on 02-02-2010 5:46 AM
Hi All,
We are in the process of implementing a SAML based SSO solution between a CRM system and a portal system.
In this scenario EP system will be the Identity provider and CRM system is going to be the Resource provider.
Issue -
For the same we have done the necessary settings in VA for CRM Portal as well as EP. Now the issue that we are facing is that when we are not choosing the option of fallback mechanism in VA, we are getting an error as below -
Stack trace of log message with ID "0017A47740080030000000EB0000381A00047E216937A9E8" written to trace
[EXCEPTION]
com.sap.security.core.server.saml.jaas.exception.SAMLLoginModuleException: com.sap.engine.services.security.exceptions.BaseUnsupportedCallbackException: <--Localization failed: ResourceBundle='com.sap.engine.services.security.exceptions.SecurityResourceBundle',..
On the other hand when we choose the fallback mechanism as 'User id and Password' then we don't get any error message, but the link that we want to access does ask for UID and PWD on accessing, hence the concept of SSO doesn't get implemented here.
Seems we are missing something here in configurations part.
Pls. do guide us for the same.
Regards,
Shailesh
Hi Shailesh,
For SAML 1.x, the AS Java cannot act as an identity provider. It can act as a destination site. See [Using SAML Assertions for Single Sign-On|http://help.sap.com/saphelp_nw04/helpdata/EN/94/695b3ebd564644e10000000a114084/frameset.htm].
For SAP NetWeaver AS Java 7.2 there is support for SAML 2.0. There are plans to support an identity provider as part of the SAP NetWeaver Identity Management solution.
-Michael
Hi Shailesh,
You can either use a third-party product to operate as an identity provider, or you wait until spring of 2010 for the arrival of the SAML 2.0 identity provider that SAP wants to release, according to a recent SAP Insider article.
Or you choose another authentication method....logon tickets, x509, kerberos, etc.
-Michael
Hi Shailesh
Could you please give me a hint, how you did manage to redirect un-authenticated requests from ABAP to JAVA?
We are using Kerberos on Java for a long time now, but cannot find a practical way to include JAVA SPNEGO as authentication layer only, when using ABAP Web.
- I don't like to communicate directly to JAVA and redirect / proxy everything from there to ABAP
- I don't like to put a Reverse Proxy in front of both and decide there which path to go on (in dependence of SAPSSO2 cookie existence)
- I'd like to communicate directly to ABAP, within ABAP check if already authenticated and if not => make a roundtrip to Java to fetch a SAPSSO2 cookie.
Any suggestions?
Martin
Hi experts,
I have one question now and will appreciate it if you can give me the answers.
I can be redirected to the destination URL.
But when I am redirected to the destination URL, it always pops up and I need to log on with user/password as the authentication.
I want to know if it is designed as demo as the right result? Or is there some config I need to do for the demo?
I am always using the default setting up for SAML SSO demo.
Thanks
Eric