on 11-07-2013 2:57 PM
Dear All,
This is the first time I have ever had an opportunity to work on NWBC. My company wants to implement SSO using NWBC for HTML and is not interested in using any AS JAVA components or the SAP NetWeaver SSO product.
Requirement/Background:
We are going live with HR/PAYROLL and ESS/MSS. The requirement is that users will use NWBC for HTML to log in to the backend system (ECC 6.0 EHP5 on Windows / SQL 2008), print their payslip and do all allowed activities in the ESS/MSS functionality.
(I realised that from EHP5 we do not require the Portal to implement ESS/MSS.)
AIM:
The company wants to implement single sign-on using NWBC for HTML to achieve the above requirement. At the moment users have to change their password every 30 days in the production system. Since most of the users log in only once a month to print their payslips, there is always a chance for them to forget their password, or the system will prompt them to change the password due to the 30-day password change restriction; therefore we get thousands of calls related to password resets every month end. To avoid this we want to implement SSO.
Note: If we can achieve SSO then we can disable or change the password expiry parameter.
My Thoughts:
Based on the requirement, all I can think of is to authenticate the users at desktop level (AD) and then, by clicking on the NWBC link, they should be able to log in to the backend system automatically; based on the roles assigned to them, they will be able to perform their activities. We can apply the password restrictions at AD level and users only have to remember one password.
I would really appreciate it if anyone can guide me through achieving this. We are open to any suggestions.
Thank You
Raj
Hello Raj
We too are looking to deploy ESS/MSS via the HTML version of NWBC. I have found that later versions of the ABAP stack now support SAML 2.0. Our company is already running Active Directory Federation Services (ADFS), which provides the critical Identity Provider (IdP) capability. So, no need to purchase NetWeaver SSO!
http://help.sap.com/saphelp_nw70ehp2/helpdata/en/46/631b92250b4fc1855686b4ce0f2f33/content.htm
Until now I've only done basic testing in our sandbox based on using the email address for the federated ID and can report that it does work!! Note that we would probably prefer to go with some HR data that does not change, like "central person ID" - I think that will require a BAdI to do the lookup in SAP HR -- I found an SCN post that talks to it, but have not investigated.
Would be very interested in collaborating further with you on the overall concept if you are interested, as this is only an "as time allows" project!!
Dear Eric,
Thank you for replying to the post with very useful information. I am happy to collaborate with you and share the experience and knowledge. It is good to know that you have already configured and successfully tested the SSO. I would really appreciate it if you can share your documentation with me.
I have read through the SAML 2.0 link and it has definitely helped me a lot in identifying the existing options for configuring SSO.
1) You want to protect authentication information with encryption or with opaque IDs. For this I need the following:
1) Service provider.... Initial thoughts are to use AS ABAP; if I think about performance then I might have to delegate this to a separate system, and I do not know what the options are on this route.
2) Identity provider..... We do not have any identity provider; I have to explore more on this option. I would like to know how to configure ADFS, which you have mentioned. I will need to dig into this.
3) Client Agent..... Not sure what this is.
4) Opaque ID...... Not sure what this is.
I will spend the rest of the week reading and exploring all the above and hopefully come back with a constructive approach and let you all know. Meanwhile, you can forward me any information you think would help me.
Thank You
Regards
Raj
Service Provider -- yes, this must be the AS ABAP as it is providing the service you want (ESS/MSS)! No reason to worry about performance whatsoever.... delegation is getting complicated (if even possible). I am making the assumption your AS ABAP Basis release is high enough.
Identity Provider - yes, this is the magic. In our company, ADFS was already up and running by the team that manages Active Directory, as they needed it for other (non-SAP) SSO requirements. I don't have much visibility into the setup they did.
When I first started the SAML setup I also tried to dig into the various details, but realized quickly (similar to the points made by Damean) that it would require learning very low-level protocols/etc. My suggestion for "tire kicking" to prove the concept is to use an attribute that is in SU01 and inside of AD --- email address would be the easy one.
The high level steps were:
1. Importing metadata XML from ADFS into AS ABAP and choosing email address as the federation ID
2. Exporting metadata XML from AS ABAP to ADFS
3. ADFS creating 'claim rules' to use email address
I can also share that the support I got from SAP was VERY helpful (even related to providing a few steps that our ADFS folks needed help with!) to get this going.
Dear Eric,
Thank You for the reply.
Am I correct in saying that I can configure the Service Provider and SAML 2.0 just by following the documentation provided on SCN, or have you used any other sources to configure these? I will pass the ADFS part to our infrastructure team.
It is good to hear that SAP helped you when you needed it.
All users have the same ID in both AD and SAP. I think this makes my life a bit easier. However, I can fall back on the email address if I need to.
The high-level steps you mentioned: were they part of the configuration, or steps to be followed after the config?
My boss will come back next week from holiday; after discussing with him I will get back to you. I think I will create a sandbox system and play with it.
Thank You
Regards
Raj
Definitely recommend doing it in a sandbox. We actually have a test AD domain as well.
Yes, the procedure was fairly simple - I actually attended the SAML hands-on session a few weeks ago at TechEd hoping to learn some more details, but the exercise was just a matter of pushing buttons to establish the "trust" between the IdP and the SP (via the metadata files). If this is the first time your AD folks would be exploring SAML, then there could be some learning curve for them. We've done about 10 SAML setups thus far and it does seem like each SP has a few unique elements.
As I reviewed the support ticket we had, the only challenges we faced were:
1. The link to download the metadata xml from ABAP SP - I had to use this directly : https://<host>:<port>/sap/saml2/sp/metadata?sap-client=<client>
2. The ADFS team made some mistake on the claim rules - SAP helped, but I think it was more of an accident on their side.
If your ID is the same then you are good - because of the character limitation on the SAP side and our network ID standard incorporating the person's last name, we have a few users that do not match, hence using the email address. When we move out of the sandbox we will investigate some custom code to be able to use an HR attribute that does not change!
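The step "exporting metadata XML from AS ABAP to ADFS" hands the ADFS team a file they will import as a relying party trust. Before sending it, it is worth checking what the SP actually advertises: its entityID, which NameID formats it accepts, whether it insists on signed assertions, and whether every AssertionConsumerService endpoint is HTTPS. The following is an added example, not code from the thread or from SAP; the metadata it parses is constructed to look like an SP export, and the entityID, hostname, ports and the /sap/saml2/sp/acs/<client> path are assumptions, not values taken from the posts. One plain-HTTP endpoint is deliberately included so the check has something to report.

```python
"""Sanity-check SAML 2.0 service-provider metadata before handing it to the IdP team.

Added example, not code from the thread. SAMPLE_SP_METADATA is constructed; the
entityID, host, ports and ACS path in it are assumptions.
"""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample shaped like an SP metadata export. The second ACS endpoint
# is plain HTTP on purpose so find_issues() has something to flag.
SAMPLE_SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="SAP_ECC_SANDBOX_100">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      AuthnRequestsSigned="true" WantAssertionsSigned="true">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sapsbx.example.com:44300/sap/saml2/sp/acs/100" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sapsbx.example.com:8000/sap/saml2/sp/acs/100" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def inspect_sp_metadata(xml_text):
    """Extract the fields the IdP administrator has to confirm when creating the trust."""
    # Metadata you downloaded from your own system is trusted input. For metadata
    # received from a third party, parse with defusedxml rather than the stdlib parser.
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")
    return {
        "entity_id": root.get("entityID"),
        "want_assertions_signed": sp.get("WantAssertionsSigned", "false").lower() == "true",
        "name_id_formats": [e.text.strip() for e in sp.findall("md:NameIDFormat", NS)],
        # (binding, location, is_default) for every endpoint the IdP may POST to
        "acs": [
            (e.get("Binding"), e.get("Location"), e.get("isDefault", "false").lower() == "true")
            for e in sp.findall("md:AssertionConsumerService", NS)
        ],
    }


def find_issues(info):
    """Return human-readable findings; an empty list means the metadata looks sane."""
    issues = []
    if not info["entity_id"]:
        issues.append("entityID is empty; the IdP identifies the relying party by it")
    if not info["want_assertions_signed"]:
        issues.append("WantAssertionsSigned is not true; the SP would accept unsigned assertions")
    if not info["acs"]:
        issues.append("no AssertionConsumerService endpoint; the IdP has nowhere to send the response")
    for binding, location, _default in info["acs"]:
        if not location.lower().startswith("https://"):
            issues.append(f"ACS endpoint {location} is plain HTTP; the SAML response and the "
                          "session cookies set afterwards would travel unencrypted")
        if binding != HTTP_POST:
            issues.append(f"ACS endpoint {location} uses binding {binding}; "
                          "confirm the IdP is configured for it")
    return issues


if __name__ == "__main__":
    info = inspect_sp_metadata(SAMPLE_SP_METADATA)
    print("entityID:", info["entity_id"])
    print("NameID formats:", ", ".join(info["name_id_formats"]))
    for _binding, location, default in info["acs"]:
        print(" ACS", "(default)" if default else "         ", location)
    for issue in find_issues(info):
        print(" !", issue)
```

Run it against the real export (the metadata URL Eric quotes above returns exactly this kind of document) and send the IdP team the entityID and the default ACS location together with the file; the NameID format list tells them which federation ID the SP will accept, which matters if you switch from the user ID to the email address later.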
Dear Eric,
Want to update you on the situation.
I met the infrastructure manager yesterday and learned that we already have ADFS as well as Shibboleth in place for other purposes.. hurrah... So now all that is pending is to build the SAP sandbox, and I am preparing a build sheet. I will update you after I have stood up the sandbox.
Just a quick question: apart from ADFS (Identity Provider) and the SAP sandbox (Service Provider), do I need to install any other products to configure this?
Thanks for your support
Regards
Raj
No other products - only need to ensure the ABAP Basis SP is at the required minimal level to support SAML.
Feel free to send me a mail (I assume you can see it on my profile) if you'd like to go into additional detail (especially regarding the bigger picture ESS/MSS goals, as I think I have the same!).
Hi All,
Finally, today I have completed the configuration and also tested it successfully.
I would like to thank everyone for your inputs.
Special thanks to Eric.
Solution: Please follow the links provided by Eric in this post.
Regards
Raj
Dear Jiji,
The solution is simply to follow the links provided by Eric. However, the following are the steps:
SAP
1) Relevant RZ10 Parameters
login/create_sso2_ticket = 2
login/accept_sso2_ticket = 1
login/ticketcache_entries_max = 1000
login/ticketcache_off = 0
login/ticket_only_by_https = 0
icf/set_HTTPonly_flag_on_cookies = 3
icf/user_recheck = 1
http/security_session_timeout = 1800
http/security_context_cache_size = 2500
rdisp/plugin_auto_logout = 1800
rdisp/autothtime = 60
2) Activate HTTP for your production client using transaction SICF_SESSIONS.
3) SAML configuration using transaction SAML2; one of the important steps is to import the ADFS metadata into the SAP system.
ADFS
1) After making the settings in SAML2, download the SAP system metadata and import it into ADFS.
2) On the ADFS service, configure a relying party trust.
3) Add an ADFS claim that maps sAMAccountName to NameID.
4) On the relying party trust, select Properties -> Advanced and set the encryption to SHA1.
The ADFS side was configured by the infrastructure team, so I have just copied the steps that they performed. It is better you leave this part to your infrastructure team; from the above steps they should get an idea.
From the SAP side, it is pretty simple: just follow the screens in transaction SAML2.
Note: There are multiple networks in our organisation, so technically this configuration has helped to use the same network (desktop) password to log on to SAP instead of two different passwords. This means it is not SSO but logging in twice using the same password. Serves our purpose.
Regards
Raj
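The RZ10 parameter list in the post above is the part a security reviewer will look at first, because two of the values weaken the logon ticket that the browser holds after the SAML logon: login/ticket_only_by_https = 0 lets the MYSAPSSO2 cookie go out over plain HTTP, and icf/set_HTTPonly_flag_on_cookies = 3 is not the default of 0. The following is an added example, not code from the thread or from SAP: it parses a profile fragment in the "name = value" form used above, checks it against a small baseline, and prints the weak settings beside the corrected values. The baseline is my own reading of what these parameters do (in particular that login/ticket_only_by_https = 1 marks the ticket cookie Secure and that 0 is the strictest value for the HttpOnly parameter), so confirm it against the parameter documentation of your release; the sample profile is constructed from the values in the post.

```python
"""Check logon-ticket and HTTP-session profile parameters against a hardening baseline.

Added example, not code from the thread or from SAP. SAMPLE_PROFILE is constructed
from the values posted above; BASELINE is my own assumption, not an SAP document.
"""
import re

# Constructed sample: the posted parameter list as it would appear in a profile file.
SAMPLE_PROFILE = """\
# logon tickets and HTTP sessions (values as posted)
login/create_sso2_ticket = 2
login/accept_sso2_ticket = 1
login/ticketcache_entries_max = 1000
login/ticketcache_off = 0
login/ticket_only_by_https = 0
icf/set_HTTPonly_flag_on_cookies = 3
icf/user_recheck = 1
http/security_session_timeout = 1800
http/security_context_cache_size = 2500
rdisp/plugin_auto_logout = 1800
rdisp/autothtime = 60
"""

_PARAM_RE = re.compile(r"^\s*([A-Za-z0-9_/.\-]+)\s*=\s*(.*?)\s*$")


def parse_profile(text):
    """Parse 'name = value' lines into a dict; blank and '#' comment lines are skipped."""
    params = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _PARAM_RE.match(line)
        if m:
            params[m.group(1)] = m.group(2)   # a later duplicate overrides, as in RZ10
    return params


# Assumed baseline: (parameter, is_ok(value), value to set, why it matters).
BASELINE = [
    ("login/ticket_only_by_https", lambda v: v == "1", "1",
     "with 0 the MYSAPSSO2 logon ticket cookie lacks the Secure attribute, so the browser "
     "also sends it over plain HTTP where it can be captured and replayed"),
    ("icf/set_HTTPonly_flag_on_cookies", lambda v: v == "0", "0",
     "0 (the default) sets HttpOnly on all ICF cookies; 3 switches the attribute off, "
     "so script running in the browser can read the logon ticket"),
    ("login/accept_sso2_ticket", lambda v: v == "1", "1",
     "the system must accept logon tickets for the browser session to reuse the SAML logon"),
    ("http/security_session_timeout", lambda v: v.isdigit() and 0 < int(v) <= 1800, "1800",
     "idle HTTP security sessions should expire; payslip users log in rarely and walk away"),
    ("rdisp/plugin_auto_logout", lambda v: v.isdigit() and 0 < int(v) <= 1800, "1800",
     "stale ICM plug-in sessions should be logged off rather than held open indefinitely"),
]


def check_profile(params):
    """Return (parameter, current, recommended, reason) for every baseline entry that fails."""
    findings = []
    for name, is_ok, recommended, reason in BASELINE:
        current = params.get(name)
        if current is None or not is_ok(current):
            findings.append((name, "(unset)" if current is None else current, recommended, reason))
    return findings


def hardened_profile(params):
    """Return a copy of params with every failing baseline parameter set to its recommended value."""
    fixed = dict(params)
    for name, is_ok, recommended, _reason in BASELINE:
        if name not in fixed or not is_ok(fixed[name]):
            fixed[name] = recommended
    return fixed


if __name__ == "__main__":
    params = parse_profile(SAMPLE_PROFILE)
    for name, current, recommended, reason in check_profile(params):
        print(f"{name} = {current}  -> set to {recommended}: {reason}")
    print("\nhardened profile:")
    for name, value in sorted(hardened_profile(params).items()):
        print(f"{name} = {value}")
```

Setting login/ticket_only_by_https = 1 only makes sense once the ICM serves ESS/MSS over HTTPS, which a SAML setup needs anyway since the assertion is posted back to the SP; keep the HTTP port for the sandbox test if you must, but re-run the check on the production profile before go-live.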
Hi raj,
One thing not mentioned here (I wonder why) is to use X.509 certs. Setting up a certification authority can also be done by using ADCS, which is part of an Enterprise Windows Server license. You can enroll client authentication certificates to your users and they can use them within the browser for SSO. It is required to configure the ABAP backend for X.509 SSO (set ICM to use SSL; icm/https_verify_client; VUSREXTID etc.), but this can be done without additional software.
Regards,
Carsten
Hi Raj,
This is no answer to your question. Primarily, I'm happy to hear that NWBC meets your expectations.
We of course do recommend SAP NetWeaver Single Sign-On. And with SSO 2.0 you can integrate the Secure Login Client very easily into NWBC to benefit from SSO features.
Regards,
Sandra
Videos:
http://scn.sap.com/docs/DOC-47065
SSO 2.0 Documentation:
Hi Sandra,
Thank You for your reply.
As it stands now I am in the process of configuring SSO using ADFS. I hope this fulfills our requirement and we implement it successfully. If I come across any unforeseen issues that are not solvable, then we have no option but to think of alternatives, and then maybe the Secure Login Client.
Regards
Raj
Raj
I think I have gone down this same rabbit hole before, so I thought of sharing what I learned.
How hard would it be to create a front-end app that could read uid and pwd from AD/LDAP and then feed it back to the website for authentication? Well, it sure sounds simple, but let's just say that it's a very special branch of knowledge by itself that requires tons of upfront investment in understanding how the security protocol works (blame it on the hackers of the world who make life miserable).
If you really, really, really insist on zero upfront cost (I presume that's capital cost, not including your hours), you could try open-source SAML software such as Shibboleth and OpenSSO. It's the "near" equivalent of SAP NetWeaver Single Sign-On (previously known as SECUDE); other commercial equivalents in this space include PingFederate, Quest etc.
But beware of the implementation effort & headache.
Regards
Damean
Hi Damean,
Thank you very much for sharing your experience and letting me know the level of difficulty in achieving this. I would really appreciate it if you can tell me whether you have been successful in configuring it!!
Yes, we really, really, really insist on no upfront capital, and I do agree with you on the fact that this is a special branch of knowledge; I am making my first steps into this world.
Regards
Raj
Dear Raj,
More details about the authentication process from NWBC to the server you will be able to find here: NWBC and Authentication.
Please, notice that the scenario you are thinking about: "authenticate the users at desktop level (AD) and then by clicking on the NWBC link they should be able to login into the backend system automatically" requires SPNEGO with Kerberos where you need SAP NetWeaver Single Sign-On.
I hope this will help you.
Kind regards,
Donka Dimitrova
Dear Raj,
Once a user is authenticated against the AD, a solution has to take care of the security tokens, recognize who the logged-in user is and map it to a user ID in the SAP systems. You need a solution that deals with this Kerberos-based authentication. This solution is available via the Secure Login of the SAP NetWeaver SSO product.
Kind regards,
Donka Dimitrova
Dear Donka,
Thank you for your constructive responses. Yes, I have realised that I can achieve my goal by implementing the SAP NetWeaver product. But I was asked to find methods to implement the solution without using the SAP NetWeaver SSO product and with zero cost. It is very hard to believe that I cannot implement it without the SAP N/W SSO product, and I strongly think there must be a method, but it is not striking me at the moment. Let me know if you can think of any alternatives.
Thanks
Raj
Hi Raj,
Hope http://scn.sap.com/community/netweaver-business-client/blog/2013/06/07/authentication-and-single-sig... will help you.
Thanks,
Dhivya