
Force to use SNC authentication via the web interface (UI5)

MikeB
Contributor
0 Kudos

In order to force users to use SNC, there is a parameter snc/accept_insecure_gui in RZ10 (SAP GUI). Once it is set to 0 or U, users are obliged to use SNC instead of the less secure password authentication method. However, this setting does not prevent the user from being able to authenticate with the password via the web interface (UI5):

https://%HOST_NAME%/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html

Which parameter in SNC/RZ10 is responsible for SNC-only authentication via the UI5 web interface? How can I disable password authentication via the web interface in favour of SNC?

Thanks.

patelyogesh
Active Contributor
0 Kudos

Hello Mike B.

Can you please let us know what your authentication setup is?

-Yogesh

MikeB
Contributor
0 Kudos

Hello Yogesh,
the primary one is snc/accept_insecure_gui = U, and it is sufficient for the SAP Logon authentication to force users to use SNC instead of a password, but the UI5 web interface ignores this setting.

patelyogesh
Active Contributor
0 Kudos

As per SAP: insecure logons are permitted on a user-specific basis, depending on the flag in the user master record.

MikeB
Contributor
0 Kudos

As far as I understand, snc/accept_insecure_gui = U is supposed to disable password authentication unless it is explicitly allowed by the GUI flag in the user master data (USRACL-GUIFLAG). My assumption works for the classical SAP Logon experience, but not for the web-based one (Fiori/UI5).

Is there any special/additional setting I have to bear in mind for the web authentication?

patelyogesh
Active Contributor

For the web you can use SAML 2.0.

You can use this as a reference: https://blogs.sap.com/2018/01/26/fiori-launchpadsso-made-easy-by-saml-2.0-with-adfs/

-Yogesh

Accepted Solutions (1)

NabiZamani
Contributor

I understood you want to disable Basic Authentication (user + pwd). Instead you want to force authentication via certificates. And you are talking about "web authentication" (browser). If I understood correctly, then please try the following:

  • go to transaction SICF
  • go to the node /default_host/sap/bc/ui5_ui5/ui2/ushell
  • press the glasses ("edit")
  • click "Logon Data"
  • Under "Procedure" choose what fits best
  • In case you choose "Alternative Logon Procedure"
    - scroll down to "Logon Procedure List (in Order of Execution)"
    - Adapt the list according to your requirements (i.e. remove the items you want to disallow, add new items, change the order)
    - save

That should work, unless the SICF node I mentioned above is the wrong one.

MikeB
Contributor
0 Kudos

Hi Nabi,

thanks for the manual, I tried to follow the steps, and after I select SICF / default_host / Logon Data / Required with SSL Certificate, I achieve the result that the system doesn't accept username & password authentication, but at the same time SNC doesn't work either, although in SAP GUI Logon everything is working.

Do you have any idea what I am missing in order to make SNC work in UI5 authentication?

Thanks.

NabiZamani
Contributor

Secure Network Communications (SNC) is not for browser security/authentication:

"SNC protection only applies to connections that use SAP protocols (dialog, RFC or CPIC) protocols. For internet protocols, use SSL for protection."

If you want to avoid Basic Authentication (user + password) then you could use certificates as I already mentioned (of course over SSL).

Best,
Nabi

MikeB
Contributor
0 Kudos

I checked the subject one more time, the issue is that SICF either completely allows or disables password authentication, while I need to be able to allow selected users to use passwords and the rest should be authenticated with certificates (aka an SNC-like auth experience).

NabiZamani
Contributor

You just added information that changes the context now. Anyway... Now, I understand you still have web based authentication, while most users should be allowed to authenticate via certificate only and some others should authenticate with basic authentication.

The more I think about it, the more I believe it's a little weird what you are trying to achieve... Maybe that's because you did not describe "why" you are trying to do this. I'd do the following:

  1. Disable password authentication in transaction SU01 for all the users for which you don't want to allow user + password login
  2. In SICF enable Certificate + Basic Authentication (the order is important)

Keep in mind that users with installed certificates will be authenticated via certificate by default. However, they could configure their browsers to ask for confirmation of which certificate to use or even not to use certs...
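
A way to verify the effective result of the two procedures above (the SICF "Logon Data" / Logon Procedure List change from the accepted answer, and the SU01 + "Certificate + Basic Authentication" ordering here) from outside the system. This is an added example, not code from the thread or from SAP: it sends an anonymous request, a request with user + password (Basic), and a request with a TLS client certificate to an ICF node and classifies the answers. The host, user, certificate path and URL are placeholders, the classification rules (401 with a `Basic` challenge means Basic Authentication is still offered, a 200 page containing `sap-system-login` means the system logon form is shown, 403 means the request was rejected) are my assumptions about NetWeaver behaviour, and the `fake_transport_factory` stand-in server is constructed so the script can be run offline.

```python
"""Probe which HTTP logon procedures an SAP ICF node actually accepts.

Added example, not from the thread. Assumptions: URL/user/cert paths are
placeholders; the status-code/body rules in classify() are assumptions
about NetWeaver replies; fake_transport_factory() is a constructed server.
"""
import base64
import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Reply:
    status: int
    headers: dict      # header names lower-cased
    body: str


# A transport maps (url, extra request headers, client-cert PEM path) to a Reply.
Transport = Callable[[str, dict, Optional[str]], Reply]


def urllib_transport(url: str, headers: dict, cert: Optional[str]) -> Reply:
    """Real transport: stdlib urllib with an optional TLS client certificate."""
    ctx = ssl.create_default_context()
    if cert:
        ctx.load_cert_chain(cert)  # PEM holding cert + unencrypted key (assumption)
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=15) as r:
            return Reply(r.status, {k.lower(): v for k, v in r.headers.items()},
                         r.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return Reply(e.code, {k.lower(): v for k, v in e.headers.items()},
                     e.read().decode("utf-8", "replace"))


def classify(reply: Reply) -> str:
    """Map an ICF reply onto the logon behaviour it reflects (assumed rules)."""
    www = reply.headers.get("www-authenticate", "").lower()
    if reply.status == 401 and "basic" in www:
        return "basic-auth-offered"      # "Basic Authentication" still in the list
    if reply.status == 401:
        return "challenge-other"         # e.g. Negotiate for SPNEGO
    if reply.status == 200 and "sap-system-login" in reply.body:
        return "system-logon-form"       # HTML logon form, password still usable
    if reply.status in (200, 302, 303):
        return "authenticated"           # launchpad, or a redirect into it
    if reply.status == 403:
        return "rejected"                # e.g. certificate required, none sent
    return f"unexpected-{reply.status}"


def probe_node(url: str, user: str, password: str, cert: Optional[str],
               transport: Transport = urllib_transport) -> dict:
    """Three probes against one node: anonymous, user+password, client cert."""
    basic = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {
        "anonymous": classify(transport(url, {}, None)),
        "password": classify(transport(url, {"Authorization": f"Basic {basic}"}, None)),
        "certificate": classify(transport(url, {}, cert)) if cert else "skipped",
    }


def password_logon_blocked(result: dict) -> bool:
    """True when no Basic challenge is offered and a password does not log on."""
    return (result["anonymous"] != "basic-auth-offered"
            and result["password"] not in ("authenticated", "system-logon-form"))


def fake_transport_factory(accepts_basic: bool) -> Transport:
    """Constructed stand-in for the server; not real NetWeaver output."""
    def fake(url: str, headers: dict, cert: Optional[str]) -> Reply:
        page = "<html>launchpad</html>"
        if cert:                                      # cert logon always works here
            return Reply(200, {"content-type": "text/html"}, page)
        if accepts_basic and headers.get("Authorization", "").startswith("Basic "):
            return Reply(200, {"content-type": "text/html"}, page)
        if accepts_basic:
            return Reply(401, {"www-authenticate":
                               'Basic realm="SAP NetWeaver Application Server"'}, "")
        return Reply(403, {"content-type": "text/html"}, "Forbidden")
    return fake


if __name__ == "__main__":
    # Placeholder URL; swap fake_transport_factory(...) for urllib_transport to probe a real host.
    url = "https://host.example/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html"
    for label, basic_on in (("before", True), ("after", False)):
        r = probe_node(url, "USER", "secret", "/path/client.pem", fake_transport_factory(basic_on))
        print(label, r, "password blocked:", password_logon_blocked(r))
```

Run it against the real system by passing `urllib_transport` (the default) instead of the fake, once with the /default_host change and once with the ushell node, to see at which level the Basic challenge actually disappears; the anonymous probe is the quickest indicator, because a `WWW-Authenticate: Basic` header means password logon is still reachable regardless of what SU01 says for individual users.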

MikeB
Contributor
0 Kudos

Thanks for the clarification, I actually performed the following steps:

  1. Set snc/accept_insecure_gui = U in RZ10.
  2. Disable GUIFLAG in SU01 via USRACL.
  3. Switched to SICF / default_host / Logon Data / Alternative Logon Procedure, and here I'm stuck.

There is a Logon Procedure List with 9 items:

  1. Logon Through HTTP Fields
  2. Logon Through SSL Certificate
  3. SAP Logon/Assertion Ticket
  4. SAP Assertion Ticket
  5. Basic Authentication
  6. SAP RFC Logon
  7. SPNEGO Authentication
  8. SAML Logon
  9. Logon Through Service Data

I tried different combinations of Logon Through SSL Certificate and Basic Authentication, such as:

  • just Logon Through SSL Certificate and Basic Authentication, the rest removed from the list
  • Logon Through SSL Certificate and Basic Authentication on top, the rest on bottom

and some other combinations, but none of them returned the wanted outcome.

Is there something important that I left out of focus?

Thanks.

MikeB
Contributor
0 Kudos

Hi Nabi,

I checked the subject one more time, and noticed that the password authorization can be blocked if I remove the following parameters:

  • Logon Through HTTP Fields
  • Basic Authentication

BUT, it works if I do it at the highest level: /default_host.

When I try to remove the Basic Authentication parameter on the /default_host/sap/bc/ui5_ui5/ui2/ushell level, I get a warning: «You have already activated the system logon» and the item is not removed from the list.

Do you know why it's impossible to remove the Basic Authentication parameter on the /default_host/sap/bc/ui5_ui5/ui2/ushell level?

Thanks.
