Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Read only

BPC SSO using Client Certificates

Former Member

on ‎2014 Mar 31 2:36 PM

0 Likes
3,134

I am planning on using client certificates to implement SSO with BPC 10.  Has anyone out there taken this approach?  Which document/video provieds the best guidance on how to do this?

Thanks in advance for any assistance

dennisb

Know the answer?

Help others by sharing your knowledge.

Answer

Need more details?

Request clarification before answering.

Show replies
Show replies

Accepted Solutions (0)

Answers (2)

Answers (2)

donka_dimitrova
Employee
Employee
‎2014 Apr 10 11:35 AM
0 Likes

Hello Dennis,

Please, find here the Security Guide for BPC 10 version for SAP NetWeaver:

https://websmp102.sap-ag.de/~sapidb/011000358700001239962013E

     ->Look at the chapter 5.2 Integration Into Single Sign-on Environment

Please, find here the Security Guide for BPC 10 version for MS platform:

https://websmp107.sap-ag.de/~sapidb/011000358700000470172011E

    -> Look at the chapter 5 User authentication process

I would like to let you know also that Single Sign-On with BPC 10 is easily possible in conjunction with the SAP NetWeaver Single Sign-On product (license required). This is about re-using the Windows Logon (Kerberos, SPNego).

You can find more details here: SAP NetWeaver Single Sign-On --> Single Sign-On with Kerberos

The implementation is described step-by-step in the How-To videos.

I hope this will help you to find the answers on your questions.

Best regards,

Donka Dimitrova

Show replies
Show replies
Former Member
‎2016 Aug 03 5:17 PM
0 Likes

This message was moderated.

ChrisGela
Participant
‎2014 Apr 09 1:55 PM
0 Likes

Hi Dennis,

Are you planning to use the BPC on Microsoft or Netweaver?

If you are planning to use BPC on NetWeaver you can follow the current SSO guides for NetWeaver on SDN.

e.g. :

I know with BPC 10 on NetWeaver there is also an Excel plugin, if you get SSO working with the SAP GUI, then the excel plugin will also work. (similar to Business analyser etc)

Kind Regards,

chris

Show replies
Show replies
tim_alsop
Active Contributor
‎2014 Apr 09 6:50 PM
0 Likes

Chris,

The Excel plugin (EPM add-in) for BPC 10 does not use SNC. It uses HTTP authentication with SAP password, or asks user for certificate.

Thanks

Tim

ChrisGela
Participant
‎2014 Apr 09 7:25 PM
0 Likes

Hi Tim,

Yes you're correct. If you configure the ABAP spengo (needed for http SSO) then EPM add-in will work with SSO.

Kind Regards,

Chris

tim_alsop
Active Contributor
‎2014 Apr 09 8:03 PM
0 Likes

Chris,

Are you sure it will ? Have you tried it ?

How do you stop EPM add-in from showing the Sign-On screen if you are using SPNEGO ?

Thanks

Tim

ChrisGela
Participant
‎2014 Apr 10 11:27 AM
0 Likes

Tim,

I have tried it.

See the screen shots here:

EPM-addin.pdf - Google Drive

I'm not sure what you mean by the sign-on screen. However, when testing Business explorer Analyzer or any of the Bex designers, a logon screen does pop up, but the password text is grayed out. You can log on without having to enter a password.

screen shots here: BusExplorer.pdf - Google Drive

Kind Regards,

chris

tim_alsop
Active Contributor
‎2014 Apr 10 11:32 AM
0 Likes

yes, BEX Analyzer works with SNC. This is not being discussed. We are discussing the EPM add-in used with BPC10.

I cannot access your PDF on Google Drive. When I click on the link it is not showing the PDF.

ChrisGela
Participant
‎2014 Apr 10 11:45 AM
0 Likes

Apologies, only mentioned BEX because thats the place I saw a popup.

I've attached the pdf's to the thread, hopefully you can access them now ...

(I've had to change the file extension to .text as this site does not allow .pdf - Please unzip first and then change the doc's to .pdf )

EPM-addin.text.zip
BusExplorer.text.zip
tim_alsop
Active Contributor
‎2014 Apr 10 12:37 PM
0 Likes

Thank you. I now have your PDF for EPM add-in. This is what we are discussing, since there are no doubts about BEx using SNC for SSO. I have therefore ignored your PDF for BEx.

In your PDF you show Connection being created and no Sign-On screen. This is not same as when I try... Maybe you can help me find out why.

Here's what I tried:

  1. I open excel
  2. I select EPM tab
  3. I press Log On button
  4. Screen opens allowing me to select a connection. I haven't created a connection yet, so I press ...
  5. On Connection Manager screen I press Create button
  6. I give the connection a name and put the URL into the Server URL field.
  7. I am unable to press OK on the Create Connection screen since OK button is greyed out. I therefore press the Connect button.
  8. When I press Connect button on Create Connection screen I am shown a Sign-On screen asking me for User Name and Password.

How does above differ from what you are doing ?

Thanks for your help.

Regards,

Tim

ChrisGela
Participant
‎2014 Apr 10 1:08 PM
0 Likes

Okay, I understand your issue better now.

Yes, you first need to connect before you can click Okay.

But for me, when I click connect, I do not get a popup.

Could you confirm that the web gui is correctly working for your BPC ABAP backend ?

You can do this by opening a browser and going to a this url :

e.g. : http://<hostname>:<port>/sap/bpc/

When I do this I get this in my browser:

But the important thing is there is no additional log on screen or prompt

e.g. a logon screen with a system that is not configured with ABAP HTML SPNEGO:

I hope this helps...

Kind Regards,

chris

tim_alsop
Active Contributor
‎2014 Apr 10 1:23 PM
0 Likes

Yes, when I access http://<hostname>:<port>/sap/bpc/ I am logged in. I configured SPNEGO in the SICF service at default_host/sap/EPM_BPC.

The info you have provided has given me a few ideas. I will do some more tests and get back to you soon. Thank you so far for your help.

@Dennis - sorry to take over your thread. Hopefully the info Chris has provided has given you what you needed ?

tim_alsop
Active Contributor
‎2014 Apr 10 7:40 PM
0 Likes

Chris,

I have made some progress, but still having some difficulty with the EPM add-in. I wondered if you could send me a fiddler trace showing the logon working so I can compare with my trace and check for differences ?

Thanks

Tim

Former Member
‎2014 Apr 11 5:15 PM
0 Likes

Hi Tim,

Yes I can confirm the SSO is working as soon as the SPNEGO is configured on server side.

In fact, when the logon screen switches to SSO mode (without prompting for a user/pwd), it only depends on the server configuration.

Each time the user selects a specific connection, the EPM Add-In sends a first request (without any authentication info) to the server in order to know which authentication methods it is compatible with.

And in the case the server returns the header "WWW-Authenticate: Negotiate", then it means the SPNEGO is active and the EPM Add-In won't prompt the user to enter credentials...

This is a valid scenario for EPM Add-In with BPC MS and NW.

To answer Dennis, I just would like to confirm it is also possible to use HTTP Cient Certificate authentication from EPM Add-In.

I guess you will find all the information you need in the documentation Donka has provided, but to summarize, when creating your BPC connection in the EPM Add-In, you just have to click on the check box "Client Certificate" and to click on the Button "Choose Certificate" in order to pick up a certificate.

When conneting to the server, you won't be prompted for entering credentials...

Hope it helps...

Best Regards,

David.

tim_alsop
Active Contributor
‎2014 Apr 11 6:35 PM
0 Likes

David,

I have noticed that when using SPNEGO for EPM add-in authentication, there is no MYSAPSSO2 cookie issued, but instead a SAP_SESSIONID cookie is issued. Is this SESSIONID cookie being used instead of the SSO2 cookie ? I noticed that when using Basic Authentication instead of SPNEGO there is a MYSAPSSO2 cookie used.

Thanks

Tim

former_member395983
Participant
‎2015 Jul 07 3:37 AM
0 Likes

Hi Christopher,

Can you please help me on how you implemented SSO in your EPM add-in? We don't have enterprise portal that's why I cannot use that documentations in implementing SSO for our EPM add-in.

Do you have documentations that can help me do it step by step? I'm confused on all the documentations I'm seeing in forums

Really appreciate if you can help me on this.

Thank you and have a good day ahead.

Regards,

Jenilyn

ChrisGela
Participant
‎2015 Jul 07 10:25 AM
0 Likes

Hi Jenilyn,

We got SSO EPM-in to work using SAP NW SS0 2.0

NW SSO 2.0 will require a seperate license - please contact your SAP account manager for more information.

NW SSO 2.0 basically allows SSO for GUI and web html access. Because the EPM-addin for EXCEL uses an HTML connection, you will need to implement NW SS0 2.0.

(Hence all the links on this thread point o NW SSO 2.0 documentation.)

Let me know if you have further questions...

Kind Regards,

chris

former_member395983
Participant
‎2015 Jul 08 5:44 AM
0 Likes

Hi Chris,

Thanks for your response. What if we don't want to buy license for SSO 2.0? Is there any other way to implement SSO for EPM add-in? We are using SSO Kerberos on our other systems.

Thank you again.

Regards,

Jenilyn

former_member395983
Participant
‎2015 Jul 08 6:44 AM
0 Likes

Hi David,

Can you please help me on how you implemented SSO in your EPM add-in? We don't have enterprise portal that's why I cannot follow the documentation from SAP. Do you have documentations that can help me do it step by step? I'm confused on all that I'm seeing in forums.

Really appreciate if you can help me on this.

Thank you and have a good day ahead.

Regards,

Jenilyn

tim_alsop
Active Contributor
‎2015 Jul 08 7:11 AM
0 Likes

Jenilyn

You can implement SSO for BPC 10 and EPM add-in without buying SAP SSO 2.0 license. You can instead buy a different product. It is not possible to implement this for free unless you use a portal and require users to logon to portal, login to BPC Web and launch Excel from the link provided. Of course, it is much better if the end user just opens Excel and logs into BPC without needing any additional credentials or needing to login to portal.

Thanks

TIm

former_member395983
Participant
‎2015 Jul 08 7:22 AM
0 Likes

Hi Tim,

Thanks for your quick response. The thing here is we don't want to buy license for SSO that's why we used SSO Kerberos for our other systems. Where can I see how much is the SSO license? do you have any idea?

For enterprise portal, we just have AS ABAP and don't have AS Java so we also cannot implement it.

Can I have a copy of your documentation for implementing SSO 2.0? Really appreciate your help.

Thank you so much.

Regards,

Jenilyn

donka_dimitrova
Employee
Employee
‎2015 Jul 08 7:25 AM
0 Likes

Hello Jenilyn,

Pricing topics are not discussed in the forum. Please, get in contact with your SAP Account Executive or the SAP office in your area.

Please, find also the link to the documentation for SAP Single Sign-On 2.0 here: SAP Single Sign-On 2.0 – SAP Help Portal Page

Regards,

Donka Dimitrova

tim_alsop
Active Contributor
‎2015 Jul 08 7:26 AM
0 Likes

Hi

The price of SSO products which are designed for use with SAP applications are listed on SAP Store (http://store.sap.com). The SAP SSO 2.0 product is listed as well as others that are SAP certified.

As far as I know, all products listed support Kerberos for use with BPC and don't require AS JAVA.

Thanks

Tim

former_member395983
Participant
‎2015 Jul 08 7:39 AM
0 Likes

Thanks Donka for your response. I will check on this.

former_member395983
Participant
‎2015 Jul 08 8:05 AM
0 Likes

Thanks Tim. I will check how hard is the implementation of Enterprise Portal.

Ask a Question