2008 Nov 21 1:51 PM
Hi
I would like to know how SAP single sign-on can be configured for user domains not in the domain of the SAP server.
2008 Nov 27 9:19 AM
Dear Biswajit Chatterjee,
I think that everything has already been told in this thread:
[Alexander Kerwien|https://forums.sdn.sap.com/profile.jspa?userID=3493575] has mentioned the (technical) feasibility to implement your own SSO solution based on (various) available MIT Kerberos implementations.
[Tim Alsop|https://forums.sdn.sap.com/profile.jspa?userID=2090095] (and [me|https://forums.sdn.sap.com/profile.jspa?userID=167]) have informed you that [SAP is unable to provide support in such cases|https://service.sap.com/sap/support/notes/150380], advising you to consider using "SAP certified partner products". (Of course there is no warranty that this is error-free, but in case of problems you can contact the vendor and demand support).
[Frank Koehntopp|https://forums.sdn.sap.com/profile.jspa?userID=498087] has summarized this already. And he made you aware that it's up to you to decide which way you want to go. [Frank|https://forums.sdn.sap.com/profile.jspa?userID=498087] also has asked [Alexander|https://forums.sdn.sap.com/profile.jspa?userID=3493575] to post an SDN article describing his solution approach.
Good luck!
Wolfgang
2008 Nov 21 1:56 PM
Hi,
If the domain used to authenticate the user at workstation is a different domain to the domain used by SAP server, then the SAP server domain has to have a one-way trust with the user domain.
Is your SAP system on Windows?
Thanks,
Tim
2008 Nov 21 2:03 PM
Hi
Can you give the steps for configuration when the user domain and SAP server domain are different? Will the config be done in the single sign-on server or in the client Windows machine? Thanks
2008 Nov 21 2:07 PM
If your SAP servers are on UNIX, then you should use a third-party product from a SAP partner, since SAP do not provide SNC libraries for this functionality unless your SAP system is on a Windows Server.
For example, you can look at this solution: https://ecohub.sdn.sap.com/irj/ecohub/solutions/trustbrokersecureclient
The configuration required to support more than one domain is done between authentication servers (e.g. Active Directory). There is no special configuration required on client or SAP server to support this kind of requirement.
Thanks,
Tim
2008 Nov 21 2:13 PM
Hi
So where and what config needs to be done in single sign on server like Netweaver IDM?
2008 Nov 21 2:15 PM
Hi,
NetWeaver IDM is not a Single Sign-On server. It is a product which is used for identity management.
As I have explained, to support more than one domain when you are implementing SAP GUI SSO you need to setup a trust relationship between the domains, so that the domain used by the SAP server is trusted by the domain used for user authentication at the workstation where SAP GUI is installed.
Thanks,
Tim
2008 Nov 26 9:22 AM
You can use MIT Kerberos on the SAP server side (Unix) and MS Active Directory authentication on the client side (SAPGUI PC). Both Kerberos implementations work fine with each other; we have already implemented this SSO solution for a couple of customers.
Bye
Alexander
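Putting Tim's point (the trust is set up between the two AD domains) and Alexander's (MIT Kerberos on the Unix SAP server, AD on the SAPGUI client) together, here is an added example that is not from the thread: the krb5.conf on a Unix SAP application server whose service principal lives in the server's AD domain while users log on in a second, trusted AD domain. Realm names, host names and the keytab path are placeholders.

```ini
# Added example, not from the thread. MIT krb5.conf on the Unix SAP host.
# SAPSERVER.EXAMPLE = AD domain holding the SAP service principal (placeholder)
# USERS.EXAMPLE     = AD domain where SAPGUI users log on (placeholder)
[libdefaults]
    default_realm = SAPSERVER.EXAMPLE
    # let the libraries find domain controllers via DNS SRV records
    dns_lookup_kdc = true
    # keytab exported from AD for the SAP service account (placeholder path)
    default_keytab_name = FILE:/path/to/sap-service.keytab

[realms]
    SAPSERVER.EXAMPLE = {
        kdc = dc1.sapserver.example
        admin_server = dc1.sapserver.example
    }
    USERS.EXAMPLE = {
        kdc = dc1.users.example
    }

[domain_realm]
    # map host names to realms so that service and user principals
    # resolve to the right KDC
    .sapserver.example = SAPSERVER.EXAMPLE
    sapserver.example  = SAPSERVER.EXAMPLE
    .users.example     = USERS.EXAMPLE
    users.example      = USERS.EXAMPLE

[capaths]
    # direct cross-realm path: a client from USERS.EXAMPLE obtains a
    # cross-realm TGT for SAPSERVER.EXAMPLE with no intermediate realm
    # ("." means the two realms share keys directly)
    USERS.EXAMPLE = {
        SAPSERVER.EXAMPLE = .
    }
```

This file only tells the MIT libraries how to reach both realms; the one-way trust between the two AD domains that Tim describes must exist before a cross-realm ticket can be issued at all. With `dns_lookup_kdc = true` the explicit `[realms]` entries can be dropped if the DNS SRV records of both domains are resolvable from the SAP host.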
2008 Nov 26 10:41 AM
Alexander,
This may be true, but open source implementation of Kerberos (e.g. MIT code) is not always the best solution. Technically, it can be made to work, but there are also non-technical considerations which companies need to be made aware of. For example, if MIT code stops working when a change is made to SAP, or when Active Directory is upgraded, or when other changes are made, there is often no person/company to fix these issues and allow the customer to logon to their SAP systems again. However, with a vendor provided, supported product there is an agreement between the customer and the vendor to make sure that the essential support is available to help them with any issues they might discover. This is one important reason why SAP encourage their customers to use SAP certified solutions instead of unsupported solutions, such as the solution you are suggesting. Many customers of SAP have a policy where they will only implement products which have been certified by SAP. A certified product will have been tested to be sure it is reliable, and the vendor providing the solution will be able to help the customer should they find problems. It is also true that if SAP technical support are involved in working on any issues with a customer and they discover an unsupported solution they will ask the customer to remove the unsupported code to confirm if the problem still exists.
Also, vendor supplied SSO solutions based on Kerberos and using SNC provide essential added features which you would not get with open source Kerberos. This is not the correct forum to discuss these features, but I hope you can now appreciate that the solution required by a customer is sometimes more than the technology.
Thanks,
Tim
2008 Nov 26 12:13 PM
Sorry Tim,
To be honest, you should add in your message that you work for one of those vendors supplying SSO solutions.
>A certified product will have been tested to be sure it is reliable
That is absolutely not a foolproof warranty. We already had lots of problems with such certified products...
Regards,
Olivier
2008 Nov 26 12:21 PM
Olivier,
Why did you start your answer with "Sorry Tim"?
Anyway, if you have had issues with SAP Certified vendor products, then I suggest you discuss these issues with the vendor concerned. I am not familiar with your name, so I don't think we were the vendor you were referring to. Even if we were, I am sure there is a good explanation for any issues you have had. Anyway, the point I am trying to make clear for people reading this thread now, or in future is that there is no such vendor to help with issues when you are using MIT code. When using this kind of solution, there are exposures which the business using the software needs to be made aware of.
Thanks,
Tim
2008 Nov 26 2:39 PM
Guys,
while I am very much tempted to get a bag of crisps and just watch where this is going, I'm afraid this is not going to help the original question.
It is perfectly valid to discuss alternative solutions that do not involve any vendor supported products, in fact I'd enjoy a more detailed explanation of this (Alexander, how about a blog on that?).
My take is that there are probably many customers that will make the judgement that this is good enough for them, others will be more likely to rely on vendor supported products. We're all grown-ups here (I guess...) who can stand for our own decisions in life.
Ok, you can go on now...
Frank.
2008 Nov 27 8:26 AM
Hi Tim,
I don't know your company and I am not one of your customers.
I just think that you are a little bit too much trying to sell your products.
I don't think that it is the spirit of these community forums.
This is just my personal opinion. If the moderators are OK with this, continue as usual !
Subject closed for me.
Best Regards,
Olivier
2008 Nov 27 8:37 AM
Olivier,
Thank you for explaining your response. I am using SDN a lot and helping many SAP customers, and my experience is with SAP SSO and SNC, and particularly with Kerberos, since this is what my company does. My main objective is to provide answers to questions asked by SAP customers, and use the benefit of my experience from when I have been working with a large number of SAP customers over the last 8 years, helping them with their SAP security and SSO needs. I know that outside of SAP security forum there are a very large number of vendors who also use SDN forums to help SAP customers, but in SAP security forum there are very few, and perhaps this is why I "stand out"?
If anybody has issues with the way I respond to threads on SDN, they can report abuse by pressing the triangle icon, or they can contact me directly.
I don't plan to discuss this anymore on SDN since it is not related to the customer's requirement that this thread was opened for. The conversation has already been going on longer than it should.
Thanks,
Tim