
21 Comments


  1. Simon Kemp

    Hi Donka,

    Thanks for sharing this approach. My only concern here would be performance, there seems to be a lot going on during the initial creation of the X.509 cert – my experience using SAML right here on SCN isn’t great (it’s quite slow really). Do you have any comments regarding performance of such a scenario?

    How long would you recommend the X.509 certificates are valid for?

    Thanks again,

    Simon

    1. Samuli Kaski

      I also have reservations about having to open a browser to access Secure Login Web Client for the X.509 certificate to be issued. Maybe if the browser is opened minimized and closed as soon as the X.509 certificate is issued, it could work, all triggered by a logon script, for example. But then again, why not use the native Secure Login Client (if running one of the supported platforms)? Maybe this solution is more theoretical for most customers. Nice nevertheless, and I appreciate the contribution.

      1. Dimitar Mihaylov

        Hi Samuli,

        The question about “using” SAML 2.0 for SAP GUI came from customers who already have SAML 2.0 infrastructure for web browser SSO and would like to extend it to non-browser scenarios (SAP GUI). So the assumption is that you use a browser as a starting point anyway, and in this case the best integration point is some Portal system (SAP or non-SAP). From there you can start SAP GUI using SAP shortcuts; you may be familiar with this feature in SAP Portal.

        SAML 2.0 support is not possible directly in SLC because the underlying DIAG protocol does not support it. If we extend it then it will be available only for the latest releases and its adoption will take “ages” 🙂 .

        Best regards,

        Dimitar Mihaylov

    2. Dimitar Mihaylov

      Hi Simon,

      You may experience performance issues with SAML 2.0 only because of network delays (there are redirects between SP and IDP), but not because of the issuing or validation of the assertion. Especially in an intranet scenario this should not be a problem, and Donka’s blog describes such a use case. You can see example performance measurements using SAP identity provider in the following blog: http://scn.sap.com/community/sso/blog/2013/02/28/competitive-advantages-of-sap-identity-provider.

      The default validity of short-lived X.509 certificates issued by SLS is 10 hours, which should cover a regular working day.

      Best regards,

      Dimitar Mihaylov

  2. Tejas Gandhi

    Hello

    I installed SAP NetWeaver AS Java 7.4 SR1 (90-day trial version). We are facing an issue with “Uploading Metadata File”. The error is mentioned below:

    “Metadata contains trusted provider which is not an identity provider”

    We referred to the following document for configuration: http://wiki.scn.sap.com/wiki/display/Security/Single+Sign-On+with+SAML+2.0+and+ABAP+Systems+Supporting+SAP+Logon+Tickets?focusedCommentId=377389831#comment-377389831


    Please suggest if any configuration is required.

    Tejas Gandhi

    1. Dimitar Mihaylov

      Hi,

      You are trying to import the metadata of a service provider system; however, you should import the metadata of an identity provider system. Make sure you have exported the metadata of the correct system and that it is really acting as a SAML 2.0 identity provider. The metadata should contain the following descriptor in this case:

      <ns3:EntityDescriptor ID="Sf16ae1ea-bb87-49db-95ac-8df3e411b184" entityID="https://idp.company.com" xmlns:ns2="http://www.w3.org/2001/04/xmlenc#" xmlns="http://www.w3.org/2000/09/xmldsig#" xmlns:ns4="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns3="urn:oasis:names:tc:SAML:2.0:metadata">
        <ns3:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        </ns3:IDPSSODescriptor>
      </ns3:EntityDescriptor>

      Best regards,

      Dimitar Mihaylov

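The check Dimitar describes (does the uploaded metadata declare an IdP role, or only an SP role?) can be done before uploading. The following is an added example, not code from SAP or from this blog: it parses a SAML 2.0 metadata document with the standard library and reports which `*SSODescriptor` roles the `EntityDescriptor` carries. The two sample metadata documents, their entity IDs and endpoint URLs are constructed for the demonstration.

```python
"""Report the SAML 2.0 role(s) declared in a metadata file.

Added example (not SAP or blog-author code). An SP-side "upload IdP metadata"
step expects an md:IDPSSODescriptor inside the md:EntityDescriptor; metadata
that carries only an md:SPSSODescriptor is the service provider's own export.
For metadata from an untrusted source, parse with defusedxml instead of the
stdlib parser shown here.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample: an identity provider export (placeholder host names).
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://idp.example.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                            Location="https://idp.example.com/saml2/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample: a service provider export, i.e. the AS Java's own metadata.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://java.example.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="https://java.example.com/saml2/sp/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def metadata_roles(xml_text: str) -> dict:
    """Return the entityID and the list of SSO role descriptors in the metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"not a SAML 2.0 EntityDescriptor: {root.tag}")
    # Role descriptors are direct children named IDPSSODescriptor / SPSSODescriptor.
    roles = [child.tag.split("}")[1] for child in root
             if child.tag.startswith(f"{{{MD_NS}}}") and child.tag.endswith("SSODescriptor")]
    return {"entityID": root.get("entityID"), "roles": roles}


def check_idp_metadata(xml_text: str) -> str:
    """Mimic the SP-side upload check: accept only metadata that declares an IdP role."""
    info = metadata_roles(xml_text)
    if "IDPSSODescriptor" in info["roles"]:
        return f"OK: {info['entityID']} is an identity provider"
    return (f"ERROR: {info['entityID']} declares {info['roles'] or 'no SSO role'}; "
            "metadata contains trusted provider which is not an identity provider")


if __name__ == "__main__":
    print(check_idp_metadata(IDP_METADATA))
    print(check_idp_metadata(SP_METADATA))
```

Run it against the file you are about to upload; if the output names only `SPSSODescriptor`, you exported the service provider's metadata (often the same AS Java you are configuring) rather than the identity provider's.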
  3. Esther SIMHI

    Hello,

    I would like to integrate this scenario with iViews from the Java Portal to the ABAP backend system, using saplogon for Windows. Do you know of any documentation that could help me?

  4. Peter Laback

    Hi Donka !

    I would be interested to know if you continued to follow this approach, especially in connection with saplogon.

    Is it possible to get in contact with you directly to discuss this topic?

    Best regards,

    Peter

  5. Osama Khalifa

    Hi Donka,

    I’m just trying to make sure SAML 2.0 is working with the SAP ABAP-only stack and that it does support SAP WIN GUI.

    Thanks

    Osama Khalifa

    1. Donka Dimitrova Post author

      Hello Osama,

      The AS ABAP enables you to use a number of authentication options for integrating Web-based user access (for example SAP GUI for HTML) in SSO environments and SAML is one of them.

      Please, find the documentation that describes how to configure SAP NetWeaver Application Server (AS) ABAP as a Security Assertion Markup Language (SAML) 2.0 service provider:

      http://help.sap.com/saphelp_nw73/helpdata/en/4a/b6df333fec6d83e10000000a42189c/frameset.htm

      Regards,

      Donka Dimitrova

  6. Sasi Reddy

    Hi Donka

    We are trying to implement SSO 2.0. We are planning to use SAML 2.0 to authenticate to SAP Portal and SAP GUI. Based on your blog, it looks like we will have to call SAP Secure Login Web Client first and then log in to SAP Portal. But instead, can we set up the scenario below?

    1. User tries to login to SAP Portal

    2. Portal checks for certificate in the browser, if the certificate exists, then the user gets logged in.

    3. If the certificate doesn’t exist, then the user is redirected to the Secure Login Web Client. Once the user authenticates to SLWC (using basic password or SPNEGO), the certificate is downloaded and added to the user’s browser, and the user gets logged into the portal.

    Please suggest if this can be achieved or not.

    Thanks
    Sasi

    1. Donka Dimitrova Post author

      Hello Sasi,

      If you want to use the SAML technology for authentication to SAP Portal it is not necessary to go over Secure Login Web Client & Secure Login Server. You can simply use the SAML assertion. You just need to configure the trust between SAP Portal (SAML SP) and the SAML IDP. The scenario here describes how to do this for SAP GUI.

      Regards,

      Donka

  7. yatin Phad

    Hello Donka,

    I am working on an SSO 2.0 implementation. Below is my scenario:

    1. NW sso 2.0 is available

    2. IDM 8 is available and it will be used as user source.

    3. There is no other user source available (e.g. AD, etc.), so users are manually created in IDM with no further authentication.

    I am planning to use IDM as the data source, but my concern is:

    How IDM user will be verified by SSO with backend ABAP system?

    Can you give some thoughts over here?

    If you need any further information to understand this scenario, please let me know.

    Regards,

    Yatin Phad

  8. Lutz Rottmann

    Hi Donka, Secure Login Web Client relies on a Java plugin being available in all users’ browsers. All modern browsers have dropped Java plugin support, so Secure Login Web Client has lost much of its value. Are there any plans to modernise the web client (I have no idea how) to make it compatible with Edge, Chrome and Firefox again?

    Regards,

    Lutz

  9. Patrick Rezek

    Hi Donka

    We have a slightly unusual scenario. SPNego for ABAP is configured for SAP GUI as well as HTTP, i.e. Fiori services that are called via the browser. That works well. This is the scenario for customers that are on the internal network and have user IDs in our network AD.

    Now we also have customers that aren’t in AD. Those are from other closed networks in need of access to our system. Those customers use SAML over ADFS to authenticate. Their user IDs are in SU01 of the ABAP system.

    In the Java system this works well, as we have the ticket policy set as follows:

    EvaluateTicketLoginModule

    SPNegoLoginModule

    CreateTicketLoginModule

    SAML2LoginModule

    CreateTicketLoginModule

    BasicPasswordLoginModule

    CreateTicketLoginModule

    Basically, whatever is presented in the request gets authenticated. No issues 🙂

    In ABAP, however, this doesn’t work as expected. SPNego works well; however, when SAML is tested it authenticates but then attempts to do SPNego as well and fails. If I disable SPNego, SAML works well.

    In short, SPNEGO and SAML don’t work well together. I wonder if there is a trick to stop SPNego kicking in while SAML is authenticating?

    Regards

    Patrick Rezek

    1. Wolfgang Janzen

      “I wonder if there is a trick to stop SPNego kicking in while SAML is authenticating?”

      Well, there’s no trick – that’s documented in note 1798979:

      It is also possible to disable SPNego authentication per request (“opt-out”). You can achieve that by adding a URL parameter “spnego” with value “disabled”. When the ABAP server receives a request that contains this parameter, Kerberos authentication will be skipped even though it might be configured correctly.

      By intent, that’s the same opt-out mechanism as used by the Java server.
      If you are using an Apache-style reverse proxy (like SAP Web Dispatcher) you can also use the RewriteEngine to modify the URLs of requests (by adding such URL parameters).

      Alternatively you can modify the ICF service configuration (or create a so-called “external alias” in t-code SICF for the service – with identical path, resulting in an “overlay”): simply activate the option “[x] Use All Logon Procedures”.

      By default only one logon attempt is made (with the first credential found in the order of the configured “Logon Procedure” – by default “SPNego” comes before “SAML 2.0”). If it fails, then immediately the configured “logon error” handling (either “Basic Authentication” or “FORM-based authentication” aka “System Logon”) is triggered – and no attempt is made to evaluate / trigger other credentials / logon methods.


      I hope this answer helps you to solve the problem.
      Kindly keep in mind that SCN is not the channel to report issues – there’s no SLA (Service Level Agreement), so don’t expect any timely response.
      All answers are provided on a voluntary basis and without any warranty.

      Best regards, Wolfgang
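The behaviour Wolfgang describes (one attempt with the first credential found in logon-procedure order, the `spnego=disabled` opt-out, and the “Use All Logon Procedures” fall-through) is easy to misread, so here is an added toy model of it in Python. It is not SAP code and not part of the reply above: the `Request`/`Config` shapes, the procedure names `SPNEGO`/`SAML2`, the stand-in verifier (a credential starting with `valid-` is accepted) and the sample credentials are all assumptions for the demonstration. `add_spnego_optout` shows what a reverse-proxy rewrite has to produce, namely the extra parameter appended without dropping the query string already on the request.

```python
"""Toy model of the ABAP ICF logon-procedure evaluation described in the reply.

Added example, not SAP code. It models three points from the reply:
  * only the first credential found, in configured order, is tried;
  * a request carrying spnego=disabled skips Kerberos even if it is configured;
  * "Use All Logon Procedures" falls through to the next credential instead of
    going straight to the logon-error handling.
Request/Config fields, procedure names and the verifier are assumptions.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


@dataclass
class Request:
    url: str
    kerberos_token: Optional[str] = None   # stand-in for an Authorization: Negotiate header
    saml_response: Optional[str] = None    # stand-in for a SAMLResponse form field


@dataclass
class Config:
    procedures: tuple = ("SPNEGO", "SAML2")    # reply: SPNego is ordered before SAML 2.0 by default
    use_all_logon_procedures: bool = False    # the SICF "[x] Use All Logon Procedures" flag
    logon_error_handler: str = "SYSTEM_LOGON"  # or "BASIC"; reached only on failure


def _credential_for(request: Request, procedure: str) -> Optional[str]:
    return {"SPNEGO": request.kerberos_token,
            "SAML2": request.saml_response}.get(procedure)


def _verify(procedure: str, credential: str) -> bool:
    # Stand-in verifier: only credentials constructed as "valid-..." are accepted.
    return credential.startswith("valid-")


def spnego_opted_out(url: str) -> bool:
    """True when the request URL carries the documented opt-out parameter."""
    return dict(parse_qsl(urlsplit(url).query)).get("spnego") == "disabled"


def logon(request: Request, config: Config) -> str:
    """Return the procedure that logged the user on, or the error handler reached."""
    for proc in config.procedures:
        if proc == "SPNEGO" and spnego_opted_out(request.url):
            continue                      # opt-out: Kerberos skipped for this request
        cred = _credential_for(request, proc)
        if cred is None:
            continue                      # no credential of this kind in the request
        if _verify(proc, cred):
            return proc
        if not config.use_all_logon_procedures:
            break                         # first found credential failed: no further attempts
    return config.logon_error_handler


def add_spnego_optout(url: str) -> str:
    """Append spnego=disabled while keeping the query parameters already present."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query["spnego"] = "disabled"
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    # Constructed case from the thread: a non-AD user whose browser answers the
    # Negotiate challenge with something Kerberos cannot validate, plus a good
    # ADFS SAML response.
    req = Request(url="https://host.example/sap/bc/ui2/flp?sap-client=100",
                  kerberos_token="invalid-ntlm-blob",
                  saml_response="valid-adfs-response")
    print("default          :", logon(req, Config()))                        # SYSTEM_LOGON
    print("spnego=disabled  :", logon(Request(add_spnego_optout(req.url),
                                              req.kerberos_token,
                                              req.saml_response), Config()))  # SAML2
    print("use all procs    :", logon(req, Config(use_all_logon_procedures=True)))  # SAML2
```

The default run reproduces Patrick's symptom: the Kerberos credential is found first, fails, and the server goes to the logon-error handling without ever looking at the SAML response. Either opt-out shown (the URL parameter, which a Web Dispatcher rewrite can add, or the SICF flag) lets the SAML credential be evaluated.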
  10. Christopher Veith

    Donka:

    We are working with an organization that has deployed the latest version of the SAP GUI. This organization has also deployed the AS ABAP application server version 7.5. SAP HANA FPS 12 is the database for the SAP solution.

    The organization has NOT deployed NetWeaver Secure Login Server.

    We have been asked to investigate how SSO might be provided for the SAP GUI users.

    We have been examining whether the AS ABAP server could be used as an Identity Service Provider, working with a third-party Identity Provider. These two entities, the Identity Provider and the Service Provider, would communicate via SAML 2.0.

    Would the AS ABAP server, through the use of SAP Logon tokens, be able to establish SSO with the SAP GUI?

    Is there a better approach that you are aware of to provide SSO to the SAP GUI?

    Would you be available for a discussion by phone the week of 8/28?

    Regards,

    Chris

  11. Carsten Olt

    Dear Christopher,

    Sure, there are very easy approaches for SAP GUI SSO. Just get in touch if you require additional information.

    Regards, Carsten

