Hello all!

Following these notes and SCN links is really helping me on my journey to setup SSO !

SCN community:

http://scn.sap.com/community/sso

Important BLOGS:

http://scn.sap.com/community/sso/blog/2012/08/17/how-to-configure-sap-netweaver-single-sign-on-for-sap-gui-for-windows-with-kerberos-integration

–> Nice blog.  Good detail on how to use kerberos to do SSO purely for SAP GUI for windows

http://scn.sap.com/community/sso/blog/2015/03/04/reusing-kerberos-token-for-issuing-an-x509-client-certificate-with-secure-login-server

–> interesting,

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/50e92ab8-a2a4-3210-aebe-9f21db341d3e?QuickLink=index&overridelayout=true&59983513260820

–> SPNEGO based Single Sign-On using Secure Login Server X.509 Client Certificates

http://scn.sap.com/community/sso/blog/2013/09/18/mobile-single-sign-on-from-ios-7-to-sap-netweaver

–> interesting for a mobile solution.  We can make X.509 work now on IOS if the PKCSv12 is used.  Manual step and assumed VPN but it does work.

http://scn.sap.com/community/sso/blog/2012/10/11/secure-login-library-and-sap-netweaver-single-sign-on-and-os400aixas400pase

–> just proves that with 2.0 AIX is fully supported for SSO.

http://scn.sap.com/docs/DOC-40178

–> This is the kerberos and SPNEGO for ABAP.  Great set of videos.  I think this is the easiest/simplest way for our reps and end users to get SSO for SAPGUI/ICWEB.

http://scn.sap.com/docs/DOC-40179

–> Implementing Single Sign-On with X.509 Certificates

http://help.sap.com/download/sapsso/secure_login_impl_guide_en.pdf

–> full guide for SL stuff. 

http://scn.sap.com/people/holger.bruchelt/blog/2010/01/11/single-sign-on-to-bsp-pages

–> some explanation about SSO for bsp. 

With the new NetWeaver SSO 2.0 it is now possible to configure the ABAP stack to support SPNego.

So the workaround outlined in this blog is no longer required.

http://scn.sap.com/community/sso/blog/2015/05/06/sp5-for-sap-single-sign-on-20-now-available

NEW SP05 info

Make “kerberos” the default ticket type after the Secure login client install:

http://scn.sap.com/thread/3459280

Password manager documentation

http://scn.sap.com/docs/DOC-40109

Important Notes:

1832706 – SPNego ABAP: Fixes for Algorithms AES128, AES256, DES

1819808 – SPNego ABAP: Collective Corrections

spnego/construct_SNC_name = 111 (which is good)

1798979 – SPNego ABAP: Downport

–> the note gives you all the minimum levels of the kernel and SP versions you need to do SPnego ABAP

1732610 – SPNego ABAP: Troubleshooting Note

–> good note to review if you are having problems with SPnego.

1912175 – SAP Single Sign-On 2.0: Central Note

–> central note for SSO 2.0

–> lists a basic explanation, relevant notes, suite of products, relevant components…

1887734 – Downloading NW SSO (Product or Patches)

–> good explanation on where/how to get the software off of OSS.

1876552 – Cannot find SAP Netweaver Single Sign-On

–> explains that you need a valid license to see the software on OSS.

1682957 – Downloading Patches for SNC Client Encryption

–> export control…

2079851 Transaction SPNEGO: Support for ActiveX Control Kerberos Configuration 

–> eases troubleshooting for AD and SPnego.  Note only relevant for SAPKB73115. 

2010613 Report for ActiveX Control ABAP Kerberos Configuration 

–> creates: SNCAX_TEST report to ease Kerberos troubleshooting for ABAP significantly.

1943266 Secure Login Client Front-End Control for ABAP Kerberos Configuration

–> general info about SAPGUI client SLC, and stuff

1879371 SPNego ABAP(ICF): Downport  

–> downport note for older versions. 

2104486 – Release Note SAP Single Sign-On 2.0 SP05

–> Release notes for latest version available at this time.

2044027 – No logon ticket created after SPNego logon (ABAP)

–> we need this to bring back the “ticket” functionality with SPnego to back-end and in the browser

2117110 – Recommendation to Replace SAP Logon Tickets with SAP Single Sign-On Solution

–> sap says they are moving away from tickets and over to x.509/SPnego anyway…and we should too

1313880 – SPNego with DNS aliases

–> interesting note.  reminds you that if you use alias’ that you need SETSPN for each alias name. 

Also some tool called KERBTRAY and reminds to check local hosts file on PC in case that is messing things up..

320991 – Error codes during logon (list)

if login fails, when you check HTTP trace report this note may help tell you what the codes mean.

1257108 – Collective Note: Analyzing issues with Single Sign On (SSO)

–> general SSO help. 

1677641 – Kerberos authentication problem (SNG/GSS error a2210217)

2072638 – Dependencies between CommonCryptoLib and SAP Kernel Package

–> just good info on if you put in a new cryptolib, you need to bounce SAP app server.  I’m going to assume the same is true for SSO secure login library.

1848999 – Central Note for CommonCryptoLib 8 (replacing SAPCRYPTOLIB)

–>excellent tracing capabilities for SPNEGO/SNC issues. 

creates the file called sectrace.ini with lines: LEVEL=4 and DIRECTORY=/sapmnt/CDM/SLL/sectrace

so you can view traces that SAP is going to want anyway.

2181120 – Tracing and troubleshooting security events in http communication with the AS ABAP

–> good note!

HELP:

http://help.sap.com/nwsso

–> main doc

http://help.sap.com/saphelp_nw73/helpdata/en/49/3d938a501a2009e10000000a42189c/content.htm

–> test that SSL is correct

Official SAP “help” info for SPnego…decent information:

http://help.sap.com/saphelp_nw74/helpdata/en/c7/b12d71977e4b0682e327b4ecf81e9b/frameset.htm

Component info:

BC-SEC-LGN Authentication and SSO

BC-IAM-SL Secure Login

BC-IAM-PWM Password Manager

I hope some of this helps!!

NICK

To report this post you need to login first.

4 Comments

You must be Logged on to comment or reply to a post.

  1. Valentina Valkanova

    Hi everyone,

    the BCP components have changed, here are the new ones:

    BC-IAM-SSO-CCL – for Secure Login Library

    BC-IAM-SSO-FED – for Security Token Service and SSO Extension Library

    BC-IAM-SSO-OTP – for SSO Authentication Library

    BC-IAM-SSO-PWM – for Password Manager

    BC-IAM-SSO-SLO – for Secure Login Client and Secure Login Server

    BC-JAS-SEC-SML – for Identity Provider

    Best regards,

    Valentina

    (0) 
    1. Adrian Forro

      BC-IAM-SSO-OTP is for OneTimePassword and Access Policies

      BC-IAM-SSO-SLO is for Secure Login (client/server/library) issues

      BC-IAM-SSO-FED is for Kerberos Constrained Delegation and SCIM issues

      BC-IAM-SSO-CCL is for CommonCryptoLib issues

      (0) 
  2. Stanislav Oberberger

    Hello community,

    here are some other changed component information’s:

    BC-IAM-SSO-SL    – Secure Login

    BC-JAS-SEC-LGN – Logon, SSO

    BC-JAS-SEC-SML – Java SAML 1.1 and 2.0

    BC-JAS-SEC-UME – User Management Engine

    BC-JAS-SEC-WSS – Web Services Security

    BC-SEC-LGN-SML – SAML 2.0

    Regards,

    Stanislav Oberberger

    (0) 
    1. Filipe Santos

      Hi Stanislav,

      The first one is not correct.

      The component for Secure Login is the following:

      BC-IAM-SSO-SL


      I believe that it was just a typo 🙂


      Cheers,

      Filipe

      (0) 

Leave a Reply