
SSO Implementation Strategy for Java-only implementations.

Former Member
0 Kudos

Hello,

We are currently setting up an SSO POC for our company. For connections that use the SAPGUI and AS ABAP the documentation explains quite clearly how to set up the various scenarios. But I couldn't find out how to implement a connection via a web browser to a Java-only NW installation. Can anyone advise please?

Also, is there any particular advantage in using X509 certificates over Kerberos tokens in a Microsoft AD domain?

Many thanks in advance for your help!

Accepted Solutions (1)

donka_dimitrova
Contributor
0 Kudos

Hello Paul,

Here you will be able to find more details about the authentication technologies supported for SAP NetWeaver AS JAVA:

User Authentication and Single Sign-On - SAP NetWeaver Security Guide - SAP Library

Regarding the difference between Kerberos and X.509 when we are talking about SSO: the SSO based on Kerberos is available only when the user is in the intranet.

Regards,

Donka

Former Member
0 Kudos

Hi Donka,

Thank you for your rapid reply! So I see that the browser holds the ticket in a cookie. To authenticate the browser, does the user first have to sign on to an AS Java, or the AS Java with Secure Login Server installed? In the documentation it looks like the user has to log onto an AS ABAP and from here Secure Login Client authenticates the SAP GUI and browser, but for the browser I think I must have missed something.

donka_dimitrova
Contributor
0 Kudos

Hello Paul,

The Secure Login Server coming with the SAP Single Sign-On product offers standard short term X.509 client certificates that could be used for secure authentication to any SAP or non-SAP application that supports X.509 client certificates for authentication. This is why you can configure SSO based on X.509 client certificates using the Secure Login Server also for the applications running on AS JAVA. The authentication flow will be the following: the user will have to authenticate to the Secure Login Server in order to get the X.509 client certificate required for him. There are many different authentication methods supported for the Secure Login Server like LDAP, SPNEGO, UME, ABAP, etc.

Here is one blog that describes for example configuring SPNEGO for authentication to the Secure Login Server:

SPNEGO based Single Sign-On using Secure Login Server X.509 Client Certificates

This is how to configure X.509 client certificate for AS JAVA:

Using X.509 Client Certificates on the AS Java - User Authentication and Single Sign-On - SAP Libra...

Regards,

Donka Dimitrova

Former Member
0 Kudos

Hi Donka,

Thank you very much for your help, I know where I'm going now

Former Member
0 Kudos

Hi Donka,

We followed your SPNEGO tutorial, thank you, it is really well done. So when we log on to our SLS server we sign in and get the X509 certificate. Now we tried using SPNEGO on another NW Java AS to accept the certificate that was generated by the SLS installation, but haven't managed to get it working. Within the context of the tutorial, is there any guidance as to what we should do next?

Thank you,

Paul

donka_dimitrova
Contributor
0 Kudos

Hello Paul,

The tutorial explains only how to configure the SPNEGO authentication for the Secure Login Server.

If you want to implement SPNEGO for AS JAVA, you have to look at this documentation:

Using Kerberos Authentication on SAP NetWeaver AS for Java - User Authentication and Single Sign-On ...

If you want to use the X.509 client certificates for authentication to AS JAVA, you have to use the documentation I already mentioned in my previous post:

Using X.509 Client Certificates on the AS Java - User Authentication and Single Sign-On - SAP Librar...

Regards,

Donka

Former Member
0 Kudos

Hello Donka,

Thank you so much for all your help, we have successfully completed our POC and are preparing for the rollout phase. It would have taken a lot longer without the information you provided to us!

sebastian_peroni
Explorer
0 Kudos

For NWAS JAVA only you don't really need SLS, but it can be used anyway.

Java systems already come with LDAP mapping for UME, or SPNEGO scenarios for the user authentication process.

So, you can set the SSO/Auth.Delegation in your AS JAVA directly (such as EP) or through an AS JAVA with SLS.

In the second case (using an SLS), you can set a SecureLogin Web Profile with SPNEGO authentication, get a certificate and then redirect to your AS JAVA (e.g. EP). In the target JAVA you just need to create an SSL port and certificate with your SLS CA as Trusted CA.

As I said, it seems complex when you can do it directly on the target JAVA systems without SLS.

Best Regards!

Former Member
0 Kudos

Hi Sebastian,

Yes, in the end we didn't use SLS because we didn't have a need to generate X509 certificates. SPNEGO was enough for us to authenticate using the Kerberos token.

We've just got to work out how users get their Kerberos tokens when connecting remotely using Direct Access; it appears that this is an option with Direct Access.

Answers (1)

0 Kudos

Hi,

We're using SLS, but we prefer the SAML 2.0 solution via identity federation (it is a part of the SLS) instead of X.509 certificates. Single Logout is a very helpful feature!

Best regards

Kai

donka_dimitrova
Contributor
0 Kudos

Hello Kai,

The SAP Single Sign-On product offers Secure Login Server (SLS), which is a "lightweight PKI" and issues short term X.509 client certificates. The service itself accepts SAML for authentication but always issues X.509 certificates.

The SAP Single Sign-On product also offers a standard SAML Identity Provider that could be used for identity federation and issues standard SAML 2.0 assertions.

Regards,

Donka Dimitrova

0 Kudos

Hello Donka,

Exactly. But why use X.509 certificates for Java stacks, if SAML 2.0 is already supported by them? By using SAML 2.0 it's very easy to update user attributes, assigned groups and permissions during logon. And closing all user sessions in a landscape by using SLO is a security benefit (session hijacking). That's why we decided to use SAML 2.0 instead of X.509 certs for Java stacks.

regards

Kai

donka_dimitrova
Contributor
0 Kudos

Hello Kai,

When there are Windows based UIs like SAP GUI for Windows, SNC is a must and SAML is not possible. Customers have to use Kerberos or X.509 in order to do the SSO, or they have to exchange a SAML assertion for an X.509 client certificate with the Secure Login Server in order to get the required X.509 for the SAP GUI for Windows scenarios with SNC.

Regards,

Donka

0 Kudos

Hi Donka,

I thought we're talking about SSO implementation for Java stacks and not ABAP.

Kai.