bypass the end-user having to select the cert/token the first time they use SSO?

Former Member
0 Kudos

Hello, I think this is in the right place. Does anyone know if there is a way to bypass the end-user having to select the cert/token the first time they use SSO? We have scripted the install of the SLC-2.x as well as moving over a new saplogon.ini that enables SSO. However, it's not fully unattended, as the first time they open it, they get a prompt to pick a cert. We have about 30 on the list, and they have to scroll all the way down to click the Kerberos token with their user name.

Thanks!

Accepted Solutions (0)

Answers (3)

HuiyangLi
Product and Topic Expert
0 Kudos

Hi Scott,

If you are using the existing X.509 certificate directly, you can try this one:

[HKEY_CURRENT_USER\Software\SAP\SecureLogin]
"TokenType"="tokcapi"
"CertFingerprint"="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

Here, the CertFingerprint is the client user's certificate fingerprint.

So you need to create a user-specific registry and have it executed when the user logs on.


Best Regards

Huiyang
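
The per-user registry setting described in the answer above, written as a logon script. This is an added example, not code from the post or from SAP. It assumes that CertFingerprint takes the SHA-1 thumbprint as Windows displays it (hex, no spaces) and that the intended certificate can be identified by its issuer; `$IssuerDN` is a placeholder.

```powershell
# Added example: runs in the user's logon context and pins the certificate
# that Secure Login Client should use, so the selection prompt is not needed.
# Assumptions (not from the original post):
#   - $IssuerDN is a placeholder; use the issuer string exactly as Windows shows it.
#   - CertFingerprint expects the SHA-1 thumbprint in hex without spaces.
$IssuerDN      = 'CN=EXAMPLE ISSUING CA'     # placeholder value
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'         # EKU: client authentication
$KeyPath       = 'HKCU:\Software\SAP\SecureLogin'

$now = Get-Date

# Candidate = in the user's personal store, has a private key, currently valid,
# issued by the expected CA and explicitly marked for client authentication.
# Certificates with no EKU extension at all are deliberately not matched.
$candidates = @(Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and
    $_.Issuer -eq $IssuerDN -and
    $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid)
})

# Fail closed: with zero or several matches, writing a fingerprint would either
# break SSO or silently pin the wrong identity, so leave the registry untouched.
if ($candidates.Count -ne 1) {
    Write-Warning ("Expected exactly one matching certificate, found {0}; " +
                   "registry left unchanged." -f $candidates.Count)
    exit 1
}

if (-not (Test-Path -Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}

# Same two values as in the answer above, written as REG_SZ.
New-ItemProperty -Path $KeyPath -Name 'TokenType' -Value 'tokcapi' `
    -PropertyType String -Force | Out-Null
New-ItemProperty -Path $KeyPath -Name 'CertFingerprint' `
    -Value $candidates[0].Thumbprint -PropertyType String -Force | Out-Null
```

A renewed certificate has a new thumbprint, so running the script at every logon keeps the pinned value current.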

Former Member
0 Kudos

Sorry for not responding. We're working out another issue with SSO breaking our Desktoplink process right now, so the whole cert selection got put on the back burner. I will test with the info provided after the holidays.


Thank you very much for the info provided.

Former Member
0 Kudos

Hi all,

You can use a CAPI filter (which is an HKLM setting) to filter out unwanted certs or match the correct one.

Example:

Windows Registry Editor Version 5.00

;; CAPI FILTER SETTINGS FOR SLC 2.0
;; FILTERS OUT ANY UNWANTED CERTIFICATES FROM SLC e. g. SAP SERVICE MARKETPLACE
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\common\capi]
"CAPIFilterIssuerDN"="CN=DUMMY Name"

Does this help you, Scott? AFAIK you "just" want to use the Kerberos auth and not X.509?


Regards

Carsten

0 Kudos

Hi Scott,

We have almost the same problem: we created an authentication profile for each Windows Active Directory domain in our landscape and used the Active Directory domain name in the name of the profile (for example "authentication profile - DOMAIN.CORP"). Then we distributed a reg key via logon script that created an entry in the HKCU Windows registry:

[HKEY_CURRENT_USER\SOFTWARE\SAP\SecureLogin\applications\DEFAULT]
"GssTargetName"="*"
"profile"="authentication profile - %USERDNSDOMAIN%"
"allowFavorite"=dword:00000001

The environment variable %USERDNSDOMAIN% was "translated / interpreted" by the logon script. A possible solution would be to use a REG_EXPAND_SZ reg type instead. The only drawback is that a Windows relogon / restart is needed.

Best regards

Kai

Former Member
0 Kudos

Hey, thanks for the input. I don't have those keys there as well. It stops at HKEY_CURRENT_USER\SOFTWARE\SAP\SecureLogin\

I put them in anyway, but no luck. I get an error when I try to launch SAP GUI from logon pad:

Error: service '?' unknown

Component NI, (Network Interface) Version 40

rc = -3, Detail NiErrSet

To add to this, I can find anything in the reg related to the selected token.

0 Kudos

Hi Scott,

Did you check the HKCU reg key "profile"="<NAME OF YOUR SAP SECURE LOGIN SERVER AUTH. PROFILE>"? I suppose that there is a typo in it.

Best Regards

Kai

Former Member
0 Kudos

We don't have a secure logon server at all