Skip to Content
avatar image
Former Member

Kerberos SSO on SAP Mobile Platform

Dear Experts,

We have been trying to configure Kerberos as an SSO mechanism to access back-end resources through SMP, however, we have not been able to get this working. If you could give us pointers as to what we aren't doing right, it could help us resolve this faster.

We have a RESTful Web Service which needs to be accessed through Kerberos SSO for getting the back-end data. By going through the configuration parameters as mentioned in this link, we did the below steps:

  1. We associated the SMP Service user with a Domain User account. We set the SPN for this user as "HTTP/<SMP Server URL>", and assigned this user "Trust this user for delegation to any service (Kerberos only)" rights.
  2. In the Security Profile stack, we configured Authentication using AD/LDAP Authentication Provider(AP). This is followed by the Kerberos AP for SSO.
  3. We ran the below command on the system hosting SMP, and filled in appropriate values in the Kerberos AP.
    ktab -a <Service username>@<realm>:<password>

After configuring this, we went ahead and configured SSO at the connection level as mentioned in this link, by specifying the realm and SPN for the back-end (i.e. HTTP/<backend URL>) as service name.

Here, we have a confusion, that to configure SSO, we would need to uncheck "Internal" option in the Back-End connection definition. We typically keep this checked, as all our web services as exposed as Odata web-services on Integration gateway, which is an internal service to SMP. This would lead SMP to believe that the link provided in the back-end connection, which happens to be the Odata link on Integration gateway, as external. Now, we need to provide the Odata's namespace Security Profile authentication for SSO, as this doesn't accept Kerberos token generated for the Back-end the Odata is communicating with.

So we now tried setting Custom Cookies and Headers as an SSO mechanism as mentioned in the link, so that we can handle the headers once inside the custom coding part of the Odata web-service. However, we required more clarity on how to set app1Realm and app1Service attributes in the below configuration

${spnego.getTicket(app1Realm, app1Service)}

Hoping to find a relevant solution sooner.



Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

0 Answers