
SSO via x.509/SAML for free possible?

Former Member
0 Kudos

I know SAP releases the SSO products but is it possible to achieve SSO via x.509/SAML certificates for free? Or are the SSO products absolutely required for this?

Would really appreciate some insight, thanks!

Joe

Accepted Solutions (1)

Former Member
0 Kudos

Hi Joe,

Although you do not mention a specific product, looking at the SAP systems as a consumer, at least X.509-based auth will work with most of them if using the HTTPS protocol. For SAML it depends on the product. In both cases you will need a system to create the tokens.

BTW: this is more related to general security than the SAP SSO product. You can find this discussed in the product documentation of the product you want to enable.

Kind regards,

Patrick

Former Member
0 Kudos

Thanks Patrick -- we're trying to SSO enable SAP ECC 6.04/NW 7.01. I've heard it's possible to SAML enable the web portal for free but that SSO enabling SAP Logon (thick client) will require SAP's products. Is this true?

tim_alsop
Active Contributor
0 Kudos

You can't use SAML to authenticate users who have SAP GUI / SAP Logon on their workstation, unless you authenticate them via a web browser first, maybe using a SAML token, and you have an IdP, and then you need to launch SAP GUI from the web browser using JavaScript. In this case, the SSO2 logon ticket is taken by SAP GUI and sent to AS ABAP and accepted as a token to know who the user is. This logon ticket is sent unprotected to the ABAP system and can be intercepted, so this is not the most secure solution.

Also regarding SAML, you can install ADFS on your Active Directory domain and use that as the IdP in which case you can configure browser based authentication to AS ABAP using SAML without buying an SSO product from SAP or from an SAP partner. The SAP SSO product includes an IdP on Java, but if you use ADFS you don't need this functionality.

Thanks

Tim

Former Member
0 Kudos

My client has the same question with SAP NW 7.4 JAVA as Service Provider.

Is single sign-on to SAP JAVA free using third-party IDP authentication? If so, what needs to be configured other than "Configuring AS JAVA as Service Provider"? Please suggest.


Our scenario: The user starts the browser and launches the MAINSTREET application (IDP dashboard); authenticates at the OCTA IDP; the user clicks on the SAP NW 7.4 JAVA portal weblink on the identity provider dashboard; the user gets authenticated automatically (through SSO) to the SAP NetWeaver Portal system and is let into the Portal without being asked for a username/password.

Goal: Connect to the Portal without having to enter any logon credentials and, from the Portal, let Enterprise Portal customers connect to the ABAP systems.

Thanks, Sridhar

Former Member
0 Kudos

Hey Joe,

Yes, for sure you can do X.509 SSO in SAP without paying for anything. It's not that hard to set up in ABAP or JAVA. The trick is that the end users need a user cert in their browsers that identifies them. Then you can map off of that in SAP. SAP does require HTTPS for this to work though. It's a decent amount of work, but it can be done, I've done it.

--NICK


Former Member
0 Kudos

Hi Sridhar

Please check this SDN blog

http://wiki.scn.sap.com/wiki/display/Security/Single+Sign-On+with+SAML+2.0+and+ABAP+Systems+Supporti...

With NWBC 5.0, you can use the desktop thick client with SAML2 SSO (as Service Provider). You can invoke the desktop NWBC client using a
URL prefix like sap-nwbc://https://host:port/nwbc

I hope this helps.

Santosh Lad

Former Member
0 Kudos

Hi Santosh, I configured AS JAVA as SP (single sign-on solution) using a third-party IDP. Appreciate your suggestion.

regards, Sridhar

Answers (0)