Single Sign-On (SSO) is a specialized form of software authentication that enables a user to authenticate once and gain access to the resources of multiple back-end software systems. SSO enables authorized users to reliably and transparently access software resources across technical system boundaries.
This document describes implementing a single sign-on mechanism with SAML 2.0 in a network. The Security Assertion Markup Language (SAML) version 2.0 provides a standards-based mechanism for Single Sign-On (SSO). The primary reason to use SAML 2.0 is to enable SSO across domains.
Prerequisites
You need the following products to try out this scenario:
The Service Provider, SAP Netweaver Application Server Java 7.3.
An identity provider, such as vendor’s identity provider ADFS 2.0.
SAP Netweaver Application Server ABAP system which supports SAP logon tickets.
Integrate SAP Netweaver Application Server Java 7.3 with the SAP Netweaver Application Server ABAP system and configure SSO. SSO between SAP Portal and SAP R/3 refers to the ability of a portal application to access data from a back-end system or application.
Scenario
ADFS 2.0 acts as Identity Provider
SAP Netweaver Java Application Server 7.3 acts as Service Provider.
SAP Netweaver ABAP Application Server is the backend user store for SAP Java Application Server 7.3.
ADFS 2.0 Login: https://<adfs20host>/adfs/ls/IdpInitiatedSignOn.aspx
After authenticating with ADFS, access the redirect application hosted on AS Java 7.3 in the same browser window.
SAP Enterprise Portal Login: https://hostname:port/irj/portal
You will be redirected to ADFS for authentication. After successful authentication at ADFS, you are returned to AS Java 7.3 with a SAML 2.0 assertion. The assertion is evaluated and, once you are authenticated with SAML 2.0 at AS Java 7.3, an SAP Logon Ticket is issued; you can then access the SAP NW Portal and its integrated back-end (SAP R/3) applications.
Configuring AS Java as a Service Provider
Start SAP Netweaver Administrator with the quick link /nwa/auth.
Choose SAML 2.0.
If you have never configured your system for SAML 2.0, the system displays the following message: “System not configured to support SAML 2.0.”
Choose the Enable SAML 2.0 Support pushbutton.
Enter a name for the provider.
Configure the settings for signature and encryption.
Select the keystore view and the key pairs you created for the provider.
Determine if you want to include the public-key certificate in any digital signatures.
1. Include the certificate if you are using a public-key infrastructure for your SAML network or if the trusted providers otherwise require the inclusion of certificates to verify digital signatures.
2. Do not include a certificate if you are using self-signed certificates.
To provide a means for identity providers to validate the metadata of the service provider, sign the configuration metadata of the service provider.
Continue through the configuration wizard and enter data as desired.
In General Settings --> Miscellaneous -->
In Service Provider Setting --> Assertion Consumer Service --> Default Application Path: /irj/portal
Choose the Finish button.
Configuring Trust on the SAML 2.0 Identity Provider Side
Start “AD FS 2.0 Management”, select “Relying Party Trusts” and action “Add Relying Party Trust”
Select metadata file of the service provider.
Use all default settings and save the relying party. After that select action “Properties” for the Service Provider system.
Go to “Advanced” tab and change the signature algorithm from SHA-256 to SHA-1.
Afterwards, select action “Edit Claim Rules” and add a claim of type “Send LDAP Attributes as Claims”. Select the incoming and outgoing claims.
Add a claim of type “Transform an Incoming Claim” and select to send the “e-mail address” as Name ID.
With this final step the trust setup at ADFS 2.0 is completed. In order to do the trust setup at SAP AS Java you will need the metadata of ADFS.
Because the metadata document is digitally signed, you will also need the signing certificate in order to import the metadata into SAP AS Java. The SAP application server does not allow import of a signed metadata document unless the signature is successfully verified.
To download the ADFS signing certificate: In AD FS 2.0 Management select Service -> Certificates and download the “Token-signing” by double clicking on it and then choose “Copy To File …”.
Configuring ADFS 2.0 as Trusted Providers on the SAML 2.0 Service Provider
Select “SAML 2.0” tab and go to “Trusted Providers” link.
Click “Add” pushbutton and choose “Uploading Metadata File”.
Browse identity provider metadata file.
As the metadata is signed by a self-signed certificate, to verify it we need to select a copy of the certificate used to sign the metadata.
Click the “Next” pushbutton and you should see the identity provider name.
Go through the wizard by leaving the default values. At the last step click "Finish" pushbutton and the new trusted identity provider will be created.
Configuring Identity Federation on SAML 2.0 Service Provider
Open https://<java server host>:<port>/nwa -> Configuration -> Authentication and Single Sign-On.
Select “SAML 2.0” tab and go to “Trusted Providers” link.
Select the trusted provider and select the “Identity Federation” Tab.
Add the supported NameID format.
In the Details tab below, enter the data as required.
Set default user attributes, roles and groups, or assertion-based user attributes, roles and groups.
In the downloaded authschemes.xml file, edit the content as follows:
<!-- authschemes, the name of the node is used -->
<authscheme name="uidpwdlogon">
    <!-- multiple login modules can be defined -->
    <authentication-template>adfs_saml_sap</authentication-template>
</authscheme>
Save the file as Authschemes_Modified.xml and upload it to the config tool. Restart the server.
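The authschemes.xml edit above can be scripted so that only the uidpwdlogon scheme is touched and a typo in the scheme name cannot silently leave the file unchanged. The following is an added example, not code from the original post or from SAP; SAMPLE_AUTHSCHEMES is a constructed, cut-down file (the real one downloaded from the config tool contains more schemes), and the element names other than authscheme and authentication-template are assumptions about its layout.

```python
# Added example (not from the original post or from SAP): switch the
# uidpwdlogon authscheme in a downloaded authschemes.xml to the
# adfs_saml_sap authentication template and write Authschemes_Modified.xml.
import xml.etree.ElementTree as ET

# Constructed, cut-down authschemes.xml; element names besides authscheme
# and authentication-template are assumed for illustration.
SAMPLE_AUTHSCHEMES = """<?xml version="1.0" encoding="UTF-8"?>
<document>
  <authschemes default="default">
    <!-- authschemes, the name of the node is used -->
    <authscheme name="uidpwdlogon">
      <!-- multiple login modules can be defined -->
      <authentication-template>ticket</authentication-template>
      <priority>20</priority>
    </authscheme>
    <authscheme name="basicauthentication">
      <authentication-template>ticket</authentication-template>
      <priority>20</priority>
    </authscheme>
  </authschemes>
</document>
"""


def _parse(xml_text):
    # insert_comments=True keeps the file's XML comments when writing it back.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def templates_by_scheme(xml_text):
    """Map each authscheme name to its authentication-template, for review
    before and after the change."""
    root = _parse(xml_text)
    return {s.get("name"): (s.findtext("authentication-template") or "").strip()
            for s in root.iter("authscheme")}


def set_authentication_template(xml_text, scheme_name="uidpwdlogon",
                                template="adfs_saml_sap"):
    """Return (modified_xml, previous_template). Raises ValueError if the
    scheme is absent, so a misspelt name never yields an unchanged file."""
    root = _parse(xml_text)
    scheme = root.find(f".//authscheme[@name='{scheme_name}']")
    if scheme is None:
        raise ValueError(f"authscheme {scheme_name!r} not found")
    tmpl = scheme.find("authentication-template")
    if tmpl is None:
        tmpl = ET.SubElement(scheme, "authentication-template")
    previous = (tmpl.text or "").strip()
    tmpl.text = template
    return ET.tostring(root, encoding="unicode"), previous


def write_modified(in_path, out_path="Authschemes_Modified.xml"):
    """Read the downloaded file, apply the change and write the upload copy."""
    with open(in_path, encoding="utf-8") as fh:
        original = fh.read()
    modified, previous = set_authentication_template(original)
    with open(out_path, "w", encoding="utf-8") as fh:
        fh.write('<?xml version="1.0" encoding="UTF-8"?>\n' + modified + "\n")
    return previous


if __name__ == "__main__":
    modified_xml, old = set_authentication_template(SAMPLE_AUTHSCHEMES)
    print(f"uidpwdlogon: {old} -> {templates_by_scheme(modified_xml)['uidpwdlogon']}")
```

Run templates_by_scheme on the downloaded file first and again on the output: only uidpwdlogon should differ, which is the quickest check that the upload will not change how other schemes authenticate.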
Navigate to Configuration -> Authentication and Single Sign-On --> Properties and change
*** Authentication policy configuration is done so that the Portal (/irj/portal) is configured with SAML 2.0 authentication and NetWeaver Administrator (/nwa) keeps the ticket authentication template.
You need to authenticate yourself with ADFS 2.0 user credentials. After successful authentication at ADFS, you are returned to AS Java 7.3 with a SAML 2.0 assertion. The assertion is evaluated and, once you are authenticated with SAML 2.0 at AS Java 7.3, an SAP Logon Ticket is issued (MYSAPSSO2 cookie).
After clicking the link “New Here? Register Now and Federate Accounts”, the newly created user is automatically federated with the ADFS account.
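The evaluation of the returned assertion described in the Scenario section and again above, followed by the identity-federation lookup that maps the asserted e-mail Name ID to a local user, can be illustrated end to end. The following is an added example, not code from the original post or from SAP or ADFS: it applies the checks a service provider performs before issuing a logon ticket (success status, trusted issuer, signature present, validity window, audience, e-mail NameID format) and then resolves the NameID against a federated-user table. The entity IDs, the sample response and the FEDERATED_USERS table are constructed values, and the Signature element in the sample is only a placeholder; a real SP verifies the XML-DSig against the IdP's token-signing certificate.

```python
# Added example (not from the original post, SAP or ADFS): the checks an SP
# applies to a SAML 2.0 response before issuing a logon ticket, plus the
# NameID-to-user lookup performed by identity federation.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Trust settings as configured on the SP side (assumed, constructed values).
TRUSTED_IDP = "http://adfs20host.example.com/adfs/services/trust"
SP_ENTITY_ID = "https://portal.example.com/irj"

# Accounts already federated with an ADFS e-mail NameID (constructed table).
FEDERATED_USERS = {"alice@example.com": "ALICE"}

# Constructed sample response; ds:Signature is a placeholder, not a real
# signature, and a production SP must verify XML-DSig before anything else.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T10:00:00Z">
  <saml:Issuer>http://adfs20host.example.com/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T10:00:00Z">
    <saml:Issuer>http://adfs20host.example.com/adfs/services/trust</saml:Issuer>
    <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T09:55:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://portal.example.com/irj</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value):
    """Parse the UTC timestamps SAML uses, e.g. 2024-01-01T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_response(xml_text, now=None, trusted_idp=TRUSTED_IDP, audience=SP_ENTITY_ID):
    """Return {"ok", "problems", "name_id"}; ok is True only if every check passes.
    now may be a SAML timestamp string or an aware datetime (default: current time)."""
    if isinstance(now, str):
        now = parse_saml_time(now)
    now = now or datetime.now(timezone.utc)
    problems = []
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"ok": False, "problems": problems + ["no assertion"], "name_id": None}
    issuer = (assertion.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer != trusted_idp:
        problems.append(f"issuer {issuer!r} is not a trusted provider")
    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb is None or na is None or not (parse_saml_time(nb) <= now < parse_saml_time(na)):
            problems.append("assertion outside its validity window")
        audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if audience not in audiences:
            problems.append("audience restriction does not name this SP")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID is missing or not in e-mail address format")
    value = name_id.text.strip() if name_id is not None and name_id.text else None
    return {"ok": not problems, "problems": problems, "name_id": value}


def resolve_user(name_id, federated=FEDERATED_USERS):
    """Identity federation: map the asserted e-mail NameID to a local user.
    None means the user still has to register and federate the account."""
    return federated.get(name_id)


if __name__ == "__main__":
    result = evaluate_response(SAMPLE_RESPONSE, "2024-01-01T10:01:00Z")
    print(result, "->", resolve_user(result["name_id"]))
```

A None from resolve_user is exactly the case behind the “New Here? Register Now and Federate Accounts” link: the assertion was valid, but no local account is federated with that Name ID yet.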