2008 Oct 07 4:48 PM
Hi All,
We are investigating the possibility for implementing SSO . We have workitems in workflow which then triggers a BSP application, this then prompts user for uname and pwd. We want user to be authenticated without logging in.
What would be the simplest and most standard approach ?
thanks,
2008 Oct 07 4:57 PM
For BSP applications, I assume a web browser is used to access the application, and for other applications SAP GUI will be used. What you are asking for is very common, and often asked on this forum. Can you confirm if the user logged onto worstation is logged onto an Active Directory domain account ? Also, can you mention what operating system your SAP systems are running on ? With this information I will explain to you the options available.
Thanks,
Tim
2008 Oct 07 4:57 PM
For BSP applications, I assume a web browser is used to access the application, and for other applications SAP GUI will be used. What you are asking for is very common, and often asked on this forum. Can you confirm if the user logged onto worstation is logged onto an Active Directory domain account ? Also, can you mention what operating system your SAP systems are running on ? With this information I will explain to you the options available.
Thanks,
Tim
2008 Oct 07 5:02 PM
Thanks for your reply.
Our Os is Windows NT.
And we are not looking to use SSO via active directory - do u think that wud be more feasible option ?
2008 Oct 07 5:53 PM
>
> Thanks for your reply.
>
> Our Os is Windows NT.
ok, then you can use the SNC libraries provided by SAP as it sounds like they will be what you need for SAP GUI SSO. For BSP pages you would use the SPNEGO login module from SAP, included in NetWeaver 2004 or 2004s.
>
> And we are not looking to use SSO via active directory - do u think that wud be more feasible option ?
Yes, very much. Any other approach would be insecure and problematic.
2008 Oct 08 11:26 AM
Do I still need to do the above if I want SSO without portal ? I am looking for very basic SSO, from R/3 to BSP..
I am technically an abaper, should I ask Basis to do the installations you mentioned ?
2008 Oct 08 11:38 AM
I recommend that you get your Basis team to implement this, and then your users will enjoy SSO benefits for both SAP GUI and also for Web access to your applications (including BSP applications).
Thanks,
Tim
2008 Oct 08 11:43 AM
Just before I close this question, I had one last bunch of questions to throw at you..
I actually dont want windows authentication i.e if a user is logged in the windows and then clicks the link, it should still ask for uname and pwd...But if a user logs into sap r/3 via SAP GUI for windows, then only the SSO ticket should be generated..
Is it feasible and what would be the basic requirements for that, so that I can give some pointers to our team
2008 Oct 08 11:48 AM
So, you want SSO but you don't want SSO This is confusing.
Is this correct:
1. User logs onto BSP application, and gets asked for userid and password
2. User logs onto SAP using SAP GUI and gets SSO
3. User logs onto SAP GUI and then logs onto BSP application from SAP GUI link, and gets authenticated without logging in again.
If above is correct, which userid and password do you want to use ? I assume you want to use Active Directory userid and password so that the user uses same login password for their workstation as they do when logging onto SAP applications.
I know how to implement all of above using third party software, but I am not sure if all of these requirements are possible using off-the-shelf functionality from SAP. I am especially not sure about option 3.
Thanks,
Tim
2008 Oct 08 12:31 PM
Yes,
We dont have portal, so we want the SSO cookie to be created only when user logs into SAP R/3 GUI.
So the only point of creating cookie should be SAP GUI, and further BSP visits from there should not ask for uname and pwd
And ideally we want to use SAP uname and pwd
2008 Oct 08 12:45 PM
I am not sure if it is possible to get SAP ABAP AS to issue an SSO2 ticket after a user has logged into SAP using SAP GUI. The approach I was suggesting instead, is to allow user to be authenticated to ABAP AS with the same secure method, regardless of whether they access it via browser or via GUI. This is what I have seen other customers do with similar requirements to yours.
Maybe somebody else can confirm if it is possible to issue an SSO2 ticket when a user is logged on via SAP GUI ? I cannot think technically how this might be possible, but I might be surprised ...
Thanks,
Tim
2016 Jul 18 11:45 AM
Hi Tim,
Tim Alsop wrote:
For BSP applications, I assume a web browser is used to access the application, and for other applications SAP GUI will be used. What you are asking for is very common, and often asked on this forum. Can you confirm if the user logged onto worstation is logged onto an Active Directory domain account ? Also, can you mention what operating system your SAP systems are running on ? With this information I will explain to you the options available.
Thanks,
Tim
I have a very similar requirement, as u mentioned,
Our user is logged on to Active Directory Domain Account and we are using Windows.
Can u please help me with the step by step process in order to achieve this requirement.
Below is my scenario:
We don't have an EP portal. We have created a BSP application that serves as a launchpad for various applications. Now once the user logs into the workstation and tries to use our application, they are prompted to enter their R3 user id password which is something they don't like.
1. Is it possible to use the application without entering username and password. (SSO functionality - here the domain user id is same as their R3 user id).
2. If at all they are prompted to enter their user id and password, then it should be their workstation user id and password.
Kindly guide.
2008 Nov 26 9:47 AM