
SSO with NWBC for HTML

Former Member
0 Kudos

Dear All,

This is the first time I have ever had an opportunity to work on NWBC. My company wants to implement SSO using NWBC for HTML and is not interested in using any AS Java components or the SAP NetWeaver SSO product.

Requirement/Background:

We are going live with HR/Payroll and ESS/MSS. The requirement is that users will use NWBC for HTML to log in to the backend system (ECC 6.0 EHP5 on Windows / SQL 2008), print their payslip and do all allowed activities in the ESS/MSS functionality.

(I realised that from EHP5 on we do not require the Portal to implement ESS/MSS.)

AIM:

The company wants to implement single sign-on using NWBC for HTML to achieve the above requirement. At the moment users have to change their password every 30 days in the production system. Since most users log in only once a month to print their payslips, there is always a chance that they forget their password, or that the system prompts them to change it because of the 30-day password change restriction, so we get thousands of password-reset calls every month end. To avoid this we want to implement SSO.

Note: if we can achieve SSO, we can disable or change the password expiry parameter.

My Thoughts:

Based on the requirement, all I can think of is to authenticate the users at desktop level (AD); then, by clicking on the NWBC link, they should be logged in to the backend system automatically and, based on the roles assigned to them, be able to perform their activities. We can apply the password restrictions at AD level and users only have to remember one password.

I would really appreciate it if anyone could guide me through achieving this. We are open to any suggestions.

Thank You

Raj

Accepted Solutions (1)

Former Member
0 Kudos

Hello Raj

We too are looking to deploy ESS/MSS via the HTML version of NWBC. I have found that later versions of the ABAP stack now support SAML 2.0. Our company is already running Active Directory Federation Services (ADFS), which provides the critical Identity Provider (IdP) capability. So, no need to purchase NetWeaver SSO!

http://help.sap.com/saphelp_nw70ehp2/helpdata/en/46/631b92250b4fc1855686b4ce0f2f33/content.htm

Until now I've only done basic testing in our sandbox, based on using the email address for the federated ID, and can report that it does work!! Note that we would probably prefer to go with some HR data that does not change, like the "central person ID"; I think that will require a BAdI to do the lookup in SAP HR. I found an SCN post that talks to it, but have not investigated.

Would be very interested in collaborating further with you on the overall concept if you are interested, as this is only an "as time allows" project!!

Former Member
0 Kudos

Dear Eric,

Thank you for replying to the post with very useful information. I am happy to collaborate with you and share experience and knowledge. It is good to know that you have already configured and successfully tested the SSO. I would really appreciate it if you could share your documentation with me.

I have read through the SAML 2.0 link and it has definitely helped me a lot in identifying the existing options for configuring SSO.

1) You want to protect authentication information with encryption or with opaque IDs. For this I need the following:

1) Service provider.... My initial thought is to use AS ABAP; if I think about performance then I might have to delegate this to a separate system, and I do not know what the options are on this route.

2) Identity provider..... We do not have any identity provider; I have to explore this option more. I would like to know how to configure the ADFS you mentioned. I will need to dig into this.

3) Client Agent..... Not sure what this is

4) Opaque ID...... Not sure what this is

I will spend the rest of the week reading and exploring all the above and hopefully come back with a constructive approach and let you all know. Meanwhile, you can forward me any information you think would help.

Thank You

Regards

Raj

Former Member
0 Kudos

Service Provider -- yes, this must be the AS ABAP as it is providing the service you want (ESS/MSS)! No reason to worry about performance whatsoever; delegation is getting complicated (if even possible). I am making the assumption that your AS ABAP Basis release is high enough.

Identity Provider - yes, this is the magic. In our company, ADFS was already up and running by the team that manages Active Directory, as they needed it for other (non-SAP) SSO requirements. I don't have much visibility into the setup they did.

When I first started the SAML setup I also tried to dig into the various details, but realized quickly (similar to the points made by Damean) that it would require learning very low-level protocols etc. My suggestion for "tire kicking" to prove the concept is to use an attribute that is in SU01 and inside AD; email address would be the easy one.

The high level steps were:

1. Importing metadata XML from ADFS into AS ABAP and choosing email address as the federation ID

2. Exporting metadata XML from AS ABAP to ADFS

3. ADFS creating 'claim rules' to use email address

I can also share that the support I got from SAP was VERY helpful (even related to providing a few steps that our ADFS folks needed help with!) to get this going.

Former Member
0 Kudos

Dear Eric,

Thank You for the reply.

Am I correct in saying that I can configure the Service Provider and SAML 2.0 just by following the documentation provided on SCN, or have you used any other sources to configure these? I will pass the ADFS part to our infrastructure team.

It is good to hear that SAP had helped you when you needed.

All users have the same ID in both AD and SAP. I think this makes my life a bit easier. However, I can fall back on the email address if I need to.

The high-level steps you mentioned: were they part of the configuration, or steps to be followed after the config?

My boss will be back from holiday next week; after discussing with him I will get back to you. I think I will create a sandbox system and play with it.

Thank You

Regards

Raj

Former Member
0 Kudos

Definitely recommend doing it in a sandbox. We actually have a test AD domain as well.

Yes, the procedure was fairly simple. I actually attended the SAML hands-on session a few weeks ago at TechEd hoping to learn some more details, but the exercise was just a matter of pushing buttons to establish the "trust" between the IdP and the SP (via the metadata files). If this is the first time your AD folks would be exploring SAML, then there could be some learning curve for them. We've done about 10 SAML setups thus far and it does seem like each SP has a few unique elements.

As I reviewed the support ticket we had, the only challenges we faced were:

1. The link to download the metadata XML from the ABAP SP - I had to use this directly: https://<host>:<port>/sap/saml2/sp/metadata?sap-client=<client>

2. The ADFS team made some mistake on the claim rules - SAP helped, but I think it was more of an accident on their side.

If your ID is the same then you are good. Because of the character limitation on the SAP side and our network ID standard incorporating the person's last name, we have a few users that do not match, hence using the email address. When we move out of the sandbox we will investigate some custom code to be able to use an HR attribute that does not change!

Former Member
0 Kudos

Dear Eric,

Want to update you on the situation.

I met the infrastructure manager yesterday and learned that we already have ADFS as well as Shibboleth in place for other purposes... hurrah! So all that is pending is to build the SAP sandbox, and I am preparing a build sheet. I will update you after I have stood up the sandbox.

Just a quick question: apart from ADFS (identity provider) and the SAP sandbox (service provider), do I need to install any other products to configure this?

Thanks for your support

Regards

Raj

Former Member
0 Kudos

No other products - you only need to ensure the ABAP Basis SP is at the required minimal level to support SAML.

Feel free to send me a mail (I assume you can see it on my profile) if you'd like to go into additional detail (especially regarding the bigger picture ESS/MSS goals, as I think I have the same!).

Former Member
0 Kudos

Hi Eric,

I can't find your email address on your vCard!!

Regards

Raj

Former Member
0 Kudos

Ah, I now see there is a privacy settings tab!!

Please check again

Answers (6)

Former Member
0 Kudos

Hi All,

Finally, today I have completed the configuration and also tested it successfully.

I would like to thank  everyone for your inputs.

Special thanks to Eric.

Solution: please follow the links provided by Eric in this post.

Regards

Raj

Former Member
0 Kudos

Dear Raj,

Regarding the subject, have you prepared any documents?

We are in a similar situation to what you mentioned here, and we are stuck on where to start.

So could you please provide the steps you have taken to make it possible,

or send the detailed procedure to my ID.

thanks

Jijin

Former Member
0 Kudos

Dear Jijin,

The solution is simply to follow the links provided by Eric. However, the following are the steps:

SAP

1) Relevant RZ10 parameters:

login/create_sso2_ticket = 2
login/accept_sso2_ticket = 1
login/ticketcache_entries_max = 1000
login/ticketcache_off = 0
login/ticket_only_by_https = 0
icf/set_HTTPonly_flag_on_cookies = 3
icf/user_recheck = 1
http/security_session_timeout = 1800
http/security_context_cache_size = 2500
rdisp/plugin_auto_logout = 1800
rdisp/autothtime = 60

2) Activate HTTP for your production client using transaction SICF_SESSIONS.

3) SAML configuration using transaction SAML2; one of the important steps is to import the ADFS metadata into the SAP system.

ADFS

1) After making the settings in SAML2, download the SAP system metadata and import it into ADFS.

2) On ADFS service configure a relying party trust

3) Add an ADFS claim rule that maps sAMAccountName to NameID.

4) On the relying party trust select Properties -> Advanced and set the encryption to SHA1.

The ADFS side was configured by the infrastructure team, so I have just copied the steps that they performed. It is better you leave this part to your infrastructure team; from the above steps they should get an idea.

From the SAP side it is pretty simple; just follow the screens in transaction SAML2.

Note: there are multiple networks in our organisation, so technically this configuration has helped us use the same network (desktop) password to log on to SAP instead of two different passwords. That means it is not SSO but logging in twice using the same password. It serves our purpose.

Regards

Raj
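
The metadata exchange in Eric's three high-level steps and in Raj's SAP/ADFS lists above is where most trust setups go wrong, so here is a pre-flight check of the two files before they are imported. This is an added example, not code from the thread or from SAP: the IdP and SP metadata are constructed to look like what ADFS and the ABAP /sap/saml2/sp/metadata URL emit, and every hostname, entityID, URL path and certificate body is a placeholder. It parses both documents, confirms that the IdP publishes a signing key, that both sides expose endpoints over HTTPS with compatible bindings, and that the NameID format chosen as the federation ID in SAML2 (email address, as in the thread) is advertised by the IdP and requested by the SP.

```python
"""Pre-flight check of the two SAML 2.0 metadata files exchanged above.

Added example, not code from the thread or from SAP. IDP_METADATA and
SP_METADATA are constructed in the shape ADFS and the ABAP SP publish;
hostnames, entityIDs, URL paths and the certificate bodies are placeholders.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Placeholder signing certificate element, reused in both constructed documents.
CERT = ('<KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
        '<ds:X509Data><ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate>'
        '</ds:X509Data></ds:KeyInfo></KeyDescriptor>')

# Constructed IdP metadata (ADFS-like); placeholder host.
IDP_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="http://adfs.example.com/adfs/services/trust">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  {CERT}
  <NameIDFormat>{EMAIL}</NameIDFormat>
  <SingleSignOnService Binding="{REDIRECT}" Location="https://adfs.example.com/adfs/ls/"/>
  <SingleSignOnService Binding="{POST}" Location="https://adfs.example.com/adfs/ls/"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed SP metadata in the shape the ABAP SP publishes; placeholder host and client.
SP_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="SAP_ERP_SBX_100">
 <SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
   protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  {CERT}
  <NameIDFormat>{EMAIL}</NameIDFormat>
  <AssertionConsumerService index="0" isDefault="true" Binding="{POST}"
   Location="https://sap.example.com:44300/sap/saml2/sp/acs/100"/>
 </SPSSODescriptor>
</EntityDescriptor>"""


def parse_metadata(xml_text):
    """Pull out the pieces the SAML2 / ADFS import screens actually consume."""
    root = ET.fromstring(xml_text)
    info = {"entity_id": root.get("entityID"), "role": None, "signing_keys": 0,
            "authn_requests_signed": False, "nameid_formats": [], "endpoints": {}}
    for role, endpoint in (("IDPSSODescriptor", "SingleSignOnService"),
                           ("SPSSODescriptor", "AssertionConsumerService")):
        desc = root.find(f"md:{role}", NS)
        if desc is None:
            continue
        info["role"] = role
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        info["signing_keys"] = sum(1 for k in desc.findall("md:KeyDescriptor", NS)
                                   if k.get("use", "signing") == "signing")
        info["authn_requests_signed"] = desc.get("AuthnRequestsSigned", "false") == "true"
        info["nameid_formats"] = [(f.text or "").strip()
                                  for f in desc.findall("md:NameIDFormat", NS)]
        info["endpoints"] = {e.get("Binding"): e.get("Location")
                             for e in desc.findall(f"md:{endpoint}", NS)}
    return info


def check_trust(idp, sp, federation_format=EMAIL):
    """Findings that would break or weaken the IdP/SP trust; an empty list is good."""
    findings = []
    if idp["role"] != "IDPSSODescriptor":
        findings.append("IdP metadata carries no IDPSSODescriptor")
    if sp["role"] != "SPSSODescriptor":
        findings.append("SP metadata carries no SPSSODescriptor")
    if idp["signing_keys"] == 0:
        findings.append("IdP publishes no signing key; the SP cannot verify assertions")
    if sp["authn_requests_signed"] and sp["signing_keys"] == 0:
        findings.append("SP signs AuthnRequests but publishes no signing key")
    if not (idp["endpoints"].get(REDIRECT) or idp["endpoints"].get(POST)):
        findings.append("IdP has no HTTP-Redirect or HTTP-POST SingleSignOnService")
    if not sp["endpoints"].get(POST):
        findings.append("SP has no HTTP-POST AssertionConsumerService")
    for side, info in (("IdP", idp), ("SP", sp)):
        for url in info["endpoints"].values():
            if not (url or "").lower().startswith("https://"):
                findings.append(f"{side} endpoint is not HTTPS: {url}")
    # The federation ID chosen in SAML2 must be a NameID format both sides support.
    if federation_format not in idp["nameid_formats"] and UNSPECIFIED not in idp["nameid_formats"]:
        findings.append(f"IdP does not advertise NameID format {federation_format}")
    if federation_format not in sp["nameid_formats"]:
        findings.append(f"SP does not request NameID format {federation_format}")
    return findings


if __name__ == "__main__":
    idp, sp = parse_metadata(IDP_METADATA), parse_metadata(SP_METADATA)
    print("relying party identifier to use in ADFS:", sp["entity_id"])
    print("findings:", check_trust(idp, sp) or "none")
    downgraded = parse_metadata(SP_METADATA.replace("https://sap", "http://sap"))
    print("findings with a plain-HTTP ACS:", check_trust(idp, downgraded))
```

The SP's entityID is the value ADFS expects as the relying party identifier, and the script prints it so it can be compared with what the infrastructure team typed in. Run it against the real files downloaded from the URL Eric gives and from the ADFS federation metadata endpoint; the same checks apply.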


Former Member
0 Kudos

Oops, I got the parameter values wrong in the previous message; the following are correct:

login/ticket_only_by_https = 1

icf/user_recheck = 0
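
Raj's correction above is the kind of thing a profile diff catches before go-live, so here is the parameter list he posted earlier run through a small linter. This is an added example, not code from the thread: the profile text is a constructed RZ10-style excerpt that mirrors his first list, and the expected values are the two he corrected in this follow-up. The reason given for login/ticket_only_by_https is the standard one (with value 1 the logon ticket is only issued over HTTPS and the MYSAPSSO2 cookie carries the Secure attribute, so a browser never sends it in clear); the remaining parameters are left to local policy.

```python
"""Lint the SSO-related profile parameters above against the corrected values.

Added example, not from the thread. PROFILE_AS_POSTED is a constructed
RZ10-style excerpt reproducing the list as first posted; EXPECTED holds the
two values the poster corrected in the follow-up.
"""
import re

PROFILE_AS_POSTED = """\
# constructed instance-profile excerpt, not a real system
login/create_sso2_ticket = 2
login/accept_sso2_ticket = 1
login/ticketcache_entries_max = 1000
login/ticketcache_off = 0
login/ticket_only_by_https = 0
icf/set_HTTPonly_flag_on_cookies = 3
icf/user_recheck = 1
http/security_session_timeout = 1800
http/security_context_cache_size = 2500
rdisp/plugin_auto_logout = 1800
rdisp/autothtime = 60
"""

# Corrected values from the follow-up post, with the reason the first one matters.
EXPECTED = {
    "login/ticket_only_by_https": (
        "1", "logon ticket only issued over HTTPS and the MYSAPSSO2 cookie gets the "
             "Secure attribute, so the browser never sends it in clear"),
    "icf/user_recheck": ("0", "value given in the corrected list"),
}
# Parameters that must be present for logon-ticket SSO to work at all.
REQUIRED = ("login/create_sso2_ticket", "login/accept_sso2_ticket")

LINE = re.compile(r"^\s*([A-Za-z0-9_/]+)\s*=\s*(\S+)")


def parse_profile(text):
    """Return {parameter: value}; a later line overrides an earlier one, as in RZ10."""
    params = {}
    for line in text.splitlines():
        if line.strip().startswith("#"):
            continue
        m = LINE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def lint_profile(text, expected=EXPECTED, required=REQUIRED):
    """Return (parameter, actual, expected, reason) tuples for every deviation."""
    params = parse_profile(text)
    findings = []
    for name in required:
        if name not in params:
            findings.append((name, None, "set", "needed for logon-ticket SSO"))
    for name, (value, reason) in expected.items():
        actual = params.get(name)
        if actual != value:
            findings.append((name, actual, value, reason))
    return findings


def corrected(text, expected=EXPECTED):
    """Rewrite the excerpt with the expected values, leaving every other line alone."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m and m.group(1) in expected:
            line = f"{m.group(1)} = {expected[m.group(1)][0]}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name, actual, wanted, reason in lint_profile(PROFILE_AS_POSTED):
        print(f"{name}: is {actual}, want {wanted} ({reason})")
    print(corrected(PROFILE_AS_POSTED))
```

Point the same two functions at the real instance profile (or at the output of RZ11 for each parameter) and the first finding is the one that matters: with login/ticket_only_by_https left at 0, the ticket that SAML just obtained for the user can be replayed by anyone who can read a plain-HTTP request carrying it.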

Former Member
0 Kudos

Hi raj,

One thing not mentioned here (I wonder why) is to use X.509 certificates. Setting up a certification authority can also be done using ADCS, which is part of an Enterprise Windows Server license. You can enroll client authentication certificates to your users and they can use them within the browser for SSO. It is required to configure the ABAP backend for X.509 SSO (set ICM to use SSL; icm/https_verify_client; VUSREXTID etc.), but this can be done without additional software.

Regards,

Carsten
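
The last step in Carsten's X.509 route is the one that decides who the browser's certificate becomes inside SAP: after the ICM has validated the client certificate chain (the verify_client setting he mentions), the certificate's subject DN is looked up in VUSREXTID, external ID type DN, and mapped to a user ID. The script below is an added example of that mapping step, not Carsten's code and not SAP's implementation; the issuing CA, the user table and the DNs are constructed, the chain validation is assumed to have already happened in the ICM, and the canonical DN spelling it uses is a simplifying assumption. It shows the two failure modes a practitioner runs into: a certificate from a CA that is not in the mapping (mapped to nobody, even if it verified) and a DN that is spelled differently by the browser than in the table.

```python
"""Certificate-to-user mapping as a VUSREXTID entry of type DN performs it.

Added example, not from the thread. TRUSTED_ISSUERS and EXTERNAL_IDS are
constructed; the ICM is assumed to have validated the certificate chain
against STRUST before this mapping step, which this script does not repeat.
"""
import re

# Constructed: the AD CS issuing CA whose certificates we map, and the
# external-ID table mapping certificate subject DN -> SAP user ID.
TRUSTED_ISSUERS = {"CN=Example Issuing CA, O=Example Corp, C=US"}
EXTERNAL_IDS = {
    "CN=Raj Kumar, OU=HR, O=Example Corp, C=US": "RAJK",
    "CN=Eric Example, OU=IT, O=Example Corp, C=US": "ERICE",
}


def normalize_dn(dn):
    """Canonical DN string: split on unescaped commas, trim whitespace,
    upper-case the attribute types, join with ", ". Values keep their case
    (assumption: the table stores them exactly as the CA issued them)."""
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        parts.append(f"{attr.strip().upper()}={value.strip()}")
    return ", ".join(parts)


def map_certificate(subject_dn, issuer_dn, issuers=TRUSTED_ISSUERS, table=EXTERNAL_IDS):
    """Return the SAP user for a client certificate, or None when the issuer is
    not one we map or no external ID matches the subject."""
    if normalize_dn(issuer_dn) not in {normalize_dn(i) for i in issuers}:
        return None  # valid chain or not, we only map certificates from our own CA
    canonical = {normalize_dn(k): v for k, v in table.items()}
    return canonical.get(normalize_dn(subject_dn))


if __name__ == "__main__":
    ca = "CN=Example Issuing CA, O=Example Corp, C=US"
    # The browser presents the DN in a different spelling than the table: still maps.
    print(map_certificate("cn=Raj Kumar,ou=HR,o=Example Corp,c=US", ca))  # RAJK
    # Same subject, issued by a CA we do not map: nobody.
    print(map_certificate("CN=Raj Kumar, OU=HR, O=Example Corp, C=US",
                          "CN=Other CA, O=Elsewhere, C=US"))  # None
```

The issuer check is the part people forget when the ICM is set to accept any certificate that chains to a trusted root: the mapping table must be keyed on the pair of issuer and subject, or restricted to the one issuing CA, otherwise a certificate with a matching subject from any other trusted CA logs in as that user.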

Former Member
0 Kudos

Hi Carsten,

Thank you for letting me know about this option. I would really appreciate it if you could direct me to any documentation that helps me read up on it and possibly configure it if I need to.

Thank You

Raj

sandra_thimme
Product and Topic Expert
0 Kudos

Hi Raj,

This is no answer to your question. Primarily, I'm happy to hear that NWBC meets your expectations.

We of course do recommend SAP NetWeaver Single Sign-On. And with SSO 2.0 you can integrate the Secure Login Client very easily into NWBC to benefit from SSO features.

Regards,

Sandra

Videos:

http://scn.sap.com/docs/DOC-47065

SSO 2.0 Documentation:

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/70412b93-c972-3010-6a94-da49f9ba5...

Former Member
0 Kudos

Hi Sandra,

Thank You for your reply.

As it stands now I am in the process of configuring SSO using ADFS. I hope this fulfills our requirement and we implement it successfully. If I come across any unforeseen issues that are not solvable, then we have no option but to think of alternatives, and then maybe the Secure Login Client.

Regards

Raj

Damean
Active Contributor
0 Kudos

Raj

I think I have gone down this same rabbit hole before, so I thought of sharing what I learned.

How hard would it be to create a front-end app that could read uid and pwd from AD / LDAP and then feed it back to the website for authentication? Well, it sure sounds simple, but let's just say that it's a very special branch of knowledge by itself that requires tons of upfront investment in understanding how the security protocol works (blame it on the hackers of the world who make life miserable).

If you really, really, really insist on zero upfront cost (I presume that's capital cost, not including your hours), you could try open-source SAML software such as "Shibboleth" and OpenSSO. It's the "near" equivalent of SAP NetWeaver Single Sign-On (previously known as SECUDE); other commercial equivalents in this space include PingFederate, Quest etc.

But beware of the implementation effort & headache.

Regards

Damean


Former Member
0 Kudos

Hi Damean,

Thank you very much for sharing your experience and letting me know the level of difficulty in achieving this. I would really appreciate it if you could tell me whether you have been successful in configuring it!!

Yes, we really, really, really insist on no upfront capital, and I do agree with you on the fact that this is a special branch of knowledge; I am making my first steps into this world.

Regards

Raj

donka_dimitrova
Contributor
0 Kudos

Dear Raj,

You will be able to find more details about the authentication process from NWBC to the server here: NWBC and Authentication.

Please notice that the scenario you are thinking about, "authenticate the users at desktop level (AD) and then by clicking on the NWBC link they should be able to login into the backend system automatically", requires SPNEGO with Kerberos, where you need SAP NetWeaver Single Sign-On.

I hope this will help you.

Kind regards,

Donka Dimitrova

Former Member
0 Kudos

Hi Donka,

Thank you for your reply.

Can I not achieve my scenario without using SPNEGO with Kerberos, where you need SAP NetWeaver Single Sign-On?

Regards

Raj

donka_dimitrova
Contributor
0 Kudos

Dear Raj,

Once a user is authenticated against AD, a solution has to take care of the security tokens, recognize who the logged-on user is and map it to a user ID in the SAP systems. You need a solution that deals with this Kerberos-based authentication. This solution is available via the Secure Login of the SAP NetWeaver SSO product.

Kind regards,

Donka Dimitrova

Former Member
0 Kudos

Dear Donka,

Thank you for your constructive responses. Yes, I have realised that I can achieve my goal by implementing the SAP NetWeaver product. But I was asked to find methods to implement the solution without using the SAP NetWeaver SSO product and with zero cost. It is very hard to believe that I cannot implement it without the SAP NW SSO product, and I strongly think there must be a method, but it is not striking me at the moment. Let me know if you can think of any alternatives.

Thanks

Raj

Dhivya
Active Participant
0 Kudos
Former Member
0 Kudos

HI Dhivya,

Thank you for your reply.

I have already been to this page. It is informative, but I am unable to draw information regarding my requirement "SSO using NWBC for HTML".

Regards

Raj