Application Development Discussions
SSO using active directory by SNC or X.509, or Integrated Windows Authentic

Former Member
0 Kudos

Hello Experts,

Our Landscape:

We have both SAP and Non-SAP systems in our landscape and we are evaluating to implement SSO.

We have Active Directory used by SAP UME for authentication for Network Login.

Objective:

We want to implement SSO from Active Directory, once the users have logged into their network systems, to SAP (Integrated ESS) and Non-SAP Apps.

Analysis:

After a thorough evaluation we identified that X.509, SNC, and Integrated Windows Authentication will fit our requirements, but we are not sure.

Questions

I would appreciate it if somebody could help me with whether our analysis is correct or not. Also, if somebody can give me a high-level overview of these SSO mechanisms, that would be great.

Please share your experiences. I would definitely award points. Thanks.


tim_alsop
Active Contributor
0 Kudos

Sunita,

There are many ways to implement SSO, and to support the widest range of applications companies often use a product which remembers the password for the user, so that when the user logs onto a particular application the correct password is transparently inserted into the logon screen. This can work for some, but is certainly not the most secure solution. You could use this approach for SAP and many other applications since most applications require a user to log on using a userid and password.

With SAP, there are various ways to implement SSO. In this forum you will find many companies who have asked about IWA (Integrated Windows Authentication), which is the name given to the solution which was first introduced by Microsoft in IIS when they released Windows 2000 about 8 years ago ... Anyway, when IWA is used a user logs onto their workstation and authenticates with a domain, and their domain credentials are used to authenticate them to the web server. Common browsers such as IE and Firefox support IWA using the Kerberos protocol, so that a user logged onto a workstation can be securely authenticated to a web application running on a web server. For SAP, there are various ways to implement the same, and they all involve installing a login module in the SAP NetWeaver Java stack which implements IWA, and therefore allows SSO for users accessing SAP applications via the browser.

The SNC interface is included in SAP GUI and SAP FrontEnd software (e.g. SAP RFC, SAP LPD etc.) and SAP Application Servers (back to release 3.1i) and is used in a client-server environment, not for web environments. When using SNC a cryptographic library that supports the GSS-API standard is required on the workstation and SAP server and this is used to authenticate the user to the SAP application. It is common for companies to use Kerberos libraries for SNC so that they can use the same technology as they are using for Windows logon to domain, and utilise the existing credentials to log the user onto the SAP applications via SAP GUI.

Regarding x.509 - this is often used when digital certificates are involved/required for electronic signatures, but can also be used for authentication, and therefore useful for SSO. Typically for SSO authentication a user must have a certificate and private key, and so if you use smart cards on your workstations you might find x.509 is appropriate. SAP software uses x.509 for digitally signing SSO2 cookies, which are used in a web environment for SSO, so after a user has completed initial authentication the cookie can be used to verify their authenticated identity.

I could write more, but I don't want to confuse you. Please let me know if you have any questions.

Thanks,

Tim

Former Member
0 Kudos

Oh Tim, thanks a lot for your help. Thanks a lot for spending time composing that long text.

I forgot to mention to you that we don't want to use Portals. We simply want to use Active Directory (login to their desktops) and enable SSO to SAP GUI (when they click on the logon pad, it shouldn't prompt for the login screen) and some Non-SAP systems. Which do you think is best for us? Are SNC and IWA different?

Please give us a high-level overview of configuring IWA or SNC. We don't want to use x.509 certs.

Thank you very much, I appreciate your help.

Sunita.

Edited by: sunita on Feb 7, 2008 3:00 AM

tim_alsop
Active Contributor
0 Kudos

Sunita,

If you are logging on to SAP using SAP GUI (i.e. not using a web browser or portal) then you can implement an IWA experience for the user, e.g. the user logs onto their PC, authenticates with their Active Directory account and then runs SAP GUI, logs onto a SAP system and is not asked for userid and/or password. Instead, the Kerberos credentials issued by Active Directory during the Windows workstation logon are used to authenticate the user to SAP. This is implemented using the SNC interface along with a Kerberos library that is certified by SAP for use with SAP products. You can also add data integrity and encryption of the session between SAP GUI and the SAP system (ABAP) if you want to improve network security, but a lot of customers use this approach just for Single Sign-On.

To get a library/product for the above you can contact me offline. I work for a company called CyberSafe who sell solutions to customers to do just what I have described above, so we are very familiar with the need for SSO both with SAP applications and non-SAP applications, especially when Active Directory is being used for authenticating users. You can get my email address from my SDN business card. Of course, if you have more questions, I can also answer them in this SDN forum.

Thanks,

Tim
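As an added illustration (not from this thread, and not CyberSafe's or SAP's own documentation) of the SNC-plus-Kerberos setup Tim describes, here is an ABAP application server instance profile fragment using the standard SAP SNC profile parameters; the library path and the SNC names are placeholders, and the value chosen for the quality of protection reflects the optional integrity/encryption Tim mentions.

```ini
# Added example, not from the thread: SNC with a Kerberos GSS-API library
# on the ABAP application server. Placeholders are marked in angle brackets.

# Switch SNC on and point at the GSS-API v2 library installed on the server host
snc/enable = 1
# placeholder path: the vendor's GSS-API shared library
snc/gssapi_lib = /usr/lib/<vendor-gssapi-library>.so

# The server's own SNC name: the Kerberos service principal registered in
# Active Directory for this application server (exact format is vendor-specific)
snc/identity/as = p:<SAP-service-principal>@<AD-REALM>

# Quality of protection: 1 = authentication only, 2 = integrity, 3 = privacy.
# Pure SSO only needs 1; integrity and encryption of the SAP GUI session are 2/3.
snc/data_protection/min = 2
snc/data_protection/max = 3
snc/data_protection/use = 3

# Fallback switches. During rollout, logons without SNC are typically still
# allowed (weak setting, shown commented out):
#   snc/accept_insecure_gui = 1
#   snc/accept_insecure_rfc = 1
# Once every user is mapped to a Kerberos principal, make SNC mandatory:
snc/accept_insecure_gui = 0
snc/accept_insecure_rfc = 0
snc/accept_insecure_cpic = 0
snc/permit_insecure_start = 0

# Also protect the internal RFC traffic between this system's own application servers
snc/r3int_rfc_secure = 1
snc/r3int_rfc_qop = 3
```

On the workstation side, SAP GUI needs the matching client library (the SNC_LIB environment variable) and a SAP Logon entry with SNC activated and the server's SNC name; each SAP user is mapped to their Kerberos principal on the SNC tab of SU01.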

Former Member
0 Kudos

Hello Sunita,

to clarify the situation around X.509 certificates:

This is a proven technology option for SSO to SAP that is used by many SAP customers. It is not dependent on the availability of a company-wide PKI or smart cards. Most companies just use it for SSO, not in combination with digital signature functionality (though that is an extension option). In fact, many customers are using it exactly for what you have described: secure single sign-on to your SAP applications via SAPGUI using Active Directory as the authentication authority (with either Windows logon info or a Kerberos ticket). In the SSO use case, a large portion of the perceived complexity of PKI solutions does not apply, and thus the implementation is fairly easy.

As to single sign-on for other applications: that depends on what technology options your other applications support. Most applications of course support logging in via user name and password, and that is why most enterprise SSO solutions can do an automatic password feed into the login screen to cover the breadth of the application landscape. But other, more secure mechanisms are often supported as well (certificates, Kerberos, ...).

Peter

0 Kudos

Hello Tim and Peter,

I apologize for not mentioning that my SAP servers are running on AIX. I thought it wouldn't make any difference. So, if my SAP servers are running on AIX, what's the easiest method to configure SSO, so that when the users log in to their desktops through Active Directory and then click on the SAP logon pad to launch SAP GUI, they aren't prompted for login?

Please let me know a high-level overview of how to configure SSO for SAP GUI through Active Directory when the SAP servers are running on AIX.

Thanks a lot, I appreciate your help.

Kind Regards,

Sunita.

0 Kudos

Sunita,

To do what you require, you need a product which includes libraries for SAP on AIX and for the FrontEnd workstations where SAP GUI is running. These libraries are provided by my company, as I mentioned in my last post. We support SAP on AIX, HP/UX, Solaris, Windows, or Linux.

If you would like to see a demo and discuss how our product works, please contact me using the email address in my business card.

The vendor which Peter works for provides an SNC product which will also do what you want, but it uses x.509 certificates; our product uses the Kerberos protocol, which is the protocol used by Active Directory to authenticate users to the domain. I am sure Peter will be able to answer any questions about his product if you contact him.

Thanks,

Tim

0 Kudos

Sunita, is your problem resolved, or are you still looking for a solution?

0 Kudos

Dear Zaki, Tim and Peter,

I just read this thread and I need to configure SSO between SAP R/3 and a Windows 2008 Domain.

I would appreciate it if you could provide me any documents which have steps to configure this.

Thanks and Regards

Ahsan.

0 Kudos

Dear Sunita,

Do you have a document to share for SAP NWBC + AD integration? SNC + X.509 certificates, SNC + Kerberos or Logon Tickets.

0 Kudos

Hello Manjesh,

Have you found any document? If so, can you please share it?

@Sunita,

Can you please provide information on SAP NWBC + AD integration: SNC + X.509 certificates, SNC + Kerberos or Logon Tickets.

Regards,

Jai