
[enquiry] SAP Fiori setup with SSO enabled

former_member146669

Hi SSO experts,

I have a case for an SAP Fiori setup, and the landscape should include:

  1. SAP Web Dispatcher (DMZ) (for URL redirection)
  2. Frontend Apps Server (SAP NW Gateway) (prefer ABAP only, and it is standard, right?), in the DMZ on the same machine as the SAP Web Dispatcher if possible
  3. Backend Server (SAP ERP 6.07) (ABAP only)

I read through the blogs and links below, which are quite useful, but still... there are some questions I haven't come across yet because of some special requirements of my case.

http://scn.sap.com/docs/DOC-50394

http://scn.sap.com/docs/DOC-50394#comment-632927

http://scn.sap.com/thread/3692840

Conditions:

C1. access from the external network is required (which means NO Windows AD authentication is possible... I believe)

C2. the login has to be the same as the Windows AD login AND password (<-- main issue... is it feasible?)

Questions:

Q1. Can I get rid of AS JAVA in my landscape?

Q2. Since the Frontend Apps server is ABAP only, that means the user accounts must be created manually in it, and there is NO other option, right?

Q3. As far as I know, Fiori frontend apps server --> via Trusted RFC --> ERP backend... so that means the same user account/name should be maintained in both servers, right?

Q4. What's the approach to achieve C2? If it is not possible, any advice on revising the landscape plan?

Please try to suggest something based on these conditions.

Regards

Gary

Accepted Solutions (1)

donka_dimitrova

Hello Gary,

Using the SAP Single Sign-On product (license required), it is very easy to implement SSO for SAP Fiori (for PC or for mobile access). For example, you can choose to use the SAML scenario. It is possible to configure MS AD as the user store for the SAML IdP, and then users who try to authenticate from outside the corporate network will have to use their MS AD user and password for authentication. Using this scenario it will also be possible to implement Mobile SSO for SAP Fiori Client (supported out of the box with the mobile application SAP Authenticator).

You can also improve the security of the external access by implementing risk-based authentication and configuring the system to prompt users for two-factor authentication (OTP) in addition to their MS AD user and password only when they try to authenticate to SAP Fiori from outside the corporate network.

You can also choose the X.509 client certificate scenario; for this scenario it will also be possible to configure MS AD as the user store, and users will again be prompted for their MS AD user and password.

Q1/A1: For both scenarios the AS JAVA is necessary and you will not be able to "get rid of AS JAVA".

Q2/A2: If you are using the SAP IDM product, it is possible to provision the users and their roles automatically to the AS ABAP server.

Q3/A3: Yes, the user needs to be available in the back end AS ABAP system and also in the SAP NW Gateway system.

Q4/A4: As I already mentioned, both scenarios, SAML and X.509, allow integration with MS AD, and for both the user credentials will be checked against MS AD.

See some details about SSO for Fiori and risk-based authentication:

Mobile Single Sign-On for SAP Fiori with SAP Authenticator

Risk-Based Authentication for Your Critical Business Processes

We also offer an implementation guide for Mobile SSO for Fiori, which you can also use to implement SSO for Fiori via the browser on a PC. Just skip the mobile device part and configure basic authentication instead of OTP authentication if you want to enable users to authenticate with their MS AD user and password. For the latter you have to make sure that MS AD is configured as the user store for AS JAVA. See the guide here: Mobile SSO for SAP Fiori - Step-by-Step Guide

If you want more details on how the solution works using the SAP Single Sign-On product, we can organize a conference call and I can also demonstrate the solution to you and your team. If you find it necessary, just send me a message at <donka.dimitrova at sap.com>.

Regards,

Donka Dimitrova

former_member146669

Dear Donka,

Thanks very much, it is very detailed.

BTW, I would like to clarify again that I cannot "get rid of AS JAVA".

Is that based on the case that I choose to use the product SAP NetWeaver Single Sign-On only?

(or actually I have no other choice... lol?)

And is it because SAP NetWeaver SSO has to be set up on AS JAVA? (install Secure Login Server, etc... I read this before: "http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/c040f4a9-0387-3010-9081-dbce2724215d&override...")

If yes, is it recommended (or necessary) to set up a standalone NW AS JAVA to support the "SAP Single Sign-On" product features?

####

Actually, I remember it should be possible to make SAP ABAP WebGUI SSO work with something like the steps below (it was a long time ago, I can't remember all the steps):

t-code: STRUSTSSO2

create cert

CA sign request

Mapping X.509 Certificates in Table USREXTID

I'm thinking, for the SAP Fiori scenario, can it be done the same way?

(assume that I don't have to relate to the AD user account anymore; or I just enable SNC SSO for intranet access while using X.509 for extranet access)

###

Regards

Gary
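The X.509 path Gary recalls (STRUSTSSO2, a CA-signed certificate, a USREXTID mapping) ends in a lookup that must key on both the certificate's subject DN and its issuer DN: a certificate with the right subject from a CA that is not in the server's PSE must map to nobody. The script below is an added example, not SAP code and not the USREXTID implementation; the table, the DN strings, the user names and the trusted-issuer set are all constructed for the example. In the landscape in this thread the Web Dispatcher terminates TLS, so the Gateway only ever sees a forwarded client certificate, and it must accept that forwarded certificate solely from the Web Dispatcher; that trust setting is outside this script.

```python
"""
Added example (not SAP code): subject/issuer DN normalisation and the two-key lookup
that an X.509 -> SAP user mapping of the USREXTID kind has to perform.
All DNs, users and the mapping table are constructed for this example.
"""
from __future__ import annotations

from typing import List, Optional, Tuple

# Constructed stand-in for USREXTID entries of type DX: (subject DN, issuer DN) -> SAP user.
USREXTID = {
    ("CN=Gary, OU=IT, O=Example Corp, C=HK",
     "CN=Example Corporate CA, O=Example Corp, C=HK"): "GARY",
}

# Only CAs whose certificate sits in the server's PSE may vouch for a client (assumption).
TRUSTED_ISSUERS = {"CN=Example Corporate CA, O=Example Corp, C=HK"}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 DN string into [(type, value), ...], honouring backslash escapes
    (a literal comma inside a value is written '\\,'). Multi-valued RDNs ('+') and hex
    escapes are not handled; that is enough for the DNs used here."""
    rdns: List[Tuple[str, str]] = []
    key, buf, escaped, in_key = "", [], False, True
    for ch in dn:
        if escaped:                      # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and in_key:       # end of the attribute type
            key, buf, in_key = "".join(buf), [], False
        elif ch == "," and not in_key:   # end of this RDN
            rdns.append((key, "".join(buf)))
            key, buf, in_key = "", [], True
        else:
            buf.append(ch)
    if escaped or in_key:                # dangling escape, empty string or trailing comma
        raise ValueError(f"malformed DN: {dn!r}")
    rdns.append((key, "".join(buf)))
    return rdns


def normalize_dn(dn: str) -> Tuple[Tuple[str, str], ...]:
    """Canonical lookup key: attribute types upper-cased, whitespace around '=' and ','
    dropped, RDN order preserved. Values stay case-sensitive on purpose."""
    return tuple((t.strip().upper(), v.strip()) for t, v in parse_dn(dn))


_INDEX = {(normalize_dn(s), normalize_dn(i)): u for (s, i), u in USREXTID.items()}
_TRUSTED = {normalize_dn(i) for i in TRUSTED_ISSUERS}


def lookup_user(subject_dn: str, issuer_dn: str) -> Optional[str]:
    """Return the SAP user for a presented certificate, or None.
    The issuer is checked first and is part of the key: the same subject issued by an
    untrusted CA must never log anyone in."""
    issuer = normalize_dn(issuer_dn)
    if issuer not in _TRUSTED:
        return None
    return _INDEX.get((normalize_dn(subject_dn), issuer))


if __name__ == "__main__":
    print(lookup_user("cn=Gary,ou=IT,o=Example Corp,c=HK",
                      "CN=Example Corporate CA,O=Example Corp,C=HK"))
```

The normalisation only papers over spacing and attribute-type case; whatever string form the real mapping table stores must be the form the TLS terminator actually presents, so check the DN as the Gateway receives it rather than as it appears in the certificate viewer.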

donka_dimitrova

Hello Gary,

Yes, the AS JAVA server is necessary for the two scenarios I described, because both components, the Secure Login Server (X.509) and the SAML IdP, run on an AS Java server. It is not necessary to install a dedicated AS Java for this purpose. These components can be installed on an AS Java server the company already has.

In general, for the Fiori SSO scenario it is possible to use the SSO technologies supported by AS ABAP for Web UI, and this includes X.509 client certificates (as I already mentioned).

SNC is configured when you use SAP GUI for Windows. When you implement SAP GUI for HTML, you configure SSL.

Regards,

Donka

donka_dimitrova

Hello Gary,

Actually there is one more variant, based on SAML technology, and this variant doesn't require an AS Java server.

You can achieve SAML SSO with the MS AD user and password using our SAP Cloud Identity service. The user will authenticate against SAP Cloud Identity, the user and password will be checked against MS AD, and if they are correct the SAP Cloud Identity IdP will issue a SAML assertion that can be used for authentication with SAP Fiori.

SAP Cloud Identity is a service running in the cloud. See more details about the SAP Cloud Identity integration with the on-premise user store in this blog:

Regards,

Donka Dimitrova
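Both SAML variants in this thread (the accepted answer's on-premise IdP on AS Java and the SAP Cloud Identity IdP above) end the same way: the Fiori/Gateway side receives a SAML assertion and must decide whether to log the NameID in as an ABAP user. Signature verification against the IdP certificate is the first check and needs an XML-DSig library, so it is assumed to have passed already; the script below is an added example, not SAP code and not how the ABAP SAML service provider is implemented, showing the checks that come after the signature: trusted issuer, audience, validity window with clock skew, bearer confirmation bound to the ACS URL, and the NameID mapping. The entity IDs, the ACS URL, the user mapping and the sample assertion are all constructed for the example.

```python
"""
Added example (not SAP code): post-signature validation of a SAML 2.0 assertion at the
service provider, ending in a NameID -> ABAP user mapping. Every name, URL and the
sample assertion are constructed for this example.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET  # production code should parse with defusedxml
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Hypothetical SP / IdP configuration (assumptions for the example).
SP_ENTITY_ID = "https://fiori.example.com/sap/saml2/sp"
ACS_URL = "https://fiori.example.com/sap/saml2/sp/acs/100"
TRUSTED_IDP = "https://idp.example.com/saml2/idp"
CLOCK_SKEW = timedelta(seconds=60)
NOW = datetime(2015, 3, 20, 10, 0, 0, tzinfo=timezone.utc)  # constructed verification time

# Constructed stand-in for the SP's NameID -> ABAP user mapping.
USER_MAP = {"gary@example.com": "GARY"}


class AssertionRejected(Exception):
    """Raised when any post-signature check fails; the message is the reason."""


def _ts(value: str) -> datetime:
    # SAML timestamps are UTC xs:dateTime values such as 2015-03-20T10:00:00Z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text: str, now: datetime) -> str:
    """Return the ABAP user for a signature-verified assertion, or raise AssertionRejected."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion":
        raise AssertionRejected("root element is not saml:Assertion")
    issuer = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != TRUSTED_IDP:
        raise AssertionRejected(f"untrusted issuer {issuer!r}")

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise AssertionRejected("missing Conditions")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + CLOCK_SKEW < _ts(not_before):
        raise AssertionRejected("assertion not yet valid")
    if not not_on_or_after or now - CLOCK_SKEW >= _ts(not_on_or_after):
        raise AssertionRejected("assertion expired or carries no NotOnOrAfter")
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if SP_ENTITY_ID not in audiences:
        raise AssertionRejected(f"audience {audiences} does not include this SP")

    subject = root.find("saml:Subject", NS)
    if subject is None:
        raise AssertionRejected("missing Subject")
    confirmed = False  # bearer confirmation must name our ACS URL and still be valid
    for sc in subject.findall("saml:SubjectConfirmation", NS):
        data = sc.find("saml:SubjectConfirmationData", NS)
        if sc.get("Method") != BEARER or data is None:
            continue
        exp = data.get("NotOnOrAfter")
        if data.get("Recipient") == ACS_URL and exp and now - CLOCK_SKEW < _ts(exp):
            confirmed = True
            break
    if not confirmed:
        raise AssertionRejected("no valid bearer SubjectConfirmation for this ACS URL")

    name_id = (subject.findtext("saml:NameID", default="", namespaces=NS) or "").strip()
    user = USER_MAP.get(name_id)
    if user is None:
        raise AssertionRejected(f"NameID {name_id!r} is not mapped to an ABAP user")
    return user


def decision(xml_text: str, now: datetime = NOW):
    """('ok', user) or ('rejected', reason); convenient for callers that only need the outcome."""
    try:
        return ("ok", validate_assertion(xml_text, now))
    except AssertionRejected as exc:
        return ("rejected", str(exc))


def sample_assertion(age_seconds: int = 0, audience: str = SP_ENTITY_ID,
                     name_id: str = "gary@example.com", lifetime_seconds: int = 300) -> str:
    """Constructed, unsigned assertion issued age_seconds before NOW (not a real IdP's output)."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    issued = NOW - timedelta(seconds=age_seconds)
    nb, noa = issued.strftime(fmt), (issued + timedelta(seconds=lifetime_seconds)).strftime(fmt)
    return (f'<saml:Assertion xmlns:saml="{SAML}" ID="_1" Version="2.0" IssueInstant="{nb}">'
            f'<saml:Issuer>{TRUSTED_IDP}</saml:Issuer><saml:Subject>'
            f'<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{name_id}</saml:NameID>'
            f'<saml:SubjectConfirmation Method="{BEARER}">'
            f'<saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="{noa}"/>'
            f'</saml:SubjectConfirmation></saml:Subject>'
            f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}">'
            f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
            f'</saml:Conditions></saml:Assertion>')


if __name__ == "__main__":
    print(decision(sample_assertion()))
    print(decision(sample_assertion(age_seconds=3600)))
```

The audience and recipient checks are what stop an assertion minted for some other SAP system behind the same IdP from being replayed at the Fiori Gateway; the NameID mapping is the point at which the AD identity becomes the ABAP user, so an unmapped NameID must fail closed rather than fall back to any default user.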
