on 07-19-2016 9:03 AM
Hello,
We are currently setting up an SSO POC for our company. For connections that use the SAPGUI and AS ABAP the documentation explains quite clearly how to set up the various scenarios. But I couldn't find out how to implement a connection via a web browser to a Java-only NW installation. Can anyone advise please?
Also, is there any particular advantage in using X.509 certificates over Kerberos tokens in a Microsoft AD domain?
Many thanks in advance for your help!
Hello Paul,
Here you will be able to find more details about the authentication technologies supported for SAP NetWeaver AS JAVA:
User Authentication and Single Sign-On - SAP NetWeaver Security Guide - SAP Library
Regarding the difference between Kerberos and X.509 when we are talking about SSO: SSO based on Kerberos is available only when the user is in the intranet.
Regards,
Donka
Hi Donka,
Thank you for your rapid reply! So I see that the browser holds the ticket in a cookie. To authenticate the browser, does the user first have to sign on to an AS Java, or to the AS Java with Secure Login Server installed? In the documentation it looks like the user has to log onto an AS ABAP and from there Secure Login Client authenticates the SAP GUI and browser, but for the browser I think I must have missed something.
Hello Paul,
The Secure Login Server coming with the SAP Single Sign-On product offers standard short-term X.509 client certificates that can be used for secure authentication to any SAP or non-SAP application that supports X.509 client certificates for authentication. This is why you can configure SSO based on X.509 client certificates using the Secure Login Server also for the applications running on AS JAVA. The authentication flow will be the following: the user has to authenticate to the Secure Login Server in order to get the X.509 client certificate required for him. There are many different authentication methods supported for the Secure Login Server, like LDAP, SPNEGO, UME, ABAP, etc.
Here is one blog that describes for example configuring SPNEGO for authentication to the Secure Login Server:
SPNEGO based Single Sign-On using Secure Login Server X.509 Client Certificates
This is how to configure X.509 client certificates for AS JAVA:
Regards,
Donka Dimitrova
Hi Donka,
We followed your SPNEGO tutorial, thank you, it is really well done. So when we log on to our SLS server we sign in and get the X.509 certificate. Now we tried using SPNEGO on another NW Java AS to accept the certificate that was generated by the SLS installation, but haven't managed to get it working. Within the context of the tutorial, is there any guidance as to what we should do next?
Thank you,
Paul
Hello Paul,
The tutorial is explaining only how to configure the SPNEGO authentication for the Secure Login Server.
If you want to implement SPNEGO for AS JAVA, you have to look at this documentation:
If you want to use the X.509 client certificates for authentication to AS JAVA, you have to use the documentation I already mentioned in my previous post:
Regards,
Donka
For NWAS JAVA only you don't really need SLS, but it can be used anyway.
Java systems already come with LDAP mapping for UME, or SPNEGO scenarios for the user authentication process.
So, you can set the SSO/Auth. Delegation in your AS JAVA directly (such as EP) or through an AS JAVA with SLS.
In the second case (using an SLS), you can set a Secure Login Web Profile with SPNEGO authentication, get a certificate and then redirect to your AS JAVA (e.g. EP). In the target JAVA you just need to create an SSL port and certificate with your SLS CA as Trusted CA.
As I said, it seems complex when you can do it directly on the target JAVA systems without SLS.
Best Regards!
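The two posts above (Donka's description of the SLS issuing short-term X.509 client certificates after the user authenticates, and Sebastian's note that the target AS JAVA only needs the SLS CA as a trusted CA on its SSL port) describe a trust relationship that is easy to get wrong in a POC. The following is an added example, not code from the thread or from SAP: a toy issuing CA standing in for the SLS CA, a short-lived client certificate issued to an already-authenticated user, and the check the relying system's SSL port performs. It uses only the Go standard library; the CA names, the user name "paul" and the ten-minute lifetime are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ca is a toy issuing CA standing in for the Secure Login Server's CA (or for
// an unrelated CA the target system must not trust). Keys are generated on
// the fly; this is illustrative code, not SAP's implementation.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func newCA(name string) (*ca, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &ca{cert: cert, key: key}, nil
}

// issueClientCert mimics the SLS step: the user has already proven identity
// (e.g. via SPNEGO) and gets a client certificate with a deliberately short
// lifetime, so expiry rather than revocation bounds its misuse.
func (c *ca) issueClientCert(user string, notBefore time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.cert, &key.PublicKey, c.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyClientCert is the check the target system's SSL port performs: the
// presented certificate must chain to the single trusted SLS CA, be valid at
// 'now' and be marked for client authentication. The subject CN is returned
// as the identity to map to a user (the real system does that mapping in UME).
func verifyClientCert(trustedCA, cert *x509.Certificate, now time.Time) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(trustedCA)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       pool,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

// classify reduces the verifier's error to the reason an operator would log.
func classify(err error) string {
	var invalid x509.CertificateInvalidError
	var unknown x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired"
	case errors.As(err, &unknown):
		return "untrusted issuer"
	default:
		return "rejected"
	}
}

func main() {
	sls, _ := newCA("SLS CA")
	rogue, _ := newCA("Some Other CA")
	now := time.Now()
	cert, _ := sls.issueClientCert("paul", now.Add(-time.Minute), 10*time.Minute)
	foreign, _ := rogue.issueClientCert("paul", now.Add(-time.Minute), 10*time.Minute)

	user, err := verifyClientCert(sls.cert, cert, now)
	fmt.Println("fresh SLS cert:", user, classify(err))
	_, err = verifyClientCert(sls.cert, cert, now.Add(time.Hour))
	fmt.Println("same cert an hour later:", classify(err))
	_, err = verifyClientCert(sls.cert, foreign, now)
	fmt.Println("cert from another CA:", classify(err))
}
```

The point to take from it: the relying system never talks to the SLS at logon time. Everything it needs is the SLS CA certificate in its trust store and a clock that is roughly right, which is why a short certificate lifetime (rather than CRL/OCSP) is what limits a stolen certificate, and why the same certificate presented to a system that does not trust the SLS CA is simply rejected.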
Hi Sebastian,
Yes, in the end we didn't use SLS because we didn't have a need to generate X.509 certificates. SPNEGO was enough for us to authenticate using the Kerberos token.
We've just got to work out how users get their Kerberos tokens when connecting remotely using Direct Access; it appears that this is an option with Direct Access.
Hi,
we're using SLS, but we prefer the SAML 2.0 solution via identity federation (it is a part of the SLS) instead of X.509 certificates. Single Logout is a very helpful feature!
Best regards
Kai
Hello Kai,
SAP Single Sign-On product offers Secure Login Server (SLS) that is a "lightweight PKI" and issues short term X.509 Client certificates. The service itself accepts SAML for authentication but always issues X.509 certificates.
SAP Single Sign-On product offers also a standard SAML Identity Provider that could be used for identity federation and issues standard SAML 2.0 assertions.
Regards,
Donka Dimitrova
Hello Donka,
Exactly. But why use X.509 certificates for Java stacks if SAML 2.0 is already supported by them? By using SAML 2.0 it's very easy to update user attributes, assigned groups and permissions during logon. And closing all user sessions in a landscape by using SLO is a security benefit (session hijacking). That's why we decided to use SAML 2.0 instead of X.509 certs for Java stacks.
regards
Kai
Hello Kai,
When there are Windows-based UIs like SAP GUI for Windows, SNC is a must and SAML is not possible. Customers have to use Kerberos or X.509 in order to do the SSO, or they have to exchange a SAML assertion for an X.509 client certificate with the Secure Login Server in order to get the X.509 certificate required for the SAP GUI for Windows scenarios with SNC.
Regards,
Donka