on 10-17-2014 1:45 AM
Hello,
How can we achieve SSO for SAPGUI with AD authentication when the SAP system resides in a separate domain and end users are logging in from a different domain? I have read that in order to accomplish this, we need to set up trust between the two domains. However, if setting up trust is not an option (due to security/various reasons), then is there any other workaround/option to accomplish single sign-on for SAPGUI? Does SAP provide any product to accomplish this? Or is there a 3rd party product that can provide this feature? I am looking more along the lines where the SAP system is hosted in a cloud and the SAPGUI users need to use SSO to log in to the system but without setting up trust between the domains.
Any help will be greatly appreciated.
Thanks
Sid
Hello Valerie,
I did check the implementation videos, however I was not clear on the domain part. The videos show only one domain whereas in my case, the SAP system will be hosted in a remote site (in a separate domain) and end users will be logging into SAPGUI from different locations (each location having a different domain). Are you suggesting this SSO is still possible without needing to set up trust between these domains if using SAP Single Sign-On 2.0 with Kerberos?
Thanks
Sid
Hi Sid,
Yes, exactly. There is no need for a trust between the domains. This is a very typical scenario of SAP Single Sign-On customers. In many cases the ABAP systems are in a different domain, or in no Windows domain at all. This is not a problem, as the authentication check is done offline. So the ABAP system does not need to have network access to the Active Directory managing the user.
Just give it a try as shown in the videos, it's very simple.
Best regards,
Christian
Hi Sid,
Like Christian mentions, the ABAP system and your client workstations do not need to be in the same domain.
Now if you have many domains for client workstations, you can either use a domain trust between the client workstation domains or configure SPNs and keytabs for each domain without the trust.
So for domain A you will need a service account Service-A, an SPN-A and a keytab-A created with the UPN or Service-A.
For domain B you will need a service account Service-B, an SPN-B and a keytab-B created with the UPN or Service-B and so on.
KR
Valerie
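The two replies above (the offline check and the one keytab entry per client domain) can be modelled in a few lines. This is an added example, not part of the thread and not SAP's or Microsoft's code: an HMAC stands in for Kerberos ticket encryption, and the realm names, keys and function names are constructed for illustration.

```python
import hashlib
import hmac
import json
import time

# Constructed sample keys. In a real setup each key is derived from the
# service account's password and stored in the keytab on the SAP server.
KEYTAB = {
    "DOMAIN-A.EXAMPLE": hashlib.sha256(b"constructed-secret-Service-A").digest(),
    "DOMAIN-B.EXAMPLE": hashlib.sha256(b"constructed-secret-Service-B").digest(),
}


def kdc_issue_ticket(realm, service_key, user, lifetime=300, now=None):
    """Model of one domain's KDC: seal a ticket with the service account key."""
    now = time.time() if now is None else now
    body = json.dumps({"realm": realm, "user": user, "exp": now + lifetime},
                      sort_keys=True).encode()
    tag = hmac.new(service_key, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def accept_ticket(ticket, keytab=KEYTAB, now=None):
    """Model of the server side: a purely local check, no call to any domain."""
    now = time.time() if now is None else now
    try:
        claims = json.loads(ticket["body"])
        realm, user, exp = claims["realm"], claims["user"], claims["exp"]
    except (KeyError, TypeError, ValueError):
        return None                      # malformed ticket
    key = keytab.get(realm)
    if key is None:
        return None                      # no keytab entry for this domain
    expected = hmac.new(key, ticket["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ticket["tag"]):
        return None                      # not sealed with that domain's service key
    if exp <= now:
        return None                      # ticket lifetime has passed
    return f"{user}@{realm}"


if __name__ == "__main__":
    t = kdc_issue_ticket("DOMAIN-B.EXAMPLE", KEYTAB["DOMAIN-B.EXAMPLE"], "sid")
    print(accept_ticket(t))              # accepted without contacting DOMAIN-B
```

The server accepts a ticket only when its keytab holds the key of a service account in the issuing domain, which is why adding a client domain means adding a keytab entry rather than a trust.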
Sid Q wrote:
Or is there a 3rd party product that can provide this feature?
Yes, there is a 3rd party product that can provide this feature.
Thanks
Tim