single sign on different domains

former_member182675
Contributor
0 Kudos

Hi Friend

Need your advice

We have 2 different domains without trust between the domains

SAP system is in Domain A

Users are in Domain B.

And we want to configure SSO for the users in domain B to the SAP system in domain A

Please help me what is the best way to configure the SSO.

And if you have documentation

Regards

Naor

Accepted Solutions (1)

donka_dimitrova
Contributor
0 Kudos

Hello Naor,

You can achieve SSO for SAP systems using the SAP Single Sign-On product (license required).

If you want to implement SSO for scenarios that include SAP GUI for Windows, SAP Business Client for Windows etc., you can choose between Kerberos SSO and X.509 Client Certificates SSO.

More details you will be able to find here in the implementation guide:

http://help.sap.com/download/sapsso/secure_login_impl_guide_en.pdf 

Here you will be able to find also some other content specially about the Kerberos SSO scenario:

Kerberos/SPNEGO for SAP AS ABAP in a Multi Domain Environment.

If you want to implement SSO for scenarios that include web application, you can benefit also from implementing the SAML based SSO or to implement Kerberos SSO or X.509 Client Certificates:

See the details here:

Identity Provider for SAP Single Sign-On and SAP Identity Management - SAP Library

Regards,

Donka Dimitrova

former_member182675
Contributor
0 Kudos

Dear Donka,

Thanks for your help.

But the different domains is the main issue here, do you know what is the best way to do it ?

What about that:

https://wiki.scn.sap.com/wiki/display/Basis/How+to+setup+SNC+connection+between+SAProuters

Regards

Naor

donka_dimitrova
Contributor
0 Kudos

Hello Naor,

When you implement Kerberos based SSO scenario using the SAP Single Sign-On product, SAP backend system needs to trust the AD. There is no requirement for the SAP backend system to be in the same domain. You just have to make sure that the service user is created properly in the MS AD where the users are because they have to be able to find their service.

Regards,

Donka Dimitrova


former_member182675
Contributor
0 Kudos

Hi

So the trust between the domains is not a must for the SSO.

Can I use SAProuter for this?

How to setup SNC connection between SAProuters - Basis Corner - SCN Wiki

Thanks

Naor

donka_dimitrova
Contributor
0 Kudos

Hello Naor,

SAProuter is a software application that provides a remote connection between the customer's network and SAP. This remote connection enables

  • secure unattended root cause analysis of messages;
  • secure delivery of SAP support services.

You can use SAProuter,

  • to establish an indirect connection if the network configuration does not allow the communicating programs to reach each other directly due to
    • lack of official IP addresses
    • firewall system restrictions
  • to improve network security by
    • password-protecting your connection and your data from unauthorized access from beyond your network boundaries
    • allowing access only from a specified SAProuter;
  • to improve performance and stability by reducing the load on the SAP System within a local area network (LAN) when communicating with a wide area network (WAN).
  • to control and log network connections.

There is no need for an SAProuter to implement SSO for your corporate scenarios. If you know a specific requirement from your side that explicitly requires SAProuter, please clarify.

Regards,

Donka Dimitrova

former_member182675
Contributor
0 Kudos

Dear Donka

So the solution for my case is to use Kerberos based SSO scenario using the SAP Single Sign-On product,

and it will work without domain trust, is this correct?

Regards

Naor

donka_dimitrova
Contributor
0 Kudos

Hello Naor,

All the possible SSO scenarios available for your use case have been described in my very first answer.

Regards,

Donka Dimitrova

former_member182675
Contributor
0 Kudos

Dear Donka

My system is EHP6 FOR SAP ERP 6.0

SAP_BASIS - 731 SP09

So the SNCWIZARD T-code does not exist.

Is there another way to do it without SNCWIZARD, maybe from Strust?

Naor

former_member182675
Contributor
0 Kudos

Dear Donka

We don't have a license for the SAP Single Sign-On product; do we have another option?


Naor

donka_dimitrova
Contributor
0 Kudos

Hello Naor,

As a member of the product management team of the SAP Single Sign-On product, I am recommending the solutions available with our product.

Also, do not forget that this community is for content and questions about SAP Single Sign-On product capabilities.

Regards,

Donka Dimitrova

former_member182675
Contributor
0 Kudos

Hi Donka

Thanks for your help, we will check the SAP Single Sign-On product.

Can you help me with an administration guide or step-by-step for the SSO configuration? (All the guides I find are with SPNEGO with a Java system, and I don't want to use a Java system, only a solution with the ABAP system.)

My system is EHP6 FOR SAP ERP 6.0

SAP_BASIS - 731 SP09

So the SNCWIZARD T-code does not exist.

It's a different domain and we need SSO to the ABAP system.


Regards

Naor

donka_dimitrova
Contributor
0 Kudos

Hello Naor,

Once you get license for the SAP Single Sign-On product, you will be able to implement Kerberos SSO for your SAP systems.

See here some helpful materials (mentioned also in my first post):

scenario:

Single Sign-On with Kerberos

Kerberos/SPNEGO for SAP AS ABAP in a Multi Domain Environment.

Regards,

Donka Dimitrova

former_member182675
Contributor
0 Kudos

Dear Donka

I already checked the materials but I still have missing information.

For example this video - SAP Single Sign-On: Kerberos-based single sign-on to Application Server ABAP - YouTube

I don't understand where the part of the Single Sign-On product is, because I have there just SAP parameter and SNC configuration (SNCWizard) and AD configuration.

Also for this Kerberos/SPNEGO for SAP AS ABAP in a Multi Domain Environment.

AD configuration and Keytab from SPNEGO

Am I missing something?

Can you give me more information? I tried to find an SAP Note but I still have missing information.

I want to thank you for your help.

Regards

Naor

donka_dimitrova
Contributor
0 Kudos

Hello Naor,

I will be glad to do a session with you and your team and to explain the SAP Single Sign-On capabilities and also to discuss the scenario that you want to implement. If you are ok to have such session just send me a message on donka.dimitrova at sap.com.

Regards,

Donka Dimitrova

Answers (0)