SAP BI: SAML and SSO with Kerberos together

former_member189724
Participant
0 Kudos
632

Hi, is it possible to have two SSO mechanisms?

We have already configured SSO with Kerberos.

Now we need SAML also for a special project. We have a VPN tool; with this tool it is only possible to connect over SAML.

Now the question is: is it possible to use both authentication types over the same web server (Apache Tomcat Standard)?

Accepted Solutions (0)

Answers (2)

former_member189724
Participant
0 Kudos

Hi, we have now configured SAML on the BI system, it works 🙂

Now I have another question: before we configured SAML we used 'SSO with Kerberos'.

Now it looks like only SAML is active for the web URLs (cmc, bi, opendocument).

I use the parameter sso.types.and.order but this is not working. The thing is, if the identity provider is not available, the logon with 'SSO with Kerberos' is not working… 😞

Is this normal, or is there another way so that both authentication types will work?

Regards, Stefan

BasicTek
Advisor
0 Kudos

Try to simplify: if you have set the sso.types.and.order to trustedmethod (SAML) then switch it to vintela; this should break SAML and allow Kerberos to work. If it doesn't, then you need to fix SSO https://apps.support.sap.com/sap/support/knowledge/preview/en/2629070. Once that works you should be able to set both separated by a comma; the SSO will try the 1st then 2nd, etc.

If vintela works then this may represent a bug or issue with the new SAML and would need further investigation.

-Tim

BasicTek
Advisor
0 Kudos

All our web applications support multiple SSO types as of 4.1 https://apps.support.sap.com/sap/support/knowledge/preview/en/2041379

However, we have only recently added some libraries to better assist in integrating with SAML 4.2 SP5 or later https://apps.support.sap.com/sap/support/knowledge/preview/en/1795949

SAML integration with trusted authentication is available before 4.2 SP2, but we had no libraries, so it falls on the customer/consulting to deliver the username to trusted authentication.

-Tim