
SAPGUI SSO via SAML2 (Oauth2.0) via Azure Active Directory

aoleary
Explorer
0 Kudos

Hi,

I have a customer that would like to implement SSO connections to the SAPGUI, via SAML2.

They don't want to use Kerberos.

I have seen how to set up SSO to SAP NetWeaver via Azure AD: https://blogs.sap.com/2019/10/17/single-sign-on-for-abap-engine-with-azure-active-directory-using-oa...

It's also mentioned here that SAPGUI SSO is possible: https://answers.sap.com/questions/12887384/enable-azure-active-directory-driven-single-sign-o.html, and also here: https://blogs.sap.com/2016/07/04/secure-login-web-client-slwc-future-proof-architecture-update/

And here: https://blogs.sap.com/2014/06/02/saml-20-and-sap-gui-single-sign-on-in-one-and-the-same-scenario/

A few questions:

1. The customer is buying the SSO3.0 package, but for the above scenario, do they still need the Secure Login Server ?

2. Also, I have not seen anywhere how we must configure the Logon Pad.

3. We need to implement SNC also, I presume. snc/identify/as should be set to the SID of the system, correct ?

Thanks in advance, for your help.

Kind regards,

Anthony

patelyogesh
Active Contributor
0 Kudos

Hello aoleary,

As you stated in your note sent by SAP, SAP GUI does not support SAML2.0 authentication.

To answer your questions:

1. The customer is buying the SSO3.0 package, but for the above scenario, do they still need the Secure Login Server ?

Although the above scenario is not achievable, you may still accomplish SSO for GUI by using SAP's SSO 3.0 software.

For more information please look at : A quick intro into SAP Single Sign On 3.0 | SAP Blogs

2. Also, I have not seen anywhere how we must configure the Logon Pad.

Please see the page below for complete GUI configuration instructions.

How to configure SAP NetWeaver Single Sign-On with certificates out-of-the box! | SAP Blogs

3. We need to implement SNC also, I presume. snc/identify/as should be set to the SID of the system, correct ?

You can use the same document as in the second question to answer this question.

Thank you

Yogesh

aoleary
Explorer
0 Kudos

Hi yogesh.patel3

Thanks for your reply.

I have implemented Kerberos-based SSO before, so I wanted to be sure about the possibility or not of SAPGUI SSO with Oauth2.0, before recommending the final solution to the customer.

One final thing, from my experience, for pure Kerberos-based SSO, I do not need the Secure Login Server, only the Secure Login Client installed on the users' desktop PCs.

https://blogs.sap.com/2017/07/27/sap-single-sign-on-authenticate-with-kerberosspnego/

Kind regards,

Anthony

former_member146669
Participant
0 Kudos

Hi aoleary,

I have been researching the same questions as you for a long time. I would say all the confusion came from the terms and wording, whose differences we weren't aware of. Let me try to summarize my understanding here:

  • "Web-based" SAPGUI (Webgui) SSO - can be implemented with SAML
  • "True" SAPGUI (SAP LOGON application) SSO - can only be implemented with Kerberos or X.509 certificate
    (and requires Secure Login Server (sorry, I'm still not 100% sure about this)...)
    However, Kerberos based SAPGUI SSO only works with environments using Local AD.
    For a pure Azure AD environment, Kerberos based SAPGUI SSO is NOT supported.

ref: My wish list for SAP Single Sign-On 4.0 | SAP Blogs

Therefore, when we are checking any blog/material shared on the web (even from an SAP OSS reply), the first thing we must do is to clarify the scenario very very clearly
(pure Local AD? pure Azure AD? Hybrid AD? pure Azure AD + Azure Domain Service? SAPGUI? Webgui?......got crazy...)

For example, the URL you quoted below is talking about Kerberos SSO with AD. There is no "AZURE" appearing; that is local AD, therefore it supports Kerberos based SSO.
https://blogs.sap.com/2017/07/27/sap-single-sign-on-authenticate-with-kerberosspnego/
(and what's more, you don't even require any SAP SSO license production to have SAP GUI SSO with Local AD)


You said SAP OSS (BC-SEC-LGN) replied to you that Kerberos is not a supported method for SAP GUI SSO; it is likely because they were aware you are asking for SAPGUI SSO with Azure AD.


Actually, since nowadays more and more companies use Azure AD, many of the old blogs/notes are no longer valid or helpful.

What's more, there is a lack of blogs and information about SSO for SAPGUI (client application). When you do research, all of them are talking about SSO for web interfaces (e.g. Fiori, Webgui, SF) only, while the rest are for SAP SSO methods that are not recommended, "no longer supported", or not supported with Azure AD, e.g. NTLM, free of charge SSO method...

Even when my teammate checked with SAP OSS, they gave feedback very quickly (surprised) with 3 URLs, but all of them have nothing to do with SAPGUI SSO. All of them are Webgui... Fiori...

Unfortunately, the fact is SAPGUI is still the main interface for SAP users nowadays (even for S/4 HANA systems)...


Hope the above helps.

And I would very much welcome it if someone finds any of my understanding above wrong and corrects me, please....
Thanks

Gary