on 01-03-2008 12:28 PM
Hi All,
I have to implement SSO for the R/3, BW and EP servers with Active directory.
I am using ECC 5, BW 3.5 and EP6
Please tell me the main steps or an overview of the steps that I will have to do.
What steps will be different for the above different servers?
I will appreciate any help.
Thanks in advance
Tajinder
Hi Tajinder,
You'll find all about SSO here,
http://help.sap.com/saphelp_nw04/helpdata/en/e5/4344b6d24a05408ca4faa94554e851/frameset.htm
A bit of reading for you.
Regards
Juan
Hi Juan,
Thanks for the reply.
Actually I have to implement SSO so that users only have to log on with their Windows User ID and don't have to put in an ID or password for any SAP server.
The above link doesn't show anything about Active Directory. What settings do I have to do on Active Directory?
These are helpful documents on how to make the different servers accept logon tickets.
But I have to know about Active Directory too.
And the LDAP connector that will be used to connect SAP servers with Active Directory.
Please suggest more
Thanks
Tajinder
Hi Tajinder
I think you have to check out SPNego, it is a wizard to set up SSO based on Windows Kerberos tickets. There is a wizard, the config is pretty simple in theory, but it is rather tricky in real life. Have a look at these (and the related notes):
968191 - SPNego: Central Note
994791 - SPNego-Assistent
As Juan mentioned, all you need from AD is a user with read permissions.
In your case I suggest you implement SSO from your AD to the EP (with SPNego). So you just have to set up SSO with SAPLOGON tickets to the backend systems (BW, R/3 and so on). It is even possible to create SAPGui links from EP. We already implemented that scenario and it works.
Best regards, Michael
Hi,
Prashant, thanks for your reply.
I already have SSO implemented between EP and the backend R/3 system. I want to configure SSO now with Windows (Active Directory).
And Michael, thanks for your reply.
Those are pretty good notes.
I have a question
Is there any other way to configure SSO with Active directory other than Kerberos Authentication?
If there is, please let me know about that too.
Our users access BW through EP only. But they access R/3 through GUIs. So how do I implement GUI links through EP?
And since our SSO is already working between EP and R/3, BW, do I also have to do settings on R/3 and BW, or will it work if I only implement SSO with AD and EP?
I really appreciate all your help.
Thanks
Tajinder
Hi again
Is there any other way to configure SSO with Active directory other than Kerberos Authentication?
There are third-party vendors which supply SNC libraries or complete single sign-on solutions like Secude, SecureIntegration or Wikima. But this will cost you plenty and is not easier to implement than Kerberos authentication. But if you want, just look around and let them offer you a solution. They also have hard token solutions, like encrypted USB sticks or key cards.
But they access R/3 through GUIs. So how to implement GUI links through EP.
Just create a transaction iView in your portal pointing to transaction SESSION_MANAGER in your R/3. You can test this already: the user has to log on to the EP (no matter if it is SSO or just common password logon) and then click on the iView.
Generally for the SSO solutions, it is recommended that the users have the same logon name across systems.
Best regards, Michael
Step 1 - Setting the logon method as Single Sign on
1.1 Log in to your Portal as a System Administrator.
1.2 Choose System Administration --> System Configuration --> System Landscape
1.3 Find the system you want to assign Single Sign on to and open it
1.4 Choose User Management as Property Category
1.5 Set Logon Method to SAPLOGONTICKET
What we have done now is to set the system you want to use as a Single Sign On logon method. Do this to each system you want to connect.
Step 2 - Create a Portal Certificate
2.1 Log in to the Visual Administrator
2.2 Choose Server --> Services --> KeyStorage --> TicketKeystore
2.3 Delete SAPLogonTicketKeypair-cert and SAPLogonTicketKeypair
2.4 Choose Create (Create button in the Entry field) and type in the following information:
a. mark Store Certificate
b. Common Name: Your <SID> (just for example EPR)
c. Entry Name: SAPLogonTicketKeypair
d. Store Certificate: Mark it
e. Key Length: 1024
f. Algorithm: DSA
g. Press Generate
Now you will have two entries in the TicketKeyStore:
SAPLogonTicketKeypair
SAPLogonTicketKeypair-cert
Step 3 - Export the Portal certificate
3.1 Choose Server --> Services --> KeyStorage --> TicketKeystore
3.2 Choose SAPLogonTicketKeypair-cert and press Export (Export button in the Entry field)
a. Fill in a name of the Certificate
To keep track of your certificate, call it the SID of the Portal (i.e) EPR
b. Choose either X.509 or Base64 Encoded Format
Step 4 - Import the Portal certificate to the Backend System
4.1 Log in to the Backend System HR6-HT3
4.2 Run transaction STRUSTSSO2
4.3 Press Import Certificate (Button in the Certificate field)
a. Open the generated certificate from step 3 with the right file format that you chose in step 3.4
4.5 Press Add to Certificate List button (Button in the Certificate field)
4.6 Press Add to ACL button (Button in the Certificate field)
a. Enter the <SID> of your Portal (i.e) EPR
b. Enter Client 000
4.7 Press Save
Step 5 - Export the Backend certificate to your Portal
5.1 You are still in the transaction STRUSTSSO2. Double-click the Owner Certificate, choose Export and store it on the file system
5.2 Log into Visual Administrator
Choose Server --> Services --> KeyStorage --> TicketKeystore and press Load and choose the Certificate
5.3 Set the Backend System as "ACL" in the Portal
Choose Server --> Services --> Security --> Provider --> Ticket
Choose the Authentication tab and add the following on the com.sap.security.core.server.jaas.EvaluateTicketLoginModule:
- trustedsys<Number>=<ABAP_SID>, <CLIENT> (for example, HR6, 500)
- trustediss<Number>=<ISSUER_DISTINGUISHED_NAME> (for example, CN=HR6)
- trusteddn<Number>=<SUBJECT_DISTINGUISHED_NAME> (for example, CN=HR6)
You have set up a trusted relationship between your portal and the backend system. To do so with several systems, run this guide again from step 4.
Please Reward Points if useful.
Thanks & Regards,
Prashant.
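A small consistency check for the trust entries from step 5.3, added here as an example; it is not SAP's code and not something from this thread. It groups the trustedsys<N>/trustediss<N>/trusteddn<N> options by index, checks that each group is complete, that trustedsys has the "<SID>, <CLIENT>" form, and that each trusteddn matches a certificate subject that was loaded into TicketKeystore in step 5.2. The option values, the keystore subject list and the SID/client formats are constructed assumptions, so the inputs here are samples and not taken from any real system.

```python
import re
from dataclasses import dataclass

# Constructed sample: trust options as they would be entered on the
# EvaluateTicketLoginModule (Security Provider -> Ticket -> Authentication).
SAMPLE_OPTIONS = {
    "trustedsys1": "HR6, 500",
    "trustediss1": "CN= HR6",      # stray space, as in the thread's own example
    "trusteddn1": "CN=HR6",
    "trustedsys2": "BWP, 100",
    "trustediss2": "CN=BWP",
    # trusteddn2 left out on purpose so the check reports it
    "trustedsys3": "R3D100",       # malformed: SID and client not comma-separated
    "trustediss3": "CN=R3D",
    "trusteddn3": "CN=R3D",
}

# Constructed list of subject DNs of backend certificates loaded into the
# portal's TicketKeystore (step 5.2).
SAMPLE_KEYSTORE_SUBJECTS = ["CN=HR6", "CN=BWP"]

OPTION_RE = re.compile(r"^trusted(sys|iss|dn)(\d+)$")
SID_RE = re.compile(r"^[A-Z][A-Z0-9]{2}$")   # assumption: 3-char SID, letter first
CLIENT_RE = re.compile(r"^\d{3}$")           # assumption: 3-digit ABAP client


def normalize_dn(dn: str) -> str:
    """Collapse whitespace around '=' and ',' so 'CN= HR6' equals 'CN=HR6'."""
    return re.sub(r"\s*([=,])\s*", r"\1", dn.strip())


@dataclass
class TrustEntry:
    index: int
    sid: str
    client: str
    issuer_dn: str
    subject_dn: str


def group_options(options: dict) -> dict:
    """Map index N -> {'sys': ..., 'iss': ..., 'dn': ...} from the flat option names."""
    groups: dict = {}
    for key, value in options.items():
        m = OPTION_RE.match(key)
        if m:
            groups.setdefault(int(m.group(2)), {})[m.group(1)] = value
    return groups


def check_trust_entries(options: dict, keystore_subjects) -> tuple:
    """Return (valid entries, list of problem descriptions)."""
    known = {normalize_dn(s) for s in keystore_subjects}
    entries, problems = [], []
    for idx, g in sorted(group_options(options).items()):
        missing = [f"trusted{k}{idx}" for k in ("sys", "iss", "dn") if k not in g]
        if missing:
            problems.append(f"entry {idx}: missing {', '.join(missing)}")
            continue
        parts = [p.strip() for p in g["sys"].split(",")]
        if len(parts) != 2 or not SID_RE.match(parts[0]) or not CLIENT_RE.match(parts[1]):
            problems.append(f"entry {idx}: trustedsys{idx}={g['sys']!r} is not '<SID>, <CLIENT>'")
            continue
        sid, client = parts
        issuer, subject = normalize_dn(g["iss"]), normalize_dn(g["dn"])
        if subject not in known:
            # A trusteddn without a matching certificate in TicketKeystore means
            # tickets from that system can never be verified.
            problems.append(f"entry {idx}: {subject} has no certificate in TicketKeystore")
            continue
        entries.append(TrustEntry(idx, sid, client, issuer, subject))
    return entries, problems


if __name__ == "__main__":
    ok, bad = check_trust_entries(SAMPLE_OPTIONS, SAMPLE_KEYSTORE_SUBJECTS)
    for e in ok:
        print(f"trusted: {e.sid}/{e.client} issuer={e.issuer_dn} subject={e.subject_dn}")
    for p in bad:
        print("PROBLEM:", p)
```

Run against the sample, entry 1 is accepted, entry 2 is reported for the missing trusteddn2, and entry 3 for the malformed trustedsys3. The same function can be pointed at the real option set and the real list of keystore subjects after steps 4 and 5 have been repeated for every backend system.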