on 11-03-2017 4:08 AM
Dear Gurus,
We have a NW Java Enterprise Portal 7.00 SP20 system, and its UME is LDAP.
SSO was configured around the year 2011 (but we are not sure which method was used).
As soon as the URL is pasted into the browser we are able to log in to the system without entering the uid/pwd (it looks like SSO is configured, since it is taking the Windows login ID in the portal also).
But when we checked in the portal, the SPNEGO tabs are blank.
hostname:port/spnego ---> nothing configured (it is asking to enter service user name bla bla......)
So SPNego is not configured.
Is there any other way to achieve this without SPNego?
I guess by using a third party (siteminder or Quest or SAML); SAML might not be available to support on 7.00 SP20.
In the installed component list from the system I did not find siteminder or Quest or SAP-SSO related components.
If so, where can I get the configuration information, since I wanted to find out which SSO method is configured in the system?
Regards
RK
0.
For 7.0 SPS20 you need to install diagtool trace.
1045019 - Web diagtool for collecting traces (for SAP AS Java 6.40, 7.00, 7.01, 7.02, 7.10, 7.11)
1.
This is SPNEGO authentication. I would have set the policy of the last CreateTicketLoginModule to OPTIONAL, but even like this it should create an SSO ticket.
The authentication stack you display would implement an SSO logon. This depends, however, on the operating system where the browser client runs.
In order for SPNego to work with Windows Vista, Windows 7 and Windows 2008 R2, one needs to apply the patches as described in this SAP note:
2.
Hence, it is possible for SPNEGO to work or not to work; it depends on the client. Because there is no ClientCertificate module before the SPNEGO, the SSO will not be possible for the above-mentioned O.S. When the SSO ticket expires there will be no more possible SSO logon. This means logon credentials will be requested even for a new tab.
Once one enters the user credentials a new ticket will be created. It will last until the ticket expiration (or the closure of the browser if that happens before the expiration).
3.
You might find more information about the SSO implementation here:
2273981 - Configuring Authentication stacks for the J2ee Netweaver Application Server
Login Modules
For the policies please refer to page here...
Login Module Configuration - Control Flags:
4.
About the implementation of SPNEGO please refer to these sources of information:
1488409 - New SPNego Implementation
5.
SSO with siteminder or Quest is not possible with NW AS Java. This is not a supported scenario.
You might implement SAML2.0 but you do need a NW AS Java 7.2 to be your Identity Provider.
More details you might find in the guide for the NW AS 7.0:
in this collection of guides:
Single Sign-On with SAML 2.0
https://wiki.scn.sap.com/wiki/display/Security/Single+Sign-On+with+SAML+2.0
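Added example, not part of the thread and not SAP code: a simplified Python model of how JAAS control flags decide the outcome of a login module stack, covering the expired-ticket and password fallback cases mentioned above. The stack, the module behaviour and the user names are constructed for illustration and are not the poster's actual configuration.

```python
# Simplified model of JAAS control-flag evaluation (login phase only).
def _login(ctx_key):
    """Build a module that authenticates when the request carries ctx_key."""
    def module(ctx, state):
        if ctx.get(ctx_key):
            state["user"] = ctx[ctx_key]
            return True
        return False
    return module

def create_ticket(ctx, state):
    # Succeeds only if an earlier module already identified the user.
    if "user" in state:
        state["new_ticket"] = True
        return True
    return False

MODULES = {
    "EvaluateTicketLoginModule": _login("valid_ticket"),
    "SPNegoLoginModule": _login("kerberos_user"),
    "BasicPasswordLoginModule": _login("password_user"),
    "CreateTicketLoginModule": create_ticket,
}

# Constructed stack for illustration (assumption, not taken from the thread).
SPNEGO_STACK = [
    ("EvaluateTicketLoginModule", "SUFFICIENT"),
    ("SPNegoLoginModule", "OPTIONAL"),
    ("CreateTicketLoginModule", "SUFFICIENT"),
    ("BasicPasswordLoginModule", "REQUISITE"),
    ("CreateTicketLoginModule", "OPTIONAL"),
]

def evaluate(stack, ctx):
    """Return (authenticated, new_ticket_issued, trace of modules that ran)."""
    state, trace = {}, []
    required_ok, any_required, any_success = True, False, False
    for name, flag in stack:
        ok = MODULES[name](ctx, state)
        trace.append((name, flag, ok))
        any_success = any_success or ok
        if flag in ("REQUIRED", "REQUISITE"):
            any_required = True
            required_ok = required_ok and ok
            if flag == "REQUISITE" and not ok:
                break          # REQUISITE failure ends evaluation at once
        elif flag == "SUFFICIENT" and ok:
            break              # SUFFICIENT success ends evaluation at once
    authenticated = required_ok if any_required else any_success
    return authenticated, bool(authenticated and state.get("new_ticket")), trace
```

Calling `evaluate(SPNEGO_STACK, {"kerberos_user": "vrk"})` returns a three-entry trace showing which modules ran and which one ended the evaluation.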
Thank you very very much for providing the detailed explanation!
I am able to successfully log in to this portal from a Windows 7 client machine without entering uid/pwd.
If my server is configured with SPNego, why am I getting the below screen?
hostname:port/spnego ---> (it is asking to enter service user name bla bla......)
Is it possible that SPNego configured using VA/configtool is not replicated at browser level as above?
Regards
VRK
1.
You might see which method is used by checking the authentication stack.
The SSO in NW AS Java is facilitated by ticket. Any ticket consists of logon modules.
One might achieve SSO without SAML2 or SPNego.
Secure Login for SAP Single Sign-On Implementation Guide
Chapter "5.4.1 Overview of Login Modules Supported by SAP Single Sign-On 2.0"
2.
Please record the successful SSO logon with TSHW trace. Please do so with the Authentication template.
More guidance about the usage of tshw in SAP notes
1332726 - Troubleshooting Wizard
1921472 - How to use the Troubleshooting Wizard for collecting traces using custom locations [VIDEO]
3.
In the trace, search for authentication stack or ticket.
Then you will find the logon modules and will confirm what authentication mechanism implements the SSO.
Hi Milen Dontchef, thanks for the information.
Still we are unable to find the SSO method it is using.
Unfortunately we are still using AS Java 7.00 SP20,
whereas this note (1332726 - Troubleshooting Wizard) works only on 7.20 or above.
Below are the details from the authentication stack:
Can I get some info from the below?
Many Thanks
VRK
Hi VRK, the authentication stack tells the truth: SPNego is configured and active. Visual Admin and Config-Tool are the points of truth concerning authentication configuration.
So this is more kind of a "why does wizard not reflect the configuration" question. But I think this discussion does not make a lot of sense for a release that will be out of support in 8 weeks.
Regards,
Lutz
... it is clear why the SPNego is not working - the reason is the SPS. If it is lower than SPS23, then a patch should be applied (1457499 - SPNego add-on). I have explained this already yesterday.
The new SPNego implementation is part of the standard releases as of the Support Packages of NetWeaver 04S (7.00) SP23.
They do run with AS Java 7.00 SP20.
This means they do need to install the SPNego Add-On from this note: