
I need some light regarding SUP/SMP SSO

Marçal_Oliveras
Active Contributor
0 Kudos

Hi,

I want to configure SSO with SUP 2.1.3 (in the coming months I will have SMP, but for now I would like to know how to do it with SUP; I don't know if there are any differences).

I know there are a lot of documents regarding how to do this, but it's still not clear to me if they are talking about login only to SUP or if doing that you are able to call the SAP backend using the same credentials instead of a hardcoded user.

So my landscape has the following components:

- Mobile Devices

- SUP 2.1.1

- Active Directory where the users have their Windows password (the only one they know)

- Enterprise Portal which is referencing to AD, so all the users present in AD are also in EP.

- Different SAP Backends (ECC, CRM…)

Now my question is, should my SUP security configuration be configured to use users from AD or from EP? I would like to use AD but then I'm not sure if AD can provide the tokens/tickets to log on to the backend system.

And then I would like to know the tasks to be performed in order to achieve this. I know I have to create the security configuration pointing to the user store and assign it to the domain and package, but what do I have to do in the AD/EP? Do I have to create a new group in AD and assign the mobile device users to this group? Do I have to create certain roles in AD? And then assign these roles to the newly created group?

I'm sorry that I've been coming with so many questions these last few days. I think the documentation is good but to fully understand it you need some more knowledge than mine (in this case about LDAP, AD, EP and SSO…).

Accepted Solutions (0)

Answers (2)

amey_baisane
Participant
0 Kudos

Hi Marçal,

The LDAPLogin module which is currently available with SUP/SMP does not provide the SSO token. So you have to use the HTTPLoginAuthenticationModule from SUP/SMP.

Kind Regards,

Amey

midhun_vp
Active Contributor
0 Kudos

Following are the available security profiles we can use in SMP.

• No Security Provider

A NoSec provider offers pass-through security for Unwired Server, and is intended for use in development environments or for deployments that require no security control. Do not use this provider in production environments— either for administration, or device user authentication.

• LDAP Security Provider

(Not applicable to Online Data Proxy) The LDAP security provider includes authentication, attribution, and authorization providers. Add an LDAP provider to a security configuration to authenticate administrator logins (on the "admin" security configuration on the "default" domain) or device user logins (any custom security configuration for that purpose).

• NTProxy Security Provider

(Not applicable to Online Data Proxy) NTProxy — sometimes known as native Windows login — is an Unwired Server provider that integrates with existing Windows login security mechanisms. Add an LDAP provider to a security configuration to authenticate administrator logins (on the "admin" security configuration on the "default" domain) or device user logins (any custom security configuration for that purpose).

• SAP SSO Token Security Provider

The SAPSSOTokenLoginModule has been deprecated and will be removed in a future release. Use HttpAuthenticationLoginModule for SAP SSO2 token authentication.

• Certificate Security Provider

Use the Unwired Server CertificateAuthenticationLoginModule authentication provider to implement SSO with an SAP enterprise information system (EIS) with X.509 certificates.

• HTTP Authentication Security Provider

Use HttpAuthenticationLoginModule provider to use Basic authentication to enable automatic application registration. This provider is required when registration is set to automatic. It can also be used to enable SSO into SAP servers in place of the deprecated SAPSSOTokenLoginModule.

Ref:

http://infocenter.sybase.com/help/index.jsp?topic=/com.sybase.infocenter.dc01703.0213/doc/html/aba13...

You can use AD if it is available in your enterprise. You can create the users in AD the same as the SAP users and keep it as a login provider.

- Midhun VP

Marçal_Oliveras
Active Contributor
0 Kudos

Hi Midhun,

I already know the security profiles available. I just want to know the following:

  1. Changes to be done in LDAP (Active Directory) to create a group of users for SUP admin purposes. I want to stop using supAdmin and use my Active Directory user, but I don't know exactly what to ask the AD administrators to have my user in a group that allows me to administer SUP.
  2. Again, changes in LDAP to create a group for SUP mobile app users. The same as 1, I don't have AD knowledge and I'm not sure what to ask the administrators. Do they have to create a group? Do they have to create roles and assign them to the group? Which roles? How?
  3. If I use the LDAP security provider, will I be able to access the SAP backend? Or should I use HttpAuthenticationLoginModule against SAP Portal to get the SSO token?

Thanks.

Former Member
0 Kudos

Hi Midhun,

I am trying to implement SSO in SMP 3.0 but do not know how to proceed. Can you suggest a how-to guide or a good link for that? I tried with an X.509 certificate but am getting an error. If you can help me with an X.509 certificate-based implementation, that would be great.

BR,

saurabh

midhun_vp
Active Contributor
0 Kudos

Can you create a new thread with the issue you are facing?

Regards,

Midhun VP

Former Member
0 Kudos

Hi,

Please follow the link below to configure SSO using an X.509 certificate:

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/603dca31-5456-2f10-7585-aef409aa5...

Regards,

lekhak Patil