To support the Single Sign On feature in Liquid UI for iOS, follow the configuration steps below for either method 1 or method 2.
Liquid UI Server Configuration
Liquid UI Server can be configured based on the Single Sign On method.
- Configure sapproxy.ini file for using Domain\Username
- Configure sapproxy.ini file for using @portal\Username
- Configure sapproxy.ini file for using Key-certificate pair
To configure SAP GUI, navigate to the SU01 transaction and enter the username.
Click the Display icon on the toolbar. You will be directed to the below screen:
Add the domain under the SNC tab and click the Save button. Use this domain name for Single Sign On.
Note: Use this domain name for both method 1 and method 2 while connecting to the SAP server.
Liquid UI supports the following methods for establishing a secure connection using SSO:
SSO Method 1: Windows Domain Credentials
Secure Network Communication (SNC) strengthens security by using additional authentication functions provided by Liquid UI that are not directly available in SAP systems. You need to map the SAP login username to the Windows user name (SNC name) to connect through SSO.
Because Kerberos authentication is used, the system verifies the identity of both the Liquid UI Server and the Liquid UI client, thereby offering a minimum level of protection for your SAP ERP system. To make use of this secured authentication, configure gsskrb5.dll and gssntlm.dll in the Liquid UI Server folder.
Note: Method 1 is valid only for an SAP Server on a Windows machine.
Map SAP login username with Windows user name (SNC name)
Confirm that the SAP SSO feature is enabled by running sapproxy.exe
Configure sapproxy.ini with domain and SNC name
Make sure that the Kerberos library files are added to the Environment variables. Follow the path: Control Panel → System and Security → System → Advanced system settings → Advanced tab → Environment Variables.
Finally, connect your Liquid UI Client to the Liquid UI Server, and enter “domain\username”, and enter your domain password (Windows login credentials).
SSO Method 2: Key-certificate
Trust can be established between LUI Server and SAP ERP Server by utilizing the appropriate certificates and private key. This trust relationship enables LUI Server to log into SAP ERP, thereby enabling the use of a common user database, such as Microsoft Active Directory.
Obtaining the Certificate:
If you have an SAP Netweaver Portal that is already set up with a trust relationship with your SAP ERP, you can download the keypair from the Portal and use it in Liquid UI Server. This way, you do not have to set up your SAP ERP. To download the key pair, navigate to “Access SAP NetWeaver Administrator”.
Then, click on Configuration to select the certificates and keys.
Click on “Certificates and Keys”. Then, scroll down to the TicketKeyStore.
Select the keypair, and click on Export Entry. A popup window will appear. Enter the password, and click on the Generate button.
In parallel, download the p12 file and import it into the SAP ERP transaction.
Import key-certificate pair:
After generating the key-certificate pair, move it into the GuixtWSServer folder / SAP system.
Double click on the key-certificate pair to import the certificate into the SAP system.
Click Next to specify the file you want to import. You will get the following window:
Click Next and provide the password for the private key.
Click Next and then the Finish button to complete the certificate import wizard. On success, you will receive the following message:
Configure key-certificate pair to SAP access control list
Navigate to the STRUSTSSO2 transaction, and select Import Certificate.
Once imported, you will see the complete details of the certificate as follows:
Now, click on “Add to Certificate List” and click on “Add to ACL”. When selecting “Add to ACL”, a popup will appear. Here, enter the client number and system id of the Liquid UI Server.
After adding the entry in the Single Sign On Access Control List window, verify that the certificate appears in the ACL. If it is visible, the SAP ERP setup is successful.
Finally, connect your Liquid UI Client to the Liquid UI Server, and enter “domain\username”, and enter your domain password.
Note: Make sure that your username matches the SAP username, and you will be logged in.
Import synssl.dll file into your SAP server folder, viz., GuixtWSServer folder.
Configure SAP Server:
Configure sapproxy.ini with the key-certificate pair and Microsoft Active Directory.
In sapproxy, the trust setup is activated with the strustsso2 key, for example:
    [proxy1]
    ListenPort=3200
    TargetServer=juneau
    TargetServerPort=3200
    GuiXT = 10
    strustsso2=msad,388,LUX,r:\synactive\sapproxy\LuiKeyPair.p12,p12password
    defaultdomain=syndom
The “strustsso2” option is specified with:
- msad – to signify authentication through Microsoft Active Directory. (Future versions may support LDAP)
- 000 – is the client number of this Liquid UI Server (388 in the example above). It can be any 3 digit number, but this same number must be used to set up the ACL in the ERP transaction.
- LUX – a 3 character system id of this Liquid UI Server. This will be set up in the ACL of STRUSTSSO2 transaction.
- The encrypted p12 file, containing the private key (this can be exported from a Portal that has an existing trust)
- The password for the p12 file.
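The following check is an added example, not part of the original page or of Liquid UI: it validates each strustsso2 entry in a sapproxy.ini against the five fields listed above, so a client number or system id that cannot match the STRUSTSSO2 ACL entry is caught before sapproxy.exe is started. It assumes the file parses as a standard INI and that the fields are comma-separated in the order shown; the [proxy2] section is constructed to show failures.

```python
import configparser
import re
# Constructed sample: [proxy1] mirrors the page's section, [proxy2] is a
# deliberately malformed entry for the checker to catch.
SAMPLE_INI = r"""
[proxy1]
ListenPort=3200
TargetServer=juneau
TargetServerPort=3200
GuiXT = 10
strustsso2=msad,388,LUX,r:\synactive\sapproxy\LuiKeyPair.p12,p12password
defaultdomain=syndom

[proxy2]
ListenPort=3201
strustsso2=msad,38,LUXX,r:\synactive\sapproxy\LuiKeyPair.pem
"""

def check_strustsso2(ini_text):
    """Return {section: [problems]} for every section that sets strustsso2."""
    cp = configparser.ConfigParser(interpolation=None)  # keep '%' literal
    cp.read_string(ini_text)
    report = {}
    for section in cp.sections():
        if not cp.has_option(section, "strustsso2"):
            continue
        # Assumed layout: method,client,sysid,p12 path,password.
        # maxsplit=4 keeps any commas inside the password intact.
        fields = [f.strip() for f in cp.get(section, "strustsso2").split(",", 4)]
        problems = []
        if len(fields) != 5:
            problems.append(f"expected 5 fields, got {len(fields)}")
        fields += [""] * (5 - len(fields))
        method, client, sysid, p12, password = fields
        if method.lower() != "msad":
            problems.append("method must be msad")
        if not re.fullmatch(r"\d{3}", client):
            problems.append("client must be 3 digits (same as the ACL entry)")
        if len(sysid) != 3:
            problems.append("system id must be 3 characters (same as the ACL entry)")
        if not p12.lower().endswith(".p12"):
            problems.append("key file should be a .p12 container")
        if not password:
            problems.append("p12 password missing")
        report[section] = problems
    return report

if __name__ == "__main__":
    print(check_strustsso2(SAMPLE_INI))
```

Because the p12 password sits in sapproxy.ini in clear text next to the path of the private key, read access to both files should be limited to the account that runs sapproxy.exe.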
To confirm that SSO is turned on and configured properly, run your sapproxy.exe file. You should get the following message:
Once this is all set up, connect your Liquid UI client to the Liquid UI Server, enter “domain\username”, and enter your domain password. Once you are authenticated, make sure that your username matches the SAP username, and you will be logged in.
Liquid UI for iOS: Connection Configuration
- Liquid UI for iOS: v22.214.171.124
- Application Server: Liquid UI Server FQDN or IP
- Username: DOMAIN\username
- Password: domainpassword
The connection details page of iOS is shown below:
Click CONNECT TO MY SAP. You will be navigated to SAP Easy Access screen as following: