Single Sign-On 2.0 Documentation

MikeDumas
Participant
0 Kudos

Greetings all,

We ran a pilot test of SSO 1.0 a few years ago and have decided to revisit SSO 2.0.  I have found the implementation guide and the master document as well as the great SSO 1.0-based videos, but I find that the screens we encountered in 1.0 have absolutely no match to those in 2.0, and the current guides don't have any screen shots and don't follow a logical sequence.  I'm struggling to even match the terminology used between the 1.0 and 2.0 screens.  Is there anywhere to find good documentation on this product?

Thanks,

Mike Dumas

Accepted Solutions (0)

Answers (2)

Former Member
0 Kudos

Hi Alexander,

I did try to change the option and the error was gone. However, it seems that the EvaluateTicketLoginModule still fails, so the login falls through to the basic password login module.

LOGIN.OK

User: Administrator

IP Address: 172.21.200.76

Authentication Stack: sap.com/tc~lm~itsam~ui~mainframe~wd*webdynpro_resources_sap.com_tc~lm~itsam~ui~mainframe~wd

Login Module                                                               Flag        Initialize  Login      Commit     Abort      Details

1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          false      false                

        #1 trusteddn1 = CN=DV2,OU=I0020180324,OU=SAP Web AS,O=SAP Trust Community,C=DE

        #2 trusteddn2 = CN=DV2,OU=I0020180324,OU=SAP Web AS,O=SAP Trust Community,C=DE

        #3 trusteddn3 = OU=J2EE,CN=C74

        #4 trustediss1 = CN=DV2,OU=I0020180324,OU=SAP Web AS,O=SAP Trust Community,C=DE

        #5 trustediss2 = CN=DV2,OU=I0020180324,OU=SAP Web AS,O=SAP Trust Community,C=DE

        #6 trustediss3 = OU=J2EE,CN=C74

        #7 trustedsys1 = DV2,503

        #8 trustedsys2 = DV2,000

        #9 trustedsys3 = C74,000

        #10 ume.configuration.active = true

2. com.sap.engine.services.security.server.jaas.ClientCertLoginModule      SUFFICIENT  ok          false      false                

        #1 Rule1.attributeName = CN

        #2 Rule1.getUserFrom = subjectName

3. com.sap.security.core.server.jaas.CreateTicketLoginModule               OPTIONAL    ok          false      false                

        #1 ume.configuration.active = true

4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   SUFFICIENT  ok          true       true                 

Central Checks                                                                                                true   

Regards,

Tom

Former Member
0 Kudos

Hi Thomas,

At first sight, I'd guess your logon stack is not correct.

For the EvaluateTicketLogin to work, CreateTicketLogin has to be gone through.

Based on your above stack, I'd assume the following could be correct:


1. EvaluateTicketLogin: Sufficient

2. ClientCertLoginModule: Optional

3. CreateTicketLogin: Sufficient

4. BasicPassword: Requisite

5. CreateTicketLogin: Optional

see User Authentication and Single Sign-On - SAP Library for a discussion of the different options.

Kind regards,

Patrick
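The flags Patrick is juggling (SUFFICIENT, REQUISITE, OPTIONAL) are the standard JAAS LoginContext control flags, and the difference between the two stacks is easiest to see by walking them. The following is an added simulation written for this page; it is neither SAP's code nor part of the thread. The four module functions are simplified stand-ins whose only assumed behaviour is the one the discussion relies on: CreateTicket can issue a ticket only for a user that an earlier module has already placed into the shared state.

```python
from enum import Enum
from typing import Callable, Dict, List, Tuple

# Constructed simulation of how a JAAS LoginContext walks an ordered login
# stack (javax.security.auth.login semantics). The module functions below are
# simplified stand-ins, NOT SAP's implementations.


class Flag(Enum):
    REQUIRED = "REQUIRED"
    REQUISITE = "REQUISITE"
    SUFFICIENT = "SUFFICIENT"
    OPTIONAL = "OPTIONAL"


Creds = Dict[str, str]
State = Dict[str, object]
Module = Callable[[Creds, State], bool]
Stack = List[Tuple[str, Flag, Module]]


def evaluate_ticket(creds: Creds, state: State) -> bool:
    """Stand-in for EvaluateTicketLoginModule: accepts a presented logon ticket."""
    if creds.get("ticket") == "valid":
        state["user"] = creds["user"]
        return True
    return False


def client_cert(creds: Creds, state: State) -> bool:
    """Stand-in for ClientCertLoginModule: accepts a presented client certificate."""
    if creds.get("cert") == "valid":
        state["user"] = creds["user"]
        return True
    return False


def create_ticket(creds: Creds, state: State) -> bool:
    """Stand-in for CreateTicketLoginModule: issues a ticket only for an
    already authenticated user (assumption: earlier module wrote state['user'])."""
    if "user" in state:
        state["ticket_issued"] = True
        return True
    return False


def basic_password(creds: Creds, state: State) -> bool:
    """Stand-in for BasicPasswordLoginModule: checks the password."""
    if creds.get("password") == "correct":
        state["user"] = creds["user"]
        return True
    return False


def run_stack(stack: Stack, creds: Creds) -> Tuple[bool, State, List[Tuple[str, str, bool]]]:
    """Login phase of a JAAS LoginContext.

    Returns (overall success, shared state, trace of (module, flag, login result))."""
    state: State = {}
    trace: List[Tuple[str, str, bool]] = []
    required_failed = False
    any_success = False
    has_required = any(f in (Flag.REQUIRED, Flag.REQUISITE) for _, f, _ in stack)
    for name, flag, module in stack:
        ok = module(creds, state)
        trace.append((name, flag.value, ok))
        if ok:
            any_success = True
            # A successful SUFFICIENT module ends the walk, unless a REQUIRED
            # module earlier in the stack has already failed.
            if flag is Flag.SUFFICIENT and not required_failed:
                return True, state, trace
        elif flag is Flag.REQUISITE:
            return False, state, trace  # abort at once; later modules never run
        elif flag is Flag.REQUIRED:
            required_failed = True  # keep walking, but the login is already lost
    if has_required:
        return not required_failed, state, trace
    return any_success, state, trace


# Tom's stack as posted: CreateTicket runs BEFORE the module that authenticates.
TOM_STACK: Stack = [
    ("EvaluateTicketLoginModule", Flag.SUFFICIENT, evaluate_ticket),
    ("ClientCertLoginModule", Flag.SUFFICIENT, client_cert),
    ("CreateTicketLoginModule", Flag.OPTIONAL, create_ticket),
    ("BasicPasswordLoginModule", Flag.SUFFICIENT, basic_password),
]

# Patrick's proposal: CreateTicket after the certificate module (SUFFICIENT, so a
# certificate logon never reaches the password prompt) and again after the password check.
PATRICK_STACK: Stack = [
    ("EvaluateTicketLoginModule", Flag.SUFFICIENT, evaluate_ticket),
    ("ClientCertLoginModule", Flag.OPTIONAL, client_cert),
    ("CreateTicketLoginModule", Flag.SUFFICIENT, create_ticket),
    ("BasicPasswordLoginModule", Flag.REQUISITE, basic_password),
    ("CreateTicketLoginModule", Flag.OPTIONAL, create_ticket),
]

if __name__ == "__main__":
    creds = {"user": "Administrator", "password": "correct"}
    for label, stack in (("Tom", TOM_STACK), ("Patrick", PATRICK_STACK)):
        ok, state, trace = run_stack(stack, creds)
        print(f"{label}: login={ok} ticket_issued={state.get('ticket_issued', False)}")
        for name, flag, result in trace:
            print(f"  {name:28} {flag:10} login={result}")
```

With a password-only logon, Tom's stack succeeds but issues no ticket, because CreateTicket ran third, before BasicPassword had authenticated anyone; Patrick's stack succeeds with a ticket issued by the fifth module, so the next request can be accepted by EvaluateTicket at position 1 and the walk stops there. A wrong password aborts at the REQUISITE module and nothing after it runs.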

Former Member
0 Kudos

Hello,

have you tried the videos?

http://scn.sap.com/docs/DOC-40178

http://scn.sap.com/docs/DOC-40179

best regards

Alexander Gimbel

MikeDumas
Participant
0 Kudos

Hi Alexander,

I first found those and was excited to run through them, but 40178 doesn't cover Secure Login Server specifically and 40179 is for SSO 1.0 and all the screens have changed in 2.0.

Thanks,

Mike Dumas

Former Member
0 Kudos

Hi Michael,

Please check the following videos:

Which use case are you trying to implement? Secure Login Server using which backend for authentication?

KR

Valerie

MikeDumas
Participant
0 Kudos

Hi Valerie,

We want to set up SSO for our CRM web ui and NWBC.  We're using AD authentication.  We already have SNC for SAP Gui working.

As good as the videos are, they don't map to SSO 2.0.

Thanks,

Mike

Former Member
0 Kudos

Hi Mike,

If you want to use SPNego for ABAP for the Web UI and NWBC, then the following video should be helpful:

You can find more information in the implementation guide http://help.sap.com/download/sapsso/secure_login_impl_guide_en.pdf, chapter 4.7.5 Kerberos Authentication for HTML-Based User Interfaces Using SAP NetWeaver AS for ABAP with SPNego

KR

Valerie

Former Member
0 Kudos

Hi Alexander,

Just a follow-up question regarding SSO 2.0. I did manage to get it working on the AS ABAP end with the help of the 40179 demo. However, I can't quite figure out the configuration for AS JAVA (without SSL).

My questions are...


(1) Is it possible to use SSO 2.0 without SSL?

(2) can I configure AS JAVA to use AS ABAP UME, unlike secure login server where UME should be LDAP?

Please advise. Thank you.

Regards,

Tom

Former Member
0 Kudos

Hello,

to (1): The communication between Secure Login Server and Secure Login Client should be secured by SSL to prevent eavesdropping, so it's recommended.

Why do you not want to use SSL? Or do you mean the communication against ABAP? Here you can use SNC with SAP GUI instead of the web-based UI with SSL.

to (2): Yes, you can bind the UME against an AS ABAP DB. Then the "Basic Password authentication" can be used as authentication method on the Secure Login Server.

But if you use Kerberos/SPNEGO as authentication method with Secure Login Server, it's recommended to use the Virtual User feature or bind the Active Directory against the UME.

What kind of authentication method do you want to use? 

best regards

Alexander Gimbel

Former Member
0 Kudos

Hi Alexander,

Thank you for your response.

(1) is there a tutorial for its setup? 40179 demo only shows w/ SSL configuration.

(2) the authentication method at the moment is SPNEGO, and the UME is bound to AS ABAP, which is probably why single sign-on does not work.

Again, thank you.

Regards,

Tom

Former Member
0 Kudos

Hello Thomas,

(1) for the SSL Java configuration there is a help page

http://help.sap.com/saphelp_sfin100/helpdata/de/ee/de34e6754f4caaa5f73f38d9bde3f7/content.htm

But it does not describe how to get a certified SSL key/certificate with the help of Secure Login Server.

This must be done like this:

1. go to Secure Login Server Administration Console, Certificate Management

2. select the SSL Sub CA and press the "Issue Entry" button

3. put the fully qualified hostname of the AS Java server in the DNS Name and Common Name fields

4. go to Netweaver Administration, SSL configuration

5. go to edit mode and under Server Identity, Copy Entry

6. choose the view "SecureLoginServer", select the generated key (not the -cert entry) and import

7. delete the self-signed certificate

8. press Save in SSL configuration; all should be green now (maybe an ICM restart is required).

(2) Can you please add a "security troubleshooting wizard" trace (server trace) for one SPNEGO authentication request from the Secure Login Client to the Secure Login Server? It will help to analyze the problem.

best regards

Alexander Gimbel


Former Member
0 Kudos

Hi Alexander,

Here's the error I got from the trace...

Cannot initialize login module com.sap.engine.services.security.server.jaas.ClientCertLoginModule.

[EXCEPTION]

com.sap.engine.services.security.server.jaas.cclm.InvalidOptionsException: getUserFrom 'SubjectName' is not a legal option!

GetUserFrom field - cannot assign value :Subject

at com.sap.engine.services.security.server.jaas.cclm.RuleHelper.options2Rules(RuleHelper.java:104)

at com.sap.engine.services.security.server.jaas.ClientCertLoginModule.initialize(ClientCertLoginModule.java:96)

at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.initialize(LoginModuleLoggingWrapperImpl.java:204)

at com.sap.engine.services.security.login.LoginContextFactory.initializeLoginContext(LoginContextFactory.java:186)

at com.sap.engine.services.security.login.FastLoginContext.logoutSession(FastLoginContext.java:853)

at com.sap.engine.services.security.login.SecuritySession.logout(SecuritySession.java:365)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)

...

Regards,

Tom

Former Member
0 Kudos

Hi Thomas,

if you want SPNEGO authentication with the Secure Login Client, you are using the wrong stack.

You can use the default SecureLoginSPNEGOStack.

1. go to the Secure Login Server Console

2. search for the authentication profile you use and go to edit mode

3. on the "User Authentication" tab below, choose the SecureLoginSPNEGOStack as policy configuration.

4. press save.

best regards

Alexander Gimbel


Former Member
0 Kudos

Hi Alexander,

Thanks for the help. Unfortunately, my colleagues decided to have SSL instead, and now I am faced with another issue. I hope you can still help me out.

Certificate Error: Navigation Blocked - "Server's certificate does not match the URL."


Although, I can continue (not recommended), I hope that it can be rectified. Upon checking, it seems that the certificate in question is the SSL certificate. Including the Secure Login Server Root CA to the SSL Trusted CAs didn't work either.


Thanks, again.


Regards,


Tom

Former Member
0 Kudos

Hi Thomas,

this is an easy one. The server certificate contains a so-called common name (CN), which should be the name of the host. This needs to be the same as the hostname that is part of the URL.

In your case it seems that the CN is something like firsthost.somedomain.com but the URL looks like http://otherhost.somedomain.com.

You can either change the URL or change the certificate of the server.

regards,

Patrick
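The check Patrick describes (certificate name versus URL host) is the one every TLS client performs before it trusts a server certificate, and it is also why Alexander's step 3 above asks for the FQDN in both the DNS Name and the Common Name fields: RFC 6125 clients, including current browsers, ignore the CN as soon as the certificate carries a dNSName subjectAltName, so a certificate with only a correct CN still produces this error. The following is an added example for this page, not code from the thread or from SAP; it works on the dictionary shape Python's `ssl.SSLSocket.getpeercert()` returns, and the certificates in it are constructed to mirror the thread's situation.

```python
import ipaddress
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Added example: server-name matching as a TLS client does it, written against
# the dict layout of ssl.SSLSocket.getpeercert(). Certificates below are constructed.


def match_dns_name(pattern: str, host: str) -> bool:
    """RFC 6125 style comparison of one dNSName or CN value against the URL host.

    Case-insensitive. A single '*' is allowed only as the complete left-most label,
    never matches across a dot, and needs at least two further labels (rejects '*.com')."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def common_name(cert: Dict) -> Optional[str]:
    """Pull the subject CN out of the nested RDN tuples getpeercert() produces."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def cert_matches_url(cert: Dict, url: str) -> Tuple[bool, str]:
    """Decide whether `cert` is valid for the host in `url`; returns (ok, reason)."""
    host = urlsplit(url).hostname
    if not host:
        return False, "URL carries no host name"
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal in the URL is matched only against iPAddress SANs, never the CN.
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, f"matched iPAddress SAN {value}"
        return False, f"no iPAddress SAN for {host}"
    dns_names = [value for kind, value in sans if kind == "DNS"]
    if dns_names:
        # RFC 6125 / RFC 2818: once dNSName SANs are present the CN is not consulted,
        # so a certificate whose only correct name is the CN still fails here.
        for name in dns_names:
            if match_dns_name(name, host):
                return True, f"matched dNSName SAN {name}"
        return False, f"{host} is not among SAN {dns_names}"
    cn = common_name(cert)
    if cn is None:
        return False, "certificate has neither dNSName SAN nor CN"
    if match_dns_name(cn, host):
        return True, f"matched CN {cn} (legacy fallback, no SAN present)"
    return False, f"CN {cn} does not match URL host {host}"


# Constructed: the thread's situation, CN and SAN both name firsthost, the URL names otherhost.
FIRSTHOST_CERT: Dict = {
    "subject": ((("countryName", "DE"),), (("commonName", "firsthost.somedomain.com"),)),
    "subjectAltName": (("DNS", "firsthost.somedomain.com"),),
}

if __name__ == "__main__":
    for url in ("https://firsthost.somedomain.com:50001/nwa",
                "https://otherhost.somedomain.com:50001/nwa"):
        print(url, "->", cert_matches_url(FIRSTHOST_CERT, url))
```

Running it shows the first URL matching the SAN and the second rejected with the reason a browser would only summarise as "Server's certificate does not match the URL." The fix options are exactly Patrick's two: use the host name the certificate was issued for, or issue a certificate (step 3 above) whose DNS Name and Common Name both carry the host name users actually type.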