Skip to Content
avatar image
Former Member

Unify SSO (w kerberos auth.) for all SAP applications


we've succesfully implemented SSO authentication processes with our kerberos token for SAP Gui.

Now we'd like to unify the authentication process for all SAP applications, not only SAP Logon for SAP Gui.

Is there a way to have for example the Business Explorer tools like Query Designer to use SSO authentication? I couldn't find an option for that.

And is it possible to use Kerberos authentication when calling up the ICM addresses of our SAP systems? With SAP Portal it's no problem, we are already using that as a pre-authentication step with Logon tickets, but the ICM address itself without using the SAP Portal before doesn't offer SSO processes, am I right?

Thank you for your help.

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

2 Answers

  • Jan 12, 2015 at 12:44 PM

    Hi Nikolai,

    I'm not sure why you post this in Enterprise Portal section, while the Kerberos is working fine on EP...😉

    1. Well, usually EP is used as the integrator or entry for many other apps, hence trust is usually built in EP -> apps way.
    I mean, once EP recognizes you, every fellow (like ESS, SRM, BW...) on EP recognizes you.
    Or put it in another way, once EP recognizes you, every 'trusting' websites recognizes you.
    And usually this is done, as you know, by logon ticket.
    Notice the fact: you have to configure fellow to accept logon ticket - fellow still needs an authentication.

    But now seems you are having multiple entries.

    Then you have to ask every, as you called, SAP application, to accept kerberos token.
    And for this you should perhaps ask experts from every particular SAP application.

    2. I'm not sure what your point is here.
    What is the 'ICM address'? Are you referring to http://<hostname>:<httpport>/ ?
    If so, by default this is the J2EE start page and it does not require authentication.
    You can set a redirection in ICM so that access to J2EE start page goes to /irj .

    If I misunderstood your requirement, please let me know more details.ℹī¸

    BR, Tom

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member

      Oh, did I? Sorry for that, wasn't supposed to be posted there.

      First let me thank you for your response 😉

      Enterprise Portal is working fine, no problems here. We activated SNC on our SAP Systems and we use SAP Secure Login Client with our kerberos token from our domain for authentication via SAP Logon to SAP Gui. What I wanted to know was what other applications do when you try to perform an authentication with them.
      What does the QueryDesigner do for example, does it use the data provided by Secure Login Client or is it always requesting a password.

      And what about access to web services ( without any EP in between ), would I have to enter a password or does it (somehow) get the data from SAP Secure Login Client and SAP Logon and log me on automatically?

      Actually I was asking for some experienced admins regarding multiple applications - but EP, that's not concerned.

  • avatar image
    Former Member
    Mar 19, 2015 at 03:02 PM

    Hey Nicolai,

    Did you end up using the SAP SSO solution or did you choose the Kerberos SSP? We're doing a cost/benefit analysis with each solution and wanted to learn how you guys came to the decision and what the business user feedback was on the SSO.

    Did you consider other methods (x.509, SAML)?


    Add comment
    10|10000 characters needed characters exceeded