on 04-08-2015 9:24 PM
I know SAP releases the SSO products but is it possible to achieve SSO via x.509/SAML certificates for free? Or are the SSO products absolutely required for this?
Would really appreciate some insight, thanks!
Joe
Hi Joe,
Although you do not mention a specific product, looking at the SAP systems as a consumer, at least X.509 based auth will work with most of them if using the HTTPS protocol. For SAML it depends on the product. In both cases you will need a system to create the tokens.
BTW: this is more related to general security than the SAP SSO product. You can find this discussed in the product documentation of the product you want to enable.
Kind regards,
Patrick
You can't use SAML to authenticate users who have SAP GUI / SAP Logon on their workstation, unless you authenticate them via a web browser first, maybe using a SAML token, and you have an IdP, and then you need to launch SAP GUI from the web browser using Javascript. In this case, the SSO2 logon ticket is taken by SAP GUI and sent to AS ABAP and accepted as a token to know who the user is. This logon ticket is sent unprotected to the ABAP system and can be intercepted, so this is not the most secure solution.
Also regarding SAML, you can install ADFS on your Active Directory domain and use that as the IdP in which case you can configure browser based authentication to AS ABAP using SAML without buying an SSO product from SAP or from an SAP partner. The SAP SSO product includes an IdP on Java, but if you use ADFS you don't need this functionality.
Thanks
Tim
My client has the same question with SAP NW 7.4 JAVA as Service Provider.
Is single sign-on to SAP JAVA free using third-party IDP authentication? If so, what needs to be configured other than "Configuring AS JAVA as Service Provider"? Please suggest.
Our scenario: User starts the browser, launches the MAINSTREET application (IDP dashboard); authenticates at the OCTA IDP; user clicks on the SAP NW 7.4 JAVA portal weblink on the identity provider dashboard; user gets authenticated automatically (through SSO) to the SAP NetWeaver Portal system and is logged in to the Portal without being asked for username/password.
Goal: Connect to the Portal without having to enter any logon credentials and, from the portal, let Enterprise Portal customers connect to the ABAP systems.
Thanks, Sridhar
Hey Joe,
Yes, for sure you can do X.509 SSO in SAP without paying for anything. It's not that hard to set up in ABAP or JAVA. The trick is that the end users need a user cert in their browsers that identifies them. Then you can map off of that in SAP. SAP does require HTTPS for this to work though. It's a decent amount of work, but it can be done, I've done it.
--NICK
Hi Sridhar
Please check this SDN blog
With NWBC 5.0, you can use Desktop think client with SAML2 SSO (as Service provider). You can invoke desktop NWBC client using a URL prefix like `sap-nwbc://https://host:port/nwbc`
I hope this helps.
Santosh Lad