Thursday, December 17, 2015

Disabling SSO in SAP app

Single Sign-On (SSO) is a great thing. It saves us from the slave labor of entering passwords into many different systems every time, as we are already logged into a trusted system (e.g. the operating system).

However, there are scenarios where we don't want to be authenticated via SSO and would like the system to ask us for logon credentials. The most basic case is when we are testing something. In such cases it comes in handy to know how to suppress the SSO, e.g. temporarily.

For many SAP applications that are accessed via a web browser, there is a special parameter that supports disabling SSO. Usually the name of the parameter is SPNEGO. It stands for Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO). SPNEGO is a protocol used to determine whether common GSSAPI (Generic Security Services Application Program Interface) mechanisms are available. If one is, SPNEGO selects it and dispatches all security operations to it.
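To make the negotiation described above concrete, here is an added example (not part of the original post) that decodes the SPNEGO token a browser sends in the HTTP `Authorization: Negotiate` header and lists the GSSAPI mechanisms it offers. The function names are illustrative and the sample token is constructed for this example.

```python
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
MECH_NAMES = {"1.2.840.113554.1.2.2": "Kerberos V5",
              "1.2.840.48018.1.2.2": "Kerberos V5 (legacy Microsoft OID)",
              "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}
# Constructed sample: a NegTokenInit offering Kerberos V5 and NTLMSSP, no mechToken.
SAMPLE_HEADER = "Negotiate " + base64.b64encode(bytes.fromhex(
    "602706062b0601050502a01d301ba0193017"
    "06092a864886f712010202" "060a2b06010401823702020a")).decode()

def read_tlv(buf, pos, want, what):
    """Return (value, next_pos) of the DER element at pos; it must carry tag `want`."""
    if pos + 2 > len(buf) or buf[pos] != want:
        raise ValueError(f"expected {what} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError(f"truncated {what}")
    return buf[pos:pos + length], pos + length

def decode_oid(body):
    """Turn DER OID content bytes into dotted notation."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)  # base-128 digits, high bit = "more follows"
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)          # first two arcs share one sub-identifier
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def offered_mechanisms(authorization_header):
    """List the GSSAPI mechanisms offered in an 'Authorization: Negotiate' value."""
    scheme, _, b64 = authorization_header.partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    body, _ = read_tlv(base64.b64decode(b64), 0, 0x60, "GSS-API token")
    oid, pos = read_tlv(body, 0, 0x06, "mechanism OID")
    if decode_oid(oid) != SPNEGO_OID:
        raise ValueError("outer mechanism is not SPNEGO")
    for tag, what in ((0xA0, "NegTokenInit"), (0x30, "NegTokenInit SEQUENCE"),
                      (0xA0, "mechTypes"), (0x30, "MechTypeList")):
        body, pos = read_tlv(body, pos, tag, what)[0], 0
    mechs = []
    while pos < len(body):
        oid, pos = read_tlv(body, pos, 0x06, "mechanism OID")
        mechs.append(MECH_NAMES.get(decode_oid(oid), decode_oid(oid)))
    return mechs
```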

Whenever SPNEGO is used, we are authenticated by SSO and there is no need to enter the password again. The parameter is provided via the URL of the application. How do we use the parameter to disable the SSO?

1. SAP Portal usage:

2. NWBC usage:

3. example case for JAVA AS usage:

4. example of common app usage:


Mihel said...

Hi Martin
Can SSO be disabled for a single user?
So that only certain users are allowed to use SSO?

Many thanks
Best Regards

Martin Maruskin said...

Hi Mihel,

As far as I know, in general it is not possible.
Also, it depends on which SAP product you would want to disable the SSO in for a single user.
Perhaps in the case of a connection via SAP GUI to an SAP NetWeaver based system, the user can disable the SSO in SAP Logon Pad for a particular SAP system.