Former Member
Jun 04, 2012 at 09:13 AM

SPNego SSO & NW7.3 AS Java

Hi experts,

We have a problem with SSO SPNego in NW BI 7.3 Web AS Java as described below.

Description about the current situation:

- We have SPNego configured on BI7.3 Web AS Java

- The NW BI7.3 Web AS Java Portal is using ABAP as UME datasource.

- Users that have the same Windows Logon-ID and SAP User-ID are able to log in without problems. SSO works.

- Usernames in ABAP and Active Directory are not always the same. If the principal name of the Windows Logon-ID is not equal to the SAP User ID in SU01, SSO doesn't work. Example:

ABAP user name is "G.SCHUSTER", AD logon is "g.schuster" - SSO works fine.

ABAP user name is "D.KUMAR", AD logon is "dharmendra.kumar" - SSO doesn't work.

- ABAP is already using Single Sign On and therefore the SNC field (PNAME) in ABAP for each user is maintained with the logon name in AD. Example:

ABAP user name is "G.SCHUSTER", AD logon is "g.schuster" and the SNC field is g.schuster(at)DOMAIN.COM

ABAP user name is "D.KUMAR", AD logon is "dharmendra.kumar" and the SNC field is dharmendra.kumar(at)DOMAIN.COM

Current SPNego configuration:

User Mapping:

Mapping Mode: Principal only

Source: Logon-ID

Current Authentication Stack (Template spnego):

| Login Module Name | Flag | Options of login module | Value |
|---|---|---|---|
| EvaluateTicketLoginModule | SUFFICIENT | ume.configuration.active | true |
| SPNegoLoginModule | OPTIONAL | com.sap.spnego.jgss.name | j2ee-bi@DOMAIN.COM |
| | | com.sap.spnego.jgss.name.type | 1 |
| | | com.sap.spnego.uid.resolution.attr | krb5principalname |
| | | com.sap.spnego.uid.resolution.dn | dn |
| | | com.sap.spnego.uid.resolution.mode | simple |
| CreateTicketLoginModule | SUFFICIENT | ume.configuration.active | true |
| BasicPasswordLoginModule | REQUISITE | ume.configuration.active | true |
| CreateTicketLoginModule | REQUISITE | ume.configuration.active | true |

Possible solution:

Also the user data SNC name (ABAP field "PNAME") should be handed over from ABAP (user datasource) to Java.

The easiest option would be if we could use/map the value of the SNC name in resolution mode with the SPNego config as follows:

Mapping Mode: Principal@REALM

Source: User Attribute

User Attribute: sncname

Please see the attached file.

Thanks for any hints, ideas, solutions in advance,

Gerd

Attachments

1_SSO_works.jpg (158.6 kB)
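A simplified model of the two mapping modes discussed in this post, run against the two accounts it names; this is an added example, not part of the original post and not SAP code. The `sncname` field, the dict-based user store and the rule that a duplicate match is rejected are assumptions made for illustration.

```python
# Simplified model of SPNego user mapping (not SAP code).
# Assumptions: user store is a list of dicts; "sncname" is a hypothetical
# attribute holding the Kerberos principal, as proposed in the post.

# Constructed user store built from the two accounts named in the post.
USERS = [
    {"logonid": "G.SCHUSTER", "sncname": "g.schuster@DOMAIN.COM"},
    {"logonid": "D.KUMAR", "sncname": "dharmendra.kumar@DOMAIN.COM"},
]


def _key(value, mode):
    """Normalise a name for comparison under the given mapping mode."""
    if mode == "principal_only":
        # Drop the realm; compare the user part case-insensitively.
        return value.partition("@")[0].lower()
    if mode == "principal_at_realm":
        # Keep the realm and compare it exactly as written.
        user, _, realm = value.rpartition("@")
        return (user.lower(), realm)
    raise ValueError("unknown mapping mode: %r" % mode)


def resolve(kpn, mode, source, users=USERS):
    """Map a Kerberos principal to a logon ID, or return None.

    mode:   'principal_only' or 'principal_at_realm'
    source: user-store field the principal is compared against
    """
    user, sep, realm = kpn.partition("@")
    if not (user and sep and realm) or "@" in realm:
        raise ValueError("expected user@REALM, got %r" % kpn)
    wanted = _key(kpn, mode)
    matches = [u["logonid"] for u in users
               if source in u and _key(u[source], mode) == wanted]
    # Fail closed: zero matches or more than one match means no logon.
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    for kpn in ("g.schuster@DOMAIN.COM", "dharmendra.kumar@DOMAIN.COM"):
        print(kpn,
              "| current config:", resolve(kpn, "principal_only", "logonid"),
              "| proposed config:", resolve(kpn, "principal_at_realm", "sncname"))
```

In this model the proposed mapping only works if every account carries a unique, correctly maintained principal in the attribute, so the duplicate check matters as much as the lookup.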