SSO For SAP GUI

Former Member
0 Kudos

Hi,

Currently SAP is working on WIN2003/SQL. Authentication of Windows users is made from LDAP.

SAP version is ECC 6.0 but we are not using portal.

I wanted to know which is the best method to configure SSO for SAP GUI.

Also we are planning for the following things in future.

We might migrate to Linux/Oracle.

Also we might use portal in future.

Also we might be using CUA in future.

I wanted to know, keeping in mind the future things, which would be the best method to configure SSO for the current setup. Currently SSO configuration is of high priority.

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hello

"Best" is difficult to determine, even with the requirements you stated. There are a number of additional decision criteria you need to decide upon, e.g. your current and future security needs, flexibility to use other authentication mechanisms, user mapping needs, ability to provide access to partners, other SAP UI technologies in plan (e.g. Widgets), future plans for SOA.

For SAPGUI, you can use SNC, and there are multiple technology options to implement this. One of them is the use of SNC with client certificates. It provides the broadest support of SAP UI technology (incl. SAPGUI, web browser, and more). It can be easily combined with Windows / LDAP authentication - a company PKI is not needed.

Peter

2 REPLIES 2

tim_alsop
Active Contributor
0 Kudos

Hello SAPChizel,

If you are using SAP on Windows 2003 at the moment, and getting SSO with SAP GUI using Windows Authentication, this is likely to be using the SNC library provided by SAP, which uses the Kerberos protocol. As I am sure you know, the authentication of users when they log on to their workstation is done using the Kerberos protocol with the Active Directory domain controller. The LDAP protocol is not used, but often people refer to Active Directory as an LDAP server since it also supports the LDAP protocol when appropriate, but not for Windows authentication, and not when used with SAP GUI and SNC.

If you are moving to Linux and want to implement the same as you are used to with SAP on Windows, then you need to use a third party product that provides an SNC library, so you can enjoy the exact same benefits as you get on a Windows SAP implementation. The third party product I would recommend is one from CyberSafe, as this also uses Kerberos and therefore fits very well with your current implementation on Windows. The CyberSafe product is available on many operating systems, so you can change operating system without having to select a different product, e.g. you might start to use Linux on x86, but in future you might be using Linux on the Power chipset, or you might decide to use HP-UX or Solaris or AIX ...

For your portal plans in future, you can provide a similar capability to the one you are familiar with using SNC with SAP GUI, but you need to install a login module in the SAP J2EE Engine, and you can set up Integrated Windows Authentication. This means when a user logs on to the workstation and uses Kerberos to authenticate themselves, their credentials can be used to log them on to the portal via the Kerberos protocol support already built into popular web browsers. You can combine this with X.509 certificates for confidentiality via SSL if you wish, but passwords will not be transmitted across the network so SSL is not essential.

Regarding CUA - both SNC and web solutions I have mentioned above are fully compatible with CUA, since CUA will make sure your ABAP user store is updated on each system in your landscape. You can even use the ABAP user store for portal, and still benefit from SSO and central management of users with CUA.

Let me know if you have any questions.

Thanks,

Tim
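
For the SNC-based SSO discussed in the replies above, the following is an added example (not posted by any participant in this thread) that parses an instance profile and flags SNC settings that weaken SAP GUI logon. The `snc/...` names are standard SAP profile parameters; the sample profile, library path, principal name, and the identity-style heuristic are constructed assumptions.

```python
# Constructed sample instance profile; path and principal are placeholders.
SAMPLE_PROFILE = """\
# SNC section (constructed values)
snc/enable = 1
snc/gssapi_lib = /path/to/snc/library.so
snc/identity/as = p:SAPServiceSID@EXAMPLE.COM
snc/accept_insecure_gui = 1
snc/data_protection/min = 1
"""

def parse_profile(text):
    """Return {parameter: value} from 'name = value' profile lines."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params

def identity_kind(snc_name):
    """Heuristic (assumption): 'p:CN=...' is X.509 style, 'p:user@REALM' Kerberos style."""
    name = snc_name[2:] if snc_name.startswith("p:") else snc_name
    if "CN=" in name.upper():
        return "x509"
    return "kerberos" if "@" in name else "unknown"

def audit_snc(params):
    """List settings that leave SAP GUI logon weaker than the SSO design intends."""
    if params.get("snc/enable") != "1":
        return ["snc/enable is not 1: SNC is off, so no SNC-based SSO"]
    findings = []
    for required in ("snc/gssapi_lib", "snc/identity/as"):
        if not params.get(required):
            findings.append(f"{required} is not set")
    if params.get("snc/accept_insecure_gui") == "1":
        findings.append("snc/accept_insecure_gui = 1: SAP GUI logons without SNC are still accepted")
    if params.get("snc/data_protection/min") == "1":
        findings.append("snc/data_protection/min = 1: authentication only, no integrity or privacy protection required")
    return findings

if __name__ == "__main__":
    profile = parse_profile(SAMPLE_PROFILE)
    print(identity_kind(profile.get("snc/identity/as", "")))
    for finding in audit_snc(profile):
        print("-", finding)
```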