How to configure SAP Work Manager SSO with SMP LDAP Authentication
This blog introduces the steps needed to configure SAP Work Manager (6.4.1) to accept SSO login tickets generated by the SMP server when it accesses the SAP Backend server.
An LDAP server and the OpenSSL tool are used as the examples in this blog.
Structure:
Prerequisites:
- SAP Work Manager is installed, and both the SMP server and the SAP Backend are reachable from it.
- An LDAP server and client are installed.
- A certificate generation tool (OpenSSL in this blog) is available.
Step 1: Generating Certificates using OpenSSL
Certificate restrictions (SMP):
- smp_keystore.jks trusts PKCS #12 certificates for technical user back-end connections
- SMP SSO Generator restriction: only 1024-bit DSA certificates that use SHA1 as the signature algorithm are supported (see Additional Information for how newer SMP versions treat larger keys). Both 1024-bit DSA and SHA-1 are weak by current standards, so use this certificate for ticket signing only and keep its private key confined to the SMP key store.
1). openssl dsaparam -out dsaparam.pem 1024
This command generates the domain parameters used for DSA key generation.
2). openssl gendsa -out smp3sso.pem dsaparam.pem
This command generates the DSA private key smp3sso.pem from those parameters.
3). openssl req -x509 -days 3650 -new -key smp3sso.pem -sha1 -out smp3sso.cer
This command generates a self-signed certificate smp3sso.cer (valid for ten years) signed with the SHA-1 hash algorithm; you are prompted for the subject fields.
4). openssl pkcs12 -export -in smp3sso.cer -inkey smp3sso.pem -out smp3sso.p12
This command uses the pkcs12 tool to bundle the key and certificate into smp3sso.p12. You are prompted for an export password, which you need again when importing the file into SMP.
Step 2: Import the certificates
a). Import smp3sso.p12 to SAP Mobile Platform Server
- Login to the SMP3 Management Cockpit
- Go to Settings | Certificates | Shared Key Store Entries and click the Import button
b). Install smp3sso.cer on SAP Backend
Run transaction STRUSTSSO2
- Click the Edit button
- Click the Import button and choose smp3sso.cer
- Click “Add to Certificate List”
- Click “Add to ACL” (this entry is what lets the back end accept tickets issued by the SMP system ID and client you configure in Step 3)
Step 3: LDAP Provider and SAPSSO2 Generator’s Configuration on SMP
Note: SAPSSO2 Generator enables single sign-on (SSO) access to back-end resources. Before you can establish SSO connections, an authentication provider must first authenticate the client.
a). Create the new Security Profile to Authenticate
- Go to Settings | Security Profiles and click New
- Set the Name. This can be anything you want, but it should indicate what type of authentication the profile performs (e.g. LDAP_{SID}, where {SID} matches the SID of the SAP system you are setting up SSO against).
- Click Add and select Directory Service (LDAP/AD)
b). Confirm the users’ search base and the Root DN on the LDAP client side
Sample user “admin”
DN: uid=admin,ou=smp,dc=maxcrc,dc=com
The Root DN can be found in “C:\OpenLDAP\slapd.conf”
Root DN: cn=Manager,dc=maxcrc,dc=com
c). Input the settings per your environment and click Save
- Server Type =
sunone5 – SunOne 5.x or iPlanet 5.x
msad2k – Microsoft Active Directory, Windows 2000
openldap – OpenLDAP Directory Server 2.x
- Provider URL = ldap://{your ldap host}:389
- Bind DN – the DN SMP binds as when opening the initial LDAP connection (the Root DN found above is used in this example; in production prefer a read-only service account over the directory manager)
- Bind Password = {password for the bind user referenced in the Bind DN}
- Authentication Filter =
For most LDAP servers: (&(uid={uid})(objectclass=person))
For Active Directory e-mail (UPN) lookups: (&(userPrincipalName={uid})(objectclass=user))
For Active Directory Windows user-name lookups: (&(sAMAccountName={uid})(objectclass=user))
- Authentication Scope – may need to be switched to subtree depending on your LDAP layout, for example when users live in organizational units below the search base
- Authentication Search Base – the search base used to authenticate users. If this property is not configured, the value of Default Search Base is used, so in that case make sure Default Search Base is correct.
- Skip Role Lookup – checked
These values give my user ‘admin’, maintained in the LDAP server, access to the SMP server.
For more details, refer to Directory Service (LDAP/AD) Configuration Properties.
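A pre-flight check for the settings above, added here as an example (not part of the original blog): it binds with the Bind DN and runs the Authentication Filter against the search base with the chosen scope, which is the quickest way to find out whether the base and scope actually reach your users before you touch the SMP profile. It assumes OpenLDAP’s ldapsearch is installed. The {uid} value is the login name a user types, so the script escapes it per RFC 4515 before building the filter; that escaping is the test script’s own safeguard and says nothing about how SMP itself substitutes {uid}. The search base dc=maxcrc,dc=com and the bind password are assumed values:

```shell
#!/bin/sh
# Pre-flight check for the Step 3 LDAP settings. Added example, not from the
# original blog. Assumes OpenLDAP's ldapsearch is installed.
set -eu

# ldap_filter_escape <value>: escape a user-supplied value per RFC 4515 so it
# cannot change the structure of the search filter. The backslash must be
# escaped first, otherwise the other escapes would be double-escaped.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# render_auth_filter <template> <uid>: substitute the escaped login name for
# the {uid} placeholder used in the SMP Authentication Filter templates.
render_auth_filter() {
    tpl=$1; esc=$(ldap_filter_escape "$2")
    case $tpl in
        *'{uid}'*) printf '%s%s%s' "${tpl%%\{uid\}*}" "$esc" "${tpl#*\{uid\}}" ;;
        *)         printf '%s' "$tpl" ;;
    esac
}

# ldap_scope_flag <SMP scope>: map the Authentication Scope value to the
# ldapsearch -s option (subtree is the one that finds users in sub-OUs).
ldap_scope_flag() {
    case $1 in
        subtree)  echo sub ;;
        onelevel) echo one ;;
        base)     echo base ;;
        *) echo "unknown scope: $1" >&2; return 1 ;;
    esac
}

# ldap_auth_check <url> <bind_dn> <bind_pw> <search_base> <scope> <template> <uid>
# Reproduces the bind and user lookup that the Step 3 settings describe and
# prints the DN(s) the filter matches; no match means SMP will not find the
# user either (wrong base, wrong scope, or wrong attribute in the filter).
ldap_auth_check() {
    url=$1; binddn=$2; bindpw=$3; base=$4; scope=$5; tpl=$6; uid=$7
    filter=$(render_auth_filter "$tpl" "$uid")
    echo "filter: $filter  base: $base  scope: $scope" >&2
    ldapsearch -LLL -x -H "$url" -D "$binddn" -w "$bindpw" \
        -b "$base" -s "$(ldap_scope_flag "$scope")" "$filter" dn
}

# Usage with the blog's values (search base and password are assumptions):
# ldap_auth_check ldap://localhost:389 'cn=Manager,dc=maxcrc,dc=com' secret \
#     'dc=maxcrc,dc=com' subtree '(&(uid={uid})(objectclass=person))' admin
```

With the user from the blog, a correct base and scope make ldapsearch print dn: uid=admin,ou=smp,dc=maxcrc,dc=com; switching the scope to onelevel against dc=maxcrc,dc=com returns nothing, which is the symptom behind the “may need to switch to subtree” remark. Passing a login name such as a*)(cn= through render_auth_filter shows why the escaping is there: the parentheses and wildcard end up as \29\28 and \2a instead of altering the filter.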
d). Configure the SAPSSO2 Generator: click Add and select SAPSSO2 Generator
- IssuerSID = SMP
- IssuerClient = 000
- RecipientSID – the SID of the SAP Backend system you are connecting to
- RecipientClient – the client number within the SAP Backend system
- CertificateAlias = {alias you chose when importing the .p12 in Step 2}
Step 4: Configuration on Work Manager side
a). Edit your Work Manager application in the Management Cockpit to use the new security profile from Step 3
b). Edit the JavaBE.ini file so that the application accepts SSO tickets from the SMP server
[LOGON_METHOD]
- LOGON_METHOD=USER_AUTH_SSO
- SERVICE_USER_LOGON_METHOD=USER_AUTH
- PUSH_USER_LOGON_METHOD=USER_AUTH
[USER_AUTH_SSO]
- BYPASS_USERID_CHECK=true
- SSOCLIENT_CLASS=com.syclo.sap.auth.sso.SMPSSOClient
Step 5: Restart your Work Manager application and test with Agentry Client
Note: the user IDs held in the LDAP server must also exist in the SAP Backend, because the SSO ticket is issued for the LDAP user name.
Log in to the Work Manager client with an LDAP user and password.
Additional Information:
- If you are using Work Manager 6.3, you need an additional jar file; refer to SAP Note 2367419.
- For diagnostics, raise the security log to debug level to capture more information in the SMP server log.
- Directory Service (LDAP/AD) Configuration Properties
The SSO Generator limitation (only 1024-bit DSA certificates that use SHA1) does not seem to be enforced by older SMP versions: Ajay Sehgal got it working with a 2048-bit DSA key and SHA256 before SMP 3.0 SP14.
From SP14 on, the key size is checked; this can be worked around by following SAP Note 2639810.
Special thanks to Ajay!
Hey all,
Does anyone know what to do in order to enable LDAPS instead of plain LDAP? Our customer does not allow LDAP. The documentation says: "Procedure: Use the keytool utility to import security configuration in which to add the LDAP provider." However, I was not able to find a document(ation) containing the exact steps required to add the certs to a Java trust store, where to place this trust store, where to specify the password, etc.
I am asking here because I hope someone had the same requirement. Thanks a lot for any answers!
Cheers Carsten