers through SAP Router for SSO work?
03-03-2013 8:05 AM
Hi,
SAP Router secures communication at the network transport layer, and has nothing to do with user authentication.
Why can't you set up a one-way trust between the domain used by the SAP servers and the domain in which users are authenticated? If you don't, then a user's credentials cannot be trusted. The use of trust is very important for security reasons, so I do not understand why your company thinks trust is against policy. Can you explain this policy and the reasons?
Thanks,
Tim
03-03-2013 8:07 AM
It looks like you already asked about trust in a previous thread - see http://scn.sap.com/thread/3305817