Skip to Content
0

SSO with logon ticket through SNC enabled SAP GUI

Mar 11, 2017 at 12:02 AM

209

avatar image

Hello,

We have been using logon tickets from our portal to SSO into our ECC system. There is a requirement for an application to activate SNC on ECC, and setup SAP Win GUI with SNC parameters.

We did not find any blogs or SAP Notes as to the compatibility. Does the Logon ticket authentication from Portal to ECC still work, if we enable SNC on ECC/Win GUI?

thanks,

Sudhir

10 |10000 characters needed characters left characters exceeded
* Please Login or Register to Answer, Follow or Comment.

3 Answers

Sudhir Avirneni Mar 11, 2017 at 04:35 PM
0

I looked at this https://archive.sap.com/discussions/thread/1360538 answer from Tim Alsop, but does not directly answer the question.

Share
10 |10000 characters needed characters left characters exceeded
Christopher Leonard
Mar 15, 2017 at 11:56 AM
0

Hi - I don't believe there is any issue here. Logon tickets will use the System PSE (accessed via transaction STRUSTSSO2) and not the SNC PSE therefore there is no conflict between the two mechanisms. Remember SAP Single Sign On uses the same crypto library SAPCommoncryptolib that is used as standard in the ABAP server.

Regards,

Chris

Share
10 |10000 characters needed characters left characters exceeded
Carsten Olt Mar 15, 2017 at 09:31 PM
0

Hi, the SAP CommonCryptoLib must not be used in Single Sign-On scenarios without the need to acquire the SAP Single Sign-On 3.0 solution from SAP. Same applies for the "special" implementation and function-reduced variant SNC Client Encryption, where the same SNC library may be used on your ECC backend - but you are not allowed to combine SNC from client (SAP GUI) to server with SAP Login Tickets, even though it is technically possible to operate such a scenario. Not talking here about any other 3rd party SNC library implementation, not officially supported by SAP SE.

As soon as you drive SAP GUI with SNC, according to the standard, authentication should be done by standardized security token such as Kerberos Tickets or X.509 certificates.

See SAP Note 2117110: Recommendation to Replace SAP Logon Tickets with SAP Single Sign-On Solution.

Regards,

Carsten

Share
10 |10000 characters needed characters left characters exceeded