Skip to Content

NW SSO Project Implementation with Apache Reverse Proxy

My First Single Sign-On Project

In my opinion, every enterprise must have an Identity Management (IDM) system and a Single Sign-On (SSO) system.

These two are very important and critical for companies, since they are  increasing security and productivity while decreasing cost, downtime and repetitive tasks.

Let me give brief descriptions of IDM and SSO firstly.

Identity management (IDM) describes the management of individual principals, their authentication, authorization and privileges within or across system and enterprise boundaries with the goal of increasing security and productivity while decreasing cost, downtime and repetitive tasks. SAP Identity Management helps companies to centrally manage their user accounts (identities) in a complex system landscape. This includes both SAP and non-SAP systems.

Single sign-on (SSO) is a property of access control of multiple related, but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them. SAP NW Sigle Sign-On also offers authenticating once and subsequently accessing SAP and non-SAP applications in a secure and user-friendly way.

Let me come to my project after brief introduction.

I am involved in an SSO project. This was my first Single Sign-On project implementation. Of course we had some difficulties about the project. But in the end we were happy what we have done so far in the project.

We benefited from below scn links. Thanks to the writers of the document and implementers of the videos. There are configurations for both 1.0 and 2.0 versions on both links.

Implementing Single Sign-On with X.509 Certificates

SPNEGO based Single Sign-On using Secure Login Server X.509 Client Certificates

Also many thanks to my colleague Zekeriya. He was the main implementer in the project.

We have all kinds of systems in our landscape. You can see the system landscape in below picture.

Configuration was done for all ABAP, Java and webgui systems. BO, non-SAP systems’ configuration still continues.


Project Implementation Steps

We implemented Single Sign-On Project with the following implementation steps.

  • NW 7.4 Java Installation
  • Secure Login Server 2.0 SP4 Add-On Installation
  • Secure Login Server Initialization
  • SSL Activation on SL Server
  • Secure Login Client Installation
  • NW Java Configuration
  • NW ABAP Configuration
  • Configuration of Apachr Reverse Proxy
  • BO System Configurations (Not implemented)
  • Non-SAP System Configurations (Not implemented yet)


Customer Organization

  • Presentations to explain the topic
  • Pilot work with IT and Key Users
  • Distribution of Secure Login Client
    • Install Server, create package
  • Going Live
  • Support

Diffficulties and Problems

As we know we can have problems during implementations and installations. Even when we have done it many times.

If you are doing the implementation for the first time, it is inevitable having difficulties and problems.

The major problem was about the Apache Reverse Proxy Server.

We built up the system and configured one of our java system (it was  Portal indeed). We looged on a host with a domain user and tried to login to portal using SSO. But it was still asking us user and password. We realized that proxy server was not transferring the certificates. After some googling and working with our proxy expert we changed settings in proxy configuration files and succeded transferring certificates.

Another issue was about Service Principle name. Since our AD Admin did not define service principle name correctly we lost some time to overcome the problem.

We faced problems when we were installing Secure Login Clients.

Solved problems using ShowUserPoliciesPage registry parameter. This parameter helped us to trace problems.

Also Secure Login Server Support must be selected when SL Client is installed.

Another problem or issue was BO SSO configuration for us. We investigated and rerad many documents for this issue.

And tried to configure BO SSO using x.509 certificates. Unfortunately BO system does not accept x.509 certificates yet. We learnt this ofter opening an OSS message. In our case AD SSO configuration does not help us since AD domain (* and Apache Reverse Proxy domain (* was different.

One of the other issue was the videos we followed. Since they were for SSO version 1.0, the configuration steps were different for version 2.0. For example secure login console is changed from /secure login to /slac.



1 Comment
You must be Logged on to comment or reply to a post.