cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

how to find the which SSO method used in the system

former_member390209
Discoverer

on ‎11-03-2017 4:08 AM

0 Kudos

Dear Gurus,


We have NW Java Enterprise Portal 7.00 SP20 system, and its UME is LDAP,
SSO configured around in year 2011(but not sure which method used)?
as soon as the url is pasted into browser we are able to login to the system with out entering the uid/pwd, (looks SSO configured, since it is taking the windows login id in portal also)

But when we checked in the portal SPNEGO TABS are blank.

hostname:port/spnego ---> nothing configured (it is asking to enter service user name bla bla......


so SPNego not configured,

Is there any other way to achive this with out SPNego

i guess by using the third party (siteminder or Quest or SAML) , SAML might not available to support on 7.00 SP20.

In the installed component list from the system I did not find siteminder or Quest or SAP-SSO related components.

if so, where can i get the configuration information, since i wanted to find out which SSO method configured in the system?

Regards

RK

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (3)

Answers (3)

former_member189220
Active Contributor
‎11-06-2017 11:28 PM
0 Kudos

In order SPNego to work with Windows Vista, Windows 7 and Windows 2008 R2, one needs to apply the patches as described in this SAP note:

1457499 - SPNego add-on

Show replies
Show replies
former_member189220
Active Contributor
‎11-05-2017 3:26 PM
0 Kudos

0.

For 7.0 SPS20 you need to install diagtool trace.

1045019 - Web diagtool for collecting traces (for SAP AS Java 6.40, 7.00, 7.01, 7.02, 7.10, 7.11)

1.

This is SPNEGO authentication. I would have set the policy of the last CreateTicketLoginModule to OPTIONAL, but even like this should create SSO ticket.

The authentication stack you do display would have implement a SSO logon. This depends however of the Operating System where the browser client runs.

In order SPNego to work with Windows Vista, Windows 7 and Windows 2008 R2, one needs to apply the patches as described in this SAP note:

1457499 - SPNego add-on

2.

Hence, it is possible SPNEGO to works or not to work - depends on the client. Because there is no ClientCertificate module before the SPNEGO, then the SSO will not be possible for the above mentioned O.S. When the SSO ticket expires there will be no more possible SSO logon. This means even for a new tab will be requested logon credentials.

Once one enters the user credentials a new ticket will be created. It will last so far the ticket expiration (or the closure of the browser if it does happen before the expiration)

3.

You might find more information about the SSO implementation here:

2273981 - Configuring Authentication stacks for the J2ee Netweaver Application ServerLogin Modules

For the policies please refer to page here...

Login Module Configuration - Control Flags:

4..

About the implementation of SPNEGO please refer to these sources of information:

968191 - SPNego: Central Note

994791 - SPNego Wizard

1488409 - New SPNego Implementation

5.

SSO with siteminder or Quest is not possible with NW AS Java. This is not a supported scenario.

You might implement SAML2.0 but you do need a NW AS Java 7.2 to be your Identity Provider.

More details you might find in the guide for the NW AS 7.0:

https://wiki.scn.sap.com/wiki/display/Security/Step-by-Step+guide+for+SSO+from+MS+Sharepoint+2010+to...

in this collections of guides:

Single Sign-On with SAML 2.0

https://wiki.scn.sap.com/wiki/display/Security/Single+Sign-On+with+SAML+2.0

Show replies
Show replies
former_member390209
Discoverer
‎11-06-2017 3:40 PM
0 Kudos

Thank you very very much for providing the detailed explanation!

i am able to successfully login to this portal from windows 7 client machine with out entering uid/pwd

if my server is configured SPNego, why I am getting the below screen

hostname:port/spnego ---> (it is asking to enter service user name bla bla......

is this possible SPNego configured using VA/configtool is not replicating at browser level as above?

Regards

VRK

former_member189220
Active Contributor
‎11-03-2017 9:14 AM
0 Kudos

1.

You might see which method is used by checking the authentication stack.

The SSO in NW AS Java is facilitated by ticket. Any ticket consists of logon modules.

One might achieve SSO without SAML2 or SPNego.

Secure Login for SAP Single Sign-On Implementation Guide

Chapter "5.4.1 Overview of Login Modules Supported by SAP Single Sign-On 2.0"

2.

Please record the successful SSO logon with TSHW trace. Please do so with the Authentication template.

More guidance about the usage of tshw in SAP notes

1332726 - Troubleshooting Wizard

1921472 - How to use the Troubleshooting Wizard for collecting traces using custom locations [VIDEO]

3.

In the trace search for authentication stack or ticket

Then you will find the logon modules and will confirm what is the authentication mechanism that implements the SSO.

Show replies
Show replies
former_member390209
Discoverer
‎11-05-2017 1:19 PM
0 Kudos

Hi Milen Dontchef Thanks for information

Still we are unble to find the SSO method it is using

unfortunately we are still using AS Java 7.00 SP20

where this note (1332726 - Troubleshooting Wizard) works only on 7.20 or above

below are the details from authentication stack:

can i get some info from the below?

Many Thanks

VRK

LutzR
Active Contributor
‎11-08-2017 7:54 AM
0 Kudos

Hi VRK, the authentication stack tells the truth: SPNego is configured and active. Visual Admin and Config-Tool are the points of truth concerning authentication configuration.

So this is more kind of a "why does wizard not reflect the configuration" question. But I think this discussion does not make a lot of sense for a release that will be out of support in 8 weeks.

Regards,

Lutz

former_member189220
Active Contributor
‎11-08-2017 11:15 AM
0 Kudos

... it is clear why the SPNego is not working - the reason is of the SPS. If it is lower than SPS23, then a patch should be applied (1457499 - SPNego add-on). I have explained this already yesterday.

LutzR
Active Contributor
‎11-08-2017 4:37 PM
0 Kudos

well VRK kind of "complains" that some kind of SSO is working but he does not know which technology and wants to find out. SPNEGO is obviously configured and nothing else. And if they applied Microsoft Knowledge Base Article 977321 the old solution would still be working, wouldn't it?

former_member189220
Active Contributor
‎11-08-2017 6:22 PM
0 Kudos

The new SPNego implementation is part of the standard releases as of the Support Packages of NetWeaver 04S (7.00) SP23 .

They do run with AS Java 7.00 SP20

This means they do need to install the SPNego Add-On from this note:

1457499 - SPNego add-on

Ask a Question