Skip to Content
4
Former Member
Jun 11, 2012 at 02:12 PM

Supported ways of achieving SSO to NWBC?

490 Views

Hi,

I am currently investigating what possibilities exist for achieving Single Sign On to NWBC and important criteria is that it is supported by SAP.

As far as I can see this is not straightforward, and I'm finding it difficult to make a recommendation.

What are the experiences people have had providing SSO to NWBC?

Here are some thoughts I have about the alternatives.

Since NWBC uses HTTP as the base protocol, all authentication will have to use standard HTTP authentication mechanism.

(ref http://help.sap.com/saphelp_nw70ehp3/helpdata/en/4c/5bdec897817511e10000000a42189b/frameset.htm). This means SNC (use for SAP GUI SSO) is not a candidate.

In my case, the first application will be a custom NWBC cockpit, but the principles should be possible to apply for all NWBC usage.

There are already several SAP NW Portal with SPNEGO Kerberos in the landscape, so they can also be utilized for this purpose.

Alternative 1: Use SAML for authentication on ABAP AS

New versions on ABAP AS supports SAML as a service provider (ref. http://help.sap.com/saphelp_nw70ehp2/helpdata/en/4a/b6df333fec6d83e10000000a42189c/frameset.htm )

This requires that you have an SAML identity provider in your landscape. If you don't already have one, SAP NW Single Sign On 1.0 can be setup for this purpose (as far as I understand). (Not sure how well SAP NW ABAP AS works with Microsoft AD Federation Services)

Drawback of this alternative is that you need to have a SAML identity provider.

Alternative 2: Use X.509 certificate for authentication on ABAP AS

Requires the roll-out of a full-blown PKI solution. Big undertaking and not relevant in my case.

Alternative 3: Use error page configuration in ICF ABAP to redirect to a Portal for login and then back again

Same method as described in SSO to BSP.

Instead of custom developed JSP code on the portal, it is possible to use this partner software http://ecohub.sap.com/catalog/#!solution:trustbrokeradapter

(ref http://scn.sap.com/thread/1962162)

Drawback of this alternative is the custom or 3rd party solution required for redirecting back again after the portal login.

Alternative 4: Custom Single Sign On component on SAP NW Java which redirects to the NWBC

In this alternative, the url to the custom single sign on component is used in the NWBC client.

The custom single sign on component will be responsible to perform the authentication, before redirecting to the NWBC client.

We looked into this approach and had some problems due to url-encoding of parameters to the sso component.

(which could be solved by a hack)

The major drawback is the effort required for the customer single sign on component and that the portal now is a SPOF (single point of failure) for all NWBC usage.

Alternative 5: Integrate NWBC cockpit as an iView in the portal

In this alternative, the url to the portal is used in the NWBC client.

I'd prefer having one portal that is used for all NWBC uses, each cockpit/area with its own role.

(If you have other roles, they will also show up in NWBC. Not always what you'd like).

However, I don't see a suitable iView type for an NWBC component. You can use URL iView or one of the SAP integration iViews, but they are not tailored for NWBC usage.

Drawback is that you should have a new portal line and that you may experience problems when running NWBC in an iView (not sure if those problems would be supported).

Any advice and experience would be very welcome