SAPGUI SSO with AD authentication - different domains

Former Member
0 Kudos

Hello,

How can we achieve SSO for SAPGUI with AD authentication when the SAP system resides in a separate domain and end users are logging in from a different domain? I have read that in order to accomplish this, we need to set up trust between the two domains. However, if setting up trust is not an option (due to security/various reasons), then is there any other workaround/option to accomplish single sign-on for SAPGUI? Does SAP provide any product to achieve this? Or is there a 3rd party product that can provide this feature? I am looking more along the lines where the SAP system is hosted in a cloud and the SAPGUI users need to use SSO to log in to the system but without setting up trust between the domains.

Any help will be greatly appreciated.

Thanks

Sid

Accepted Solutions (1)

Former Member
0 Kudos

Hi Sid,

There is no requirement to have your SAP systems in the same domain as your SAP GUI client domain to implement SAP SSO. You do not even need a trusted relation between both domains.

Did you check the implementation videos?

KR

Valerie

Former Member
0 Kudos

Hello Valerie,

I did check the implementation videos, however I was not clear on the domain part. The videos show only one domain whereas in my case, the SAP system will be hosted in a remote site (in a separate domain) and end users will be logging into SAPGUI from different locations (each location having a different domain). Are you suggesting this SSO is still possible without needing to set up trust between these domains if using SAP Single Sign-On 2.0 with Kerberos?

Thanks

Sid

Christian_Cohrs
Product and Topic Expert
0 Kudos

Hi Sid,

Yes, exactly. There is no need for a trust between the domains. This is a very typical scenario of SAP Single Sign-On customers. In many cases the ABAP systems are in a different domain, or in no Windows domain at all. This is not a problem, as the authentication check is done offline. So the ABAP system does not need to have network access to the Active Directory managing the user.

Just give it a try as shown in the videos, it's very simple.

Best regards,

Christian

Former Member
0 Kudos

Hi Sid,

Like Christian mentions, the ABAP system and your client workstations need not be in the same domain.

Now if you have many domains for client workstations, you can either use a domain trust between the client workstation domains or configure SPNs and keytabs for each domain without the trust.

So for domain A you will need a service account Service-A, an SPN-A and a keytab-A created with the UPN or Service-A.

For domain B you will need a service account Service-B, an SPN-B and a keytab-B created with the UPN or Service-B and so on.

KR

Valerie
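The replies above describe an offline check against one keytab per client domain. As an added example that is not part of the original posts and is not SAP's implementation, the Python model below shows why no trust or network path to Active Directory is needed. It assumes constructed realm names and passwords, and an HMAC stands in for Kerberos ticket encryption.

```python
import hashlib, hmac, json, time

def string_to_key(password, realm, account):
    # Stand-in for Kerberos string-to-key: the domain controller and the keytab
    # derive the same long-term key from the service account's password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + account).encode(), 4096)

# Constructed keytab on the SAP side: realm -> (SPN, key), one entry per client
# domain. The domains do not trust each other.
KEYTAB = {
    "DOMAIN-A.EXAMPLE": ("SPN-A", string_to_key("constructed-pw-A", "DOMAIN-A.EXAMPLE", "Service-A")),
    "DOMAIN-B.EXAMPLE": ("SPN-B", string_to_key("constructed-pw-B", "DOMAIN-B.EXAMPLE", "Service-B")),
}

def kdc_issue_ticket(realm, user, spn, service_key, now=None, lifetime=600):
    """Runs in the user's own domain; the SAP side never calls it."""
    now = time.time() if now is None else now
    body = json.dumps({"realm": realm, "user": user, "spn": spn, "exp": now + lifetime})
    tag = hmac.new(service_key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def server_accept(ticket, keytab=KEYTAB, now=None):
    """Offline check: consults only the local keytab, no network access."""
    now = time.time() if now is None else now
    claims = json.loads(ticket["body"])
    entry = keytab.get(claims.get("realm"))
    if entry is None:
        return None                      # no keytab entry for this domain
    spn, key = entry
    expected = hmac.new(key, ticket["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ticket["tag"]):
        return None                      # not issued with this domain's service key
    if claims["spn"] != spn or claims["exp"] < now:
        return None                      # wrong service or expired ticket
    return claims["user"] + "@" + claims["realm"]
```

Because acceptance depends only on the key held in the keytab, each keytab entry is a credential for its domain and needs the same protection as the service account password.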

Answers (1)

tim_alsop
Active Contributor
0 Kudos

Sid Q wrote:

Or is there a 3rd party product that can provide this feature?

Yes, there is a 3rd party product that can provide this feature.

Thanks

Tim

Former Member
0 Kudos

Tim,

Thanks for your response. I am not sure if the rules permit you to name the 3rd party product here. If they do, can you please let me know which one.

Thanks

Sid

tim_alsop
Active Contributor
0 Kudos

Sid,

Sorry, it is not possible to mention third party products on SCN forums.

I'm sure you know that you can click on somebody's business card to get contact details and details of who they work for. Then you can decide if you want to contact them or not.

Take care,

Tim