
SAP IDM and ABAP SSO

JMorozowski
Active Participant
0 Kudos
376

I am doing some research on a solution that may or may not exist for our scenario.  At the moment we have several different ABAP backends that users log into (ECC, CRM, BW, SCM, SNC, etc.) and we are trying to find an "SSO" solution that will require the user to only log into one system through SAPGui and then be trusted to access the other systems that they are assigned to without having to log in separately to 3 or 4 different systems.  Is IDM something that would be useful for us?  I've read through much of the documentation, but am having trouble finding specific information on our scenario.  Any help would be greatly appreciated.

Regards,

Jon

Accepted Solutions (1)

tim_alsop
Active Contributor
0 Kudos

Hi

An IdM product would help you manage the identities in each of the systems, but would not help with authentication / SSO. You need to look at SSO solutions to help you. Any SSO product which is able to use the SNC interface for SAP GUI logon would allow you to log on to one system and then log on to other systems without re-authenticating.

Thanks,

Tim

Answers (2)

JMorozowski
Active Participant
0 Kudos

Tim and Michael,

Thanks for the info.  I should have also included in my original message that we are also looking into using SAML 2.0 as we have some systems that exist in different domains.  SAP Netweaver Single Sign On can also be used as an Identity Provider with SAML 2.0, correct?  I think I remember reading that you need to have either SAP Netweaver SSO or IDM in order to be able to use SAML.

Regards,

Jon

tim_alsop
Active Contributor
0 Kudos

Hi,

SAML 2.0 is supported in certain versions of NetWeaver, so you can use SAML to authenticate, but this is normally for web browser logon. You mentioned that you wanted to log on using SAP GUI, so SAML will not be useful there.

Also, it is worth mentioning that SAML support in SAP products is free, and you don't need to buy any software. If you want SAP GUI SSO then you need to choose an SSO product and buy licenses. The SAP NetWeaver SSO product is one of many products which will meet your needs, so I suggest you look carefully at the various solutions available for SSO with SAP GUI, and consider SAML for your web browser SSO needs if you like, or use other technology which is supported by NetWeaver.

Thanks,

Tim

tim_alsop
Active Contributor
0 Kudos

You can use Kerberos if the users are internal, when the users/systems are in different domains, so SAML is not the only technology which should be considered.

JMorozowski
Active Participant
0 Kudos

Tim,

Thanks again for the info. The need for SAML 2.0 and the scenario I described in my OP are sort of two different scenarios for us. I just noticed while looking through the SAML 2.0 documentation that you need to have either IDM or SSO installed in your landscape as an Identity Provider, so I figured that we might be able to kill two birds with one stone, since we need to use SAML 2.0 with our portals since they reside in different domains, but would also like to find a solution to allow SSO between our ABAP systems. Here is a link to the documentation that I referenced earlier. The section is 2.1 System Requirements.

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/c01e7a05-1956-2d10-53a9-9501c6b62...

Regards,

Jon

JMorozowski
Active Participant
0 Kudos

We are looking into using Kerberos as well. We are still in the exploratory phase, so we have not ruled anything in or out.

tim_alsop
Active Contributor
0 Kudos

Jon,

You can implement SAML for web browser logon, and this will require an IdP, and the IdP might be a SAP NetWeaver system, or Active Directory, or some other authentication server that supports the SAML protocol. This can be implemented, but you do not need to invest in an IdM product for this. It would be useful if you did, since managing identities is important, but I think you need to separate looking at IdM from your other requirements. The IdM, SAP GUI SSO and SAML SSO requirements are all separate and not dependent on each other.

Also, as I have mentioned, you don't need SAML just because you have multiple domains.

Thanks,

Tim

tim_alsop
Active Contributor
0 Kudos

Good - best not to rule anything out - it is a complex area and lots of options to consider.

Thanks,

Tim

Former Member
0 Kudos

Thanks for your reply Tim,

Now I'm wondering, where would I go to find the docs on configuring Web Dynpro ABAP apps to accept SAML tokens from a third party provider?  All I can find is docs on NW SSO and NW IDP and allied products.

Thanks.

tim_alsop
Active Contributor
0 Kudos

I suggest you open a new thread on an appropriate forum in SCN if you have a new question. This thread has already been marked as answered.

Former Member
0 Kudos

Look for "SAP NetWeaver Single Sign On", this will help.

IdM is "too much" for your requirement, although one may say it's a starting point.

http://scn.sap.com/community/netweaver-sso