SSO with active directory

Former Member
0 Kudos

Hi All,

I have to implement SSO for the R/3, BW and EP servers with Active directory.

I am using ECC 5, BW 3.5 and EP6

Please tell me the main steps, or an overview of the steps, that I will have to do.

What steps will be different for the different servers above?

I will appreciate any.

Thanks in advance

Tajinder

Accepted Solutions (1)

JPReyes
Active Contributor
0 Kudos

Hi Tajinder,

You'll find all about SSO here,

http://help.sap.com/saphelp_nw04/helpdata/en/e5/4344b6d24a05408ca4faa94554e851/frameset.htm

A bit of reading for you.

Regards

Juan

Former Member
0 Kudos

Hi Juan,

Thanks for the reply.

Actually, I have to implement SSO so that users only have to log on with their Windows user ID and don't have to enter an ID or password for any SAP server.

The above link doesn't show anything about Active Directory. What settings do I have to do on Active Directory?

These are helpful documents on how to make different servers accept logon tickets.

But I have to know about Active Directory too.

And the LDAP connector that will be used to connect SAP servers with Active directory.

Please suggest more

Thanks

Tajinder

JPReyes
Active Contributor
0 Kudos

Hi Tajinder,

As far as I know, no changes are required on the Active Directory side. All you need is a user with read access to the AD structure; all the rest of the configuration is done on the SAP side.

Regards

Juan

Former Member
0 Kudos

Hi Tajinder

I think you have to check out SPNego. It is a wizard to set up SSO based on Windows Kerberos tickets. There is a wizard; the config is pretty simple in theory, but rather tricky in real life. Have a look at these (and the related notes):

968191 - SPNego: Central Note

994791 - SPNego-Assistent

As Juan mentioned, all you need from AD is a user with read permissions.

In your case I suggest you implement SSO from your AD to the EP (with SPNego). So you just have to set up SSO with SAPLOGON tickets to the backend systems (BW, R/3 and so on). It is even possible to create SAPGui links from EP. We already implemented that scenario and it works.

Best regards, Michael

Answers (2)

Former Member
0 Kudos

Hi,

Prashant, thanks for your reply.

I already have SSO implemented between EP and the backend R/3 system. I want to configure SSO now with Windows (Active Directory).

And Michael, thanks for your reply.

They're pretty good notes.

I have a question

Is there any other way to configure SSO with Active directory other than Kerberos Authentication?

If there is, please let me know about that too.

Our users access BW through EP only. But they access R/3 through GUIs. So how do I implement GUI links through EP?

And since our SSO is already working between EP and R/3 and BW, do I also have to do settings on R/3 and BW, or will it work if I only implement SSO with AD and EP?

I really appreciate all your help.

Thanks

Tajinder

Former Member
0 Kudos

Hi again

Is there any other way to configure SSO with Active directory other than Kerberos Authentication?

There are 3rd-party vendors which supply SNC libraries or complete single sign-on solutions, like Secude, SecureIntegration or Wikima. But this will cost you plenty and is not easier to implement than Kerberos authentication. But if you want, just look around and let them offer you a solution. They also have hard token solutions, like encrypted USB sticks or key cards.

But they access R/3 through GUIs. So how to implement GUI links through EP.

Just create a transaction iView in your portal pointing to transaction SESSION_MANAGER in your R/3. You can test this already: the user has to log on to the EP (no matter whether it is SSO or just common password logon) and then click on the iView.

Generally for the SSO solutions, it is recommended that the users have the same logon name across systems.

Best regards, Michael

Former Member
0 Kudos

Hi Michael,

Thanks for your help.

I will keep the thread open for a few days in case I have another question, and then I will close it.

I will be happy to award points to all of you.

Thanks

Tajinder

Former Member
0 Kudos

Step 1 - Setting the logon method as Single Sign on

1.1 Log in to your Portal as a System Administrator.

1.2 Choose System Administration --> System Configuration --> System Landscape

1.3 Find the system you want to assign Single Sign on to and open it

1.4 Choose User Management as Property Category

1.5 Set Logon Method to SAPLOGONTICKET

What we have done now is to set the system you want to use as a Single Sign On logon method. Do this to each system you want to connect.

Step 2 - Create a Portal Certificate

1.1 Log in to the Visual Administrator

1.2 Choose Server --> Services --> KeyStorage --> TicketKeystore

1.3 Delete SAPLogonTicketKeypair-cert and SAPLogonTicketKeypair

1.4 Choose Create (Create button in the Entry field) and

type in the following information:

a. mark Store Certificate

b. Common Name: Your <SID> (just for example EPR)

c. Entry Name: SAPLogonTicketKeypair

d. Store Certificate: Mark it

e. Key Length: 1024

f. Algorithm: DSA

g. Press Generate

Now you will have two entries in the TicketKeyStore:

SAPLogonTicketKeypair

SAPLogonTicketKeypair-cert

Step 3 - Export the Portal certificate

3.1 Choose Server --> Services --> KeyStorage --> TicketKeystore

3.2 Choose SAPLogonTicketKeypair-cert and press Export (Export button in the Entry field)

a. Fill in a name of the Certificate

To keep track of your certificate, call it the SID of the Portal (i.e) EPR

b. Choose either X.509 or Base64 Encoded Format

Step 4 - Import the Portal certificate to the Backend System

4.1 Log in to the Backend System HR6-HT3

4.2 Run transaction STRUSTSSO2

4.3 Press Import Certificate (Button in the Certificate field)

a. Open the generated certificate from step 3 with the right file format that you chose in step 3.4

4.5 Press Add to Certificate List button (Button in the Certificate field)

4.6 Press Add to ACL button (Button in the Certificate field)

a. Enter the <SID> of your Portal (i.e) EPR

b. Enter Client 000

4.7 Press Save

Step 5 - Export the Backend certificate to your Portal

5.1 You are still in the transaction STRUSTSSO2. Double-click the Owner Certificate, choose Export and store it on the file system

5.2 Log into Visual Administrator

Choose Server --> Services --> KeyStorage --> TicketKeystore and press Load and choose the Certificate

5.3 Set the Backend System as "ACL" in the Portal

Choose Server --> Services --> Security --> Provider --> Ticket

Choose the Authentication tab and add the following on the com.sap.security.core.server.jaas.EvaluateTicketLoginModule:

trustedsys<Number>=<ABAP_SID>, <CLIENT> (for example, HR6, 500)

trustediss<Number>=<ISSUER_DISTINGUISHED_NAME> (for example, CN= HR6)

trusteddn<Number>=<SUBJECT_DISTINGUISHED_NAME> (for example, CN=HR6)

You have set up a trusted relationship between your portal and the backend system. To do so with several systems, run this guide again from step 4.

Please Reward Points if useful.

Thanks & Regards,

Prashant.
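
The trusted-system entries from step 5.3 decide whose logon tickets the portal accepts, so they are worth auditing after every change. The following is an added example, not part of the post above or of any SAP tool: it assumes the login-module options have been copied out as `key=value` text, one per line, and the function names and sample values are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of login-module options, modelled on the post's
# HR6 / client 500 example; entries 2 and 3 are deliberately flawed.
SAMPLE_OPTIONS = """\
trustedsys1=HR6, 500
trustediss1=CN=HR6
trusteddn1=CN=HR6
trustedsys2=BWP,100
trustediss2=CN=BWP
trustedsys3=HR6, 5000
trustediss3=CN=HR6
trusteddn3=CN=HR7
"""

OPTION_RE = re.compile(r"^(trustedsys|trustediss|trusteddn)(\d+)$")
SYS_RE = re.compile(r"^([A-Z][A-Z0-9]{2})\s*,\s*(\d{3})$")  # 3-char SID, 3-digit client
REQUIRED = ("trustedsys", "trustediss", "trusteddn")


def normalize_dn(dn):
    """Compare DNs without regard to case or spacing around '=' and ','."""
    parts = [p.strip() for p in dn.split(",")]
    return ",".join("=".join(x.strip() for x in p.split("=", 1)) for p in parts).upper()


def audit_trusted_systems(text):
    """Return {entry_number: [findings]} for the trusted* options in text."""
    entries = defaultdict(dict)
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)  # DN values contain '=' themselves
        m = OPTION_RE.match(key.strip())
        if m:
            entries[int(m.group(2))][m.group(1)] = value.strip()

    report = {}
    for num in sorted(entries):
        opts = entries[num]
        findings = [f"missing {n}{num}" for n in REQUIRED if n not in opts]
        if "trustedsys" in opts and not SYS_RE.match(opts["trustedsys"]):
            findings.append(f"trustedsys{num} is not '<SID>, <CLIENT>'")
        if {"trustediss", "trusteddn"} <= opts.keys() and \
                normalize_dn(opts["trustediss"]) != normalize_dn(opts["trusteddn"]):
            findings.append("issuer and subject DN differ: confirm against the certificate")
        report[num] = findings
    return report
```

An issuer that differs from the subject is reported as a prompt to check, not an error: it is expected when the backend certificate was signed by a CA rather than self-signed as in the post's CN=HR6 example.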

JPReyes
Active Contributor
0 Kudos

Hi Prashant,

Great Copy & Paste job...

Juan