Thursday, December 17, 2015

Disabling SSO in SAP app

Single Sing On (SSO) is a great thing. It saves us from slave labor of entering passwords into many different systems every time as we are already logged into trusted system (e.g. operating system) already.

However there are scenarios that we don’t need to be authenticated via SSO and we would like the system asks us for logon credentials. Most basic case is when we are testing something. And in such a cases it comes handy when we know how to suppress e.g. temporarily the SSO.

With regards to many SAP applications which are accessed by web browser there is a special parameter supplied that supports SSO disabling.  Usually name of the parameter is SPNEGO. It stands for Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO). This thing actually serves as a protocol used to determine whether common GSSAPI (Generic Security Services Application Program Interface) mechanisms are available. If so it selects it and dispatches all security operations to it.

Whenever SPNEGO is used we are authenticated by SSO and there is no need to enter password again. The parameter is provided via URL of the application. How to use the parameter to disable the SSO?

1. SAP Portal usage:

2. NWBC usage:

3. example case for JAVA AS usage:

4. example of common app usage:

No comments: