
SAP Portal 7.3 SPNego and NWBC SSO with ECC

Former Member
0 Kudos

Wanted your expert opinion on something. We have been using NWBC 4 and got Portal 7.3 in our landscape. We have established SPNego for IE single sign-on for Portal. We also have SNC entries with SAPGui to manage ECC SSO using SAPGui.

We want to extend NWBC to ECC SSO. But this has been a massive hunt for the right solution.

SAP Netweaver SSO is the obvious solution, but it seems it involves some licence cost. The other option was to redirect NWBC to Portal and then back using the redirect app as described in this note.

The question is, what is the best way forward, and whether we can achieve NWBC ECC SSO with this redirect method. With all the effort we put in, we are able to see the web page of /nwbc instead of launching ECC on NWBC 4.0.

Thanks a lot for your time.

Attachments:
Note 1250795 - Redirect appliction NWBC.pdf
Note 1250795 - Redirect appliction.pdf

Regards,

Sudhir

Accepted Solutions (1)


Former Member
0 Kudos

There are 2 versions of NWBC, the desktop (native) one and the HTML one. The latter is a WDA application, so any SSO you have in place that works with WDAs will work for NWBC for HTML. The NWBC for Desktop is more tricky and the only working solution I'm aware of is based on NWSSO 2.0.

Regarding the pricing of NWSSO you should talk to your company's SAP representative. The last information I have seen was that it is sold in chunks of 100 (internal users) or 300 (external users).

tim_alsop
Active Contributor
0 Kudos

Samuli Kaski wrote:

The NWBC for Desktop is more tricky and the only working solution I'm aware of is based on NWSSO 2.0.

The NWSSO 2.0 product is not the only product available which supports NWBC Desktop or NWBC HTML.

Former Member
0 Kudos

Tim Alsop wrote:

The NWSSO 2.0 product is not the only product available which supports NWBC Desktop or NWBC HTML.

Ones that are not based on capturing the user name and password, meaning the same functionality that is provided by Password Manager in NWSSO 2.0? That should be considered as a fallback option. There is native support for NWBC Desktop in Secure Login Client of NWSSO 2.0. NWSSO 2.0 can handle both the DIAG SSO and the HTTP(S) SSO; both are required in order to enable SSO for NWBC Desktop. There are also requirements for NWBC: at least 4.0 PL5 is required.

tim_alsop
Active Contributor
0 Kudos

I am not talking about using password capture. I am talking about using cryptography to authenticate the user when they logon using NWBC HTML or NWBC desktop products. So, NWSSO 2.0 is just one option available. There are other products which are commercially available that can do the same without resorting to password capture methods.

Former Member
0 Kudos

Thanks for your reply Samuli.

We are using NWBC for Windows. That's where it gets tricky.

Former Member
0 Kudos

G'day Tim,

Appreciate your reply. One can always invest further in "products" to get it working. But having invested in SAP Portal, ECC, SPNego and then moving to NWBC (as suggested by SAP), it's already too much for small/medium customers. Additional licence cost for these tools/maintenance is a little too harsh. So I am trying my best to find a solution which we can manage within the means of the available resources/services we have.

Regards,

Sudhir

tim_alsop
Active Contributor
0 Kudos

Why don't you use the redirect method? You can redirect the /nwbc service (configured in SICF) to the Java stack, where the user is authenticated and an SSO2 ticket issued, and then redirect them back to the /nwbc service so that the SSO2 ticket can be accepted. This works well.

Former Member
0 Kudos

We tried that. But we can only pass a URL for the redirect. So it takes you to NWBC for HTML instead of taking you back to ECC on NWBC. We are unable to pass a URL that takes you back to the original URL using the redirect service.

Not sure if I am missing something obvious here.

Cheers

Former Member
0 Kudos

Redirect to a URL with the schema sap-nwbc://https:// to access ECC with NWBC Desktop. See the attached link for details. I'm not saying it will work, as I think more is involved than simply generating the Logon Ticket, but generating the URL shouldn't be a problem.

http://help.sap.com/saphelp_nw73ehp1/helpdata/en/4c/5bde0c97817511e10000000a42189b/frameset.htm

fredrik_borlie
Contributor
0 Kudos

I also have tried to get SSO working into NWBC.

Using the SAP Netweaver Portal as the logon point and storing roles in PCD/UME gave me Single Sign on out of the box.

Using SAP Web Application Server we have not yet solved the SSO.

We tried to apply SPNEGO Redirect; however, the logon window got strangely redirected to the HTML version and the desktop client was never initiated.

We are waiting for the SAML server to be ready for configuration to test that option out.

Check this good thread for more inspiration:

0 Kudos

Hi Fredrik/Sudhir,

There is a requirement, for me to use the web HTML NWBC and setup SSO for it. Can you please help/guide me through the process of how you did that or if you have a link that would be great.

I have SPNego/Kerberos authentication set up for NW 7.3 Portal, through which we SSO into the backend SAP ERP 6.0 with NW 7.02 SP10.

Additionally, I was able to set up the redirect of the nwbc to my SAP Portal (Kerberos authentication ticket issuer), but I am not sure how to redirect it back to the web HTML NWBC from the portal. I looked at Note # 1250795 - Redirect application but it didn't help me much.

Any help is appreciated. Thanks in advance.

Dhee

Former Member
0 Kudos

Assuming you have configured SAP Logon Tickets from portal to the backend system, you will have to launch NWBC for HTML from the portal. In case you have problems defining an iView for launching NWBC for HTML, see my document.

0 Kudos

Hi Samuli,

Thanks for the prompt response. However, the requirement is for a customer to click on NWBC web URL that is emailed to them automatically via workflow and is SSO'd into the URL via kerberos authentication. I was hoping I could use the SAP Portal's redirect option mentioned in http://scn.sap.com/docs/DOC-4015, since I already have SPNego setup on our SAP Portal.

Thanks again for your response. Additionally, your solution did work to set up an iView to launch the WDA ABAP URL from the SAP Portal; however, it wasn't able to SSO. Am I missing something here?

I already have the SAP Logon tickets setup configured, and I know that because the SSO to the backend systems via the transaction iViews is working.

Thanks
Dhee

Former Member
0 Kudos

You can use the redirect implementation but you will have to redirect to the iView for launching NWBC for HTML, otherwise the Logon Ticket won't be used since the iView is bound to the portal system object where you have configured use of Logon Tickets. Another option is to generate the portal URL using the NavigationTarget parameter so that the iView defined for NWBC for HTML is launched. If you want to get fancy you can even create a custom AppIntegrator iView that does a redirect to NWBC for HTML.

That's weird, it works for me including SSO.

0 Kudos

Hi Samuli,

I was able to get this working. I was doing a preview on the iView I created and it kept failing. However, once I attached it to the role and launched it from there, it worked like a charm. Thank you.

After configuring the SSO to SAP GRC AC 10 NWBC from the enterprise portal, the GRC landing page opens up fine wherever I want it, in a new portal window or within the iView, with SSO enabled as per the logged in user. However, clicking on any of the hyperlinks (Work Inbox, Access Request etc.) results in the error: "Page not found. Refresh the page or try again later. If the problem persists, contact your Portal administrator for assistance." Attached is a screenshot for your reference. Any suggestions or solutions you may have?

Thanks
Dhee

Former Member
0 Kudos

Is that a Service Map? If it is, I think OBN is used and that won't work as indicated by SAP note 1620576:

The embedding of NWBC for HTML in the SAP NetWeaver Portal is not supported:
NWBC for HTML can be integrated in external portals in an embedded mode - that is, without a navigation frame - using the addition "/~canvas;window=embedded". If it is integrated in an SAP NetWeaver Portal, problems occur in particular with object-based navigation (OBN), for example, as it is used in power worklists (POWL).

You should look into using NWBC for Desktop to access the portal, that way users will have unified UI.

0 Kudos

Hi Samuli,

Thanks for pointing out the note.

I am working on options for Kerberos authentication SSO for desktop NWBC via SAML 2.0 without NW SSO 2.0, using instead the Identity provider that we have in house. Currently we use the SAP Portal as an SSO solution for the backend systems and would like to launch NWBC from here as well.

From my research it looks like SAP Portal cannot launch the desktop NWBC version, and though I am able to launch the NWBC HTML from here, there is no use because the embedded URLs don't work and are not supported.

Can NW SSO 2.0 solve this issue of launching the desktop NWBC from the SAP Portal? I am confused how NW SSO 2.0 is different from any other Identity provider in this scenario?

Thanks

Dhee

Former Member
0 Kudos

NWBC for Desktop can be launched from the portal as long as you build the URL correctly, see this link for details. In order to have SSO in case of NWBC for Desktop, NWSSO (v2+) is the way to go. NWSSO is not an IdP. As I wrote, I don't think launching NWBC (be it Desktop or HTML) from the portal is the way to go. You should use NWBC for Desktop to access portal and solve the SSO requirements by using a SSO product such as NWSSO.

0 Kudos

Thank you. I am able to launch the NWBC desktop from the Portal but SSO doesn't work right now. It prompts me for a user name and password. I am working with our infrastructure team to set up an IDP for the SAML 2.0 option, so that when I launch the NWBC desktop from the SAP Portal, it SSO's using SAML 2.0. Do you think this will work?

I agree, NWSSO is the way to go with NWBC, but I am looking at other options for achieving what we need so our management can make a decision on which way to go.

Thanks

Dhee

Former Member
0 Kudos

That's the expected behavior. I think someone on SCN posted a blog/document on enabling SSO in NWBC for Desktop using SAML. I found at least this reply to a discussion thread, maybe you want to contact the person directly. You should however know that SAML is not officially supported by SAP in the context of NWBC or SAP GUI, see this reply for details.

0 Kudos

Ok, I will try it out and update you. I did ask him how he did it but never heard back.

Thanks again.


Dhee

0 Kudos

Hi Samuli,

I was able to set up the IDP and SAML for SSO. However, I ran into a few issues. I was hoping you would have some insights or suggestions.

Web Version #

HTTP is working via OKTA (SAML-Identity Provider) SSO as expected.

HTTPS fails on the first attempt and prompts me for a user name/password, but if I refresh the same web browser, HTTPS also works on the second attempt.

Any suggestions how to get past this issue?

Desktop client Version#

Whenever I access a web dynpro app via the client version, I get a security warning from the NWBC client, as my SAP server and Identity provider are on two different domains. I know from reading through the blogs and as per note # 1378659 & http://help.sap.com/saphelp_nw73ehp1/helpdata/en/c5/18826ad1e944dfb39aa1d0fe3a188a/content.htm?frame...

there is a way to bypass this security warning in the older versions of the NWBC client. However, we are at the latest version NWBC 4.0 and the solution to bypass the security warning doesn't work. I did open an OSS message with SAP for this issue and they are suggesting this to be a consulting issue. The URL that I am calling from the NWBC client is my Identity provider's SSO URL.

In case I use SAP's nwbc SICF HTTP URL from the nwbc desktop client instead of the IDP's SSO URL, it looks like the authentication takes place via the SAML assertions, but the client pop-up just hangs with a blank screen.

Any suggestions on this issue? Thanks in advance.

Thanks

Dhee

Former Member
0 Kudos

Try to enable all logon procedures for the ICF service in question. Have you added the IdP URL into the trusted / intranet security zone in IE?

0 Kudos

Thanks Samuli, the first issue regarding the HTTPS has been solved after enabling all logon procedures for the ICF services in SICF.

Yes, I did add the IdP URL into the trusted/intranet security zone in IE and it still doesn't work. Attached is the screenshot of the exact error.

I also added the entry to the HTTP_WHITELIST table in the backend ABAP, as mentioned on the help.sap site, in addition to the whitelist.ini.

Let me know if you can think of anything else.
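
As an added example, not code from the thread or from SAP: the redirect service discussed above hands the user back to a return URL, so that URL needs the same kind of whitelist check the HTTP_WHITELIST table and whitelist.ini enforce, otherwise the ticket-issuing step becomes an open redirect. This check accepts both the plain https://host:port/nwbc form and the sap-nwbc://https://... form Samuli mentioned for launching NWBC for Desktop; the entry layout, host names and ports are constructed assumptions, not SAP's table format.

```python
from typing import List, Tuple
from urllib.parse import urlsplit

NWBC_SCHEME = "sap-nwbc://"

# Constructed whitelist: (scheme, host, port, allowed path prefix).
# Assumed layout for illustration; it is not the HTTP_WHITELIST structure.
ALLOWED: List[Tuple[str, str, int, str]] = [
    ("https", "erp.example.corp", 44301, "/nwbc"),
    ("https", "erp.example.corp", 44301, "/sap/bc/nwbc"),
    ("https", "portal.example.corp", 50001, "/irj/portal"),
]


def unwrap_nwbc(url: str) -> Tuple[bool, str]:
    """Strip a leading sap-nwbc:// so the inner https URL can be checked.
    Returns (is_desktop_launch, inner_url)."""
    if url.lower().startswith(NWBC_SCHEME):
        return True, url[len(NWBC_SCHEME):]
    return False, url


def is_allowed_redirect(url: str) -> bool:
    """True only when the inner URL matches one ALLOWED entry exactly on
    scheme, host and port and its path is the prefix or a sub-path of it
    (so /nwbc/~canvas;window=embedded passes, /nwbcx does not)."""
    _, inner = unwrap_nwbc(url)
    parts = urlsplit(inner)
    # Reject http, javascript:, data:, and relative URLs outright.
    if parts.scheme != "https" or not parts.hostname:
        return False
    # Reject https://erp.example.corp@evil.example/ style userinfo tricks.
    if parts.username or parts.password:
        return False
    try:
        port = parts.port or 443
    except ValueError:  # non-numeric or out-of-range port
        return False
    host = parts.hostname.lower()
    path = parts.path or "/"
    for scheme, allowed_host, allowed_port, prefix in ALLOWED:
        if (scheme, allowed_host, allowed_port) != (parts.scheme, host, port):
            continue
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            return True
    return False
```

The query string is deliberately ignored by the match, so sap-client or other parameters on the return URL do not affect the decision.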

Former Member
0 Kudos

Either define the IdP URL as a connection or set the global configuration setting AllowTemporaryConnections to true.

0 Kudos

I tried both options and none of them worked. However, while I am using the IdP URL as a connection, Navigate to url in the trace shows that the /TicketIssuer? is being appended to the actual IdP URL.

When I try the SAP system's SICF service URL, https://<sapserver>:44301/nwbc in the connection settings, the NWBC screen goes blank.

Former Member
0 Kudos

You should configure the NWBC connection to point to your AS ABAP and define the ICF service (or alias in this case) to use SAML authentication. If NWBC still gives the security warning, you should be able to suppress it with AllowTemporaryConnections. Make sure you set the setting in the admin template NwbcOptions.xml.template.

0 Kudos

When I said sapserver in the URL in my previous post, it is the AS ABAP connection. Sorry for the confusion.

Additionally, I still get the same blank screen when I set the AllowTemporaryConnections to True in the NwbcOptions.xml.template.

I am not sure what do you mean by (alias in this case)?

https://<AS ABAP hostname fqdn>:44301/nwbc

https://<AS ABAP hostname fqdn>:44301/sap/bc/nwbc

None of these URLs work.

Also, on a different note, I configured NWBC SSO on another AS ABAP system via the SAP portal's redirect application suggested by you in your previous posts. It's the exact same behaviour in this case too. It just stops at a blank screen. However, if I close the pop-up window and click on the connection again, it does SSO into the AS ABAP via the redirect portal app and works as expected.

But this is not the case for the SAML SSO. Am I missing something?

Thanks for your support in this issue. You have been a great help so far.

Former Member
0 Kudos

In this case the ICF external alias is /nwbc, I assume you have configured it to use SAML? Can you use Fiddler to see what URLs are being accessed and in what order? Do you get the blank screen before redirecting to the IdP or after returning from it? I think you should create a new discussion thread regarding your problem since it's off topic for this discussion thread. On a related note this discussion thread was originally created in the wrong space, this space is for topics regarding the NWSSO product. Create a new discussion thread in the space and name it accordingly (e.g. "SAML based SSO in context of NWBC for Desktop").

0 Kudos

Hi Samuli,

I created a new thread and answered your questions there.

SAML based SSO in context of NWBC 4.0 Desktop

Thanks

Dhee

Answers (2)


Former Member
0 Kudos

Hello Sudhir,

We are using NWBC 4.0. There is Kerberos authentication between Portal and Windows.

When we click on the Portal link from NWBC it asks for Portal UserID&Pwd for login.

Is there any possibility of accessing Portal from NWBC without prompting of userid?

All the SCN threads that I looked at are related to implementation of authentication with ABAP.

Thanks and Regards,

Pradeep

donka_dimitrova
Contributor
0 Kudos

Hello Sudhir,

Here in this blog:

you will be able to find how to implement single sign-on with Kerberos for NWBC in your company.

Best regards,

Donka Dimitrova

Former Member
0 Kudos

Dheerendra/All,

Have you or anyone else implemented, or are you aware of, a working solution with "SAP SSO, SAP GUI and Okta IDP"?

As per our understanding, SLS 2 and SL Web Client do not support SAML based authentication with 3rd party IDPs.

An indirect approach would be to use a customized application to perform the authentication and a redirect to the SL Web Client. We are testing this option and facing an error after authentication by Okta (Error: Template SAML 2.0 App is misconfigured etc.).

Another option would be to set up a separate AD which would be synced from Okta, and we could use SSO for SAP GUI with Kerberos.

In addition we will be using NWBC, which should work with the solution we choose for SAP GUI (and eventually Fiori).

Any thoughts and input are appreciated.

Thanks

Hari

Former Member
0 Kudos

Also any pointers on pricing model for using NW SSO?

Cheers