cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Single Sign On - Selection / Strategy

Former Member

on ‎02-19-2015 4:24 PM

0 Kudos

Hello,

I do have a basic question about selecting the "best" strategy for implementing Single Sign On at least for our SAP systems (ABAP & JAVA) or at least to understand the difference, benefits and limitations.

I have gone thru a lot of documents and also the short videos here in the community about "SAP (Netweaver) Single Sign On 2.0" and do like this approach.

Our SAP Account Executive - who also recommended this forum to get useful information - told me that "SAP Single Sign On 2.0" would require additional licenses while the classic/included SSO does not.

I know from other customers that SSO with SPNEGO works "out of the box" for JAVA systems without additional licenses.

I'm just wondering where the difference or limitations are and which part causes the additional licenses.

Requirements from our side is that this SSO solution should cover ABAP and JAVA systems (no 3rd party systems required, just optional) and must work with GUI and web.

Thanks, for your help,

Michael

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (1)

Answers (1)

tim_alsop
Active Contributor
‎02-19-2015 6:05 PM
0 Kudos

The most common and easiest way (especially if your users logon to their workstations using Active Directory credentials) is to use SNC for SAP GUI users who logon to ABAP systems, and SPNEGO for web based access to ABAP and JAVA systems. As you mentioned, the SPNEGO JAVA functionality is free, but other logon methods would require a product to be licensed, either using the SAP SSO product or a SAP SSO product from a SAP partner.

Thanks

Tim

Show replies
Show replies
Former Member
‎02-20-2015 11:45 AM
0 Kudos

Hello Tim,

thanks for the answer.

So, if I understand this correctly

As we want to use SSO for SAP Business Suite apps only (no cloud, no non-SAP)

- using Kerberos

- for all SAP apps (ABAP & JAVA)

- no additional servers

- Encryption

and using our AD credentials

we can use SNC for GUI and SPNEGO for web based apps.

These would not require additional licences, correct?

I assume that the Secure Login Server for SAP Single Sign On 2.0 (for also non-SAP apps) is the part that will require extra licenses. As we don't need this we should be good to start.

Please let me know if I'm still on the right way 😉

Thanks,

Michael

tim_alsop
Active Contributor
‎02-20-2015 11:50 AM
0 Kudos

Michael,

Your summary is correct apart from the last part when you mention licensing. As I mentioned, the only part which is free is SPNEGO JAVA. For SPNEGO on ABAP and SNC for SAP GUI SSO with Kerberos, you need a license for an SSO product, either the SAP product or a SAP SSO product from an SAP partner.

Thanks

TIm

donka_dimitrova
Contributor
‎02-20-2015 12:21 PM
0 Kudos

Hello Michael,

As mentioned by Tim, for User based SSO with X.509 or Kerberos, like SNC for SAP GUI or RFC clients you need to pay license for an SSO product.

Please, find for more details the note that explains the license requirement for the CommonCryptoLib (SAP Single Sign-On product): 1848999 - Central Note for CommonCryptoLib 8 (replacing SAPCRYPTOLIB)

Regards,

Donka Dimitrova

Former Member
‎02-20-2015 12:27 PM
0 Kudos

Thanks Donka and Tim,

guess that answers my question. I will check the mentioned note and come in case of questions.

Michael

Ask a Question