SSO2Generator with LDAP

Former Member
0 Kudos

Hello experts

I'm trying to configure SSO with SSO2Generator on SMP. Please find details below:

  • SMP3.0 SP08
  • Backend is an SAP Netweaver Gateway
  • The SSO technique for my application in the Cockpit is configured as SSO2
  • The application has a security profile composed by 2 authentication providers:
    • LDAP/AD
    • SSO2Generator
  • I'm testing my configuration through a REST client (postman)

I followed every single step of this guide


I'm able to authenticate and register a user, but when I try to request data I get an HTTP403 error

Here is my log

#2.0#2016-05-31 07:45:14.868#+0:00#DEBUG#RequestResponse###Serviceability#1464680714385329#110490f4-135e-4060-ae9a-e04868e6dfb0#swfm_ssogen#org.eclipse.virgo.web.enterprise.services.accessor.WebAppBundleClassLoaderDelegateHook:doFindApiClass#TESTSWFM1#######643###Exception occurred while trying to find class [com.sap.mobile.platform.server.proxy.core.handler.DirectProxy]. Exception message: com.sap.mobile.platform.server.proxy.core.handler.DirectProxy#

#2.0#2016-05-31 07:45:14.853#+0:00#DEBUG#RequestResponse###Other#1464680714385322#110490f4-135e-4060-ae9a-e04868e6dfb0#swfm_ssogen#sun.reflect.GeneratedMethodAccessor126:invoke#TESTSWFM1#######643###No SsoContext found.#

#2.0#2016-05-31 07:45:14.853#+0:00#DEBUG#RequestResponse###Serviceability#1464680714385324#110490f4-135e-4060-ae9a-e04868e6dfb0#swfm_ssogen#org.eclipse.virgo.web.enterprise.services.accessor.WebAppBundleClassLoaderDelegateHook:doFindApiClass#TESTSWFM1#######643###Exception occurred while trying to find class [com.sap.mobile.platform.server.proxy.core.handler.DirectProxy]. Exception message: com.sap.mobile.platform.server.proxy.core.handler.DirectProxy#

#2.0#2016-05-31 07:45:14.837#+0:00#DEBUG#RequestResponse###Other#1464680714385317#110490f4-135e-4060-ae9a-e04868e6dfb0#swfm_ssogen#sun.reflect.GeneratedMethodAccessor126:invoke#TESTSWFM1#######643###get SsoContext for configs: #

#2.0#2016-05-31 07:45:14.837#+0:00#DEBUG#RequestResponse###Other#1464680714385318#110490f4-135e-4060-ae9a-e04868e6dfb0#swfm_ssogen#sun.reflect.GeneratedMethodAccessor124:invoke#TESTSWFM1#######643###SsoConfiguration: %s#

#2.0#2016-05-31 07:45:14.837#+0:00#DEBUG#RequestResponse###Other#1464680714385320#110490f4-135e-4060-ae9a-e04868e6dfb0#swfm_ssogen#sun.reflect.GeneratedMethodAccessor124:invoke#TESTSWFM1#######643###No NamedCredential found for MYSAPSSO2#

#2.0#2016-05-31 07:45:14.837#+0:00#DEBUG#RequestResponse###Other#1464680714385321#110490f4-135e-4060-ae9a-e04868e6dfb0#swfm_ssogen#sun.reflect.GeneratedMethodAccessor126:invoke#TESTSWFM1#######643###No SSO2 token found.#

#2.0#2016-05-31 07:45:14.821#+0:00#DEBUG#RequestResponse###Other#1464680714385309#110490f4-135e-4060-ae9a-e04868e6dfb0#swfm_ssogen#sun.reflect.GeneratedMethodAccessor125:invoke#TESTSWFM1#######643###header: key=cache-control    value=no-cache#

#2.0#2016-05-31 07:45:14.821#+0:00#DEBUG#RequestResponse###Other#1464680714385310#110490f4-135e-4060-ae9a-e04868e6dfb0#swfm_ssogen#sun.reflect.GeneratedMethodAccessor125:invoke#TESTSWFM1#######643###header: key=postman-token    value=697db856-5ad6-bd1f-af63-805db9e3d668#

#2.0#2016-05-31 07:45:14.821#+0:00#DEBUG#RequestResponse###Other#1464680714385311#110490f4-135e-4060-ae9a-e04868e6dfb0#swfm_ssogen#sun.reflect.GeneratedMethodAccessor125:invoke#TESTSWFM1#######643###header: key=accept    value=*/*#

#2.0#2016-05-31 07:45:14.821#+0:00#DEBUG#RequestResponse###Other#1464680714385312#110490f4-135e-4060-ae9a-e04868e6dfb0#swfm_ssogen#sun.reflect.GeneratedMethodAccessor125:invoke#TESTSWFM1#######643###header: key=accept-encoding    value=gzip, deflate, sdch#

#2.0#2016-05-31 07:45:14.806#+0:00#INFO#RequestResponse###Other#1464680714385303#110490f4-135e-4060-ae9a-e04868e6dfb0#swfm_ssogen#sun.reflect.GeneratedMethodAccessor271:invoke#TESTSWFM1#######643###URL rewrite in SMP enabled?: true#

#2.0#2016-05-31 07:45:14.806#+0:00#DEBUG#RequestResponse###Other#1464680714385305#110490f4-135e-4060-ae9a-e04868e6dfb0#swfm_ssogen#sun.reflect.GeneratedMethodAccessor124:invoke#TESTSWFM1#######643###----Application Id sent from client is-------- swfm_ssogen#

#2.0#2016-05-31 07:45:14.79#+0:00#DEBUG#RequestResponse###Other#1464680714385297#110490f4-135e-4060-ae9a-e04868e6dfb0#swfm_ssogen#sun.reflect.GeneratedMethodAccessor125:invoke#TESTSWFM1#######643###Start handling request, using stream buffer size 65536 and inProxy Compression is false#

Forbidden No matched SSO credentials is found for not allowAnonymousAccess endpoint [swfm_ssogen]

Could you please help me?

Accepted Solutions (1)

Former Member
0 Kudos

Hey guys, I finally got a solution.

It was an issue related to the Control Flag of the LDAP/AD authentication provider. I set it up to "Sufficient" and this was generating the error. Changing the flag to "Required" (or other value) does the trick.

Is it a SMP bug?

nageshcaparthy
Product and Topic Expert
0 Kudos

Good...!!!

Looks like some configuration was missing. I have the flag set to Optional and it's working fine for me. Not a bug for sure.

Regards,

Nagesh

Answers (3)

nageshcaparthy
Product and Topic Expert
0 Kudos

Also ensure you see this: after importing the .p12 certificate, it is important to restart the SMP Server.

No matched SSO credentials is found for not allowAnonymousAccess endpoint

2015 08 09 01:56:22#+0200#ERROR#com.sap.mobile.platform.server.proxy.core.handler.DirectProxy##marvin#http-bio-8080-exec-6##b14f4cc4-1f50-443e-9e42-8641b5429b3f#com.sap.mit.sapsso2test#4f154ee6-a137-41b1-a585-3b9737bb0430#RequestResponse### Exception caught while trying to set  credentials for anonymous access com.sap.mobile.platform.server.proxy.core.handler.exception.AnonymousAccessException: No matched SSO credentials is found for not allowAnonymousAccess endpoint [com.sap.mit.sapsso2test].

This error is telling you that SMP was not able to produce a MYSAPSSO2 credential, which means that there is no credential available that could be attached by SMP. SMP will now block the request and respond with an HTTP 403 Forbidden error.

I had some cases where this was related to the use of a wrong certificate type. Certificate needs to be DSA encrypted. If you increase the security logging component to DEBUG you can find this log entry:

2015 08 09 01:56:22#+0200#DEBUG#com.sap.mobile.platform.server.foundation.security.providers.sso2generation.SAPSSO2GenerationLoginModule###http-bio-8080-exec-6##b14f4cc4-1f50-443e-9e42-8641b5429b3f#com.sap.mit.sapsso2test#4f154ee6-a137-41b1-a585-3b9737bb0430#RequestResponse###The algorithm of private key must be DSA. |

Regards,

Nagesh
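The two log excerpts in this thread (the question's `#2.0#`-prefixed SMP 3.0 trace lines and the older-format lines quoted in the answer above) carry the whole failure chain: no MYSAPSSO2 named credential, no SSO2 token, no SsoContext, and finally the AnonymousAccessException that becomes the HTTP 403. The script below is an added example, not SMP code or anything from this thread's participants: it parses both `#`-delimited formats with the standard library only, correlates entries by the request UUID, and maps the message fragments quoted on this page to a short diagnosis. The sample lines are copied from the thread except the last one, which is a constructed "clean" request with a placeholder message; the diagnosis texts are my summary of the hints given in this thread (DSA key, CN = SID, restart after .p12 import, LDAP control flag), not SMP documentation.

```python
import re
from collections import OrderedDict

UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")

# Message fragments quoted in this thread, mapped to a finding label.
SIGNATURES = [
    ("The algorithm of private key must be DSA", "private_key_not_dsa"),
    ("No NamedCredential found for MYSAPSSO2", "no_named_credential"),
    ("No SSO2 token found", "no_sso2_token"),
    ("No SsoContext found", "no_sso_context"),
    ("No matched SSO credentials is found for not allowAnonymousAccess endpoint", "anonymous_access_blocked"),
    ("Exception caught while trying to set credentials for anonymous access", "anonymous_access_blocked"),
]

# Hints assembled from the answers in this thread (assumption: they are the usual causes, not a complete list).
DIAGNOSIS = [
    ("private_key_not_dsa", "SSO2 signing certificate uses a non-DSA private key; SAPSSO2GenerationLoginModule requires DSA"),
    ("no_named_credential", "no MYSAPSSO2 credential was produced: check the .p12 import, that CN equals the SID (max 3 chars), "
                            "that SMP was restarted, and the control flag of any provider ahead of SSO2Generator "
                            "(a Sufficient provider stops the login stack before SSO2Generator runs)"),
    ("no_sso2_token", "no SSO2 token was attached to the backend request"),
    ("anonymous_access_blocked", "endpoint does not allow anonymous access and no SSO credential matched, so SMP answered HTTP 403"),
]


def parse_line(line):
    """Split one SMP trace line into timestamp, level, request id and message.

    Handles the SMP 3.0 '#2.0#<ts>#<tz>#<LEVEL>#...' format and the older
    '<ts>#<tz>#<LEVEL>#...' format seen in the answer's 2015 excerpt.
    """
    line = line.strip()
    if not line or "#" not in line:
        return None
    fields = line.split("#")
    if len(fields) > 4 and fields[0] == "" and fields[1] == "2.0":
        timestamp, level = fields[2], fields[4]
    elif len(fields) > 2:
        timestamp, level = fields[0], fields[2]
    else:
        return None
    request_id = next((f for f in fields if UUID_RE.match(f)), None)
    message = next((f for f in reversed(fields) if f.strip()), "")
    return {"timestamp": timestamp, "level": level, "request_id": request_id,
            "message": " ".join(message.split())}


def classify(message):
    """Return the set of finding labels whose signature appears in the message."""
    return {label for fragment, label in SIGNATURES if fragment in message}


def correlate(lines):
    """Group findings per request UUID, in first-seen order, counting ERROR entries."""
    requests = OrderedDict()
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry["request_id"] is None:
            continue
        rec = requests.setdefault(entry["request_id"], {"findings": set(), "errors": 0})
        rec["findings"] |= classify(entry["message"])
        if entry["level"] == "ERROR":
            rec["errors"] += 1
    return requests


def diagnose(findings):
    """Translate finding labels into the troubleshooting hints from this thread."""
    return [text for label, text in DIAGNOSIS if label in findings]


SAMPLE_LINES = [
    # Lines quoted in the question (request 110490f4-...):
    "#2.0#2016-05-31 07:45:14.79#+0:00#DEBUG#RequestResponse###Other#1464680714385297#110490f4-135e-4060-ae9a-e04868e6dfb0#swfm_ssogen#sun.reflect.GeneratedMethodAccessor125:invoke#TESTSWFM1#######643###Start handling request, using stream buffer size 65536 and inProxy Compression is false#",
    "#2.0#2016-05-31 07:45:14.837#+0:00#DEBUG#RequestResponse###Other#1464680714385320#110490f4-135e-4060-ae9a-e04868e6dfb0#swfm_ssogen#sun.reflect.GeneratedMethodAccessor124:invoke#TESTSWFM1#######643###No NamedCredential found for MYSAPSSO2#",
    "#2.0#2016-05-31 07:45:14.837#+0:00#DEBUG#RequestResponse###Other#1464680714385321#110490f4-135e-4060-ae9a-e04868e6dfb0#swfm_ssogen#sun.reflect.GeneratedMethodAccessor126:invoke#TESTSWFM1#######643###No SSO2 token found.#",
    "#2.0#2016-05-31 07:45:14.853#+0:00#DEBUG#RequestResponse###Other#1464680714385322#110490f4-135e-4060-ae9a-e04868e6dfb0#swfm_ssogen#sun.reflect.GeneratedMethodAccessor126:invoke#TESTSWFM1#######643###No SsoContext found.#",
    # Lines quoted in the answer above (older format, request b14f4cc4-...):
    "2015 08 09 01:56:22#+0200#ERROR#com.sap.mobile.platform.server.proxy.core.handler.DirectProxy##marvin#http-bio-8080-exec-6##b14f4cc4-1f50-443e-9e42-8641b5429b3f#com.sap.mit.sapsso2test#4f154ee6-a137-41b1-a585-3b9737bb0430#RequestResponse### Exception caught while trying to set  credentials for anonymous access com.sap.mobile.platform.server.proxy.core.handler.exception.AnonymousAccessException: No matched SSO credentials is found for not allowAnonymousAccess endpoint [com.sap.mit.sapsso2test].",
    "2015 08 09 01:56:22#+0200#DEBUG#com.sap.mobile.platform.server.foundation.security.providers.sso2generation.SAPSSO2GenerationLoginModule###http-bio-8080-exec-6##b14f4cc4-1f50-443e-9e42-8641b5429b3f#com.sap.mit.sapsso2test#4f154ee6-a137-41b1-a585-3b9737bb0430#RequestResponse###The algorithm of private key must be DSA. |",
    # Constructed line for a request with no findings (placeholder message, not a real SMP message):
    "#2.0#2016-05-31 07:50:01.100#+0:00#DEBUG#RequestResponse###Other#1464681001100001#0a1b2c3d-1111-2222-3333-444455556666#swfm_ssogen#sun.reflect.GeneratedMethodAccessor126:invoke#TESTSWFM1#######643###PLACEHOLDER: request completed#",
]

if __name__ == "__main__":
    for request_id, rec in correlate(SAMPLE_LINES).items():
        print(request_id, "errors=%d" % rec["errors"])
        for hint in diagnose(rec["findings"]) or ["no SSO2 failure signature seen"]:
            print("   -", hint)
```

Run it against an SMP trace after raising the security logging component to DEBUG, as the answer suggests; the interesting requests are the ones whose findings contain `no_named_credential` without `private_key_not_dsa`, because those point at the keystore, SID or login-stack configuration rather than the certificate's key type.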

Former Member
0 Kudos

Thank you all guys for replying

I found it was an issue with the certificate generation. I missed this step:

The common name (CN) in the certificate should match the SID of your system (in my case SMP)

I tested the scenario (System login + SSO2Generator) proposed in the guide SMP 3 Security - SAPSSO2 and it works fine! That means the certificate is OK and SMP is generating correct tickets toward the Gateway.

However, I have to replace System login with LDAP/AD, but if I do that I still get errors (I attach the full log file for completeness).

#2.0#2016-05-31 09:11:59.392#+0:00#ERROR#RequestResponse#403##Other#1464685918565473#7880ebe3-1598-4912-b3f5-2b83b2a31299#swfm_ssogen#sun.reflect.NativeMethodAccessorImpl:invoke0#TESTSWFM1#######655###Exception caught while trying to set credentials for anonymous access#

Are there specific LDAP configurations to make it work with SSOGenerator?


Here are a bunch of screenshots of my app config.

nageshcaparthy
Product and Topic Expert
0 Kudos

Hi,

Can you also share the SID details added in SMP and GW, please? Also ensure you have added the .p12 certificate to SMP and the .cer file to GW. Please share the screenshot of the certificate in SMP and GW.

It should not exceed 3 characters. The log shows "No SSO2 token found." Are you able to ping the application configured?

Regards,

Nagesh

NareshChittoor
Participant
0 Kudos

Hi Andrea,

Did you generate the SSO2 certificate through open source tools? Following that, it needs to be imported in the SMP Cockpit, and then the same cer* file needs to be uploaded to the NW server so that both servers trust each other.

Regards

Naresh

nageshcaparthy
Product and Topic Expert
0 Kudos

Hi Andrea,

Please check your SSO Mechanism and Authentication, and also ensure you have your AD and GW password similar, just in case:

Let me know how it looks.

Regards,

Nagesh