on 09-09-2015 5:31 AM
Dear Experts,
We have SAP Fiori apps configured in our landscape. We have SAP Netweaver
7.4 as Front End Gateway server. And we have SAP ECC 6.0 EHP6 as backend server
for Fiori apps.
The Fiori URLs are exposed to Internet via SAP Web dispatcher on DMZ,
for our employees.
Now our need is to allow our employee to use their Domain ID ( Active
Directory user id) to use the SAP Fiori application.
My questions are:
1. Do I need to use SAP SSO for this scenario to be configured?
2. If so, then do I need to add any AS JAVA between SAP Web dispatcher and
Gateway server?
Any documents related to this would be highly appreciable please...
Kind Regards,
Mohammad Anoarul Islam
Hi Mohammad,
I hope all is well and you enjoy the blessings of Ramadan.
Have you implemented the process and documented it?
Please let me know if you could share the documentation.
Cheers,
Usman
If you want to connect AS ABAP to AD for Fiori user authentication, you can do this without needing a Java stack.
Thanks
Tim
Thanks a lot Tim Alsop,
Actually my requirement is to allow our employees to use their AD user id to work with the SAP FIORI application from the Internet (outside of our Domain).
I have configured SAP Web Dispatcher in DMZ, I have an SSL certificate for https://fiori.dewa.gov.ae, and this URL is configured on the SAP Web Dispatcher server. SAP Web Dispatcher is connected to the SAP FIORI Front End server, which is SAP NW 7.4 SPS08, and the back end server is SAP ECC 6.0 EHP6.
Please suggest how I can achieve this goal...
thanks in advance please...
Regards,
Mohammad Anoarul Islam
It is possible to do what you want, as shown below:
Web browser <--- Internet ---> Firewall <---> Web dispatcher <---> SAP NW Gateway <---> Active Directory
For above you need to buy a product from a SAP partner.
If you want to use AS JAVA with SAP SSO product, then you need to buy SAP SSO product from SAP.
Thanks
Tim
Thanks once again Tim for your meaningful suggestion.
May I ask you to elaborate more about:
1. "For above you need to buy a product from a SAP partner" -- Please mention the product name and the partner from where we can buy it.
2. If I want to use AS JAVA with SAP SSO, then how will the configuration be? Any documents on the same thing will be highly appreciable please....
mostly we may prefer option-2.
Thanks ....
Mohammad Anoarul Islam
Hello Mohammad,
Using SAP SSO will allow you to implement this scenario. In addition you will have the options to enable multi-factor authentication for external access and SSO for mobile devices. The AS Java system where SAP SSO is deployed has to be exposed to Internet as well but it is not 'between' the Web Dispatcher and the GW server. It is behind the Web Dispatcher and next to the GW server. A similar setup is shown in scenario 3 of the following blog: http://scn.sap.com/community/sso/blog/2015/05/22/stronger-security-for-your-business-data-at-risk, where SAP Web Dispatcher = Reverse Proxy, SAP SSO = Portal / IDP, Gateway = ERP
Regards,
Dimitar
Additional resources:
Hi Dimitar Mihaylov,
Thanks a lot for your reply. I have seen the reference URL and scenario 3.
What I understood is to install SSO on SAP AS Java and expose it to the Internet. With SSO I can connect AD with the AS Java system. Our employees will browse the FIORI URL, but how will the URL reach the FIORI Gateway server?
I am new to SSO, any related docs I can read please...
thanks once again ...
Regards
Mohammad Anoarul Islam
Hello Mohammad,
In addition to the guides provided by Dimitar, please find the documentation on how to connect AD with your AS Java:
Configuring the UME to Use an LDAP Directory as Data Source - Identity Management - SAP Library
Regards,
Donka Dimitrova
Hello Donka Dimitrova,
Thanks a lot for sharing the guide.
But our scenario is different.
We want our employees to use SAP FIORI Launchpad Apps from the Internet (like from mobile, tablet etc..)
The flow will be as follows:
Internet <----(https)----> SAP Web Dispatcher (on DMZ) <-----Firewall-----> SAP FIORI Front End Server (NW 7.4 SPS8 ABAP)
Hope you will suggest an option to achieve this...
Regards,
Mohammad Anoarul Islam
Hello Mohammad,
I wanted only to provide info about the topic "connecting AD with AS JAVA".
My colleague Dimitar Mihaylov already proposed a proper document to you regarding your scenario. In his post to you Dimitar mentioned a very good document describing the architecture recommended by SAP for Fiori implementation, and especially securing Fiori scenarios for mobile usage with our SAP Single Sign-On product.
This is from his post above:
".....A similar setup is shown in scenario 3 of the following blog: http://scn.sap.com/community/sso/blog/2015/05/22/stronger-security-for-your-business-data-at-risk, where SAP Web Dispatcher = Reverse Proxy, SAP SSO = Portal / IDP, Gateway = ERP"
Regards,
Donka Dimitrova
Hello Mohammad,
The AS ABAP (Fiori Front End Server) cannot be configured to authenticate users directly with AD username/password. That's the reason to include AS Java (SAP SSO) in the scenario. The AD credentials are checked by the AS Java system and after successful authentication a SAML 2.0 assertion is issued. The SAML 2.0 assertion is used to authenticate to the Fiori Front End Server. For the end user this is transparent and he only needs to provide his AD credentials.
Using SAP Authenticator you can also achieve Mobile SSO for Android and iOS devices using the setup described above.
If you need further details or would like to see the scenario working we can have a web conference. Just contact me via email at dimitar.mihaylov<AT>sap.com.
Best regards,
Dimitar Mihaylov
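To make the SAML 2.0 step in Dimitar's explanation concrete: the AS Java acts as identity provider and issues a signed assertion after checking the AD credentials, and the Fiori Front End Server acts as service provider, which must not simply trust whatever arrives but verify the assertion against its own configuration. The following Python script is an added illustration, not SAP code or anything from this thread; it models the service-provider checks (trusted issuer, audience, validity window, recipient URL, presence of a signature) on a constructed sample assertion. The issuer, entity ID and ACS URL are placeholders, and XML signature cryptography is left out, since a real SP verifies the ds:Signature against the IdP certificate exchanged through metadata.

```python
"""Service-provider-side checks on a SAML 2.0 assertion (added example).

Models what a service provider such as the Fiori Front End Server has to
verify before accepting an assertion issued by the AS Java identity provider.
All URLs below are constructed placeholders, not real systems.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

TRUSTED_ISSUER = "https://idp.example.internal/saml2/idp"   # placeholder IdP (AS Java)
SP_ENTITY_ID = "https://fiori.example.com/saml2/sp"          # placeholder SP (Fiori FES)
ACS_URL = "https://fiori.example.com/sap/saml2/sp/acs/100"   # placeholder ACS endpoint

# Constructed sample assertion. The empty ds:Signature stands in for a real
# XML signature; its cryptographic verification is not modelled here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_abc123" Version="2.0" IssueInstant="2015-09-09T05:31:00Z">
  <saml:Issuer>https://idp.example.internal/saml2/idp</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2015-09-09T05:36:00Z"
        Recipient="https://fiori.example.com/sap/saml2/sp/acs/100"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2015-09-09T05:30:00Z" NotOnOrAfter="2015-09-09T05:36:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://fiori.example.com/saml2/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""


def _parse_time(value):
    # SAML timestamps are UTC in the form 2015-09-09T05:31:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now_iso, clock_skew=timedelta(seconds=60)):
    """Return (subject, errors). An empty error list means the SP may accept
    the assertion and log the subject on as the mapped user."""
    now = _parse_time(now_iso)
    errors = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return None, ["root element is not a saml:Assertion"]

    # 1. Only assertions from the configured IdP are acceptable.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != TRUSTED_ISSUER:
        errors.append("untrusted issuer: %s" % issuer)

    # 2. An unsigned assertion carries no proof of origin at all.
    if root.find("ds:Signature", NS) is None:
        errors.append("assertion is not signed")

    # 3. Validity window and audience restriction.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        errors.append("missing Conditions")
    else:
        not_before = cond.get("NotBefore")
        not_on_or_after = cond.get("NotOnOrAfter")
        if not_before and now < _parse_time(not_before) - clock_skew:
            errors.append("assertion not yet valid")
        if not_on_or_after and now >= _parse_time(not_on_or_after) + clock_skew:
            errors.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if SP_ENTITY_ID not in audiences:
            errors.append("audience mismatch: %s" % audiences)

    # 4. Bearer confirmation must name this SP's ACS endpoint as recipient.
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        errors.append("recipient does not match this SP's ACS URL")

    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not subject:
        errors.append("missing NameID")
    return subject, errors


if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, "2015-09-09T05:32:00Z"))
    print(validate_assertion(SAMPLE_ASSERTION, "2015-09-09T06:00:00Z"))
```

Run within the validity window the sample yields the subject `jdoe` and no errors; half an hour later the same assertion is rejected as expired, and an assertion whose Audience names a different entity ID is rejected even though everything else checks out. In the thread's architecture these checks are what keeps an assertion issued for one service provider from being replayed against the Fiori Front End Server.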