
SSO without EP

Former Member
0 Kudos

Hi

Is it possible to implement Single Sign-On without Enterprise Portal installed? Which will be the method for SSO without EP installed?

Thanks in advance

10 REPLIES 10

tim_alsop
Active Contributor
0 Kudos

Hello SAP Basis (Surely this isn't your real name?)

If you can explain your requirements I can tell you how to implement SSO. For example, what operating systems are you using to run SAP on, what versions of SAP are you using, do you have need for SSO via browser only, or are you also looking for SAP GUI SSO ? Do you have Active Directory, and do you want to use AD as the authentication server for users when they logon to SAP ?

Thanks,

Tim

Former Member
0 Kudos

Hi Tim

Thanks for your reply.

The operating system used for the SAP server is AIX. Versions of SAP are 6.20 and 7.00. I want to do SSO via browser only, and I do not have Active Directory.

Thanks once again

tim_alsop
Active Contributor
0 Kudos

Hi,

Any SSO implementation requires authentication, so you need an authentication server to implement SSO. Do you have any more info so I can understand what you want to use for authentication of users when you implement SSO ?

Also, if you don't have Active Directory, then how do you logon to workstations where browser is located ? Do you use Novell eDirectory instead ?

Thanks,

Tim

Former Member
0 Kudos

Hi Tim

I will provide you details

Thanks once again

Former Member
0 Kudos

Hi Tim

There is no Active Directory installed, nor will we be using Novell AD. Is it necessary to have an authentication server, and if it is not available, is it not possible to implement SSO?

Thanks once again

tim_alsop
Active Contributor
0 Kudos

Hi,

If you don't have any authentication server, then how do your users logon to their workstation ? Are they using local accounts ?

Anyway, the answer to your question depends on the scope of your SSO requirement - please see explanation below:

When a user logs onto their workstation they will typically be entering a userid and password, and authenticating themselves to the Windows network (this is the first authentication required by the user). If they then open a browser and log on to a SAP application (e.g. SRM) then they will need to authenticate again (second authentication). If the user logs onto SRM again in another browser instance, or they log on to another SAP application via browser, using another browser instance on the same workstation, then this can be done easily to avoid a third authentication.

If you want to set up SSO such that the first authentication is the ONLY authentication required then you need to use the same authentication server used during the initial workstation logon when authenticating users to SAP applications.

I look forward to your feedback on above so that I can help further.

Thanks,

Tim

Former Member
0 Kudos

Thanks Tim

Please give me couple of days I will get back to you on this.

Thanks once again for your reply

Former Member
0 Kudos

Tim

We have SAP AS installed on the AIX operating system. Users are authenticated by Windows Active Directory while logging on to the workstation, and both GUI and web-based SSO are to be implemented. Can you please tell me which will be the best-suited method to implement SSO? Will Kerberos help here?

Thanks

tim_alsop
Active Contributor
0 Kudos

SAP Basis,

In my experience, and view, the use of Kerberos is best for this set of requirements. If you search this forum and look for keywords such as AIX (or just UNIX or Linux), SNC, SAP GUI, SSO, Kerberos ... you will find a very large number of people who have used the same. You might also find my responses in a few of the threads :-).

It is also worth noting that you can implement the same method of authentication with SAP GUI and also with your web browser, e.g. the user logs onto the workstation, signs onto SAP via browser or via SAP GUI and gets authenticated to the SAP system as the same/consistent user, without any need to enter a userid or password again, and without any need for the software to transmit the user's password.

I find it is also common for companies to strategically choose Kerberos when they use Active Directory as an authentication server, since this also allows them to support non-SAP applications and services, e.g. SSO for SSH, Telnet, applications on Apache Web servers, IIS applications, .NET etc. In summary, the solutions being discussed on this forum which use Kerberos for SAP SSO and SAP security are not proprietary to SAP, and the same technology/approach can be used for non-SAP requirements that you may have.

I hope this helps ?

Thanks,

Tim

Former Member
0 Kudos

SAP supports a variety of technology options to implement Single Sign-on (SSO).

See [http://help.sap.com/saphelp_nw04s/helpdata/en/f8/9636eedafe8b4589cd6e9e4e73fd3c/frameset.htm] for an overview.

There are certainly options (e.g. client certificates via SNC or SSL) which don't require an Enterprise Portal installation.

As Tim already said: it's hard to give a specific recommendation without knowing your detailed requirements.

OS platform and authentication service are not the only things that are important, but also security requirements, which SAP components and SAP UI technologies need to be supported, required user mappings, etc.

By the way, a company-wide PKI is not a pre-requisite for using client certificates for SSO.

Peter