Purpose of this blog:
I have explained the steps for configuring Secure Login Service (SLS) for SAP GUI SSO on BTP, with IAS as the identity provider. Please make sure to go through the final notes as well.
Steps to be followed:
1. Activate the SLS service in the BTP cockpit. For activating the service, follow the guide: HELPGUIDE
2. Go to Security -> Trust Configuration in the BTP cockpit and complete the trust setup between IAS and the BTP cockpit. Refer to: https://help.sap.com/docs/btp/sap-btp-neo-environment/setting-up-trust-between-identity-authentication-and-sap-btp
3. Go to Security -> Role Collections. Create the role collections for the SLS roles in the BTP cockpit and assign them to the user. In the IAS tenant, go to Users & Authorizations -> Groups, create the matching groups and assign them to the respective administrator user.
4. Launch the Secure Login Service application and define the SNC User Name Suffix. Make sure you enter the right Client Policy Group host: use the base URL of the Secure Login Service tenant.
5. Add the SAP Cloud Root CA certificate to the SNC SAPCryptolib PSE in transaction STRUST. Download the SAP Cloud Root CA certificate from: http://www.pki.co.sap.com/
6. Export both the SAP Cloud Root CA certificate and the Own certificate from the SNC SAPCryptolib PSE in STRUST and install them in the Windows certificate store (Local Machine) on the devices of all SSO users.
7. In the IAS tenant, go to Applications -> Secure Login Service. Open the Subject Name Identifier setting and set the primary attribute to Email.
Note: make sure Email is used consistently in IAS and in the S/4HANA SNC names.
In addition to point 7, the Conditional Authentication setting can be set to Corporate Identity Provider if you use Azure AD or another corporate directory. In our case we set it to Identity Authentication, as IAS was our primary identity provider.
8. Install Secure Login Client version 3.0.2.21 and make sure SAP GUI is on the latest version as well. Maintain the following Windows Registry entries on the devices of all SSO users (the block below is in .reg format and can be imported with regedit):
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\applications\CLOUD-APPLICATION]
"GSSTargetName"="*"
"profile"="CLOUD-LOGIN"
"allowFavorite"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\profiles\CLOUD-LOGIN]
"profileName"="SLS"
"pseType"="browser"
"enrollURL0"="https://<base domain url of sls>/slc/v1/login"
"sslHostCommonNameCheck"=dword:00000000
"sslHostAlternativeNameCheck"=dword:00000001
"showErrorMsg"=dword:00000001
"useWindowsHttpProxy"=dword:00000001
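As an added example (not part of the original post), the PowerShell script below writes the same Secure Login Client policy entries under HKLM and reads them back to verify them. The SLS base URL and the GSSTargetName value are parameters you supply (placeholders, not values from the post), and the script must run in an elevated session.

```powershell
# Added example: apply and verify the Secure Login Client policy entries from the post.
# -SlsBaseUrl is a placeholder for your SLS tenant base URL; -GssTargetName defaults to "*"
# as in the post (see the final note on narrowing it to the SNC names of BTP-SSO systems).
param(
    [Parameter(Mandatory = $true)][string]$SlsBaseUrl,
    [string]$GssTargetName = '*'
)

# The enrollment URL is where the browser-based login happens, so refuse plain http.
if ($SlsBaseUrl -notmatch '^https://') { throw 'SLS base URL must start with https://' }

$appKey     = 'HKLM:\SOFTWARE\Policies\SAP\SecureLogin\applications\CLOUD-APPLICATION'
$profileKey = 'HKLM:\SOFTWARE\Policies\SAP\SecureLogin\profiles\CLOUD-LOGIN'

# Values as given in the post: strings become REG_SZ, integers become REG_DWORD.
$appValues = @{
    GSSTargetName = $GssTargetName
    profile       = 'CLOUD-LOGIN'
    allowFavorite = 0
}
$profileValues = @{
    profileName                 = 'SLS'
    pseType                     = 'browser'
    enrollURL0                  = "$($SlsBaseUrl.TrimEnd('/'))/slc/v1/login"
    sslHostCommonNameCheck      = 0
    sslHostAlternativeNameCheck = 1   # keep SAN checking on for the SLS TLS endpoint
    showErrorMsg                = 1
    useWindowsHttpProxy         = 1
}

function Set-PolicyValues {
    param([string]$Path, [hashtable]$Values)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    foreach ($name in $Values.Keys) {
        $value = $Values[$name]
        $type  = if ($value -is [int]) { 'DWord' } else { 'String' }
        New-ItemProperty -Path $Path -Name $name -Value $value -PropertyType $type -Force | Out-Null
    }
}

# Read every value back and warn on any mismatch, so a failed write does not go unnoticed.
function Test-PolicyValues {
    param([string]$Path, [hashtable]$Values)
    $ok = $true
    foreach ($name in $Values.Keys) {
        $actual = (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).$name
        if ("$actual" -ne "$($Values[$name])") { Write-Warning "$Path\$name is '$actual'"; $ok = $false }
    }
    return $ok
}

Set-PolicyValues -Path $appKey -Values $appValues
Set-PolicyValues -Path $profileKey -Values $profileValues
if ((Test-PolicyValues $appKey $appValues) -and (Test-PolicyValues $profileKey $profileValues)) {
    Write-Host 'Policy entries applied; restart the device so the profile appears in Secure Login Client.'
}
```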
Once the registry entries are in place, restart the device. You should then see a profile entry in Secure Login Client; if not, add the profile manually.
9. Make the SNC entry in SU01 for all users. Use transaction SNC1 for mass maintenance of the SNC names in SU01.
Format: p:CN=<email>, L=<IAS tenant url>, OU=cf-us20-secure-login-service, OU=SAP BTP Clients, O=SAP SE, C=DE
10. Go to the SAP GUI connection entry settings and add the SNC name.
Tip: in this step, use the same name as the STRUST own certificate, prefixed with "p:".
11. Now try the GUI SSO.
Note:
1. To avoid issues with an existing Kerberos SSO, set the "GSSTargetName" registry entry only for the SNC names of systems that will be used with the BTP SSO.