Skip to Content

How to configure SAP Work Manager SSO with SMP LDAP Authentication

This blog will introduce the steps necessary to configure SAP Work Manager (6.4.1) to accept SSO login tickets generated by SMP server to access SAP Backend server.

LDAP server and OpenSSL tool are used as example in this blog.

Structure:

Prerequisites:

  • SAP Work Manager installed and connection to both SMP server and SAP Backend are accessible.
  • LDAP Server and Client installed.
  • Certificate Generation tool is available.

 

Step 1: Generating Certificates using OpenSSL

Restriction of Certificates (SMP):
  • smp_keystore.jks trusts PKCS #12 certificates for technical user back-end connections
  • SMP SSO Generator restrictionOnly 1024 bit DSA certificates that use SHA1 as the signature algorithm are supported.

1). openssl dsaparam -out dsaparam.pem 1024

This command generates the parameters that would be used for DSA Key generation.

2). openssl gendsa -out smp3sso.pem dsaparam.pem

This command generates the DSA key smp3sso.pem.

3). openssl req -x509 -days 3650 -new -key smp3sso.pem –sha1 -out smp3sso.cer

This command generates a self-signed certificate smp3sso.cer using SHA-1 hash algorithm.

4). openssl pkcs12 -export -in smp3sso.cer -inkey smp3sso.pem -out smp3sso.p12

This command uses pkcs12 tool to generate one .p12 certificate smp3sso.p12.

 

Step 2: Import the certificates

a). Import smp3sso.p12 to SAP Mobile Platform Server

  1. Login to the SMP3 Management Cockpit
  2. Go to Settings | Certificates | Shared Key Store Entries and click the Import button

b). Install smp3sso.cer on SAP Backend

Run transaction STRUSTSSO2

  1. Click on edit button
  2. Click Import button and choose the certificate.
  3. Click “Add to Certificate List”
  4. Click “Add to ACL”

 

Step 3: LDAP Provider and SAPSSO2 Generator’s Configuration on SMP 

Note: SAPSSO2 Generator enables single sign-on (SSO) access to back-end resources. Before you can establish SSO connections, an authentication provider must first authenticate the client.

 

a). Create the new Security Profile to Authenticate

  1. Go to Settings | Security Profiles and click New
  2. Set the Name. This can be anything you want but should be indicative of what type of authentication it is performing (i.e. LDAP_{SID})  Where {SID} matches the SID of the SAP System you are setting up SSO against.
  3. Click Add and select Directory Service (LDAP/AD)

 

b). Make sure the users’ search base and Root DN from LDAP Client side

Sample user “admin”

DN: uid=admin,ou=smp,dc=maxcrc,dc=com

Root DN can be found at “C:\OpenLDAP\Sldap.conf

Root DN: cn=Manager,dc=maxcrc,dc=com

 

c). Input the settings per your environment and click Save

 

  • Server Type =

sunone5 – SunOne 5.x OR iPlanet 5.x
msad2k – Microsoft Active Directory, Windows 2000
openldap – OpenLDAP Directory Server 2.x

  • Provider URL = ldap://{your ldap host}:389
  • Bind DN – The user DN to bind when building the initial LDAP connection.
  • Bind Password = {password for your bind user referenced in the Bind DN}
  • Authentication Filter =

For most LDAP servers: (&(uid={uid})(objectclass=person))

For Active Directory e-mail lookups: (&(userPrincipalName={uid}) (objectclass=user)) [ActiveDirectory]

For Active Directory Windows user-name lookups: (&(sAMAccountName={uid})(objectclass=user))

  • Authentication Scope – May need to switch to subtree depending on your LDAP setup
  • Authentication Search Base – The search base used to authenticate users. If this property is not configured, the value for Default Search Base is used, then you need to make sure Default Search Base has correct value.
  • Skip Role Lookup – Checked

Above values will make sure my user ‘admin’ maintained in LDAP server has access to SMP server.

More details please refer to Directory Service (LDAP/AD) Configuration Properties

 

d). Configure SAPSSO2 Generator by clicking Add and select SAPSSO2 Generator

  • IssuerSID = SMP
  • IssuerClient = 000
  • RecipientSID – The SID of the SAP Backend system you are connecting to
  • RecipientClient – The client number within the SAP Backend system
  • CertificateAlias = {alias from .p12 import}

 

Step 4: Configuration on Work Manager side

a). Edit your Work Manager application to use the new authentication scheme

b). Edit JavaBE.ini file to accept SSO ticket from SMP server

[LOGON_METHOD]

  • LOGON_METHOD=USER_AUTH_SSO
  • SERVICE_USER_LOGON_METHOD=USER_AUTH
  • PUSH_USER_LOGON_METHOD=USER_AUTH

[USER_AUTH_SSO]

  • BYPASS_USERID_CHECK=true
  • SSOCLIENT_CLASS=com.syclo.sap.auth.sso.SMPSSOClient

Step 5: Restart your Work Manager application and test with Agentry Client

Note: the users in LDAP server should exist in SAP Backend server.

Login Work Manager Client with LDAP user and password.

 

Additional Information:

 

2 Comments
You must be Logged on to comment or reply to a post.
  • The limitation of SSO Generator: Only 1024 bit DSA certificates that use SHA1, seems not being checked for older SMP versions, Ajay Sehgal has work it out with 2048 bit DSA using SHA256 before SMP 3.0 SP14.

    After SP14, there was a checking with the key size, and this can be workaround following SAP Note 2639810.

    Special thanks to Ajay 🙂

  • Hey all,

    anyone knows what to do in order to enable LDAPs instead of plain LDAP? Our customer does not allow LDAP. In the documentation it says: Procedure Use the keytool utility to import security configuration in which to add theLDAPprovider.” However, i was not able to find a document(ation) containing the exact steps required to add the certs to a java trust store, where to place this trust store, where to specify the password etc. 

    I am asking here because I hope anyone had the same requirement. Thanks a lot for answers!

    Cheers Carsten