SAP WebGUI SSO Implementation

SAP WebGUI SSO Integration

SAP WebGUI SSO Integration strengthens security for the SAP System and SAP Applications. Enabling SSOgen Single Sign-On for SAP NetWeaver Portal provides single-password, secure and seamless access to SAP NetWeaver Applications (both Java and ABAP), SAP Hana Cloud Applications, and SAP SaaS Applications such as Concur and SuccessFactors. SSOgen protects SAP on-premise applications using an SSO Client, and SAP Cloud (SaaS) Applications using the SAML protocol. Users log in to either the SSOgen Portal or the SAP NetWeaver Enterprise Portal, and then access both SAP on-premise and SAP Cloud applications without having to log in multiple times or remember multiple passwords. SSOgen offers free multi-factor authentication to further secure SAP authentication. SAP authorization still functions normally, as SSO is involved in the authentication process only. For instance, SuccessFactors login would be SSO enabled with multi-factor authentication, while internal SAP Applications are SSO enabled with Active Directory authentication.

The SSOgen Single Sign-On solution brings many benefits for end users. Users no longer have to remember multiple passwords for multiple applications, and they don't have to log in multiple times during a work day, which results in increased user productivity. SSO also reduces help-desk calls for password resets and lockout issues. SSO is not only mandatory for IT Security Audits, but also highly recommended as a part of SAP Security Best Practices to fight against cyber-crime and data theft.

How to enable SSO for SAP NetWeaver Portal?

SSO Configuration in SAP Portal 7.3 is simplified with SSOgen SSO Implementation. SSO Parameters in SAP need to be adjusted to read SSO Headers for authentication by adding HeaderVariableLoginModule in SAP NetWeaver SSO Configuration. For more information, please read SAP SSO Implementation Guide.

 

  1. Install a web server such as Apache Web Server so that SAP Applications are proxied through a web server.
  2. Configure the proxy rules in the web server to forward the traffic for the SAP context /irj to the backend SAP web servers:

    $ cat sap_proxy.conf

    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass /irj http://sap.example.com:8080/irj
    ProxyPassReverse /irj http://sap.example.com:8080/irj

    $

  3. Install SSOGEN – SSO Client in the web server to protect the web resources.
  4. Protect the SAP URI /irj.
  5. Stop the SAP J2EE Dispatcher and server services.
  6. Backup SAP_Engine_Install_Dir\ume\authschemes.xml.bkp to authschemes.xml and open it in a text editor to add an SSO scheme that reads the SSO user token from HTTP headers. OB_USER is the default header name for the SSO header in SAP; however, we recommend using SSOGEN_USER, which is available in SSOgen integrations by default.

    <authscheme-refs>
     <authscheme-ref name="default">
      <authscheme>SSO</authscheme>
      <authscheme>uidpwdlogon</authscheme>
     </authscheme-ref>
    </authscheme-refs>

    ..
    ..

    <authscheme name="SSO">
     <loginmodule>
      <loginModuleName>
       com.sap.security.core.logon.imp.HeaderVariableLoginModule
      </loginModuleName>
      <controlFlag>REQUISITE</controlFlag>
      <options>Header=SSOGEN_USER</options>
     </loginmodule>
     <priority>5</priority>
     <frontEndType>2</frontEndType>
     <frontEndTarget>com.sap.portal.runtime.logon.header</frontEndTarget>
    </authscheme>

  7. Enable the SSO logoff URL. Go to Administration interface >> System Administration >> System Configuration >> Configuration >> Direct Editing and add the logoff URLs:

    ume.logoff.redirect.url=http(s)://acme.ssogen.com/ssogen/ssologout
    ume.logoff.redirect.silent=false

  8. Update HeaderVariableLoginModule with the following variable:

    Module Name, Flag, Options
    EvaluateTicketLoginModule, SUFFICIENT, {ume.configuration.active=true}
    HeaderVariableLoginModule, OPTIONAL, {ume.configuration.active=true, Header=SSOGEN_USER}
    CreateTicketLoginModule, SUFFICIENT, {ume.configuration.active=true}
    BasicPasswordLoginModule, REQUISITE, {}
    CreateTicketLoginModule, OPTIONAL, {ume.configuration.active=true}

  9. Add HeaderVariableLoginModule for each application to support SSO:

    Launch Visual Administrator tool >> Choose Policy Configurations >> Authentication

  10. Restart the whole SAP System and SAP Applications.
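A configuration check for the setup above, added here as an example and not SSOgen or SAP code: because the SSO scheme logs in whoever the SSOGEN_USER header names, it reports when the proxy configuration does not discard a client-supplied copy of that header or reaches the backend over plain HTTP. The inputs are constructed copies of the fragments above; stripping with the mod_headers directive RequestHeader unset is an assumption, since this page does not say whether the SSOgen client already does it.

```python
import xml.etree.ElementTree as ET

# Constructed inputs that mirror the fragments shown in the steps above.
AUTHSCHEMES = """<authschemes>
 <authscheme name="SSO">
  <loginmodule>
   <loginModuleName>
    com.sap.security.core.logon.imp.HeaderVariableLoginModule
   </loginModuleName>
   <controlFlag>REQUISITE</controlFlag>
   <options>Header=SSOGEN_USER</options>
  </loginmodule>
 </authscheme>
</authschemes>"""

PROXY_CONF = """ProxyPreserveHost On
ProxyRequests Off
ProxyPass /irj http://sap.example.com:8080/irj
ProxyPassReverse /irj http://sap.example.com:8080/irj
"""

def trusted_headers(xml_text):
    """Header names that HeaderVariableLoginModule entries accept as the user ID."""
    names = set()
    for lm in ET.fromstring(xml_text).iter("loginmodule"):
        module = (lm.findtext("loginModuleName") or "").strip()
        if not module.endswith("HeaderVariableLoginModule"):
            continue
        for opt in (lm.findtext("options") or "").split(","):
            key, _, value = opt.strip().partition("=")
            if key == "Header" and value:
                names.add(value.strip())
    return names

def audit(xml_text, conf_text):
    """Return findings for an Apache proxy config that fronts header-based logon."""
    rows = [l.lower().split() for l in conf_text.splitlines()
            if l.split() and not l.lstrip().startswith("#")]
    findings = []
    if ["proxyrequests", "off"] not in rows:
        findings.append("ProxyRequests is not Off")
    for name in sorted(trusted_headers(xml_text)):
        # Assumption: stripping is done with mod_headers "RequestHeader unset".
        if not any(r[:3] == ["requestheader", "unset", name.lower()] for r in rows):
            findings.append(f"inbound {name} is not unset at the proxy")
    for r in rows:
        if r[0] == "proxypass" and len(r) > 2 and r[2].startswith("http://"):
            findings.append(f"{r[1]} reaches the backend over plain HTTP")
    return findings
```

Calling audit(AUTHSCHEMES, PROXY_CONF) returns the list of findings; the SAP HTTP port should additionally accept connections only from the proxy host, which a configuration file check like this cannot confirm.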

SAP SSO with LDAP Authentication

SSOgen supports authentication with many popular LDAP Directory Servers in the market today. With SSOgen, SAP can be SSO enabled with Windows Native Authentication – WNA (a.k.a Kerberos or Desktop Authentication or Zero Touch SSO) or SSO enabled with the following LDAP Directory Servers.

SAP WebGUI SSO with Active Directory Authentication

SAP WebGUI SSO with RadiantLogic Authentication

SAP WebGUI SSO with UnboundID Authentication

SAP WebGUI SSO with OpenDS Authentication

SAP WebGUI SSO with OpenDJ Authentication

SAP WebGUI SSO with CA Directory Authentication

SAP WebGUI SSO with IBM Directory Authentication

SAP WebGUI SSO with NetIQ Authentication

SAP WebGUI SSO with OpenLDAP Authentication

SAP WebGUI SSO with SLAPD Authentication

SAP WebGUI SSO with 389 Directory Server Authentication

SAP WebGUI SSO with Apache Directory Authentication

SAP WebGUI SSO with Oracle Unified Directory - OUD Authentication

SAP WebGUI SSO with Oracle Directory Server - ODS Authentication

SAP SSO Integration with other SSO Solutions

SSOgen supports SAML IDP v1, SAML IDP v2, OpenID Providers for Single Sign-On delegation to other SSO Solutions. With SSOgen, SAP Applications would be easily integrated with other SSO Solutions such as Okta, Oracle Identity Cloud Services – IDCS, OneLogin, Azure SSO, Azure ADFS, Microsoft ADFS, PingFederate, Shibboleth, OpenID Providers, and other popular SSO Solutions such as CA Siteminder, IBM Tivoli Access Manager, and Oracle Access Manager, and many more.

SAP and Okta SSO Integration

SAP and OneLogin SSO Integration

SAP and Shibboleth SAML SSO Integration

SAP and PingFederate SAML SSO Integration

SAP and Oracle Identity Cloud Services – IDCS Integration

SAP and Azure ADFS - Azure SSO Integration

SAP and Microsoft ADFS Integration

SAP and CA Siteminder SSO Integration

SAP and IBM Tivoli SSO Integration

SAP and NetIQ SSO Integration
