Single Sign On with ABAP WebDynpro

conrad_thonger
Explorer
0 Kudos

Greetings,

I have a puzzle that I'm hoping that someone has dealt with in the past.

We are working on implementing Single Sign On in our environment and we are mostly successful in our task.

In our portal, we are using authentication with LDAP via SPNEGO.  In our SAP GUI, we are using SNC names with Kerberos.

Where I'm having a problem is the ABAP WebDynpro that is accessed via URL without having first logged into the SAP GUI.  If a transaction is called from within the GUI (which then opens a browser to show the Web Dynpro), the user is connected with no issue because they are already logged into SAP and have an SAP Logon Ticket.

When they call the WebDynpro from a browser using the server name and an alias set in our ICM configuration, they are required to log in using their SAP account.

Is there some setting that I can put in the WebDynpro configuration which would either behave like our portal to use LDAP to look up the user or like the GUI to use SNC to authenticate?  I'm sure it must be possible but I am stumped as to what I need to configure to make it happen.

Thanks in advance,

Conrad Thonger

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Unless you are using the NWSSO product, this isn't the correct space. If you license NWSSO, you can configure SPNEGO for ABAP to achieve your requirement. You could also access your WDAs through portal.

8 REPLIES 8

0 Kudos

Greetings Samuli,

I apologize for being in the wrong space.  I'll see about moving my question to a more appropriate space once I find it.  It can be a challenge to find the right space in which to ask questions.

Thank you for the suggestion about accessing them through the portal.  I may ask our developers to see how easy that would be to implement as that would leverage our existing environment.

Conrad Thonger

0 Kudos

Moved to the security forum.

If I understand your requirement and my memory serves me, the start of a WDA from a SAPGui transaction (such as SOAMANAGER) is not a logon ticket. It is a re-entry ticket to the same SID (like opening a new session or calling an internal RFC as yourself) so no authentication is required. The only difference is that it goes back via the message server and you might land on a different app server if started that way.

In the case of the user starting the WDA directly, you can therefore configure the logon procedure independently of the SAPGui based start (meaning it won't break it) and if that scenario is portal based navigation or an embedded app in a frame, then a real SAP logon ticket issued by the portal is probably the easiest and fastest way to go.

Many customers already have SAML infrastructure in place for non-SAP applications now, so you should also first consider that before you go the logon ticket route because it means that you are not only limited to SAP.

Cheers,

Julius

0 Kudos

Hi,

just to add to Julius' response. ABAP application server does not support Kerberos as an authentication method. The most common methods used for HTTP based apps are username/password, SAP Logon ticket and SAML. So in your case SAML is not configured and a user does not have a logon ticket. Therefore ABAP AS asks for username/password. One option would be to always go through portal that generates logon ticket that can be used to authenticate user on backend system. Another option is to try to introduce SAML into your landscape. Identity provider (IdP) can still use Kerberos for authentication but you will use SAML for backend authentication. When users hit a WD app they get redirected to IdP. IdP uses Kerberos to authenticate users and then redirects them back to backend system. Here SAML token is used to authenticate users. AD can work as a SAML provider (you might need some extra license though) or you should be able to find an open source IdP with support for Kerberos. A SAML solution will require some extra effort to implement.

Cheers
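The split of responsibilities described in the reply above (Kerberos handled only at the IdP, the ABAP backend consuming a SAML assertion) as an added, simplified simulation; this is not code from the thread or from SAP. An HMAC over a JSON body stands in for the XML signature and IdP certificate of real SAML, and the entity IDs, realm and key are constructed placeholders.

```python
import base64, hashlib, hmac, json, secrets

# Constructed demo values (not from the thread): a shared HMAC key stands in
# for the IdP signing key that the ABAP AS would trust via the IdP's X.509 cert.
IDP_KEY = b"constructed-demo-signing-key"
IDP_ID = "https://idp.example.test"                   # hypothetical IdP entityID
SP_ID = "https://abap.example.test/sap/bc/webdynpro"  # hypothetical ABAP AS entityID
ASSERTION_TTL = 300                                   # seconds of validity

def kerberos_login(ticket: dict) -> str:
    """IdP-side stand-in for validating the user's Kerberos service ticket.
    The ABAP backend never performs this step; it only sees the SAML assertion."""
    if ticket.get("realm") != "EXAMPLE.TEST":
        raise PermissionError("Kerberos ticket from an untrusted realm")
    return ticket["principal"]

def idp_issue_assertion(ticket: dict, audience: str, request_id: str, now: int) -> str:
    """IdP: authenticate with Kerberos, then issue a signed assertion for the SP."""
    assertion = {
        "issuer": IDP_ID, "subject": kerberos_login(ticket), "audience": audience,
        "in_response_to": request_id, "nbf": now, "exp": now + ASSERTION_TTL,
    }
    body = base64.urlsafe_b64encode(json.dumps(assertion, sort_keys=True).encode()).decode()
    return body + "." + hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()

def sp_consume_assertion(token: str, request_id: str, now: int) -> str:
    """ABAP AS (SP) side: accept the subject only if every check passes."""
    body, _, mac = token.rpartition(".")
    expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise PermissionError("assertion signature invalid")          # tampered or forged
    a = json.loads(base64.urlsafe_b64decode(body))
    if a["issuer"] != IDP_ID:
        raise PermissionError("assertion from untrusted issuer")
    if a["audience"] != SP_ID:
        raise PermissionError("assertion not addressed to this system")  # replay across SPs
    if a["in_response_to"] != request_id:
        raise PermissionError("assertion does not answer our AuthnRequest")  # unsolicited/replay
    if not (a["nbf"] <= now < a["exp"]):
        raise PermissionError("assertion outside its validity window")
    return a["subject"]   # the SP maps this subject to an SAP user ID

def sso_flow(ticket: dict, now: int) -> str:
    """SP-initiated round trip: WD URL hit -> redirect to IdP -> Kerberos -> assertion back."""
    request_id = "_" + secrets.token_hex(8)   # ID of the SP's AuthnRequest
    token = idp_issue_assertion(ticket, SP_ID, request_id, now)
    return sp_consume_assertion(token, request_id, now)
```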

0 Kudos

AS ABAP supports Kerberos assuming the requirements listed in SAP note 1798979 are met. In addition to the technical requirements, licenses for NWSSO are required. SAP has implemented additional license checks in SPNEGO for ABAP.

0 Kudos

Oh! Thank you for that information - I was not aware of that support!

@ Conrad: It is backported to 7.02 if your SP (and kernel) is high enough. If that is the case and an option for you, then it is best to move your question again to the SAP NW SSO forum or keep it here and invite the NW SSO mods to comment so that other folks who search can also find it.

Cheers,

Julius

0 Kudos

Hi,

thanks for this update. Lately, I am generally impressed with SAP. They really invested in the Netweaver platform and brought some nice features. This is not the first time that I got corrected that a new version actually supports some new feature. Nice work SAP.

Cheers

0 Kudos

Hi Conrad,

there is not much I can add to what Samuli already said. If you want to get more info about the SAP NW SSO capabilities you can have a look at the NW SSO summary page that provides some more info on the product and capabilities.

Besides supporting what you want, it can be used with NWBC and other SAP tools as well. Even if the software does not directly support Kerberos, the product can be used as it can act as sort of a bridge based on short lived X.509 certificates which are created based on a Kerberos authentication.

Regards,

Patrick