on 04-01-2014 4:29 PM
Dear experts,
I need your help because we are trying to configure the following scenario:
We have two clients in the same system. One client is SUS and one client is SRM. Our need is to log on to the SUS web part (service srmsus) and, once we are logged on to SUS, jump to NWBC on SRM without specifying the user and password. The user that we use to log on to SUS is different from the user mapped on the SRM.
Is this possible? Do you have any information about this?
We only have this system; we have no portal anywhere.
Thanks a million in advance.
Best regards,
David
Yes, it's possible if you configure SSO so that it works independently in both clients. I don't think you can use the assertion ticket or security session from one client in another client, especially since the user account names are different. For example, SPNEGO for ABAP (part of NWSSO), SAML or X.509 would work.
Dear Alexander,
I have checked the requirements. If I am not wrong, the Secure Login Server is installed on the JAVA application server and the Secure Login Client is installed on the ABAP application server. Is that right?
In my case, both application servers are Linux. Do you know of any solution for my case?
Thanks a lot.
Best regards,
David
SLS is installed on AS JAVA and SLC is installed on the client, meaning the Windows PC. You could use SPNEGO for ABAP, assuming you purchase NWSSO licenses and make sure your system meets the requirements (SP, kernel) for using SPNEGO for ABAP. SPNEGO for ABAP doesn't require anything on the client, assuming the browser can handle the Kerberos authentication. Another option is to use SAML or even X.509 certificates.
Dear Samuli,
As I understood from the link below (in the 3rd video):
the SLC has to be installed on the ABAP application server. In my case, this is a Linux server, so I can't use the SLC.
Are you suggesting that I can use SPNEGO instead of SLC?
Forgive me, but I have no idea about this.
Thanks a lot.
Best regards,
David
Dear Samuli,
I have another chance.
Right now, we need to perform the SSO for external users. I mean, the external users will access the srmsus service through the internet and they can jump to the SRM NWBC without credentials.
Do you have any idea? We have never implemented this scenario.
Thanks a lot.
Best regards,
David
As I wrote before, you will have to enable SSO separately for both. In the case of external users, it comes down to security requirements and the number of external users. It might make sense to solve external users separately. In the case of NWBC, do you mean NWBC for Desktop (the native Windows client) or NWBC for HTML, the browser version? With NWBC for Desktop your choices are somewhat restricted; with NWBC for HTML you have more options.
I assume the external users aren't maintained in your AD? That rules out Kerberos. You are left with SAML and X.509, since you don't have a portal to issue the SAP Logon Tickets. How many external users are there? Do you have a PKI in your IT infrastructure that you could use to issue X.509 certificates for external users? I myself would use SAML, since you could use the same implementation for internal and external users, with no need for two parallel solutions. If SAP GUI for Windows or NWBC for Desktop is in the picture (for internal users) and SSO is a requirement, SAML isn't the recommended option, so you will end up with two parallel solutions. I believe NWSSO can be used as a PKI to also issue long-term certificates, so you could have a global solution based on X.509 certificates. The external users would authenticate against the Secure Login Server to receive their X.509 certificate.
OK, so the external users log on to the server that has the Secure Login Server installed (through the srmsus URL), but how do these users receive the X.509 certificate? If the server does not have the external users mapped on the AD, how does the server generate the X.509 to validate and send it to the external users?
Thanks a lot.
David
Hi all, I am a colleague of David and I am continuing the implementation of the SSO between SRM and SUS.
Just to summarize, as David says, we are willing to configure the access to the SRM BSP through HTTPS for external users and then redirect them to the SUS system through NWBC with asking them password authentication between SRM and SUS.
For understanding: the external users will connect to the BSP from the internet (HTTPS) and be authenticated with a user created in ABAP (client 600). This user should be able to log on to the link provided in the customized menu without user/password to access the NWBC connected to SUS (client 800).
The user will have the same ID in both clients (600 and 800).
We don't have Java; users created in SUS and SRM will not be maintained through Active Directory.
Is it mandatory to use SLC and SLS for that scenario?
Is it possible to just configure a trusted relation between the clients to allow BSP redirection to NWBC?
Thanks a lot in advance.
Denis