Mobile Single Sign On from iOS 7 to SAP NetWeaver
Update: In the meantime SAP has delivered its SAP Authenticator app, which should be evaluated for mobile single sign-on. See Simple and Secure Mobile Single Sign-On with SAP Authenticator
With the release of iOS 7, Apple added several security features to its operating system. One of them is so-called enterprise single sign-on, which makes it possible to log in once and access backend systems from various apps without storing any credentials on the device. In this blog post I explain how that feature can be used to achieve single sign-on to an SAP NetWeaver system. The example below uses an SAP NetWeaver Gateway system, but any HTTP-based API or UI can be accessed the same way, including Web Dynpro and WebGUI.
Here is what you can expect as the final result:
When you start an app that connects to an SAP NetWeaver Gateway system for the first time, iOS detects that authentication is required and shows a popup asking you to enter your credentials.
The next time an app (either the same one or another) connects to a configured system (the same SAP NetWeaver Gateway system or another configured one), iOS reuses the authentication information and shows no popup,
but it still authenticates to the backend system, and the app receives a positive response.
The credentials are shared with neither the mobile app nor SAP NetWeaver Gateway. Instead iOS exchanges them at the KDC for a Kerberos ticket, and that ticket is what authenticates the user to the SAP NetWeaver Gateway system. As long as the ticket has not expired (typically around 8 hours; the exact lifetime is set by the KDC policy), SSO keeps working. Afterwards the user is asked to enter his credentials again.
Technically this is based on Kerberos. For Kerberos to work, three parties are needed:
- a client – this is the iOS device
- an authentication server (the Kerberos KDC) – in most enterprises this already exists, e.g. the domain controller in a Windows environment. iOS contacts it to obtain a service ticket for the server an app wants to connect to
- a service server – this is the server a mobile app connects to, e.g. SAP NetWeaver Gateway. iOS presents the service ticket it obtained from the authentication server in order to authenticate; the ticket is carried to the server in the HTTP Negotiate authentication scheme (SPNEGO)
All three need to be configured for Kerberos to work.
Configuration on the iOS Device
iOS lets you control which apps may use the Kerberos account for which servers. This is done with configuration profiles; iOS 7 introduced a new SSO payload type (com.apple.sso) for this purpose. Here is a sample configuration profile to be installed on the device:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>SSO Settings</string>
<key>PayloadType</key>
<string>com.apple.sso</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadUUID</key>
<string>d3fe4709-0cc6-4f51-afed-839c6ab1451c</string>
<key>PayloadIdentifier</key>
<string>com.sap.example.sso</string>
<!-- Name is only the display name of the account shown on the device -->
<key>Name</key>
<string>username@EXAMPLE.COM</string>
<key>Kerberos</key>
<dict>
<!-- PrincipalName is optional; leave it out and iOS asks the user at install time -->
<key>PrincipalName</key>
<string>username</string>
<key>Realm</key>
<string>EXAMPLE.COM</string>
<!-- plain string prefixes, no wildcards; host and host:443 are separate entries -->
<key>URLPrefixMatches</key>
<array>
<string>https://example.com/</string>
<string>https://example.com:443/</string>
</array>
<!-- bundle identifiers; a trailing * is the only wildcard allowed -->
<key>AppIdentifierMatches</key>
<array>
<string>com.apple.mobilesafari</string>
<string>com.sap.*</string>
</array>
</dict>
</dict>
</array>
<key>PayloadOrganization</key>
<string>SAP</string>
<key>PayloadDisplayName</key>
<string>SSO for SAP</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadUUID</key>
<string>f4544183-fc96-495f-a384-435cdb66e5b9</string>
<key>PayloadIdentifier</key>
<string>com.sap.example.sso.profile</string>
<key>PayloadDescription</key>
<string>SSO Configuration profile</string>
<key>PayloadType</key>
<string>Configuration</string>
</dict>
</plist>
The configuration profile can be installed by any means iOS supports, but usually that is done via an MDM solution or by having the user pull it from an HTTP server.
The most important attributes in the configuration profile are:
- PrincipalName – the username. It is optional; if it is missing, the user is asked to enter the username when the profile is installed.
- Realm – the Kerberos realm name. The realm's KDC must be reachable from the device – by connecting the device to the corporate network, via VPN, or via per-app VPN (another new feature in iOS 7).
- URLPrefixMatches – the list of URL prefixes for which Kerberos is used. If an app connects to a URL that starts with one of those prefixes, Kerberos is activated; otherwise a standard HTTP call without Kerberos is made. The comparison is a plain string prefix match, so every valid prefix must be listed explicitly: a pattern such as https://*.example.com/ does not work, and https://example.com/ does not cover https://example.com:443/, which is why the sample lists both.
- AppIdentifierMatches – the bundle identifiers of the apps that are allowed to use the Kerberos account. Allowed app IDs must be listed explicitly, but a wildcard is permitted at the end, e.g. com.sap.*. Note that this is a match on the bundle identifier string, not on who signed the app.
The sample configuration profile above activates Kerberos for Safari as well as for any app whose bundle identifier starts with com.sap. Activation for Safari makes it possible to reach even WebGUI or Web Dynpro via Kerberos. Of course, that can be disabled on the SAP AS ABAP side, or by leaving Safari out of AppIdentifierMatches.
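To make the matching rules concrete, here is an added Python example (it is not part of the original post and not SAP's or Apple's code) that builds such a profile with the standard library's plistlib, rejects the patterns the post says are unsupported, and answers the question "would iOS use the Kerberos account for this app and URL?". The comparison semantics implemented (plain string prefix for URLs, a single trailing * for app identifiers) follow the description above; anything beyond that, such as case handling, is an assumption of the example. Realm, URLs and bundle identifiers are the ones from the sample profile.

```python
"""Build and sanity-check an iOS 7 com.apple.sso (Kerberos) configuration profile.

Added example. Matching rules follow the article: URL prefixes are compared as
plain strings with no wildcard support; app identifiers allow one trailing '*'.
Case handling is an assumption of this example, not Apple's documented behaviour.
"""
import plistlib
import uuid

PAYLOAD_TYPE = "com.apple.sso"


def check_rules(url_prefixes, app_ids):
    """Return human-readable problems with the match lists; [] means they look valid."""
    problems = []
    for prefix in url_prefixes:
        if not (prefix.startswith("http://") or prefix.startswith("https://")):
            problems.append(f"URL prefix must start with http:// or https://: {prefix}")
        if "*" in prefix or "?" in prefix:
            problems.append(f"wildcards are not supported in URLPrefixMatches: {prefix}")
    for app_id in app_ids:
        star = app_id.find("*")
        if star != -1 and star != len(app_id) - 1:
            problems.append(f"'*' is only allowed at the end of an app identifier: {app_id}")
    return problems


def build_sso_profile(realm, url_prefixes, app_ids, principal=None,
                      identifier="com.example.sso", organization="Example Org"):
    """Return the .mobileconfig XML as bytes; raise ValueError if the rules are invalid."""
    problems = check_rules(url_prefixes, app_ids)
    if problems:
        raise ValueError("; ".join(problems))
    kerberos = {
        "Realm": realm,
        "URLPrefixMatches": list(url_prefixes),
        "AppIdentifierMatches": list(app_ids),
    }
    if principal:  # optional: omit it and iOS prompts for the user ID at install time
        kerberos["PrincipalName"] = principal
    sso_payload = {
        "PayloadType": PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadIdentifier": identifier + ".kerberos",
        "PayloadDisplayName": "SSO Settings",
        "Name": f"{principal}@{realm}" if principal else realm,  # display name only
        "Kerberos": kerberos,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadIdentifier": identifier + ".profile",
        "PayloadDisplayName": f"SSO for {realm}",
        "PayloadDescription": "SSO configuration profile",
        "PayloadOrganization": organization,
        "PayloadContent": [sso_payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def app_id_matches(pattern, app_id):
    """Exact match, or prefix match when the pattern ends in '*' (e.g. com.sap.*)."""
    if pattern.endswith("*"):
        return app_id.startswith(pattern[:-1])
    return app_id == pattern


def kerberos_applies(profile_xml, app_id, url):
    """Would iOS use the profile's Kerberos account for this app and URL?

    Both conditions from the article must hold: the URL starts with one of the
    listed prefixes (plain string comparison, so 'https://h/' and 'https://h:443/'
    are different entries) and the bundle identifier matches one of the patterns.
    The example assumes URLPrefixMatches is present, as build_sso_profile writes it.
    """
    profile = plistlib.loads(profile_xml)
    for payload in profile["PayloadContent"]:
        if payload.get("PayloadType") != PAYLOAD_TYPE:
            continue
        krb = payload["Kerberos"]
        url_ok = any(url.startswith(p) for p in krb.get("URLPrefixMatches", []))
        app_ok = any(app_id_matches(p, app_id) for p in krb.get("AppIdentifierMatches", []))
        if url_ok and app_ok:
            return True
    return False


if __name__ == "__main__":
    xml = build_sso_profile(
        "EXAMPLE.COM",
        ["https://example.com/", "https://example.com:443/"],
        ["com.apple.mobilesafari", "com.sap.*"],
        principal="username",
    )
    print(xml.decode())
    print(kerberos_applies(xml, "com.sap.fiori", "https://example.com/sap/opu/odata/"))
```

Running the block prints the generated profile and `True` for an SAP-prefixed app hitting the Gateway URL; the same call with `https://gw.example.com/` or with the bundle identifier `com.sapx` returns `False`, because neither the host nor the `com.sap.` prefix matches.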
Configuration on the Authentication Server
iOS uses DNS SRV records to locate the KDC of the Kerberos realm, so those records must be registered in the DNS server the iOS device uses (directly or via VPN). To test whether that is set up correctly, connect a laptop to the same network the iPad/iPhone uses and execute
nslookup -querytype=SRV _kerberos._tcp.EXAMPLE.COM
where EXAMPLE.COM is replaced with your realm name. The answer should list the KDC's hostname and port (88 by default). If you get an error instead (e.g. that the domain does not exist), DNS is not configured correctly and you should ask your network administrators to change that. The device must also resolve the SAP server's fully qualified hostname as used in the URL, since that is the name the HTTP/ service principal is registered for.
In a Windows environment the domain controller registers its Kerberos SRV records automatically, so one only needs to make sure the iOS device uses the same DNS server (by adjusting the Wi-Fi or VPN settings). In case of issues, follow http://support.microsoft.com/kb/816587 or http://technet.microsoft.com/en-us/library/dd378871.aspx.
Configuration on the Service Server
SAP NetWeaver needs to be configured to use SPNEGO/Kerberos and to trust tickets issued by the authentication server the iOS devices use. For that you need:
- a supported version of SAP NetWeaver Application Server – see SAP Note 1798979 for details
- a license for the product SAP NetWeaver Single Sign-On 2.0 (or higher)
- several configuration steps – more details on configuring Kerberos on SAP AS ABAP are in the videos linked here
- depending on the SAP AS ABAP and SAP NetWeaver SSO versions you have, you might need to apply SAP Note 1902749 or 1902750 for Kerberos from iOS to work correctly
Would this also work with portal using the SPNegoLoginModule?
Yes, that would work also with the portal as long as AS Java is on a release as documented in SAP Note 1766762
Nice article. But I am not clear on the role of NW SSO in the iOS 7 integration. What is its role here? I would appreciate it if you could help me understand it.
Do we need to deploy SLS? If yes how Mobile will get the certificate.
NW SSO consists of multiple components and SLS is just one of them. SLS is not required here. Instead, one would use Kerberos/SPNEGO with NW ABAP. In order to use SPNEGO with NW ABAP you need the Secure Login Library component of NW SSO (and thus a license for NW SSO).
Thanks Alex. Currently we have implemented NW SSO in one of our customer environments and there we are using X.509 certificate based authentication through Secure Login Client on the desktop. SAP Portal and SAP ECC are integrated for SSO using X.509.
But we are not sure how to achieve SSO for mobile apps. Do mobile applications support SSO only for Kerberos or do they support X.509 tickets? I would appreciate it if you could help us understand the integration.
What kind of mobile apps would be used - custom built/signed by the same vendor or apps signed by various vendors?
Hi Alex
We are stuck with something similar in our environment. Our BlackBerry users get an email in Outlook with links to approve and reject leaves (using NWBC). When they open the links, single sign-on has to be achieved. We are struggling to pass on the Kerberos token to the BlackBerry client. (Outlook on BlackBerry is already signed in and they try to open a link from the email which needs SSO to the backend ABAP server)
Also, SSO has been successfully achieved via NW SSO 2.0 with SPN, AD & SAP Server as per the recommendations and works successfully.
Request your suggestion here, please.
Regards
Sai
Hi Sai,
Did you get any solution on this?
Appreciate if you can share the solution if you have any.
Thanks
Sanath
Hi Sanath
I have received feedback to use SAML assertion tickets. Regarding Kerberos on BlackBerry, I have posted in the SAP mobile community for suggestions and am yet to receive replies.
We are also looking at other options. I will post in case we find a solution.
Regards
Sai
I have a fundamental question. When I launch Fiori Apps (or any web apps for that matter) running on a particular SAP system (lets say SAP Gateway or SAP Portal), it will ask for userid and password for the 1st time. After successful authentication, it sets a SAP Logon ticket cookie for 8 hrs (default) and so wouldn't ask for authentication again. So basically we are able to achieve the same outcome by using standard authentication.So why bother to implement Kerberos??
Kerberos as a standard can be used also for non-SAP backends. Thus with one technology you can achieve single sign on for both SAP and non-SAP. Another advantage is the possibility to reuse the Kerberos ticket among multiple native apps from various vendors
Are there any ways to avoid entering of initial password? (Based upon my experience so far, users find it very irritating to enter password on mobile devices)
Can Kerberos authentication use client certificate instead of userid and password? Its easy to roll out client certificate to user's mobile device and if this can be used for Kerberos authentication, this could be the preferred option...
You can natively use X.509 SSO, which provides seamless SSO without the need to enter a password. Disadvantages are a) it requires an MDM solution or other ways to provide the required authentication certificates to mobile devices, b) the authentication token is always stored on the device (statically) instead of a service ticket (valid only e.g. 8h) = security decision.
We always have those kind of discussions with our customers e.g. when we talk about SAML based auth. - same issue - first time authentication prompt required. But isn't that "Single" sign-On.. guess it is 😉
Agree, certs are good for native apps. But Safari (even on latest iOS7) doesn't support X-509 certificates so what to do for mobile-web-apps?
Dear Chandra,
have not heard about that. I am using certs with iOS 7
Where do you get this information from?
thx a lit
Carsten
Client certs working for Safari on iOS? As mentioned earlier, I need certs working for web apps. Cert for native apps work fine.
Thx, Chandra
Hi Chandra,
at least for my iOS devices, I do have X.509 certificates installed which are being used by Safari to connect to web servers. For instance I can log on with certificates at SCN. Actually this works at least since iOS 5 (most likely longer, but I have only tried then).
Regards,
Patrick
Hi Guys,
just set this up, and it worked for SAP NetWeaver ABAP Web Dynpro. It does not work with my SAP NetWeaver Java 7.31 system. Any time I try to access the Portal it requests the ST from the KDC for the right principal, but then in the J2EE trace I see:
Could not validate SPNEGO token.
[EXCEPTION]
java.io.IOException: OID: 1.2.840.113554.1.2.2 does not match SPNEGO OID: 1.3.6.1.5.5.2
Any idea what I can do here? Sounds to me like there is some incompatibility in regards to the GSSAPI token format. And maybe the SPNego implementation on the AS ABAP side used with SAP NW SSO 2.0 SP2 Patch1 does support this...
Has someone ever setup SSO via SPNego to Portal from iPad?
Thanks
Carsten
PS: SPNego is working well from Windows Client using IE browser, so no config issue with JAAS modules etc.
Hi Carsten,
You need to apply SAP Note 1766762 so that this can work on your portal, i.e. update portal AS Java to 7.31 SP6 or higher
Regards, Alexander
HI Alexander,
We are trying to implement SPNego from the iPad in iOS7 to the SAP Portal as well and we have the same issue. However, our Portal is NW 7.02. Is there a Patch on NW 7.02 to fix the SPNego Token issue, or do we need to upgrade the Portal to get this functionality?
We already use the Portal for all our Enterprise SSO using SPNego from the desktop, but we're looking to remove the dependency on the Portal by having SPNego at each ABAP System (if it makes sense to do so). Our ABAP Systems are going from 7.02 to 7.3x (or 7.4) over the next few months, so I have advised our teams to wait until the upgrades are done. Unfortunately we are also in the middle of deploying iPads to all our Sales Reps and they need SSO access to our CRM System. The only part that doesn't work is SPNego to the Portal.
Regards,
Paul
Hi, we need it to access the SAP Portal on iOS without a password. Can you please explain which attributes of this XML are mandatory? We use only Realm, but SSO on our Safari browser does not work. Do we need to additionally import some certificate to the iOS device, and from where must we obtain it?
Thanks for answer in advance!!
Martins
Hi Martins, you don't require certificates in order to have SPNego (Kerberos) based SSO to your Portal. However it is required to have a running SPNego configuration on your Portal system first. Does SSO work with a normal Windows PC? If yes, do you have the required SPS installed, see post from Alexander (7.31 SPS6+)? If yes, do you see any errors helping you in the trace of the J2EE system?
You require some attributes of the XML; here is a sample one I have created and successfully tested on an SAP ABAP ICM with SPNego. It may help:
regards,
Carsten
Thanks Carsten for Your answer, yes Windows PC does SSO using IE. We have NW 7.00 not 7.31.
Only logs I found is if I do reload initial logon page:
LOGIN.FAILED User: N/A Authentication Stack: ticket
Login Module | Flag | Initialize | Login | Commit | Abort | Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule | SUFFICIENT | ok | false | true
2. com.sap.security.core.server.jaas.SPNegoLoginModule | OPTIONAL | ok | exception | true | Trigger SPNEGO authentication.
3. com.sap.security.core.server.jaas.CreateTicketLoginModule | SUFFICIENT | ok | false | true
4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule | REQUIRED | ok | false | false
5. com.sap.security.core.server.jaas.CreateTicketLoginModule | REQUIRED | ok | false | true
Possible this works not with the old NW release and SPNego implementation... 😐
Hi everybody,
You may have already seen that the NW SSO team is starting a CEI project (https://cw.sdn.sap.com/cw/community/influence/cei) in the area of Mobile SSO. The announcement is at the beginning of the NW SSO community page - SAP NetWeaver Single Sign-On (Wanted: Your Feedback). Main focus will be SSO to SAP Portal, mobile edition, but not only. We plan to discuss/implement other authentication options besides the mentioned above Kerberos, X.509 certificates, SAP Logon Tickets, for example one-time passwords (OTP) and others which are much more suitable and easy to use at mobile devices. If you are interested in further details you can contact me at dimitar(dot)mihaylov(at)sap(dot)com.
Best regards,
Dimitar Mihaylov
Hi Alexander
I have configured SPNEGO for iPad but I am facing an issue. When I access my gateway server url I get a prompt to enter AD credentials with AD user is pre-populated. Once I enter AD password I am getting error 'Your browser is not configured for using SPNego' and this time I get another prompt for user credentials from gateway server. Is there any setting which we have to do on safari browser apart from payload file?
Regards
Mandeep Singh
Hi Mandeep Singh,
I had a similar problem on iOS 7.01. An error message was displayed in the browser after the initial authentication. Then, after closing and re-opening the browser SSO was available.
This issue was fixed for me with iOS 7.02.
Best regards,
Christian
Hi Christian
Our iOS version is 7.0.4. Any other clue to resolve this issue.
Regards
Mandeep Singh
Hi Mandeep Singh,
Does Kerberos login work via a deskop browser? Have you configured AS ABAP to work with that domain?
Regards, Alexander
Hi Alexander
We have configured AS ABAP to work with the same domain. I tried on desktop and it is not working. In our landscape the SAP ID is different from AD ID. We have done some mapping configuration to make it work on portal. This is the first time we are doing kerberos configuration on AS ABAP. We need to check why it is not working on desktop.
But on iPad I am getting the prompt for AD credentials
when I am entering the password of the AD server. Then I am getting the below screen. Hope this gives a little more clarity.
Please let me know if there are any steps to debug this issue.
Regards
Mandeep Singh
Hi Mandeep Singh,
Your configuration on the iPad seems to be fine. The issue is that you have not configured AS ABAP correctly to accept the Kerberos token.
Note, on the iPad, you get the prompt for the AD credentials, then iOS gets a token and sends this token to AS ABAP. If AS ABAP does not accept the token you would get the user/pass prompt.
On the desktop, the browser gets the Kerberos token from the domain you are already logged in (that's why you don't see any prompt for AD credentials) and sends this token to AS ABAP. As AS ABAP does not accept it, you would get also a user/pass prompt.
Thus, it would be best if you first make Kerberos running on a desktop machine which uses the same REALM as the iPad.
In order to configure AS ABAP correctly follow the videos and the prerequisites, which are linked above under "Configuration on the Service Server"
Regards, Alexander
Hi Alexander
I will check the configuration on the AS ABAP. There is note I have found which will direct to debug kerberos configurations Note 1732610. I will update on the progress. Thanks 🙂
Regards
Mandeep Singh
Hi Alexander
In continuation of the same issue, I am trying to make it work on the desktop first. In the logs in SM50 I see the below error message:
N SPNegoRefreshKeyTab: KeyTab in-memory and KeyTab in secure store differ. Reading update from secure sto
N SPNegoInitKeyTab: Kerberos KeyTab successfully loaded
N *** ERROR => SPNegoLogon: SntNameToHash returned -23 [sign.c 19829]
In note 1732610 it is mentioned
The trace shows the following message:
N *** ERROR => SPNegoLogon: SntNameToHash returned -23 [sign.c 19734]
SNC is not configured for the (current) AS_ABAP (instance). Ensure that you have an SNC installation configured to enable the proper user mapping as described in 3.2.9.
---------------------------------------------------------
As the AD ID and SAPID are different we have to do user mapping. It seems for user mapping to work we have to configure Keytab for SNC. Earlier I had left this configuration as I thought it was not relevant as we were trying to setup SPNEGO for iOS7 devices. Please let me know if my understanding is correct and I have to setup keytab for SNC to make it work?
Regards
Mandeep Singh
Hi Mandeep,
in general SNC doesn't have anything in common with the SPNego implementation. However the SAP NW SSO SPNego implementation uses the SU01 SNC-name user mapping from USRACL, thus it is required to have the SNC name mapping done. The Kerberos principal is required here, normally this is p:CN=<sAMAccountName>@REALM
If you are able to perform SPNego from your desktop, you will be able to do so in iOS. I would suggest to first check out all requirements and documentation from SAP and configure your system accordingly.
If you require further support let me know by PM
Regards,
Carsten
Hi Carsten
We have now configured Keytab for SNC and User mapping issue is resolved. But now we are getting kernel issue.
M CCMS: Reporting Rabax: SnapKey: 20140220 150105, vawrk338_SK7_01, [000:SAPSYS], report CL_SPNEGO_KERNEL==============, task D
M CCMS: Reporting Rabax: AlReportSingleMessage returned 0
M CCMS: Reporting Rabax: AlReportPerfValue returned 0
M CCMS: Reporting Rabax: SnapKey: 20140220 150105, vawrk338_SK7_01, [000:SAPSYS], report CL_SPNEGO_KERNEL==============, task D
We had recently upgraded the kernel as SPNEGO transaction we were getting 'kernel too old' message. Our kernel is on 721_EXT 21.
Any Clues?
Regards
Mandeep Singh
Hi Mandeep Singh, you mentioned that you have configured SSO for iPad. How did you do this? Please provide us with the steps done or give some references. Which NW do you have?
Thanks in advance, Martins!
Hi Mandeep, thanks for your answer. Just one question, which NW version do you have?
Hi Martins
SAP NetWeaver AS ABAP 7.31
Regards
Mandeep Singh
Hi Martins
I have followed the steps mentioned in the link Single Sign-On with Kerberos
1. We created a service user in AD and added the SPN for SPNEGO (HTTP/<FQ hostname of AS ABAP>).
2. We copied the secure login libraries in usr/sap/SID/DVEBMGS00/SLL folder
3. Configured SNC/SPNEGO Instance profile parameters.
snc/enable = 1
snc/data_protection/min = 2
snc/data_protection/max = 3
snc/data_protection/use = 3
snc/accept_insecure_gui = 1
snc/accept_insecure_cpic = 1
snc/accept_insecure_rfc = 1
snc/force_login_screen =0
snc/r3int_rfc_secure = 0
snc/r3int_rfc_qop = 8
snc/permit_insecure_start = 1
snc/identity/as = p:CN=sAMAccountName@REALM
snc/gssapi_lib = $(DIR_INSTANCE)/SLL/libsapcrypto.so
spnego/krbspnego_lib = $(DIR_INSTANCE)/SLL/libsapcrypto.so
spnego/enable = 1
4. Configured Keytab for SNC
created a .pse file using service user and created a cred_v2 file in sec folder and provided the system access to credential file
5. Configured SPNEGO keytab
On iPAD we have deployed a payload file .mobileconfig
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>Single Sign-On via SPNego</string>
<key>PayloadType</key>
<string>com.apple.sso</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadUUID</key>
<string>d3fe4709-0cc6-4f51-afed-839c6ab1451c</string>
<key>PayloadIdentifier</key>
<string>com.sso.test.kerberos</string>
<key>Name</key>
<string>Kerberos SSO</string>
<key>Kerberos</key>
<dict>
<key>PrincipalName</key>
<string>USERID</string>
<key>Realm</key>
<string>RealmName</string>
<key>URLPrefixMatches</key>
<array>
<string>URL for which SPNEGO should be invoked</string>
<string>http://*.domainname</string>
</array>
<key>AppIdentifierMatches</key>
<array>
<string>com.apple.mobilesafari</string>
<string>com.sap.*</string>
</array>
</dict>
</dict>
</array>
<key>PayloadOrganization</key>
<string>SAP</string>
<key>PayloadDisplayName</key>
<string>SSO for SAP Fiori</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadUUID</key>
<string>95A9BDB1-D1F1-4A66-8F10-E72B48D79665</string>
<key>PayloadIdentifier</key>
<string>com.fiori.sso.profile</string>
<key>PayloadDescription</key>
<string>SSO Configuration profile</string>
<key>PayloadType</key>
<string>Configuration</string>
</dict>
</plist>
Regards
Mandeep Singh
Hi All
We tried configuring SPNEGO SSO for iOS7 device but we have stuck with the error related to kernel. We have raised an OSS message for the same. Please let me know if anyone has faced this issue.
We have also configured client certificate option for SSO and it is working. At the moment iOS7 device is prompting to user to choose client certificate out of all the certificate present on iOS7 device. I am looking for a way to automatic provision a particular client certificate for a particular url. I have seen there is VPN configuration profile which does the same to push a particular client certificate to establish VPN connection.
Automatic-AnyConnect automatically chooses the client certificate with which to authenticate. In this case, AnyConnect views all the installed certificates, disregards those certificates that are out of date, applies the certificate matching criteria defined in VPN client profile, and then authenticates using the certificate that matches the criteria. This happens every time the user attempts to establish a VPN connection.
Is there a configuration profile available to achieve automatic provisioning of client certificate on iOS7 device?
Regards
Mandeep Singh
Hi, are there maybe some mechanism to authenticate on sap portal on ios by entering user credentials only for first time using NW 7.00?
Hi Mandeep Singh,
I see from your post that you have a reference to the libsapcrypto.so file. In my downloaded SLL file SLLIBRARY04_4-20008868.SAR I have no such file. Can you please point to the Secure Login Library file you used?
Hi Martins
Our operating environment is AIX so we have used respective SLLIBRARY00_1.SAR file. For AIX environments there is '.so' file instead of '.dll'.
Regards
Mandeep Singh
Thanks for your response, but I can't find an SLL with the file libsapcrypto.so. Do we require a license for this product? We have AIX, too. It seems that I found only a patch, not the base of this product.
Hi Martins,
possibly you use SAP NW SSO 1.0? The SNC library was libsecgss.so, or secgss.dll for Windows.
Since SSO 2.0 the SNC library name is WINDOWS: sapcrypto.dll | UNIX: libsapcrypto.so | HP-UX: libsapcrypto.sl
look here
OK, but our productive environment now points like this
Is this the same as snc/gssapi_lib = $(DIR_INSTANCE)/SLL/libsapcrypto.so?
Hi Martin
As per the video we need to set the snc/gssapi_lib to $(DIR_INSTANCE)/SLL/libsapcrypto.so
I think we are referencing the lib crypto file which is present in SLL folder, where we unarchived the SLLIBRARY00_1.SAR file contents.
Single Sign-On with Kerberos
Regards
Mandeep Singh
Hi Alex
Thanks for posting such a wonderful document. I'm more eager to know on this.
Await for your valuable blogs in near future.
Cheers 😉
Pradyp
Hello, Thanks for this. We are trying to do this now for our Travel expense scenario. I am not familiar with the configuration profile part. Please can someone guide me on
a) how and who creates the configuration profile
b) how is it installed on the iOS
(assuming its not something that already exists and i just need to edit it )
The configuration profile is the standard means to configure an iOS-based device. I would recommend you to use an MDM solution like Afaria to create and push that to the devices.
Hi Alex,
I managed to configure it and have the following questions
1) What tools can i use on the iOS device to trace how the ticket exchange with the domain controller is indeed taking place? Like we can use diagtool on a netweaver java system or a wireshark on the browser side
2) Is the first popup to enter the password of user@domain.com a MUST? Could we not avoid this? In our case, we already have VPN authentication enabled where users must enter their domain password. A second popup for the same password is seen as redundant. Can we avoid it and achieve SSO in the true sense?
e.g.: For browser based logins, once SSO is configured, it never asks for a domain password, even the first time. Can we achieve the same for iOS?
3) how do i roll out this profile in a generic form? The profile currently has a user in its configuration . At the time of rollout and install of the profile, will the users be asked to enter their userid? In general profiles are set to be installed seamlessly . So where does user get the chance to enter his domainname?
4) Similar to point 3, how do we do this if we have users in multiple domains? how do we roll out the profile in such cases?
Thx
Chandrakanth
Hi Chandrakanth,
Here are some answers to your questions:
1) I am not aware of any. iOS is very closed and you cannot have an app that would allow tracing that. In some special cases, you might use Xcode with developer devices, but that cannot be used for any iOS device
2) I guess in your VPN setup you pass the password to the VPN server which then validates it against active directory. In this case, you are still not authenticated to the KDC and thus the second pop-up comes
3) You might omit the user information and then users would be asked to enter their userID. Consult with the profile documentation on Apple's site or with the documentation of your MDM server
4) A user can enter only his userID but not a domain name. Thus you need to push a domain-specific profile to the user
Regards, Alexander
Hello,
Another question : the profile has some redundancy? There is a key with user (in the format username@realm) and then again a key with principal name and realm. Why is this?
Thx
Chandrakanth
username@realm is just the display name. You can substitute it with anything
Hi, we have implemented iOS 7 SSO using MobileIron, we establish a VPN connection using AnyConnect and are prompted by Safari or MobileApps to Enter the SSO password. This all works like a charm.
Our Kerberos tickets have a lifetime of 10 hours and a Renew Time of 7 days however I have to re-enter the password every 10 hours. It seems that iOS or Safari is not renewing the Kerberos ticket. Anyone any idea why this is?
Thanks in advance
Shannon
Unfortunately, current version of iOS does not renew the ticket automatically and thus once the ticket lifetime expires, one would be asked again for a user/pass
Alexander, first of all thank you for your response. I thought this was the issue, but wanted to know for sure. Do you know if there is any whitepaper of document from Apple where this is confirmed? I need to reply to my manager and it would be great if I got a whitepaper or something.
Thank you.
I am not aware of any document from Apple
Anyone having issues with cert-based auth and iOS 8.x? What worked in iOS 7.x is not working in 8. It appears that either iOS is not presenting the client cert to the web server or the mobile browser (Safari and Chrome) do not have access to the certs. Maybe there could be something wrong with the certs, but they are "verified" and again ... they work on 7.
Still works for me, and even better than before: No more certificate selection popup although there is only one in the keychain.
-- Stephan
I just tested a beta version of 8.1 and the issue has been resolved. This must mean that there is something about our certs that iOS 8.0.2 does not like but 7.1.2 and 8.1 have no issue with. Any ideas?
Hi All Gurus,
All this configuration is done on the iOS 7 O.S. Can the same configuration be done on Android O.S. Kindly help me for the same.
Thanks,
Sarang.
AFAIK, Android does not support Kerberos natively. You need to build custom logic in your apps to do that or you have to use a container-based approach.
Hi Alexander,
Thank you very much for the prompt reply. I have also raised an OSS message regarding the SSO configuration but there is no reply for this. Do you know of any document for configuring SSO on an Android phone where SAP Fiori has only an ABAP stack?
Thanks,
Sarang.
Hello,
Kerberos is not generally available on Android. You may consider using SAP Authenticator and SAP SSO instead:
What is the number of the OSS message you have opened with SAP?
Best regards,
Dimitar Mihaylov
Hi Dimitar, we have configured SSO for ABAP using SAML2. But this configuration works on desktop only; the IDP authentication window is thrown. Can you please provide which steps we need to start work with SSO on an Android device? Is the Nw SSO 2 product a mandatory prerequisite for enabling SSO on mobile devices using the SAML2 authentication mechanism?
Hello Martins,
Yes, you need license for the SAP Single Sign-On product if you want to implement this Mobile SSO solution.
The enablement of Mobile SSO requires implementation of One-Time Password Authentication on the company side with installation of the SSO AUTHENTICATION LIBRARY 2.0 and relevant policy configuration with enablement of the TOTPLoginModule for the respective system.
For more details, see: Mobile SSO using SAP Authenticator
Regards,
Donka Dimitrova
Thanks for your answer. As I understand, there are no scenarios for mobile SSO without SSO 2 or any other third party apps?
Hi Martin,
Another option would be to provision X.509 certificates to the mobile devices, e.g. using an MDM solution. However, if that's not an option for your scenario, then the only solution for Android provided officially by SAP is to use SAP Authenticator in combination with the SAP SSO product. Please note that this solution is not limited to only single sign-on but also provides advanced features for risk-based authentication (dynamically decide what authentication mechanism to use and if two-factor authentication is required; the second factor could be a time-based one-time password or a one-time password sent out-of-band via SMS, email or another channel) and authorization (e.g. limit the user's permissions based on the context). If you need further details or even want to see how the solution works, then we can organize a call for this.
Regards,
Dimitar
Hello Dimitar, SSO 2 is again on our agenda. Can you please organize a call or provide us with a trial version to see how the things work?
Thanks for your help!
Dear Mae Ker,
We will be able to organize a presentation and a demo of the SAP Single Sign-On 2.0. Just send me a message on my corporate e-mail donka.dimitrova<at>sap.com
Regards,
Donka Dimitrova
Hi Dimitar,
Thank you for the reply. I have already gone through the documents provided with the links mentioned above by you. I found that it requires the AS JAVA stack on SAP FIORI. But the problem is that we have only the ABAP stack installed with SAP NetWeaver 7.40. I have raised one OSS message to SAP regarding the same and they provided the same links you mentioned above. But regarding the ABAP stack there has been no response from 13th of January 2015 until now.
Thanks,
Sarang.
Hi Sarang,
The AS Java system could also be 7.30 or 7.31. There is no requirement to be a double stack or 7.40. Do you have any AS Java system in the landscape? We can continue the discussion also via email - just write me at "<firstname>.<lastname>@sap.com".
Regards,
Dimitar Mihaylov
Hi Dimitar,
Sorry, I forgot to mention the OSS number. OSS number for the message is 14985 / 2015.
Thanks,
Sarang.
Hi Sarang,
I've checked the ticket and according to it you'd like to use the native Fiori client. However, SAP Authenticator can provide SSO capabilities only when a regular browser is used as a client. So in the end the prerequisites to enable SSO using SAP Authenticator are the following:
- AS Java 7.30, 7.31 or 7.40
- Use regular browser as a Fiori client on the mobile device
Regards,
Dimitar
Hi Dimitar,
That is the problem we are having. We do not have the JAVA stack installed for SAP FIORI. How can we configure SSO for the ABAP stack? Kindly help us out.
Thanks,
Sarang.
Hello Sarang,
As my colleague Dimitar mentioned, if you want to use Mobile SSO for Fiori with SAP Authenticator, you need AS Java 7.30, 7.31 or 7.40 because the implementation requires a SAML IDP, which runs on AS Java.
If you look carefully at the diagram here, Mobile SSO for SAP Fiori, you will find that SAP Fiori is running on the AS ABAP and the SSO is for AS ABAP (Fiori), but the SSO is using SAML 2.0 assertions. These SAML assertions are issued by the SAML IDP running on the AS JAVA. This is why you also need AS JAVA.
I hope this will help.
Best regards,
Donka Dimitrova
Hi Sarang,
As already replied via email, here are the possible options:
- [Option 1] Use X.509 certificates for authentication to the Fiori (AS ABAP) systems. This option is supported already now but will require some kind of PKI.
- [Option 2] Use SAP Authenticator with SAP SSO. This option is supported already now but will require that you install the SAP SSO components on AS Java 7.30 (or higher) and that on the mobile devices a regular browser is used as Fiori client.
- [Option 3] Use SAP Authenticator with SAP Cloud Identity. This option is not available yet but is planned. The difference compared to option #2 is that you do not need to install an AS Java system but will use SAP Cloud Identity, which is an Identity Provider as a service.
Regards,
Dimitar
Hi Alexander
Do you know what the AppIdentifierMatches is for Google Chrome? We want to enable SSO on iOS devices when launched through Google Chrome as well. It works great on Safari. Some of our users have Google Chrome on their iPads and we would like SSO to work on Google Chrome as well. I believe it works when we add the app identifier for Chrome in the Mobile Config, but I am not able to find the identifier for Chrome.
Thanks in advance.
Regards
Sasi Reddy
I think it is com.google.chrome.ios
Hi All
I tried com.google.chrome.ios and com.google.*. Neither of them worked. Is there anyone who was able to make the SSO work on iOS devices using Google Chrome?
Thanks
Sasi
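For reference, here is what the profile setting discussed in the two messages above looks like. This is an added illustration, not from the blog post or from any participant in this thread: a minimal iOS Single Sign-On payload (PayloadType com.apple.sso) inside a configuration profile. The realm, principal, Gateway host name, payload identifiers/UUIDs and the in-house app bundle identifier are constructed placeholders; com.apple.mobilesafari is Safari's real bundle identifier. No identifier for Chrome is asserted here, since the thread reports that the ones tried did not work.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<!-- Added example, not part of the blog post or this thread.
     Every value marked PLACEHOLDER is constructed for illustration. -->
<dict>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadIdentifier</key>
  <string>com.example.kerberos-sso-profile</string>          <!-- PLACEHOLDER -->
  <key>PayloadUUID</key>
  <string>00000000-0000-4000-8000-000000000001</string>       <!-- PLACEHOLDER -->
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadDisplayName</key>
  <string>Kerberos SSO to SAP NetWeaver Gateway</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <!-- The Single Sign-On payload itself -->
      <key>PayloadType</key>
      <string>com.apple.sso</string>
      <key>PayloadIdentifier</key>
      <string>com.example.kerberos-sso-profile.sso</string>   <!-- PLACEHOLDER -->
      <key>PayloadUUID</key>
      <string>00000000-0000-4000-8000-000000000002</string>   <!-- PLACEHOLDER -->
      <key>PayloadVersion</key>
      <integer>1</integer>
      <!-- Name shown to the user in the credential prompt -->
      <key>Name</key>
      <string>Corporate Kerberos</string>
      <key>Kerberos</key>
      <dict>
        <!-- Kerberos realm, conventionally upper-case -->
        <key>Realm</key>
        <string>EXAMPLE.CORP</string>                         <!-- PLACEHOLDER -->
        <!-- Optional: pre-fills the principal; the user is then only asked for the password -->
        <key>Principal</key>
        <string>jdoe@EXAMPLE.CORP</string>                    <!-- PLACEHOLDER -->
        <!-- Only requests to URLs starting with one of these prefixes get a ticket -->
        <key>URLPrefixMatches</key>
        <array>
          <string>https://gateway.example.corp/</string>      <!-- PLACEHOLDER -->
        </array>
        <!-- Only apps with one of these bundle identifiers may use the ticket -->
        <key>AppIdentifierMatches</key>
        <array>
          <string>com.apple.mobilesafari</string>             <!-- Safari -->
          <string>com.example.fiori-wrapper</string>          <!-- PLACEHOLDER in-house app -->
        </array>
      </dict>
    </dict>
  </array>
</dict>
</plist>
```

Both arrays act as allow-lists: an app whose bundle identifier is not in AppIdentifierMatches is never handed the ticket, and URLPrefixMatches bounds the hosts the ticket is presented to, so keeping both as narrow as the landscape needs limits where the Kerberos identity is exposed. Whether a given third-party browser honours this payload at all depends on how that browser performs its HTTP requests, which a profile cannot change; the messages above record that listing Chrome did not produce SSO, and this example makes no claim to the contrary.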
Hi All,
Does this require AS JAVA to be installed for the configuration, or is the configuration done on the ABAP server only? Kindly guide on the same.
Thanks,
Sarang.
Dear Dimitar,
Kindly tell me whether the configuration shown in this document requires a SAP AS JAVA server or not. If yes, then what configurations need to be done on the JAVA server? Is Kerberos the only thing necessary for the configuration shown above? Kindly help me out for the same.
Thanks,
Sarang.
Dear Sarang,
If you are asking about Kerberos/SPNEGO authentication from iOS to AS ABAP then you do not need an additional AS JAVA system. If you are asking about different configuration then specify which configuration.
Best regards,
Dimitar Mihaylov
Hi Dimitar,
Sorry for replying so late as I was busy with other work. Yes, I am asking about the configuration shown in this document: does this configuration require the AS JAVA server, or can the whole configuration be successfully completed by configuring Kerberos on the SAP ABAP server? Please let me know.
Thanks,
Sarang.
I have already answered this question. Check my previous reply.
Dimitar
Hi Donka,
I have just one question now. The videos shown in this link showed the complete configuration on the Windows server, and the system is also installed on the Windows server. Is it possible to configure the same on an AIX server? Kindly guide me.
Thanks,
Sarang.
Hello Sarang,
Please, clarify what videos and link you are talking about.
If possible just provide the links (also to the videos) as a reply.
Thanks in advance!
Regards,
Donka Dimitrova
Hi Donka,
The videos given in the link below:
http://scn.sap.com/docs/DOC-40178
Thanks,
Sarang.
Hello Sarang,
Yes, this should also work if your systems are installed on an AIX server.
Regards,
Donka Dimitrova