
How to use SSO on integrated ITS

Former Member
0 Kudos

Hi, is there anyone who has some good documentation on how best or most easily to establish SSO on a webgui using the integrated ITS on 2004s?

Currently we have configured the wingui for SSO using NTLM.

We are not using a j2ee.

Best regards

Flemming

8 REPLIES 8

Former Member
0 Kudos

"Best" of course depends on your specific requirements: required coverage of SAP platforms and applications, security needs, flexibility of user authentication, ... One good option is to use certificates and SNC/SSL for single sign-on to SAP. Advantage: it applies to a broad set of SAP technologies (incl. SAPGUI, web browser via ITS, ...), it's platform independent, it's secure, and you have flexibility what user authentication mechanism to use (incl. Windows logon info).

There are SAP manuals on how to use SNC.

Disclaimer: I work for SECUDE International, a company that provides single sign-on solutions for SAP, based on SNC/SSL.

tim_alsop
Active Contributor
0 Kudos

Flemming,

The SNC interface is not supported with Integrated ITS. Instead you need to use the authentication methods supported by JAVA JAAS interface on J2EE engine for SSO purposes. The method which is most common is to configure an authentication stack in J2EE engine and then configure the Integrated ITS application (e.g. webgui) so that it redirects to the J2EE engine when authentication is required. The result is that the J2EE engine auth stack will issue an SSO2 ticket after authenticating the user and this ticket can be used for SSO purposes.

If you are using Active Directory to authenticate a user when they log on to the workstation before opening the browser, then I recommend using the SPNEGO login module to authenticate the user to the J2EE engine and provide a true SSO experience for the user. This will not require any third party products, but if you want to consider a third party product which is SAP certified, please contact me using my email address in the SDN address book and I can explain in more detail the options available to you.

Take care,

Tim

Former Member
0 Kudos

Thank you for your reply.

We also thought about the spnego, but on this system we are not using j2ee (not installed); it's a pure abap system.

Is there any way of configuring integrated ITS SSO without the j2ee?

I don't think it will be a problem always to use the Active Directory to authenticate.

Regards

Flemming Grand

tim_alsop
Active Contributor
0 Kudos

Flemming,

If you want SSO with Integrated ITS then you need J2EE engine so you can use a non-default method of authentication. The J2EE engine does not need to be installed on the same system, but it helps if it is. You can redirect the login to another j2ee engine on your network, and after authenticating the user you will be redirected back to the ABAP application with an SSO2 ticket in cache.

Regards,

Tim

tim_alsop
Active Contributor
0 Kudos

Flemming,

I wondered if I can be of any more assistance with this ? Are you clear on how to use j2ee engine and redirect the initial request ?

PS. If I have provided useful answers, please can you award points ?

Thanks,

Tim

Former Member
0 Kudos

Hi Tim

Thank you for your reply, which is exactly what we need.

We have tried to configure Single Sign On to Java on our BW system according to note 994791.

We are following the guidelines in the User's Guide of the SPNEGO Wizard attached to the note and the description in "SPNego configuration with Active Directory as UME Datasource" attached to the same note.

The system is "born" as a BW version 3.1 system and upgraded to NW2004s.

The Java part and portal is installed subsequently.

The system is as such "born" with abap as UME datasource, and according to note 728383 no change is possible.

If we anyway try to change the datasource configuration to "Datasourceconfiguration_ads_readonly_db_with_krb5.xml" as described in the user guide, the J2EE engine does not start.

The description is obviously only meant for systems with DB_only datasource.

What do we do when we have abap as the datasource?

Best Regards

Flemming Grand

0 Kudos

Flemming,

I am afraid I cannot help you with the SAP SPNEGO login module issue that you described. The main reason is that I represent a company (CyberSafe) that has developed an alternative to this login module, which uses Kerberos for SSO. We sell and support this as a commercially available solution, and many SAP customers are using it instead of any login module from SAP. One of the many differences with our solution is that we do not require any changes to the datasource. We use UME, and whichever datasource is configured already. When the SAP user id has been determined, an SSO2 login ticket is issued for this SAP user id. The determination of the SAP user id is done using the same name mapping table used for SAP GUI SNC SSO (e.g. USRACL) or by removing the realm from the authenticated principal name, then converting this to upper case.

I hope you manage to get your SSO working, but if you would like to consider our solution as an alternative, please feel free to contact me using my SDN business card email address.

Thanks again,

Tim
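
The two user-ID determination rules described in the post above (mapping table first, otherwise strip the realm and convert to upper case), sketched as an added example; it is not part of the original thread and is not CyberSafe's or SAP's code. The table contents, the trusted-realm list, the user-ID pattern and all function names are assumptions made for illustration.

```python
import re

# Constructed stand-in for a name mapping table (the post names USRACL as an
# example); keys are full principal names, values are SAP user IDs.
NAME_MAP = {"fgrand@CORP.EXAMPLE": "FLEMMING"}

# Assumption: only principals from these realms are accepted at all.
TRUSTED_REALMS = {"CORP.EXAMPLE"}

# Assumption: a conservative pattern for SAP user IDs (at most 12 characters).
SAP_USER_RE = re.compile(r"[A-Z0-9_]{1,12}")


class MappingError(ValueError):
    """The authenticated principal cannot be mapped to a SAP user ID."""


def split_principal(principal):
    """Split 'name@REALM' at the last '@' and return (name, realm)."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise MappingError("no realm in principal: %r" % principal)
    return name, realm


def sap_user_for(principal):
    """Return the SAP user ID an SSO2 ticket would be issued for."""
    name, realm = split_principal(principal)
    if realm not in TRUSTED_REALMS:
        # Stripping the realm from a foreign principal would let
        # user@OTHER.REALM log on as the local user of the same name.
        raise MappingError("untrusted realm: %r" % realm)
    if principal in NAME_MAP:          # rule 1: explicit mapping table entry
        return NAME_MAP[principal]
    if "/" in name:
        # Host and service principals (HTTP/host@REALM) are not people.
        raise MappingError("not a user principal: %r" % principal)
    user = name.upper()                # rule 2: strip realm, upper-case
    if not SAP_USER_RE.fullmatch(user):
        raise MappingError("not a valid SAP user ID: %r" % user)
    return user


if __name__ == "__main__":
    for p in ("fgrand@CORP.EXAMPLE", "tim@CORP.EXAMPLE", "tim@OTHER.EXAMPLE"):
        try:
            print(p, "->", sap_user_for(p))
        except MappingError as exc:
            print(p, "-> rejected:", exc)
```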

WolfgangJanzen
Product and Topic Expert
0 Kudos

Unfortunately, the WebAS ABAP does not provide support for SPNEGO authentication (itself). There are many postings in this forum on that topic - maybe you just search for the keywords "SPNEGO ABAP" (https://forums.sdn.sap.com/search.jspa?objID=f208&q=SPNEGO+ABAP).

WebAS ABAP supports X.509 client certificates (SSL).

For SPNEGO you either require an external ITS (-> PAS) or a WebAS Java (-> JAAS); in both cases you need to configure your WebAS ABAP to trigger an HTTP redirect to a URL where the SPNEGO authentication is performed, which should then result in the creation of a SAP logon ticket and another HTTP redirect (back to the URL which has been originally called, targeting WebAS ABAP).