How to configure SAP Work Manager SSO with SMP LDAP Authentication

This blog will introduce the steps necessary to configure SAP Work Manager (6.4.1) to accept SSO login tickets generated by SMP server to access SAP Backend server.

LDAP server and OpenSSL tool are used as example in this blog.

Structure:

Prerequisites:

• SAP Work Manager installed and connection to both SMP server and SAP Backend are accessible.
• LDAP Server and Client installed.
• Certificate Generation tool is available.

Step 1: Generating Certificates using OpenSSL

Restriction of Certificates (SMP):

• smp_keystore.jks trusts PKCS #12 certificates for technical user back-end connections
• SMP SSO Generator restriction: Only 1024 bit DSA certificates that use SHA1 as the signature algorithm are supported.

1). openssl dsaparam -out dsaparam.pem 1024

This command generates the parameters that would be used for DSA Key generation.

2). openssl gendsa -out smp3sso.pem dsaparam.pem

This command generates the DSA key smp3sso.pem.

3). openssl req -x509 -days 3650 -new -key smp3sso.pem –sha1 -out smp3sso.cer

This command generates a self-signed certificate smp3sso.cer using SHA-1 hash algorithm.

4). openssl pkcs12 -export -in smp3sso.cer -inkey smp3sso.pem -out smp3sso.p12

This command uses pkcs12 tool to generate one .p12 certificate smp3sso.p12.

Step 2: Import the certificates

a). Import smp3sso.p12 to SAP Mobile Platform Server

1. Login to the SMP3 Management Cockpit
2. Go to Settings | Certificates | Shared Key Store Entries and click the Import button

b). Install smp3sso.cer on SAP Backend

Run transaction STRUSTSSO2

1. Click on edit button
2. Click Import button and choose the certificate.
3. Click “Add to Certificate List”
4. Click “Add to ACL”

Step 3: LDAP Provider and SAPSSO2 Generator’s Configuration on SMP 

Note: SAPSSO2 Generator enables single sign-on (SSO) access to back-end resources. Before you can establish SSO connections, an authentication provider must first authenticate the client.

a). Create the new Security Profile to Authenticate

1. Go to Settings | Security Profiles and click New
2. Set the Name. This can be anything you want but should be indicative of what type of authentication it is performing (i.e. LDAP_{SID})  Where {SID} matches the SID of the SAP System you are setting up SSO against.
3. Click Add and select Directory Service (LDAP/AD)

b). Make sure the users’ search base and Root DN from LDAP Client side

Sample user “admin”

DN: uid=admin,ou=smp,dc=maxcrc,dc=com

Root DN can be found at “C:\OpenLDAP\Sldap.conf”

Root DN: cn=Manager,dc=maxcrc,dc=com

c). Input the settings per your environment and click Save

• Server Type =

sunone5 – SunOne 5.x OR iPlanet 5.x
msad2k – Microsoft Active Directory, Windows 2000
openldap – OpenLDAP Directory Server 2.x

• Provider URL = ldap://{your ldap host}:389
• Bind DN – The user DN to bind when building the initial LDAP connection.
• Bind Password = {password for your bind user referenced in the Bind DN}

• Authentication Filter =

For most LDAP servers: (&(uid={uid})(objectclass=person))

For Active Directory e-mail lookups: (&(userPrincipalName={uid}) (objectclass=user)) [ActiveDirectory]

For Active Directory Windows user-name lookups: (&(sAMAccountName={uid})(objectclass=user))

• Authentication Scope – May need to switch to subtree depending on your LDAP setup

• Authentication Search Base – The search base used to authenticate users. If this property is not configured, the value for Default Search Base is used, then you need to make sure Default Search Base has correct value.
• Skip Role Lookup – Checked

Above values will make sure my user ‘admin’ maintained in LDAP server has access to SMP server.

More details please refer to Directory Service (LDAP/AD) Configuration Properties

d). Configure SAPSSO2 Generator by clicking Add and select SAPSSO2 Generator

• IssuerSID = SMP
• IssuerClient = 000
• RecipientSID – The SID of the SAP Backend system you are connecting to
• RecipientClient – The client number within the SAP Backend system
• CertificateAlias = {alias from .p12 import}

Step 4: Configuration on Work Manager side

a). Edit your Work Manager application to use the new authentication scheme

b). Edit JavaBE.ini file to accept SSO ticket from SMP server

[LOGON_METHOD]

• LOGON_METHOD=USER_AUTH_SSO
• SERVICE_USER_LOGON_METHOD=USER_AUTH
• PUSH_USER_LOGON_METHOD=USER_AUTH

[USER_AUTH_SSO]

• BYPASS_USERID_CHECK=true
• SSOCLIENT_CLASS=com.syclo.sap.auth.sso.SMPSSOClient

Step 5: Restart your Work Manager application and test with Agentry Client

Note: the users in LDAP server should exist in SAP Backend server.

Login Work Manager Client with LDAP user and password.

Additional Information:

• If you are using Work Manager 6.3, you will need additional jar file, please refer to SAP Note 2367419
• For diagnostic reasons, you can adjust security log to debug level to capture more information in SMP server log.
• Directory Service (LDAP/AD) Configuration Properties