Supported ways of achieving SSO to NWBC?

Former Member
0 Kudos

Hi,

I am currently investigating what possibilities exist for achieving Single Sign-On to NWBC, and an important criterion is that it is supported by SAP.

As far as I can see this is not straightforward, and I'm finding it difficult to make a recommendation.

What are the experiences people have had providing SSO to NWBC?

Here are some thoughts I have about the alternatives.

Since NWBC uses HTTP as the base protocol, all authentication will have to use standard HTTP authentication mechanisms.

(ref http://help.sap.com/saphelp_nw70ehp3/helpdata/en/4c/5bdec897817511e10000000a42189b/frameset.htm). This means SNC (used for SAP GUI SSO) is not a candidate.

In my case, the first application will be a custom NWBC cockpit, but the principles should be possible to apply for all NWBC usage.

There are already several SAP NW Portals with SPNEGO Kerberos in the landscape, so they can also be utilized for this purpose.

Alternative 1: Use SAML for authentication on ABAP AS

New versions of ABAP AS support SAML as a service provider (ref. http://help.sap.com/saphelp_nw70ehp2/helpdata/en/4a/b6df333fec6d83e10000000a42189c/frameset.htm ).

This requires that you have a SAML identity provider in your landscape. If you don't already have one, SAP NW Single Sign On 1.0 can be set up for this purpose (as far as I understand). (Not sure how well SAP NW ABAP AS works with Microsoft AD Federation Services.)

Drawback of this alternative is that you need to have a SAML identity provider.

Alternative 2: Use X.509 certificate for authentication on ABAP AS

Requires the roll-out of a full-blown PKI solution. Big undertaking and not relevant in my case.

Alternative 3: Use error page configuration in ICF ABAP to redirect to a Portal for login and then back again

Same method as described in SSO to BSP.

Instead of custom-developed JSP code on the portal, it is possible to use this partner software: http://ecohub.sap.com/catalog/#!solution:trustbrokeradapter

(ref http://scn.sap.com/thread/1962162)

Drawback of this alternative is the custom or 3rd party solution required for redirecting back again after the portal login.

Alternative 4: Custom Single Sign On component on SAP NW Java which redirects to the NWBC

In this alternative, the URL of the custom single sign-on component is used in the NWBC client.

The custom single sign-on component will be responsible for performing the authentication before redirecting to the NWBC client.

We looked into this approach and had some problems due to URL encoding of the parameters passed to the SSO component.

(which could be solved by a hack)

The major drawback is the effort required for the custom single sign-on component, and that the portal is now a SPOF (single point of failure) for all NWBC usage.

Alternative 5: Integrate NWBC cockpit as an iView in the portal

In this alternative, the URL of the portal is used in the NWBC client.

I'd prefer having one portal that is used for all NWBC use, each cockpit/area with its own role.

(If you have other roles, they will also show up in NWBC. Not always what you'd like).

However, I don't see a suitable iView type for an NWBC component. You can use URL iView or one of the SAP integration iViews, but they are not tailored for NWBC usage.

Drawback is that you should have a new portal line and that you may experience problems when running NWBC in an iView (not sure if those problems would be supported).

Any advice and experience would be very welcome.
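The redirect-back step of Alternatives 3 and 4 above, as an added Python example (not code from the thread or from SAP): it shows the URL-encoding problem Dagfinn describes, the fix of encoding the NWBC return URL as a single query parameter, and the check a defender wants on the way back, namely redirecting only to an allow-listed NWBC host. Host names, the `returnUrl` parameter name and the sample query string are constructed assumptions.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed, hypothetical landscape: a portal-hosted SSO component and one NWBC host.
SSO_BASE = "https://portal.example.corp/sso/login"
ALLOWED_RETURN_HOSTS = {"nwbc.example.corp"}
FALLBACK_LANDING = "https://nwbc.example.corp/"


def build_login_redirect_naive(return_url):
    """The problematic variant: the NWBC URL is appended unencoded, so its own
    '&'-separated parameters are parsed as parameters of the SSO request."""
    return SSO_BASE + "?returnUrl=" + return_url


def build_login_redirect(return_url):
    """Percent-encode the whole NWBC URL into a single query parameter so that
    its own '?', '&' and '=' survive the round trip through the SSO component."""
    return SSO_BASE + "?" + urlencode({"returnUrl": return_url})


def extract_return_url(sso_request_url):
    """Read exactly one returnUrl parameter from the request to the SSO component;
    a missing or duplicated parameter yields None."""
    values = parse_qs(urlsplit(sso_request_url).query).get("returnUrl", [])
    return values[0] if len(values) == 1 else None


def is_safe_return_url(url):
    """Accept only absolute https URLs whose host is allow-listed. This rejects
    scheme-relative targets ('//host/...'), plain http, and userinfo forms such
    as 'https://nwbc.example.corp@other.host/' whose real host is other.host."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed netloc, e.g. an unbalanced IPv6 bracket
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    # hostname is lower-cased by urlsplit, so the allow-list is case-insensitive
    return parts.hostname in ALLOWED_RETURN_HOSTS


def complete_login(sso_request_url, authenticated):
    """Location the SSO component should redirect to after the portal login,
    or None when the user is not authenticated. An unsafe or missing return
    URL falls back to a fixed landing page instead of following the parameter."""
    if not authenticated:
        return None
    target = extract_return_url(sso_request_url)
    if target is None or not is_safe_return_url(target):
        return FALLBACK_LANDING
    return target


if __name__ == "__main__":
    # Constructed NWBC start URL with two of its own query parameters.
    nwbc = "https://nwbc.example.corp/sap/bc/nwbc/?sap-client=100&sap-language=EN"
    print("naive round trip :", extract_return_url(build_login_redirect_naive(nwbc)))
    print("encoded round trip:", extract_return_url(build_login_redirect(nwbc)))
    print("open-redirect try :", complete_login(
        build_login_redirect("https://nwbc.example.corp@other.host/"), True))
```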

1 ACCEPTED SOLUTION

Kaempfer
Advisor
0 Kudos

Hi Parnas,

I have some additional information, which perhaps helps you:

1. You mentioned in "Alternative 1" SAP NW SSO. It is correct that SAP NW SSO includes an identity provider.

2. In "Alternative 2" you mention that a customer needs a full-blown PKI. The product SAP NW SSO provides certificates out of the box without a full-blown PKI. So it automatically creates a certificate and provides it to the browser and to SAP GUI.

Advice is very difficult. It depends on your system landscape.

SAML -> no client software needs to be distributed -> this is a nice solution if all your back-end systems support this standard already. An integration of non-SAP applications is possible and this also works across domains. On the client side you can use different OS systems. SAML is a standard for Web single sign-on (SAP Portal, Web Dynpro for ABAP, Java, other Web applications). It does not support SAP GUI for Windows.

X.509 via SAP NW SSO -> This standard has been available for a longer time. So there is broader support and you can use it for SAP GUI and Web applications. An integration of non-SAP applications is possible and this also works across domains. On the client side you can use different OS systems.

SPNego for Java + SAP Logon Tickets -> This works if the first request is sent to a SAP NW Java server (to create a SAP Logon Ticket out of SPNego). But you will run into issues with SNC encryption (SAP Logon Tickets + SNC Client Encryption + NWBC). The solution is included in SAP NetWeaver.

So most customers are choosing SAP NW SSO with X.509 certificates for internal heterogeneous landscapes (--> this is my view as a solution manager for SAP NW SSO). But you can also mix the technologies based on your use cases (for an external SAP Portal for your customers SAML would be the right solution, because you don't want to deploy anything).

Don't forget to think about the encryption of the SAP GUI network communication ....

Regards

Matthias


Former Member
0 Kudos

Thanks for the input Matthias, appreciate your guidance.

Btw, I think I found a new alternative not covered yet.

Alternative: Use role upload functionality between ABAP PFCG roles and Portal PCD roles

If you want to use the Portal system in NWBC, all roles and the navigation structure must be in the Portal PCD. For some customers it is strategic to configure roles and the navigation structure in ABAP (PFCG) and not in the Portal.

In this case you should be able to use the role upload functionality between ABAP and Portal

(ref. http://help.sap.com/saphelp_nw04s/helpdata/en/41/5e4d40ecf00272e10000000a155106/frameset.htm).

Regards

Dagfinn

0 Kudos

Hi Dagfinn,

yes, your link is very important to sync the roles between ABAP and SAP Portal. You can save some time here! But how does this help you regarding SSO and NWBC?

Best Regards

Matthias

Former Member
0 Kudos

Hi Matthias,

In this case you would use the Portal system connection from NWBC. Since the SAP NW Portal already supports web SSO (SPNEGO/Kerberos), end-users will not need to log on.

Regards

Dagfinn

0 Kudos

Hi Dagfinn,

I think the "ABAP PFCG roles and Portal PCD roles" functionality is important for all SSO alternatives if you are using an SAP Portal, because this is about role management and this is independent of SSO.

So this sync tool is interesting also for SPNego, User/Password, SAML and certificate authentication.

1. question: which SSO technology is the best for your landscape --> authentication

2. question: if you are using a SAP Portal, do you want to sync the permission concept --> authorization

Perhaps that helps but I am not an expert for authorizations.

Regards

Matthias

former_member182638
Active Contributor
0 Kudos

Hi Dagfinn,

Interestingly, I am beginning to look at the same thing myself. I am aware that one of the customers here in Australia used their SAP Portal as a ticket issuer (so I expect something like your option 3) and they are live with this option. Whilst we are still some way from a decision on this, my starting point would be to use the same technique (as we don't have a SAML identity provider), and deploying x.509 certificates might be non-trivial. We already have a portal with Kerberos SSO authentication running.

That said, it would be interesting to rank all these alternatives in relation to speed in achieving the SSO into NWBC, and whether there is a marked difference in the end-user experience to accomplish this (to illustrate, SAML authentication into the SCN doesn't work too quickly, but then there are many other factors that might contribute to that). I am thinking x.509 certificates would provide the best performance. Unsure whether the Portal redirection versus SAML would perform better.

Regards

John

0 Kudos

Hi John/Dagfinn,

It seems to me like this is a fairly big "missing piece" in NWBC... I mean the ability to provide SSO seems like it should be there and if customers are told they can run NWBC instead of NW Portal in their landscape and then find out that SSO is such a pain to do... I don't know it just seems strange to me. Many customers will run both NWBC and Portal.

Ideally I guess you would want the equivalent of the SPNego Logon Module for the ABAP stack, that way it could use the Kerberos token sent by the browser... I guess that doesn't exist - but would it be possible to build? I guess anything is possible right.

Thanks for your post and comments.

Simon

0 Kudos

Hi John,

related to your comment:

deploying x.509 certificates might be non-trivial

Are you talking about the deployment of the certificates to the end clients? The option X.509 via "SAP NW SSO" provides the certificate automatically to the end user client. So for example if a user authenticates in the morning via his MS AD user, he automatically gets a certificate provided to SAP GUI and the Web browser.

Also many third party PKIs provide the certificate to the end user client, but the administrative effort for a full-blown PKI is higher (-> certificate lifecycle). A full-blown PKI of course also has advantages, if the customer needs long-term certificates for other scenarios.

Regards

Matthias

0 Kudos

Hi,

A sound architecture principle for a large landscape is that each application server takes care of its own Single Sign On. This helps reduce security issues that can exploit the trust mechanism, and it reduces dependencies between application servers.

I believe that many customers already have the building blocks for implementing SAML on ABAP AS.

Most customers have Active Directory as their domain controller and it is my understanding that with the Active Directory Federation Services it also works as a SAML identity provider. If you are looking for a SAML capability across your entire IT landscape, this should be a good solution both technically and organisationally. SAP NW Single Sign On 1.0 is, as mentioned before, another alternative.

Performance-wise, I don't think SAML should have a high overhead in a customer landscape where the load is reasonable. You'll typically get 3 extra HTTP redirects (depending on scenario), but as long as your SAML identity provider response time is good this should barely be noticeable for the end-user.

Simon Kemp:

Ideally I guess you would want the equivalent of the SPNego Logon Module for the ABAP stack, that way it could use the Kerberos token sent by the browser... I guess that doesn't exist - but would it be possible to build? I guess anything is possible right.

Agree. Technically it is definitely possible, but it will require some work at the application server level and should not be undertaken as a customer project. Hopefully, someone in SAP is working on it.

Regards

Dagfinn

0 Kudos

Hello all

I'm just getting into NWBC at our shop - the primary driver being to move our ESS/MSS solution to a non-portal approach. The big challenge is SSO.

As luck would have it, we have Active Directory Federation Services (ADFS) in our environment and are using it for SAML 2.0 authentication with some cloud apps (i.e. not internal).

  1. Does anyone have any experience/lessons learned with using ADFS for NWBC SSO?
  2. Does anyone know about a feature in Microsoft IE that allows the passing of authentication credentials to the trusted sites? Below is a screenshot that can be found under Tools->Options->Security->Local Intranet->Custom Level->Scroll down to 'user authentication' --- the reason I am asking is that the IT team that looks after ADFS currently feels that SAML is for external/cloud apps, not internal sites. They are questioning why this does not work for SAP (of course like it does for other apps). I don't even know what this is called?!!

Former Member
0 Kudos

Hi Dagfinn / Simon,

I agree that this is a missing piece. It seems that SAP is expecting all users to adopt SAML rather than Kerberos, but as you point out, in some environments the Identity Provider is not yet available. Adding a new system (NetWeaver SSO), redirecting from an AS Java, or having to sync all roles to the Portal all feel like workarounds to what should be a simple and standard part of an ABAP solution.

By the way, I'm actually surprised at how many customers are actually using X.509 certificates for their users without their applications teams being aware.  It's always worth checking the certificate store on the user's browser, you just never know what you might find.

The really frustrating thing (for me at least) is that the ABAP stack already supports Kerberos, because this is how Single Sign On via SNC works.  So the capability is there, it just simply isn't available for HTTP.  I really do hope that someone from SAP is working on this, but if I was being cynical I would suggest that if they want to keep the primary use case for NetWeaver SSO, SAP have a good reason not to develop a solution.

Cheers,

Jon

0 Kudos

Hi,

SAP is aware of the issue with Kerberos and Web applications based on ABAP, especially for NWBC. We are actually working on possible solutions but it is too early to share technical details.

SAML and certificates have the big advantage that a customer can integrate various applications (also non-SAP). Furthermore new standards (besides Kerberos) are needed especially for external, cloud and on-device applications. Kerberos is very good for internal scenarios. This is why we are working on this. But depending on the customer scenarios, different techniques need to be available.

Regards

Matthias

0 Kudos

Hi Matthias,

Thanks for providing such a prompt update, and it's good to know that SAP is working on a solution (sorry for my earlier cynicism).

I can definitely appreciate that SAML and certificates have broader uses, but in my experience the main use cases for implementing NWBC are to replace existing internal entry points to SAP i.e.:

  • NWBC (Desktop) instead of SAPGUI
  • NWBC (HTML) instead of Portal

As both SAPGUI and Portal already support Kerberos, and this capability is widely used, I believe that the absence of Kerberos support is a major obstacle in the customer adoption of NWBC.  This really is a shame, as I believe that NWBC provides many advantages.  I can only hope that you are able to share more details of the SAP solution soon.

Cheers,

Jon

0 Kudos

Hi Jon,

no problem - any integration of Kerberos for Web ABAP applications would mean a small "operation" deep in the ABAP stack. --> so this is not done in one week

I am sure SAP has an update on this topic on SAP TechEd and of course also on SCN.

Regards

Matthias

0 Kudos

Jonathan,

SAP missed the boat on SSO for NWBC with ABAP systems. As you state, SAPGUI and Portal already support Kerberos, but NWBC seems to have been forgotten when it comes to SSO - at least for earlier versions of NetWeaver.

There appear to be several solutions (NW SSO 1.0 SP4) available for later versions of NetWeaver (7.2, 7.3) but many customers have NW 7.0 EHP1 or 2. Our customer requested NWBC SSO with their ABAP system and they have NW 7.0 EHP2. I already have SAPGui SSO working with Kerberos for our customer, but NWBC SSO is proving to be a challenge. Our customer has NWBC 3.0 connecting to an ABAP-only ECC EHP5, NetWeaver 7.0 EHP2 (7.02).

I'm trying to determine the best, fastest, easiest installation for NWBC SSO for our customer's version of NetWeaver and it's been quite a frustrating process.

Vicki

Former Member
0 Kudos

Dagfinn,

There appear to be several solutions (NW SSO 1.0 SP4) available for later versions of NetWeaver (7.2, 7.3) but many customers have NW 7.0 EHP1 or 2. Our customer requested NWBC SSO with their ABAP system and they have NW 7.0 EHP2. I already have SAPGui SSO working with Kerberos for our customer, but NWBC SSO is proving to be a challenge. Our customer has NWBC 3.0 connecting to an ABAP-only ECC EHP5, NetWeaver 7.0 EHP2 (7.02).

I'm trying to determine the best, fastest, easiest installation for NWBC SSO for our customer's version of NetWeaver and it's been quite a frustrating process.

Can you recommend a possible solution for this version of NetWeaver? Would it be a good idea to upgrade NWBC? Can I use Kerberos for NWBC SSO?

0 Kudos

Hi,

to avoid any misunderstandings ....

There appear to be several solutions (NW SSO 1.0 SP4) available for later versions of NetWeaver (7.2, 7.3) but many customers have NW 7.0 EHP1 or 2.

Only the component "secure login server" of SAP NW SSO has to run on SAP NW Java 7.2 or 7.3. Not the target systems! So X.509-based authentication is also supported in a SAP Web Application Server 6.40.

Regards

Matthias

0 Kudos

Hi all, sorry if this has been mentioned already.

Alternative 1. For info, you probably have an implicit license for SAP NW Identity Management. This includes a SAML 2.0 Identity Provider.

Search for IDMFEDERATION06_0-10010028.SCA in SWDC and "Implementation Guide SAP NetWeaver Identity Management Identity Provider.pdf".

I hope this helps.

Kind regards, Jamie

0 Kudos

Hi Jamie,

to avoid misunderstanding:

SAP NWBC for Windows contains an integration with SAP GUI for Windows. SAP NWBC does not officially support SAML. There are some use cases which work by chance (only Web-based applications in NWBC).

So the current options for SAP NWBC for Windows:

SAP NW SSO with certificates

SAP Logon Tickets

Future plans:

SPNego for ABAP for NWBC

SAML -> no client software needs to be distributed -> this is a nice solution if all your back-end systems support this standard already. An integration of non-SAP applications is possible and this also works across domains. On the client side you can use different OS systems. SAML is a standard for Web single sign-on (SAP Portal, Web Dynpro for ABAP, Java, other Web applications). It does not support SAP GUI for Windows.

Regards

Matthias

0 Kudos

Hi Matthias,

Apologies for any confusion. My company is trying to expose Web Dynpro ABAP HCM web services, using SSO from SharePoint to SAP. This is with the Web version of NWBC.

Can you please advise if this would work with SAML 2.0?

Our SAP UK consulting manager has advised us that this will work with SAP NW SSO or SAP NW IDM. This has led to my assumption that we could use the SAP NW IDM SAML 2.0 Identity Provider.

Assumptions are clearly dangerous.

Kind regards, Jamie

0 Kudos

Hi Jamie,

NWBC and SSO is very complicated 🙂 I am planning to write a blog with all my findings but this will take some time ....

So the Web version of NWBC is based on the SAP Internet Communication Manager (transactions ... SMICM, SICF). SAP GUI-based transactions are integrated via the WEBGUI. There is no SAP GUI involved by default. So all the standard authentication methods should work (SAML, X.509, SAP Logon Tickets) --> But I did not try it out myself yet

The SAML IdP is historically part of SAP NW SSO and SAP NW IDP. But you have to take care about the details of your IDM licenses. New major SSO functions we will add to SAP NW SSO. I try to avoid talking about any detailed license questions in SCN (those are the official rules - SCN is about solutions, not about licenses). The contact person for license-related questions is always the account executive.

Regards

Matthias

Remark:

If some content owner or custom developer starts to use SAP Shortcuts (not very secure in my point of view), then you will have a problem again.

0 Kudos

Many thanks for confirmation Matthias.

We will discuss with our account manager.

Kind regards, Jamie

0 Kudos

Matthias,

Is there any progress on this situation?

We are in the middle of a project for ESS/MSS and are using NWBC 4.0 and SAP GUI.

We do not have Portal and can get SSO working (Kerberos) on SAP GUI, but getting it working for NWBC is the key, as 90% of our end users will be using that method of connectivity.

Please update your findings/info on this issue!

Thanks!

Chris

0 Kudos

Hi Matthias,


We would appreciate any update; we also would like to know the easiest way to enable SSO for NWBC 4.0.

Thanks a lot.


BR,

Eric

0 Kudos

That depends on your system landscape. If you are using MS AD for client authentication and if you want to access ABAP systems directly, I would recommend that you configure Kerberos & SPNEGO with SAP NW SSO. This is a simple and secure solution.

Requirement for SPNEGO for ABAP with SAP NW SSO:

ABAP 7.02 SP14

ABAP 7.03 SP07

ABAP 7.40 SP02

If you use NWBC only for Web-based applications, you can also think about using SAP Logon Tickets.

Regards

Matthias

0 Kudos

Matthias,

Do you happen to know if the version of SAP NW SSO that would support this is the one licensed with Netweaver (i.e. an ERP/Business Suite customer would already have access to it) or if it requires its own distinct license (which is my understanding)?

Eric

0 Kudos

Hi Eric,

SAP NetWeaver Single Sign-On is a separate product based on an acquisition some years ago. It is not part of the SAP NetWeaver license. For detailed license questions, you have to contact your SAP sales contact person (I am not in the sales organisation).

Please check this link regarding SSO and NWBC with all options:

That is al

Regards

Matthias

Former Member
0 Kudos

Single Sign-on for WEBGUI with SecureAuth [third-party tool]: while logging in to the system, the "system message" is not shown in Web Dynpro standard and customized URLs. However, it works without SSO.

Could anyone please give any idea about this issue?