11/26/2021

Sap Webgui Sso

Symptom

The WebSEAL SSO solution for AS-Java is simple to configure and easily managed. The WebSEAL SSO solution for AS-ABAP, however, requires the use of the TAM Global Sign-On (GSO) Lockbox, as it does not allow for a method of SSO that is based on trust, except when using the SAP logon ticket.

2366776 - SAP CRM WebUI: Transaction WUISSO (Single Sign-On) or SMCRM runs only in Internet Explorer. Symptom: Even though the default browser has been set to Mozilla Firefox or Google Chrome, on accessing SAP CRM WebUI with transaction WUISSO or SMCRM, SAP CRM WebUI launches in.

Okta Cloud Connect lets you extend AD to SAP. With Okta, you can connect SAP to your AD using the Okta agent, and solve a multitude of login and user administration issues in a matter of minutes. No more password reset fiascos. No more profile synchronization challenges.

SSO is achieved through the use of PAS provided by SAP. PAS supports several types of external authentication methods, including X.509 certificates, NTLM, NTPassword, LDAP, HTTP and dynamic libraries (DLL). This SSO solution, using Sun ONE Identity Server, uses the DLL method for external authentication.

SPNego is configured for AS ABAP using the SAP Single Sign-On product, and single sign-on fails only for Fiori Launchpad. For example, single sign-on using SPNego for SAP GUI for HTML (Web GUI) works just fine, but for Fiori Launchpad it fails.

After opening a transaction or Web Dynpro app in a new tab and returning to the Fiori launchpad tab, a pop-up asking for credentials is displayed although:

  • SSO is configured correctly and was working before performing this action.
  • The security session cookie SAP_SESSION_<SID>_<CLIENT> is still valid and sent by the browser.

Looking closer at the pop-up asking for credentials, it shows that these are required by the frontend system but for the backend client.

This can happen under the following circumstances:

  • You are using the same web dispatcher to reach both the frontend (to run the FLP) and backend system (to run the transaction/web dynpro)
  • The client in the frontend system is different from the client of the backend system.


Environment

Product

SAP Fiori all versions

Keywords

sap-usercontext, sap-client, transaction, 'web dynpro', sso, 'security session', credentials, pop-up, fiori launchpad, webgui, webdynpro , KBA , CA-UI2-INT-BE , Please use CA-FLP-ABA , BC-CST-WDP , Web Dispatcher , Problem


About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP ONE Support launchpad (Login required).



Instead of using the user ID and password to access a service from the Web Application Server ABAP via HTTPS, it is possible to use a client certificate for authentication purposes.



Import the CA certificate into the SSL server Standard


Because a given user ID holds a certificate issued by a trusted CA, the CA's certificate must be imported into the SSL server Standard PSE via STRUST. Just click on the button highlighted by the red rectangle:



Once the certificate is loaded, just click the “Add to Certificate List” button (see “1” in red); the certificate will be displayed in the “Certificate List” section (see “2” in red):



Maintain the client certificate

It is necessary to map the client certificate to the actual user ID in the ABAP system. To do so, use transaction code SM30 and load the maintenance view “VUSREXTID”:



The “External ID type” is “DN”:




Click on the “New Entries” button to add the client certificate (DN) and map it to the existing user ID on the ABAP side:



Enter the External ID (the DN field of the client certificate) and the user ID (as created in transaction code SU01), then mark the “Activated” checkbox and save the entry. The information presented is:



There are cases where the length of the DN for the user ID exceeds the length of column EXTID in table USREXTID. This is not a problem: just use the button highlighted (red square) above to load the actual certificate. The system either stores the entire subject name in the database table or calculates a hash value (and stores the original subject name in a second database table).
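Because each activated DN entry decides which ABAP user a certificate holder becomes, the mapping table is worth reviewing after maintenance. The following is an added example, not part of the original page or of any SAP tool: it audits a constructed CSV export of the mapping entries, and the column names, the "X" activation flag and the sample rows are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export of the mapping view. The column names and the
# "X" activation flag are hypothetical, mirroring the fields described above.
SAMPLE = """ext_id_type,ext_id,user,activated
DN,"CN=Alice Example, OU=Finance, O=Example Corp, C=DE",ALICE,X
DN,"cn=alice example,ou=Finance,o=Example Corp,c=DE",BASISADM,X
DN,"CN=Bob Example, OU=IT, O=Example Corp, C=DE",BOB,
XX,"CN=Carol Example, OU=IT, O=Example Corp, C=DE",CAROL,X
"""


def normalize_dn(dn):
    """Loose comparison key: trims spaces around RDNs and ignores case.
    Audit heuristic only; it does not handle escaped commas and is not
    how the ABAP system itself compares DNs."""
    return ",".join(part.strip().casefold() for part in dn.split(","))


def audit_mappings(text):
    """Return a list of (issue, detail) findings for a mapping export."""
    findings = []
    users_by_dn = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        dn, user = row["ext_id"], row["user"].strip().upper()
        if row["ext_id_type"].strip().upper() != "DN":
            findings.append(("not-dn-type", user))
            continue
        if row["activated"].strip().upper() != "X":
            findings.append(("not-activated", user))
            continue
        users_by_dn[normalize_dn(dn)].add(user)
    # One certificate subject that resolves to several users is ambiguous
    # and deserves a manual review of who should own the mapping.
    for dn, users in sorted(users_by_dn.items()):
        if len(users) > 1:
            findings.append(("dn-maps-to-several-users", ",".join(sorted(users))))
    return findings


if __name__ == "__main__":
    for issue, detail in audit_mappings(SAMPLE):
        print(f"{issue}: {detail}")
```
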


Last but not least, profile parameter icm/HTTPS/verify_client must be set to 1 (if the system should accept the client certificate) or 2 (the use of client certificates is mandatory).



Test if the SSO is working

For testing purposes, I used the WEBGUI internet service (via HTTPS) to test if the SSO works (assuming that the WEBGUI was correctly set up in the system): https://<FQDN>:<HTTPS port>/sap/bc/gui/sap/its/webgui

The SM50 logon trace (SAP note 495911) shows the following:




You can read more about the use of X.509 certificates in AS ABAP in the SAP Help page.
