SSO between SUS and SRM

Former Member
0 Kudos

Dear experts,

I need your help because we are trying to configure the following scenario:

We have two clients in the same system. One client is SUS and one client is SRM. Our need is to log on to the SUS web part (service srmsus) and, once we are logged on to SUS, jump to NWBC on SRM without specifying the user and password; the user that we use to log on to SUS is different from the user mapped on the SRM.

Is this possible? Do you have any information about this?

We only have this system; we have no portal anywhere.

Thanks a million in advance

Best regards

David

Accepted Solutions (1)

Former Member
0 Kudos

Yes it's possible if you configure SSO so that it works independently in both clients. I don't think you can use the assertion ticket or security session from one client in another client, especially since the user account names are different. For example SPNEGO for ABAP (part of NWSSO), SAML or X.509 would work.

Former Member
0 Kudos

Dear Samuli,

I have checked the NetWeaver SSO on the PAM side, and it only works for Windows. Is that right? In the affirmative case, do you know another tool for Linux?

Thanks a million

Best regards

David

Former Member
0 Kudos

I mean that the Secure Server Login and the Secure Client Login only work on Windows (the tools to generate and configure the X.509 certificates).

Thanks, Samuli

David

Former Member
0 Kudos

Hi David,

Secure Login Server is available for all NetWeaver platforms, so also Linux.
Secure Login Client is only available for Windows and Mac OS X (2.0 SP03, release date 12.5.2014).
For Linux there is currently no client SSO solution available, sorry.

Best regards

Alex

Former Member
0 Kudos

Dear Alexander,

I have checked the requirements. If I am not wrong, the Secure Login Server is installed on the JAVA application server and the Secure Login Client is installed on the ABAP application server. Is that right?

In my case, both application servers are Linux. Do you know any solution for my case?

A lot of thanks

Best regards

David

Former Member
0 Kudos

SLS is installed on AS JAVA and SLC is installed on the client meaning the Windows PC. You could use SPNEGO for ABAP assuming you purchase NWSSO licenses and make sure your system meets the requirements (SP, kernel) for using SPNEGO for ABAP. SPNEGO for ABAP doesn't require anything on the client assuming the browser can handle the Kerberos authentication. Another option is to use SAML or even X.509 certificates.

Former Member
0 Kudos

Dear Samuli,

As I understood from the link below (in the 3rd video):

the SLC has to be installed on the ABAP application server. In my case, this is a Linux server, so I can't use the SLC.

Are you suggesting that I can use SPNEGO instead of SLC?

Forgive me, but I have no idea about this.

A lot of thanks

Best regards

David

Former Member
0 Kudos

I mean, do I have to install the SLC on every user's PC, or do I have to install the SLC on the ABAP application server?

Thanks, Samuli

Former Member
0 Kudos

SLC is installed on every PC. Yes, I'm suggesting SPNEGO for ABAP, SAML or X.509 certificates. You can have X.509 certificates with or without NWSSO.

Former Member
0 Kudos

Ahhhhh, OK. So if I understood properly, I can follow the link I provided above to configure the SSO with Secure Login, supposing, of course, that we already have an Active Directory server.

Do you think I am right?

Former Member
0 Kudos

Many thanks for your help, Samuli.

In the end, we are going to implement the Secure Login with X.509. We have been investigating, and for BSP and NWBC it is the best way we can follow.

Best regards

Former Member
0 Kudos

Dear Samuli,

I have another chance.

Right now, we need to perform the SSO for external users. I mean, the external users will access the srmsus service through the internet and they can jump to the SRM NWBC without credentials.

Do you have any idea? We have never implemented this scenario.

A lot of thanks

Best regards

David

Former Member
0 Kudos

As I wrote before, you will have to enable SSO separately for both. In the case of external users it comes down to security requirements and the number of external users. It might make sense to solve external users separately. In the case of NWBC, do you mean NWBC for Desktop (the native Windows client) or NWBC for HTML, the browser version? With NWBC for Desktop your choices are somewhat restricted; with NWBC for HTML you have more options.

Former Member
0 Kudos

Dear Samuli,

The external users will access/log on to SUS (through the web service srmsus, which is a BSP in SUS) and then the external users jump to the NWBC SRM HTML.

This jump will be possible through a link from the srmsus BSP to NWBC HTML in SRM.

Thanks a million

Best regards

David

Former Member
0 Kudos

I assume the external users aren't maintained in your AD? That rules out Kerberos. You are left with SAML and X.509 since you don't have a portal to issue the SAP Logon Tickets. How many external users are there? Do you have a PKI in your IT infrastructure that you could use to issue X.509 certificates for external users? I myself would use SAML since you could use the same implementation for internal and external users, no need for two parallel solutions. If SAP GUI for Windows or NWBC for Desktop is in the picture (for internal users) and SSO is a requirement, SAML isn't the recommended option, so you will end up with two parallel solutions. I believe NWSSO can be used as PKI to also issue long-term certificates, so you could have a global solution based on X.509 certificates. The external users would authenticate against the Secure Login Server to receive their X.509 certificate.

Former Member
0 Kudos

OK, so the external users log on to the server that has the Secure Login Server installed (through the srmsus URL), but how do these users receive the X.509 certificate? Because if the server does not have the external users mapped in the AD, how does the server generate the X.509 to validate and send it to the external users?

A lot of thanks

David

Former Member
0 Kudos

As long as the SLS is able to authenticate the external users with any of the supported methods, it will issue the X.509 certificate.

Former Member
0 Kudos

Do you know which methods we can implement or are supported by the Secure Login Server?

Many thanks

Best regards

David

Former Member
0 Kudos

For the list of supported authentication methods, see the NWSSO SLS implementation guide chapter 1.1.2.1.

0 Kudos

Hi all, I am a colleague of David and I am continuing the implementation of the SSO between SRM and SUS.

Just to resume, as David says, we are willing to configure the access to SRM BSP through HTTPS for external users and then redirect them to the SUS system through NWBC with asking them for password authentication between SRM and SUS.

For understanding, the external users will connect to the BSP from the internet (HTTPS) and authenticate with a user created in ABAP (client 600). This user should be able to log on to the link provided in the customized menu without user/password to access the NWBC connected to SUS (client 800).

The user will have the same ID in both clients (600 and 800).

We don't have Java; users created in SUS and SRM will not be maintained through Active Directory.

Is it mandatory to use SLC and SLS for that scenario?

Is it possible to just configure a trusted relation between clients to allow BSP redirection to NWBC?

Thanks a lot in advance.

Denis

Answers (0)