Blogs
|
Single sign-on Technologies supported by the SAP NetWeaver Application Server as a Service Provider in Microsoft based environments
 
|
|
Single sign-on Technologies supported by the SAP NetWeaver Application Server as a Service Provider in Microsoft based environments
Today I have been asked by a colleague to provide some information for partners how they could achieve Single sign-on in a scenario where an ABAP system is accessed via Web-Dynpro and a .NET based Rich Client application that calls a web service in the ABAP backend. It turned out that though numerous publications have been published about this topic there seems still the need for a compact overview. Therefore I thought this would be a good topic for a blog.
If customers want to achieve Single sign-on to access the systems of their SAP System landscape they have different options. The options being available mainly depend on the underlying technology stack (ABAP or Java), the underlying NetWeaver release and the type of user agent (SAP NetWeaver Business Client, Browser, SAPGUI or Web Service Client) that is being used to access a SAP system. Let us first have a look which user agents can be used to consume services from a SAP NetWeaver Application Server:
The ABAP server offers the still widely used legacy type access through the RFC protocol (SAPGUI) or diag protocol used by external applications that are performing RFC calls. Both the SAP ABAP stack as well as the SAP Java stack support browser based access (SAP NetWeaver Business Client, WebDynpro, iViews, BSP pages and SAPGUI for HTML) and web service based access that can be called by any web service client.Customers that are running their client computers in a Microsoft Active Directory are usually looking for an option to leverage this infrastructure. Since “Single sign-on (SSO) is a method of access control that enables a user to authenticate once and gain access to the resources of multiple software systems” (Wikipedia) the ideal Single sign-on scenario they are looking for is shown in the following figure.
The "ideal" Single sign-on scenario
In this scenario a user logs on to his workstation using his Windows Domain credentials (1). During this process the user requests a Kerberos ticket that is issued by the Active Directory (AD) Domain Controller (DC) (2). This Kerberos ticket would then be used by any subsequent service call (3) and the user would be authenticated (4) by the SAP system without the need to enter username and password and would be able to retrieve the requested data (5).In reality this scenario can usually not be used because the SAP NetWeaver Application server does support Kerberos for Single sign-on only for two scenarios. One is the browser based access to systems that are based on the Java stack that is configured to use the SPNego Login Module. The other is the use of a Kerberos based SNC solution for SAPGUI.
Since Kerberos tickets can thus not be used for authentication by all user agents, Single sign-on can only be achieved if we use an additional ticket issuing instance that itself accepts Kerberos tickets and that issues tokens that are accepted by the SAP NetWeaver Application Server instead. A “real”-World scenario would therefore look like this:
The "real-world" Single sign-on scenario
In this scenario a user logs on to his workstation using his Windows Domain credentials. During this process the user requests a Kerberos ticket that is issued by the Active Directory (AD) Domain Controller (DC) (1). This Kerberos ticket would then be used to perform an authenticated access to a ticket issuing system that issues other tokens (2) such as SAML tokens or SAP Logon Tickets. The user would then finally access the SAP System using this token without the need to enter username and password and would be able to retrieve the requested data (4).So what are the authentications options (tokens) that are supported by the SAP NetWeaver Web Application Server? Let us have a look at the authentication options that are listed in the following table:
SAP Stack | User Agent | X.509 | Kerberos | SAP Logon Tickets | SAML 1.1 |
SAP NW AS ABAP | SAPGUI/RFC | Yes (1) | Yes(2) | Yes | No |
Web Browser/ SAP NW BC | Yes | No(3a) | Yes | Yes(4) | |
.NET Web Service | Yes | No(3b) | Yes | Yes(5) | |
SAP NW AS Java | WebBrowser / SAP NW BC | Yes | Yes | Yes | Yes(6) |
.NET Web Service | Yes | No(3b) | Yes | Yes(7) |
- In this case one need to deploy a 3rd party SNC product that is able to leverage the X.509 certificates from the user’s certificate store.
- In this case the SAP NetWeaver Application Server ABAP has to run on Windows. See SAP Note 150380
- Though Kerberos Authentication is only supported for browser based access on the Java stack this technology can be leveraged indirectly to achieve Single sign-on as follows:
(a) The authentication options offered by the Java stack can be leveraged for browser based access to a Web Application Server ABAP as well if users are redirected to a a Web Application Server Java in the event of a logon error. This scenario is described in the following SDN Whitepaper.
(b)Kerberos tickets can only be used using a workaround described in the following SDN Blog. A SAP Application Server based on the Java Stack has to be used as a ticket issuing instance - SAML Browser / Artifact Profile as of NW 7.1 ABAP
- WS-Security SAML Token Profile (HoK) as of NW 7.01 SP1 and NW 7.11 SP1 ABAP
- SAML Browser / Artifact Profile as of NW 04 JAVA
- WS-Security SAML Token Profile (HoK) as of NW 7.11 SP1 JAVA
From the table above we can conclude that we have basically three options to achieve Single Sign-On.
The first option is to use SAP Logon Tickets. This works well for browser based access where a SAP NetWeaver Portal is used that is configured to support Integrated Windows Authentication. Such a portal can also act as the ticket issuing instance for SAP Logon Tickets for .NET Web Service Clients though this scenario does not work out of the box using standard WCF bindings since the .NET client has to perform an additional service call to the SAP Logon Ticket issuing system. This scenario is described here in SDN.
The second option is to use SAML tokens. SAML tokens can be used for Single-Sign-On in browser based scenarios as well as in Web Services based scenarios. If a user agent in a SAML based scenario tries to access a SAP resource it will automatically being told to access the SAML ticket issuing instance that can be configured to accept Kerberos tickets. Since the Identity Providers (IdP) and Secure Token Service (STS) servers of both vendors are not available yet this scenario will be adopted once these infrastructure components are available.
The third option is the usage of X.509 certificates. These can automatically be issued to end users and distributed to their computers with the help of Microsoft Active Directory. Using automatic enrollment of user certificates Microsoft Active Directory provides a quick and simple way to issue X.509 certificates to users after they have successfully authenticated against Microsoft Active Directory. This scenario has been described in the SAP TechEd session SIM208.
In addtion to my TechEd session I have provided more details in the following blog.
A recommendation which technology one should choose in a specific scenario is out of the scope of this article. There are Pro’s and Con’s with all of them. Therefore I would like to point you to some articles that describe the topic in more depth.
- Unleash the Power of Single sign-on with Microsoft and SAP
http://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/b0d219f9-5c47-2a10-dc87-bdbb438d3be1?language=en - SIM203 Securing SOA Scenarios with SAML
http://www.sdn.sap.com/irj/scn/shop?rid=/media/uuid/700d36a2-0862-2b10-84a1-86eac99bf09f - Single sign-on of Windows-based Web Service Clients using SAP Logon Tickets
http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/4872 - Single Sign On to SAP NetWeaver Enterprise Search 7.2 Using Integrated Windows Authentication
http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/00007511-5c0e-2d10-26bd-f30b7f433b9a - Configuring and troubleshooting SPNego -- Part 3
http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/8313
Andre Fischer
is working in the Solution Management Team of SAP NetWeaver Gateway
Please excuse the brevity of some descriptions but this was on purpose ...
Comment on this weblog
| Showing messages 1 through 50 of 50. | ||
|
|
||
| Titles Only | Main Topics | Oldest First |
- Single sign-on Technologies supported by the SAP NetWeaver Application Server
2011-02-25 01:08:28 kiran kumar vejendla Business Card [Reply]
Hi, This blog is very good but i would like to know whether SAML2.0 SSO support is already available with NW7.2 ABAP AS for browser based applications.
Best regards,
Kiran.- Single sign-on Technologies supported by the SAP NetWeaver Application Server
2011-02-25 02:49:33 ShivKumar Devara Business Card [Reply]
I would like to add to Dimitar, NW ABAP is supported for SAML 2.0 for browser based application from 7.02 SP 03. Logically speaking 7.2 is greater than 7.02, hence it should support.
Apart from SSO, if you are looking data security than I suggest you to go for X.509 certificates which supports both.
Regards
Shiva- Single sign-on Technologies supported by the SAP NetWeaver Application Server
2011-02-25 04:04:59 Tobias Hofmann Business Card [Reply]
Shiva,
"Logically speaking 7.2 is greater than 7.02, hence it should support."
That's not how SAP product releases are working. Given that 7.2 was released earlier than 7.02, it may be without SAML, as SAML was only introduced in EHP2 of 7.00 and wasn't part of the features of the 7.2 release.
To have SAML support in 7.2 you may wait for an EHP for 7.2 that includes SAML.
br,
Tobias
- Single sign-on Technologies supported by the SAP NetWeaver Application Server
2011-02-25 01:35:55 Dimitar Mihaylov
Business Card
[Reply]
Hi Kiran,
What product do you use on top of AS ABAP 7.2? If I'm not mistaken SAML 2.0 is not supported in ABAP 7.2. However SAML 2.0 is for sure supported in 7.02 - see http://help.sap.com/erp2005_ehp_05/helpdata/EN/17/6d45fc91e84ef1bf0152f2b947dc35/frameset.htm.
Regards,
Dimitar
- X.509
2010-09-08 04:07:53 James Lorenzana
Business Card
[Reply]
Hi Andre,
Quick question. In our case it is a X.509 V3 issued by TrustAlert when they try to login via SECUDe to SAP Web GUI / SAPGUI. Since this is a standard X.509, can we reuse the same certificate when users login to a federated portal with (AS JAVA, EP, EPC)?
Regards,
James- X.509
2010-09-08 09:47:11 Andre Fischer
Business Card
[Reply]
Hi James,
I would expect this to work.
You find more information about using X.509 Client Certificates on the AS Java here:
https://cw.sdn.sap.com/cw/docs/DOC-109468
Best Regards,
Andre
- Clarification on SAP logon tickets
2010-07-11 09:31:08 ShivKumar Devara Business Card [Reply]
Hi Andre,
For ABAP stack with user agent SAP GUI/RFC you mentioned SAP logon tickets are supported. But as per sap help link http://help.sap.com/saphelp_nw70ehp2/helpdata/en/e5/4344b6d24a05408ca4faa94554e851/frameset.htm, go to Authentication on the AS ABAP - Using logon tickets - prerequisite, it is mentioned that under step "End users need to configure their Web browsers to accept cookies". Could you please clarify on this.
Thanks
Shiva- Clarification on SAP logon tickets
2010-07-12 00:26:45 Andre Fischer
Business Card
[Reply]
Hi Shiva,
"End users need to configure their Web browsers to accept cookies" refers to browser based communication.
For SAPGUI/RFC nothing has to be configured on the client side.
Best Regards,
Andre
- Clarification on SAP logon tickets
2010-07-12 05:52:03 ShivKumar Devara Business Card [Reply]
Hi Andre,
Thanks for your quick response.
Actually I am under the impression that we can't configure SSO for ABAP using logon tickets when accessing from SAP GUI/RFC, if it is possible, could you please let me know some info on how to configure it.
Thanks
Shiva- Clarification on SAP logon tickets
2010-07-12 05:59:47 Gregor Wolf Business Card [Reply]
Hi Shiva,
a long time ago I've used SAP Logon Tickets to authenticate for an RFC connection. You can check out my Blog Single Sign On with External ID implemented in Ruby for more details.
Regarding the SAP GUI SSO using the logon ticket you can check out my ZAPP_INTEGRATOR project which uses the SAP logon ticket to make a browser based SSO using the SAP GUI for Windows.
Best regards
Gregor
- SSO for Web Services
2010-04-14 08:41:52 Wolfgang Janzen
Business Card
[Reply]
See also: http://wiki.sdn.sap.com/wiki/display/Security/Single+Sign+on+for+Web+Services
- SAML 2.0 and EP 701 ?
2010-04-06 12:36:04 Raoul Shiro Business Card [Reply]
Hi André,
Thank you very much for this eye opening presentation.
We are trying to implement SUN OpenSSO (based on SAML 2.0) with the SAP Enterprise Portal 701.
We are still in the configuration phase and are facing many issues.
I searched for some documentations about SAML 2.0 and SAP portals in sdn/Sap notes etc .. but I couldn't find any.
Do you know if SAML 2.0 is supported on EP 701 ?
Do you know if OpenSSO is widely used by others SAP customers ,
thank you !- SAML 2.0 and EP 701 ?
2010-05-13 09:23:05 Dimitar Mihaylov
Business Card
[Reply]
Hi Raoul,
As correctly pointed by Tobias EP 7.01 does not natively support SAML 2.0. However you still could enable it by using another AS Java 7.2 system. There are two sub-cases:
1. EP 7.01 should be an SAML 2.0 Service Provider (SP)
In this case there is an SAML 2.0 Identity Provider (IdP) which issues the assertions and the EP 7.01/AS Java 7.2 system should be able to consume them and authenticate the user. This could be achieved in the following way: The AS Java 7.2 is configured as SAML 2.0 SP and consumes the SAML 2.0 assertion issued by the IdP, after authenticating the user it issues an SAP Logon Ticket and redirects to the EP 7.01 which is configured to accept Logon Tickets issued by the AS Java 7.2 system. This way the only change at the EP 7.01 is to establish the trust to the AS Java 7.2 system and thus the risk of any technical issues with your existing setup is minimal.
2. EP 7.01 should be an SAML 2.0 Identity Provider (IdP)
This is the case where you would like to integrate content from a third party system which does not accept the SAP Logon Ticket issued by the EP but supports SAML 2.0 authentication. In this case the flow is in reverse order - after authentication at EP an SAP Logon Ticket is issued, when the user clicks at an iView which points to the 3rd party system the browser will be redirected to this system and then to the AS Java 7.2 which will act as Identity Provider. The AS Java 7.2 system is configured to accept SAP Logon Tickets from EP and could transparently authenticate the user and issue a SAML 2.0 assertion for the 3rd party system.
In both case the AS Java 7.2 system is used to convert the SSO tokens.
SAML 2.0 SP is available by default in AS Java 7.2.
SAML 2.0 IdP will be released in the next weeks and could be run on AS Java 7.2.
If you are interested in other details do not hesitate to ask me.
Regards,
Dimitar- SAML 2.0 and EP 701 ?
2010-06-28 11:19:53 Gary A. Craig Business Card [Reply]
Dimitar
Do you have any more details on your use case #2. I have that scenario and I'm trying to complete a solution.
Gary- SAML 2.0 and EP 701 ?
2010-06-28 11:43:51 Dimitar Mihaylov
Business Card
[Reply]
Hi Gary,
Yes, what details are you interested in? Here is again the setup:
[1] EP 7.01
[2] CE 7.2 with SAML 2.0 Identity Provider (IdP)
[3] 3rd party SAML 2.0 Service Provider
Just some days ago SAP SAML 2.0 IdP was released as part of SAP IDM 7.1 SP5 (http://www.sdn.sap.com/irj/sdn/nw-identitymanagement).
Trusts:
[i]: [2] should accept SAP Logon Tickets (MYSAPSSO2 cookie) issued by [1]
[ii]: [3] should accept SAML 2.0 assertions issued by [2]
- At EP [1] you should configure URL iView to the 3rd party system [3].
- [1] EP and [2] IdP should run in common DNS domain.
- At [2] you should configure authentication with SAP Logon Tickets as one of the default ones
The SSO (SAML 2.0 SP-initiated SSO)from [1] to [3] should work the following way:
1. The user logs into the EP
2. Domain cookie MYSAPSSO2 is set in the user browser
3. The user navigates in the EP and loads the iView to the 3rd party system
4. The browser access the 3rd party system (<iframe>)
5. The 3rd party system redirects to the SAML 2.0 IdP
6. The SAML 2.0 IdP authenticates the user automatically based on the MYSAPSSO2 cookie
7. The IdP issues an SAML 2.0 assertion and redirects back to the 3rd party system
8. The 3rd party system authenticates the user based on the SAML 2.0 assertion
In a similar way you may configure also SAML 2.0 IdP-initiated SSO scenario.
Let me know if this description is sufficient or what other details you are interested in.
Regards,
Dimitar- SAML 2.0 and EP 701 ?
2011-05-19 19:29:30 Gary A. Craig Business Card [Reply]
Dimitar,
Just wanted to let you know your solution worked superbly! I have implemented an IdP-initiated SSO with a third-party payroll provider.
I do have a scenario for another vendor that I have not been able to solve and was hoping you can point me in the right direction.
I need a custom attribute with a constant value. Like this.
<saml:Attribute Name=“clientId”>
<saml:AttributeValue xmlns:saml=“urn:oasis:names:tc:SAML:2.0:assertion”>19941</saml:AttributeValue>
</saml:Attribute>
This is not something I want to put in LDAP for every user. Is there a solution to this?
Thank you,
Gary- SAML 2.0 and EP 701 ?
2011-05-20 00:04:06 Dimitar Mihaylov
Business Card
[Reply]
Hi Gary,
Currently the SAP IDP could issue attributes only when transient or persistent NameID formats are used for the subject in the assertion. In those cases the source for the SAML2 attributes could be either user attributes or group or role assignments. Unfortunately at the moment we do not provide an option for setting attributes with a constant value however we have it on our list and in some of the next SPs this will be possible. As a temporary workaround I would propose to you the following: create either a group or a role with name "19941" and assign it either to the "Everyone" group or role. Afterwards add Authorization Attribute with name "clientId" and Filter based on the group or role "19941". This is not the nicest solution but should resolve your issue until we provide support for constant attributes. Also I'm not sure about your scenario but I think it is more relevant if such constant attributes are set at the SP side and not at the IdP side because a malicious IdP could issue assertions with the same clientId which would be a security issue if accepted by the SP.
Regards,
Dimitar- SAML 2.0 and EP 701 ?
2011-06-08 10:09:37 Gary A. Craig Business Card [Reply]
sorry..wasn't seeing my posts.- SAML 2.0 and EP 701 ?
2011-06-22 07:23:06 Dimitar Mihaylov
Business Card
[Reply]
Hi,
I just want to update the forum in case others are following the topic. The issue was caused by a wrong configuration. The correct way to do it is to create a new group - e.g. "19941" and assign it as parent of built-in group "Everyone". Because every user is a member of group "Everyone" he/she will became member also of its parent group "19941".
Regards,
Dimitar
- SAML 2.0 and EP 701 ?
2011-06-08 10:08:00 Gary A. Craig Business Card [Reply]
Dimitar,
I tested your workaround and when using a group with member of Everyone the attribute is not created. When I put my user in as a member then attribute is created.
With Everyone debug log:
Condition for descriptor Condition Descriptor {
Type:GROUP,
Negation State:false,
Elements:[GRUP.PRIVATE_DATASOURCE.un:19941],
Logical Operator:OR
} evaluates false
With user as member:
Condition for descriptor Condition Descriptor {
Type:GROUP,
Negation State:false,
Elements:[GRUP.PRIVATE_DATASOURCE.un:19941],
Logical Operator:OR
} evaluates true
How can I get this to work without adding my users as members to the group and use Everyone.
Thanks, Gary
- SAML 2.0 and EP 701 ?
2011-06-08 10:07:01 Gary A. Craig Business Card [Reply]
Dimitar,
I tested your workaround and when using a group with member of Everyone the attribute is not created. When I put my user in as a member then attribute is created.
With Everyone debug log:
Condition for descriptor Condition Descriptor {
Type:GROUP,
Negation State:false,
Elements:[GRUP.PRIVATE_DATASOURCE.un:19941],
Logical Operator:OR
} evaluates false
With user as member:
Condition for descriptor Condition Descriptor {
Type:GROUP,
Negation State:false,
Elements:[GRUP.PRIVATE_DATASOURCE.un:19941],
Logical Operator:OR
} evaluates true
<Attribute Name="clientId">
<AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">19941</AttributeValue>
</Attribute>
How can I get this to work without adding my users as members to the group and use Everyone.
Thanks, Gary
- SAML 2.0 and EP 701 ?
2011-06-08 09:59:44 Gary A. Craig Business Card [Reply]
Dimitar,
I tested creating the constant attribute as you described by creating a group with name 19941 and assigning to it the Everyone role. When I test, the attribute is not created. If I add the user explicitly to the group, then the attribute is created as needed. Am I missing something on how to use "Everyone". I'm not wanting to create a group will all users as members.
From the log using Everyone:
Condition for descriptor Condition Descriptor {
Type:GROUP,
Negation State:false,
Elements:[GRUP.PRIVATE_DATASOURCE.un:19941],
Logical Operator:OR
} evaluates false
From the log with user as member:
Condition for descriptor Condition Descriptor {
Type:GROUP,
Negation State:false,
Elements:[GRUP.PRIVATE_DATASOURCE.un:19941],
Logical Operator:OR
} evaluates true
<Attribute Name="clientId">
<AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">19941</AttributeValue>
</Attribute>
Thanks for any help you can provide.
Gary
- SAML 2.0 and EP 701 ?
2010-06-28 11:52:56 Gary A. Craig Business Card [Reply]
As far as system #2, I'm looking to see if SAP IDM is required or just an option. It sounds like any NW 7.2 AS Java could work, correct?
Thanks for the information.
Gary- SAML 2.0 and EP 701 ?
2010-06-28 12:12:35 Dimitar Mihaylov
Business Card
[Reply]
Hi Gary,
The IDM solution consists of the following components:
1. Identity Center (IC)
2. Virtual Directory Server (VDS)
3. SAML 2.0 Identity Provider (IdP)
Each of them could be run separately from the others. This means that you can select to run IdP without IC or VDS. The only limitation is that you need IDM license even for the IdP.
For the IdP you need to deploy only IDMFEDERATION.SCA on AS Java 7.2. It is available for download from SAP Service Marketplace and you should be able to get it. See also SAP Note 1471322.
Regards,
Dimitar
- SAML 2.0 and EP 701 ?
2010-06-28 12:35:42 Gary A. Craig Business Card [Reply]
Thank you for the information and confirming that you must have some component (license) of SAP IDM in order to provide IdP.
Gary- SAML 2.0 and EP 701 ?
2010-06-28 12:48:27 Dimitar Mihaylov
Business Card
[Reply]
You are welcome. Two additional comments:
[1] CE 7.2 - you just need "pure" AS Java installation, no BPM or other components. I think the correct usage type for installation is [AS Java] or something similar. Of course it will work if you select also other usage type but this will consume more system resources.
[2] IDM license - as far as I know the IDM license is free of charge in certain cases but I do not know the details. Nevertheless you should be able to download and test the IdP functionality even without such license. No activation key is required to enable the IdP functionality - just deploy the IDMFEDERATION.SCA.
Dimitar
- SAML 2.0 and EP 701 ?
2010-04-07 05:42:55 Tobias Hofmann Business Card [Reply]
Hi,
you should really rethink the idea of using OpenSSO. After Orace/SUN, the future of OpenSSO is a little bit unclear.
And EP7 doesn't support SAML 2.0. You'll have to wait for NW 7.3
br,
Tobias
- Kerberos Support for Web Browser against ABAP
2010-04-02 05:57:48 Gregor Wolf Business Card [Reply]
Hi André,
I would love to see Kerberos Support for a Web Browser against an ABAP Stack. I think that this solution would be easier to deploy than X.509 certificates. Especially with the renaissance of the ABAP Stack for WebDynpro ABAP and the CRM WebUI which is based on BSP it would make a lot of sense. The way through the Java Stack to get a SSO Ticket is a poor workaround.
Best regards
Gregor- Kerberos Support for Web Browser against ABAP
2010-04-14 08:26:01 Wolfgang Janzen
Business Card
[Reply]
NWAS ABAP will provide support for SAML 2.0 (as Service Provider) - as of 7.02. Using any SAML 2.0 IdP which is capable of supporting Kerberos authentication (e.g. MS ADFS 2.0) will allow you to achieve the intended goal: to use web-based ABAP applications using Kerberos authentication (via SAML 2.0 IdP). This does not require any Public Key Infrastructure (PKI) to be set-up.- NWAS ABAP supporting SAML 2.0 (as SP)
2010-06-25 07:46:19 Wolfgang Janzen
Business Card
[Reply]
See also: http://www.sdn.sap.com/irj/sdn/security?rid=/library/uuid/30fe0e7b-b334-2d10-45b0-f35afb25a5bc ("Next Generation SSO for SAP Applications with SAML 2.0"), page 9, buttom line
- Kerberos Support for Web Browser against ABAP
2010-04-03 04:45:11 Sergio Ferrari Business Card [Reply]
I completely agree with Gregor and I support his request.
Thanks for this clear blog Andrè
- Kerberos Support for Web Browser against ABAP
2010-04-14 02:49:44 Andre Fischer
Business Card
[Reply]
There are currently no plans to support Kerberos authentication for browser based access for the ABAP stack.
If one uses the autoenrollment capabilities for X.509 certificates that are provided by Microsoft Active Directory a X.509 certificate is automatically stored in the users certificate store after the user has successfully authenticated using Integrated Windows Authentication.
From an end user point of view this is in the end Single sign-on based on Integrated Windows Authentication because the user does only have to authenticate once against AD and is then automatically authenticated (by the X.509 certificate) if he or she tries to access the ABAP System using browser based access.
Best regards,
André
- Kerberos Support for Web Browser against ABAP
2010-04-14 05:41:29 Tobias Hofmann Business Card [Reply]
Hi Andre,
are your really thinking that it is more likely that a company will configure and maintain a PKI just for the Intranet so that a user can authenticate with the certificate logon stack on an ABAP server and not using the Kerberos ticket???
X.509 certificates ... no, this is not an SSO for the end user. Normally he'll have to select the certificate in the browser when accessing a X.509 enabled authentication.
And if it's really bad configured (service market place from SAP: yes, there the certificate based authentication is really bad realised) the user will die trying to access the server.
Please SAP, take a look at what your customers are using, and it's not X.509 certificates, it's AD and Kerberos. Please implement Kerberos SSO for the ABAP stack.
Add some value to the customers: Kerberos for ABAP.
br,
Tobias- Kerberos Support for Web Browser against ABAP
2010-05-13 09:07:10 Dimitar Mihaylov
Business Card
[Reply]
Hi Tobias,
Just recently we have released a completely re-worked version for AS Java - http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/18567. It is not using any third party APIs and could easily be ported to ABAP (there is a prototype). There could be some chance that the decision is re-considered and SPNEGO/Kerberos for ABAP is made available.
Regards,
Dimitar- Kerberos Support for Web Browser against ABAP
2011-01-29 02:10:51 Guillaume Garcia Business Card [Reply]
Hi,
Any recent news about this prototype turning to reality...?
Thanks.
Best regards,
Guillaume- Kerberos Support for Web Browser against ABAP
2011-01-29 08:18:59 Dimitar Mihaylov
Business Card
[Reply]
Hi Guillaume,
The final implementation is available in ABAP 7.03 but cannot be released due to missing integration with other components - e.g. ICF, etc. Currently we are checking if we can release it as an add-on solution for already shipped releases - which might be more relevant for you. I'll keep you updated on the progress -e.g. when we are ready and in case you would like to try the add-on solution.
Regards,
Dimitar- Kerberos Support for Web Browser against ABAP
2011-01-30 04:39:32 Guillaume Garcia Business Card [Reply]
Fantastic!
Keep us posted, please. :)
Best regards,
Guillaume
- Kerberos Support for Web Browser against ABAP
2011-01-29 08:29:06 Gregor Wolf Business Card [Reply]
Hi Dimitar,
that are great news. If you're looking for beta testers count me in too.
Best regards
Gregor- Kerberos Support for Web Browser against ABAP
2011-01-29 08:46:49 Dimitar Mihaylov
Business Card
[Reply]
Hi Gregor,
Sure :). As soon as we are ready I will post information here.
Regards,
Dimitar
- Distribute X.509 DN Mapping from CUA
2010-04-02 05:50:12 Gregor Wolf Business Card [Reply]
Hi André,
thank you for this great overview. I especially liked the link to the SIM208 TechEd session. There you've mentioned that I can use Transaction EXTID_DN or the BSP Application /sap/bc/bsp/sap/certmap/ to assign the X.509 Distinguished Name to a User.
At Siteco we do successfully use the Central User Administration to maintain all the users for ERP, CRM, SCM and BW from one central place. Can it also be used to centrally maintain the mapping? Or do we have to introduce SAP Identity Management?
Best regards
Gregor- Distribute X.509 DN Mapping from CUA
2010-05-26 06:35:40 Andre Fischer
Business Card
[Reply]
Hi Gregor,
Central User Administration cannot be used to distribute mapping information stored in USEREXTID.
There is however the option to use a BADI implementation together with the report RSUSREXT.
BADI support is available for recent support package levels for 7.00, 7.01, 7.10 and 7.11 as specified in SAP Note 1254821.
The recommended way as a long term solution would be to implement SAP IdM.
Best Regards,
Andre
- Kerberos SSO
2010-04-01 01:56:35 Nelis Lamprecht Business Card [Reply]
Nice blog although your comment "2. In this case the SAP NetWeaver Application Server ABAP has to run on Windows." for SAPgui and Kerberos is a bit misleading. SSO using Kerberos works just fine on Linux and Unix based ABAP systems too when authenticating to a Windows domain. Just thought I'd point that out ;)- Kerberos SSO
2010-04-01 05:00:48 Andre Fischer
Business Card
[Reply]
Hi Nelis,
it is true that it can be configured.
There is however the question whether it is supported.
My statement refers to SAP Note 150380 "Is MIT Kerberos 5 supported for use with SNC ?"
https://service.sap.com/sap/support/notes/150380
Another solution is to use products that are certified for the BC-SNC interface. A list of certified products is available here:
http://www.sap.com/ecosystem/customers/directories/SearchSolution.epx
- Kerberos SSO
2010-12-29 01:33:08 Neeraj Jain Business Card [Reply]
Hi Andre,
Is there any blog available on SDN on "How to configure SSO using Kerberos on Linux/Unix machine"?
Regards,
Neeraj
- Very clear and informative
2010-04-01 01:07:34 Guillaume Garcia Business Card [Reply]
Hi,
Thanks for putting all this together. Although information is available on SDN about these many different aspects, it is nice to have such a blog as a reference! I'm glad you did it. :)
Best regards,
Guillaume
- SAML 2.0
2010-03-31 07:40:16 Marinus van Aswegen Business Card [Reply]
It would be nice to see a some SAML 2.0 scenarios since MS and SAP now support it.
- SAML 2.0
2010-04-14 08:34:06 Wolfgang Janzen
Business Card
[Reply]
You need to differentiate between SAML 2.0 for web-applications (browser-based, NWAS as SAML 2.0 Service Provider) and SAML 2.0 Token (NWAS as WS Provider supporting WS-Security: SAML 2.0 Token Format). Regarding release coverage, you also need to specify whether you intend to use NWAS ABAP or NWAS Java.
SAP NetWeaver Identity Management (IdM) plans to include an SAML 2.0 Identity Provider (IdP) with the next version (coming soon).
- SAML 2.0
2010-03-31 13:59:00 Tobias Hofmann Business Card [Reply]
Hi,
is SAML 2.0 not only available for NW 7.3 or does 7.1/7.2 already support SAML 2.0?
br,
Tobias- SAML 2.0
2010-05-13 08:51:51 Dimitar Mihaylov
Business Card
[Reply]
Hi Tobias,
SAML 2.0 Service Provider support is or will be available in AS Java 7.2/7.3 and AS ABAP 7.02/7.3.
SAML 2.0 Identity Provider functionality will be released as part of SAP IdM and will require at least AS Java 7.2 to run on it.
Regards,
Dimitar
- SAML 2.0
2010-04-09 02:30:55 Andre Fischer
Business Card
[Reply]
SAP plans to add IdP capabilities together with SAML 2.0 support as part of SAP IdM in the near future.
Best Regards,
Andre
| Showing messages 1 through 50 of 50. |