Helpful SSO links!
Following these notes and SCN links is really helping me on my journey to setup SSO !
–> Nice blog. Good detail on how to use kerberos to do SSO purely for SAP GUI for windows
–> SPNEGO based Single Sign-On using Secure Login Server X.509 Client Certificates
–> interesting for a mobile solution. We can make X.509 work now on IOS if the PKCSv12 is used. Manual step and assumed VPN but it does work.
–> just proves that with 2.0 AIX is fully supported for SSO.
–> This is the kerberos and SPNEGO for ABAP. Great set of videos. I think this is the easiest/simplest way for our reps and end users to get SSO for SAPGUI/ICWEB.
–> Implementing Single Sign-On with X.509 Certificates
–> full guide for SL stuff.
–> some explanation about SSO for bsp.
With the new NetWeaver SSO 2.0 it is now possible to configure the ABAP stack to support SPNego.
So the workaround outlined in this blog is no longer required.
NEW SP05 info
Make “kerberos” the default ticket type after the Secure login client install:
Password manager documentation
1832706 – SPNego ABAP: Fixes for Algorithms AES128, AES256, DES
1819808 – SPNego ABAP: Collective Corrections
spnego/construct_SNC_name = 111 (which is good)
1798979 – SPNego ABAP: Downport
–> the note gives you all the minimum levels of the kernel and SP versions you need to do SPnego ABAP
1732610 – SPNego ABAP: Troubleshooting Note
–> good note to review if you are having problems with SPnego.
1912175 – SAP Single Sign-On 2.0: Central Note
–> central note for SSO 2.0
–> lists a basic explanation, relevant notes, suite of products, relevant components…
1887734 – Downloading NW SSO (Product or Patches)
–> good explanation on where/how to get the software off of OSS.
1876552 – Cannot find SAP Netweaver Single Sign-On
–> explains that you need a valid license to see the software on OSS.
1682957 – Downloading Patches for SNC Client Encryption
–> export control…
|2079851||Transaction SPNEGO: Support for ActiveX Control Kerberos Configuration|
–> eases troubleshooting for AD and SPnego. Note only relevant for SAPKB73115.
|2010613||Report for ActiveX Control ABAP Kerberos Configuration|
–> creates: SNCAX_TEST report to ease Kerberos troubleshooting for ABAP significantly.
|1943266||Secure Login Client Front-End Control for ABAP Kerberos Configuration|
–> general info about SAPGUI client SLC, and stuff
|1879371||SPNego ABAP(ICF): Downport|
–> downport note for older versions.
2104486 – Release Note SAP Single Sign-On 2.0 SP05
–> Release notes for latest version available at this time.
2044027 – No logon ticket created after SPNego logon (ABAP)
–> we need this to bring back the “ticket” functionality with SPnego to back-end and in the browser
2117110 – Recommendation to Replace SAP Logon Tickets with SAP Single Sign-On Solution
–> sap says they are moving away from tickets and over to x.509/SPnego anyway…and we should too
1313880 – SPNego with DNS aliases
–> interesting note. reminds you that if you use alias’ that you need SETSPN for each alias name.
Also some tool called KERBTRAY and reminds to check local hosts file on PC in case that is messing things up..
320991 – Error codes during logon (list)
if login fails, when you check HTTP trace report this note may help tell you what the codes mean.
1257108 – Collective Note: Analyzing issues with Single Sign On (SSO)
–> general SSO help.
1677641 – Kerberos authentication problem (SNG/GSS error a2210217)
2072638 – Dependencies between CommonCryptoLib and SAP Kernel Package
–> just good info on if you put in a new cryptolib, you need to bounce SAP app server. I’m going to assume the same is true for SSO secure login library.
1848999 – Central Note for CommonCryptoLib 8 (replacing SAPCRYPTOLIB)
–>excellent tracing capabilities for SPNEGO/SNC issues.
creates the file called sectrace.ini with lines: LEVEL=4 and DIRECTORY=/sapmnt/CDM/SLL/sectrace
so you can view traces that SAP is going to want anyway.
2181120 – Tracing and troubleshooting security events in http communication with the AS ABAP
–> good note!
–> main doc
–> test that SSL is correct
Official SAP “help” info for SPnego…decent information:
BC-SEC-LGN Authentication and SSO
BC-IAM-SL Secure Login
BC-IAM-PWM Password Manager
I hope some of this helps!!
the BCP components have changed, here are the new ones:
BC-IAM-SSO-CCL - for Secure Login Library
BC-IAM-SSO-FED - for Security Token Service and SSO Extension Library
BC-IAM-SSO-OTP - for SSO Authentication Library
BC-IAM-SSO-PWM - for Password Manager
BC-IAM-SSO-SLO - for Secure Login Client and Secure Login Server
BC-JAS-SEC-SML - for Identity Provider
BC-IAM-SSO-OTP is for OneTimePassword and Access Policies
BC-IAM-SSO-SLO is for Secure Login (client/server/library) issues
BC-IAM-SSO-FED is for Kerberos Constrained Delegation and SCIM issues
BC-IAM-SSO-CCL is for CommonCryptoLib issues
here are some other changed component information's:
BC-IAM-SSO-SL - Secure Login
BC-JAS-SEC-LGN - Logon, SSO
BC-JAS-SEC-SML - Java SAML 1.1 and 2.0
BC-JAS-SEC-UME - User Management Engine
BC-JAS-SEC-WSS - Web Services Security
BC-SEC-LGN-SML - SAML 2.0
The first one is not correct.
The component for Secure Login is the following:
I believe that it was just a typo 🙂