on 11-23-2015 8:06 AM
Hi SSO expert,
I have a case for SAP Fiori setup. And the landscape should include:
I read through the blogs and links below, which are quite useful, but still...there are some questions I didn't come across yet with some special requirements of my case.
http://scn.sap.com/docs/DOC-50394
http://scn.sap.com/docs/DOC-50394#comment-632927
http://scn.sap.com/thread/3692840
Condition:
C1. access from the external network is required (which means NO Windows AD authentication is possible...I believe)
C2. the login has to be the same as the Windows AD login AND PW (<-- main issue...is it feasible?)
Question:
Q1. can I get rid of AS JAVA in my landscape?
Q2. since the Frontend Apps server is ABAP only, that means the user account must be created manually in it, and there is NO other option, right?
Q3. as I know, Fiori frontend apps server --> via Trusted RFC --> ERP backend....so that means the same user account/name should be maintained in both servers, right?
Q4. What's the approach to achieve C2? If not possible, any advice to revise the landscape plan?
Please suggest based on the conditions above.
Regards
Gary
Hello Gary,
Using the SAP Single Sign-On product (license required) it is very easy to implement SSO for SAP Fiori (for PC or for mobile access). For example you can choose to use the SAML scenario. It is possible to configure the MS AD as user store for the SAML IdP, and then users who try to authenticate from outside the corporate network will have to use their MS AD User&Password for authentication. With this scenario it is also possible to implement Mobile SSO for SAP Fiori Client (supported out of the box with the mobile application SAP Authenticator).
You can also improve the security of external access by implementing risk-based authentication and configuring the system to prompt users for two-factor authentication (OTP) in addition to their MS AD User&Password only when they try to authenticate to SAP Fiori from outside the corporate network.
You can also choose the X.509 client certificate scenario; for this scenario it is also possible to configure the MS AD as user store, and users will again be prompted for their MS AD User&Password.
Q1/A1: For both scenarios the AS JAVA is necessary and you will not be able to "get rid of AS JAVA".
Q2/A2: If you are using the SAP IDM product it is possible to provision the users and their roles automatically to the AS ABAP server.
Q3/A3: Yes, the user needs to be available in the back end AS ABAP system and also in the SAP NW Gateway system.
Q4/A4: As I already mentioned, both scenarios, SAML and X.509, allow integration with MS AD, and for both the user credentials will be checked against the MS AD.
See some details about SSO for Fiori and risk-based authentication:
Mobile Single Sign-On for SAP Fiori with SAP Authenticator
Risk-Based Authentication for Your Critical Business Processes
We also offer an implementation guide for Mobile SSO for Fiori, which you can also use to implement SSO for Fiori via the browser on a PC. Just skip the mobile device part and configure basic authentication instead of OTP authentication if you want to enable users to authenticate with their MS AD User&Password. For the latter you have to make sure that MS AD is configured as user store for AS JAVA. See the guide here: Mobile SSO for SAP Fiori - Step-by-Step Guide
If you want more details how the solution is working using SAP Single Sign-On product, we can organize a conference call and I can also demonstrate the solution to you and your team. If you find necessary just send me a message on <donka.dimitrova at sap.com>.
Regards,
Donka Dimitrova
Dear Donka,
Thanks very much, it is very detailed.
BTW, I would like to clarify again that I cannot "get rid of AS JAVA".
Is it based on the case that I choose to use the product SAP NetWeaver Single Sign-On only?
(or actually I have no other choice...lol ?)
And is it because SAP NetWeaver SSO has to be set up in AS JAVA? (install Secure Login Server, etc..I read this before "http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/c040f4a9-0387-3010-9081-dbce2724215d&override..."
If yes, is it recommended (or necessary) to set up a standalone NW AS JAVA to support the "SAP Single Sign-On" product features?
####
Actually, I remember it should be possible to make SAP ABAP WebGUI SSO work with something like below (it was a long time ago, I can't remember all the steps):
t-code: STRUSTSSO2
create cert
CA sign request
Mapping X.509 Certificates in Table USREXTID
I'm thinking, for the SAP Fiori scenario, can it be done the same way?
(assuming that I don't have to relate to the AD user account anymore; or I just enable SNC SSO for intranet while X.509 for extranet access)
###
Regards
Gary
Hello Gary,
Yes, the AS JAVA server is necessary for the two scenarios I described, because both components, the Secure Login Server (X.509) and the SAML IdP, run on an AS Java server. It is not necessary to install a dedicated AS Java for this purpose. These components can be installed on an AS Java server the company already has.
In general, for the Fiori SSO scenario it is possible to use the SSO technologies supported by AS ABAP for the Web UI, and this includes X.509 client certificates (as I already mentioned).
SNC is configured when you use SAP GUI for Windows. When you implement SAP GUI for HTML, you configure SSL.
Regards,
Donka
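Gary's second post outlines the AS ABAP-only route (STRUSTSSO2 trust, CA-signed certificate, subject-DN-to-user mapping in USREXTID) and Donka confirms that X.509 client certificates are usable for the Fiori Web UI. The block below is an added example, not code from the thread or from SAP: it models the mapping step in plain Python so the checks a practitioner would want are visible. It parses the RFC 4514 string form of a subject DN, canonicalises it without reordering RDNs, and resolves it against a constructed mapping table whose field names only approximate USREXTID (TYPE, EXTID, BNAME, ACTIVATED). The issuer allowlist stands in for the trusted CA list you maintain in STRUSTSSO2; the DNs, users and CA name are all made up for this illustration.

```python
"""Added example (not from the SCN thread, not an SAP API): X.509 subject DN
to ABAP user resolution with the failure modes that matter in practice.
All DNs, users and the CA below are constructed for this illustration."""
from __future__ import annotations
from dataclasses import dataclass


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Parse an RFC 4514 string DN into (TYPE, value) pairs.

    Handles backslash escapes so 'CN=Smith\\, John' stays one RDN.
    Simplification: hex escapes (\\2C) and multi-valued RDNs ('+') are not
    supported; a real implementation should work from the DER subject instead.
    """
    rdns: list[tuple[str, str]] = []
    key, buf, escaped, in_value = "", [], False, False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and not in_value:
            key = "".join(buf).strip().upper()   # attribute types are case-insensitive
            buf, in_value = [], True
        elif ch == "," and in_value:
            rdns.append((key, "".join(buf).strip()))
            buf, in_value = [], False
        else:
            buf.append(ch)
    if in_value:
        rdns.append((key, "".join(buf).strip()))
    elif "".join(buf).strip():
        raise ValueError("malformed DN: trailing text without '='")
    return rdns


def canonical_dn(dn: str) -> str:
    """Canonical string: uppercase types, no padding, commas re-escaped.
    RDN order is kept: 'CN=A,O=B' and 'O=B,CN=A' are different names."""
    parts = []
    for k, v in parse_dn(dn):
        v = v.replace("\\", "\\\\").replace(",", "\\,")
        parts.append(f"{k}={v}")
    return ",".join(parts)


@dataclass(frozen=True)
class Mapping:
    ext_type: str    # 'DN' for X.509 subject mappings (approximates USREXTID.TYPE)
    ext_id: str      # subject DN as stored (approximates USREXTID.EXTID)
    bname: str       # ABAP user name (approximates USREXTID.BNAME)
    activated: bool  # approximates USREXTID.ACTIVATED


# Constructed mapping table: one good entry, one deactivated, one ambiguous pair.
TABLE = [
    Mapping("DN", "CN=GARY,OU=IT,O=ACME,C=DE", "GARY", True),
    Mapping("DN", "CN=OLDUSER,OU=IT,O=ACME,C=DE", "OLDUSER", False),
    Mapping("DN", "CN=SHARED,OU=IT,O=ACME,C=DE", "USER_A", True),
    Mapping("DN", "CN=SHARED,OU=IT,O=ACME,C=DE", "USER_B", True),
]

# Stand-in for the CA list trusted in STRUSTSSO2 (constructed CA name).
TRUSTED_ISSUERS = {canonical_dn("CN=ACME Corp CA, O=ACME, C=DE")}


def resolve_user(subject: str, issuer: str, table: list[Mapping]) -> tuple[str | None, str]:
    """Return (abap_user, reason). abap_user is None when logon must be refused.

    Order matters: the issuer is checked before the subject is even looked at,
    otherwise any CA able to mint 'CN=GARY,...' could log on as GARY.
    """
    if canonical_dn(issuer) not in TRUSTED_ISSUERS:
        return None, "untrusted issuer"
    subj = canonical_dn(subject)
    hits = {m.bname for m in table
            if m.ext_type == "DN" and m.activated and canonical_dn(m.ext_id) == subj}
    if not hits:
        return None, "no active mapping"
    if len(hits) > 1:
        return None, "ambiguous mapping"   # two users for one certificate: refuse
    return hits.pop(), "ok"


if __name__ == "__main__":
    print(resolve_user("cn=GARY, ou=IT, o=ACME, c=DE", "CN=ACME Corp CA, O=ACME, C=DE", TABLE))
    print(resolve_user("CN=GARY,OU=IT,O=ACME,C=DE", "CN=Evil CA,O=Evil,C=XX", TABLE))
```

The exact-string comparison is deliberate: a subject that drops or adds an RDN ("CN=GARY,OU=IT,O=ACME" without the country) does not match, which is the behaviour you want from a mapping table, and it also means the DN order you store must be the order the ABAP system extracts from the certificate.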
Hello Gary,
Actually there is one more variant based on SAML technology, and this variant doesn't require an AS Java server.
You can achieve SAML SSO with the MS AD User&Password using our SAP Cloud Identity service. The user will authenticate against SAP Cloud Identity, the User&Password will be checked at the MS AD, and if they are correct the SAP Cloud Identity IdP will issue a SAML assertion that can be used for authentication with SAP Fiori.
SAP Cloud Identity is a service running in the cloud. See more details about the SAP Cloud Identity integration with the on premise user store here in this blog:
Regards,
Donka Dimitrova