Former Member

How to find which SSO method is used in the system

Dear Gurus,


We have a NW Java Enterprise Portal 7.00 SP20 system, and its UME is LDAP.
SSO was configured around the year 2011 (but we are not sure which method was used).
As soon as the URL is pasted into the browser we are able to log in to the system without entering the uid/pwd (it looks like SSO is configured, since it is taking the Windows login ID in the portal also).

But when we checked in the portal, the SPNEGO tabs are blank.

hostname:port/spnego ---> nothing configured (it is asking to enter service user name bla bla......)


So SPNego is not configured.

Is there any other way to achieve this without SPNego?

I guess by using a third party (SiteMinder or Quest or SAML); SAML might not be available to support on 7.00 SP20.

In the installed component list from the system I did not find SiteMinder or Quest or SAP-SSO related components.

If so, where can I get the configuration information, since I want to find out which SSO method is configured in the system?

Regards

RK

ruwng.png (7.5 kB)

3 Answers

  • Nov 03, 2017 at 09:14 AM

    1.

    You might see which method is used by checking the authentication stack.

    The SSO in NW AS Java is facilitated by ticket. Any ticket consists of logon modules.

    One might achieve SSO without SAML2 or SPNego.

    Secure Login for SAP Single Sign-On Implementation Guide

    Chapter "5.4.1 Overview of Login Modules Supported by SAP Single Sign-On 2.0"

    2.

    Please record the successful SSO logon with TSHW trace. Please do so with the Authentication template.

    More guidance about the usage of tshw in SAP notes

    1332726 - Troubleshooting Wizard

    1921472 - How to use the Troubleshooting Wizard for collecting traces using custom locations [VIDEO]

    3.

    In the trace, search for authentication stack or ticket.

    Then you will find the logon modules and can confirm which authentication mechanism implements the SSO.


  • Nov 05, 2017 at 03:26 PM

    0.

    For 7.0 SPS20 you need to install diagtool trace.

    1045019 - Web diagtool for collecting traces (for SAP AS Java 6.40, 7.00, 7.01, 7.02, 7.10, 7.11)

    1.

    This is SPNEGO authentication. I would have set the policy of the last CreateTicketLoginModule to OPTIONAL, but even like this it should create an SSO ticket.

    The authentication stack you display would implement an SSO logon. This depends, however, on the operating system where the browser client runs.

    In order for SPNego to work with Windows Vista, Windows 7 and Windows 2008 R2, one needs to apply the patches as described in this SAP note:

    1457499 - SPNego add-on

    2.

    Hence, it is possible for SPNEGO to work or not to work, depending on the client. Because there is no ClientCertificate module before the SPNEGO, the SSO will not be possible for the above-mentioned O.S. When the SSO ticket expires, no further SSO logon will be possible. This means that even for a new tab, logon credentials will be requested.

    Once one enters the user credentials, a new ticket will be created. It will last until the ticket expiration (or the closure of the browser, if that happens before the expiration).

    3.

    You might find more information about the SSO implementation here:

    2273981 - Configuring Authentication stacks for the J2ee Netweaver Application Server

    Login Modules

    For the policies please refer to page here...

    Login Module Configuration - Control Flags:

    4.

    About the implementation of SPNEGO please refer to these sources of information:

    968191 - SPNego: Central Note

    994791 - SPNego Wizard

    1488409 - New SPNego Implementation

    5.

    SSO with siteminder or Quest is not possible with NW AS Java. This is not a supported scenario.

    You might implement SAML2.0 but you do need a NW AS Java 7.2 to be your Identity Provider.

    More details you might find in the guide for the NW AS 7.0:

    https://wiki.scn.sap.com/wiki/display/Security/Step-by-Step+guide+for+SSO+from+MS+Sharepoint+2010+to+SAP+EP+7.0x

    in this collection of guides:

    Single Sign-On with SAML 2.0

    https://wiki.scn.sap.com/wiki/display/Security/Single+Sign-On+with+SAML+2.0


    • Former Member

      Thank you very very much for providing the detailed explanation!

      I am able to successfully log in to this portal from a Windows 7 client machine without entering uid/pwd.

      If my server is configured with SPNego, why am I getting the below screen?

      hostname:port/spnego ---> (it is asking to enter service user name bla bla......)

      Is it possible that SPNego configured using VA/configtool is not replicated at browser level as above?

      Regards

      VRK
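
Added example, not part of any post in this thread: a Python sketch of how the login-module control flags decide a logon over an AS Java authentication stack, and how the module that authenticated the user names the SSO mechanism, which is what the answers above suggest reading from the trace. The stack is constructed (the poster's screenshot is not reproduced here), and the rule that CreateTicketLoginModule succeeds only after an earlier module has authenticated the user is a modelling assumption.

```python
MECHANISM = {                                   # login module -> what it proves
    "EvaluateTicketLoginModule": "existing SAP logon ticket",
    "SPNegoLoginModule": "SPNego (Kerberos)",
    "ClientCertLoginModule": "X.509 client certificate",
    "HeaderVariableLoginModule": "HTTP header variable",
    "BasicPasswordLoginModule": "user ID and password (no SSO)",
}

# Constructed sample stack; not the stack from the poster's system.
SAMPLE_STACK = [
    ("EvaluateTicketLoginModule", "SUFFICIENT"),
    ("SPNegoLoginModule", "OPTIONAL"),
    ("CreateTicketLoginModule", "SUFFICIENT"),
    ("BasicPasswordLoginModule", "REQUISITE"),
    ("CreateTicketLoginModule", "OPTIONAL"),
]

def evaluate(stack, accepted):
    """Return (login_ok, mechanism, ticket_issued) for one request.

    accepted: names of modules whose credential the request carries and passes.
    Assumption: CreateTicketLoginModule succeeds only if an earlier module in
    the stack has already authenticated the user.
    """
    mandatory_ok, mandatory_seen, any_ok = True, False, False
    mechanism, ticket = None, False
    for module, flag in stack:
        if module == "CreateTicketLoginModule":
            ok = mechanism is not None
            ticket = ticket or ok
        else:
            ok = module in accepted
            if ok and mechanism is None:
                mechanism = MECHANISM.get(module, module)
        any_ok = any_ok or ok
        if flag in ("REQUIRED", "REQUISITE"):
            mandatory_seen = True
            mandatory_ok = mandatory_ok and ok
            if flag == "REQUISITE" and not ok:
                break                  # REQUISITE failure ends the stack
        elif flag == "SUFFICIENT" and ok:
            break                      # SUFFICIENT success ends the stack
    login_ok = mandatory_ok and (mandatory_seen or any_ok)
    return login_ok, (mechanism if login_ok else None), (ticket and login_ok)

if __name__ == "__main__":
    for creds in ({"SPNegoLoginModule"}, {"EvaluateTicketLoginModule"},
                  {"BasicPasswordLoginModule"}, set()):
        print(sorted(creds), "->", evaluate(SAMPLE_STACK, creds))
```

Feeding the function the module names and flags listed in a recorded authentication trace gives the same reading for a real stack.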

  • Nov 06, 2017 at 11:28 PM

    In order for SPNego to work with Windows Vista, Windows 7 and Windows 2008 R2, one needs to apply the patches as described in this SAP note:

    1457499 - SPNego add-on
