Former Member

SAML based SSO in context of NWBC 4.0 Desktop

I set up NWBC for SSO via SAML2 (OKTA as identity provider) with the help of my infrastructure team.

The web HTML version of NWBC via IE works absolutely fine, including HTTP & HTTPS (with suggestions from Samuli Kaski on this forum).

However, the NWBC 4.0 PL12 desktop version is having issues. When I try the SAP system's SICF service URL, https://<ABAP AS>:44301/nwbc, in the connection settings, the NWBC screen goes through the SAML/IDP authentication successfully and then just hangs with a blank screen. Confirmed via Fiddler.

Set the trace level to VERBOSE and couldn't find anything that made sense to me in the trace files. I also set the parameter AllowTemporaryConnections to True in the NwbcOptions.xml.template file on my client side.

I checked the note # 1378659 - NWBC known issues & what to check when opening a ticket

The NWBC 4.0 PL12 is the latest version, the backend SAP_BASIS version is at NW 7.31 SP09 & the Windows version is Windows 7.

Any suggestions on this issue? Thanks in advance.

Thanks

Dhee


3 Answers

  • Best Answer
    Apr 11, 2014 at 06:10 PM

  • Former Member
    Apr 23, 2014 at 01:08 AM

    Hi Samuli,

    Sorry for the late reply. I missed your message somehow. We are at NW 7.31 SP08 AS Java. I did do a Fiddler trace.

    Via IE browser it works as expected and launches the HTML NWBC version.

    Via NWBC -

    http://<as abap hostname>:<icm port>/nwbc/TicketIssuer?required_abap_runtime_version=3.1.0&preferred_abap_runtime_version=3.5.0&nwbc_runtime_version=4.0&sap-nwbc-supportbits=0F&NWBC_avoidCache=173818189&sap-user=<username>&sap-client=300&sap-language=EN

    This is the first URL it hits from NWBC. That is the only difference; the rest is all similar to how it is in the IE browser.

    No errors or trace in defaulttrace of the portal.


    • Former Member Former Member

      Hi Suresh,

      At our company, I do not maintain the OKTA, but I did work with the admin who maintained it. What exactly are you looking to do? Is it for NWBC Client version or web version?

      You have to enable SAML 2.0 on the AS ABAP so it acts as the service provider and generate the metadata.xml file and import it on the OKTA IP settings. Not sure where exactly that is done.

      Once that is done, request a metadata.xml file from the OKTA identity provider and import it into the AS ABAP under SAML2 Config and Trusted providers. You would also need to provide the OKTA with the NWBC URL that you will be calling so the SAML insertion takes place.

      This is the high level setup. However, if you are having specific questions, let me know and I will try to answer.

      Enable the SAML2 service in SICF under /sap/bc/webdynpro/sap/saml2

      Procedure

      Start the SAML 2.0 configuration application (transaction SAML2).

      If you have never configured your system for SAML 2.0, the system displays the following message:

      Client <client_number> is not configured to support SAML 2.0.

      Choose the Enable SAML 2.0 Support pushbutton.

      Enter a name for the provider.

      Continue through the configuration wizard and enter data as desired.

      For more information, see Configuring AS ABAP as a Service Provider.

      Choose the Finish pushbutton.

      Activate the necessary Internet Communication Framework (ICF) services.

      To use the service provider, you must manually activate the following two ICF services:

      • /default_host/sap/public/bc/sec/saml2

      • /default_host/sap/public/bc/sec/cdc_ext_service


      Thanks

      Dhee

  • Former Member
    Jan 29, 2015 at 07:32 PM

    Hi Dhee,

    We are working to enable SSO on SAP NWBC Desktop version through SAML 2.0.

    Configured SAP ABAP as SP and OKTA is our identity provider. Below are the configuration steps taken already. But still, when we try to log in through OKTA to the NWBC Web version, SSO is not working. It lands us again on the authentication page.

    SAP ABAP on 731 SP07 release.

    Steps Taken:

    • Activated all required SICF SAML services.
    • Enabled SAML transaction in ABAP Server.
    • Uploaded metadata.xml file generated from OKTA in SAP and vice versa but still no luck.

    Please let me know if we are missing any configuration steps to be taken care from SP end?

    Thanks in Advance

    Sandeep


    • Former Member Brian O'Neill

      Hi Brian,

      Yes, I did resolve this error by entering the correct Default application path in the SAML2 transaction for the requested application.

      - Sandeep