- We are working on a project about SharePoint 2010 integration with SAP. The project will use Single Sign-On to authenticate between SharePoint 2010 and SAP using ADFS. We expect that after end users log in to SharePoint 2010, they will integrate to SAP without logging in to SAP again in the SharePoint system (using a WebPart).
- I am seeking documentation or an article that shows me how to configure ADFS for SAP.
- Please help me and let me know if you have any documentation about the expected things above.
I'm not sure what you refer to when you say SAP.
Is it an integration to the SAP Portal or an SAP Backend system?
What are you integrating? Do you want to access data from the SAP backend from a WebPart, or do you want to show HTML generated from the backend (such as BSP, WebDynpro)?
There are several options to do this. SSO using Kerberos has been supported in both WebAS Java and ABAP for some time (was it 7.0?). SAML authentication is supported in WebAS ABAP since 7.02, and in Java from some version (might also be 7.02).
If you are using older backend versions, you would need to use some layer in between. This is enabled by Duet Enterprise.
If you are using the SAP Portal, it is possible to use SSO for instance with Kerberos, but you would have to integrate this in SharePoint with iframes or something equivalent to that.
Usually SharePoint integration to SAP backend systems would go through some integration bus, depending on your company policy for accessing data from SAP. Usually you would choose from SAP PI or SAP Duet Enterprise.
Hope this gives you some hints!
Thank you for your response.
It is an integration to the SAP portal system.
I am setting up a portal SharePoint 2010 integration with SAP iView. I used a WebPart to show the SAP iView, but we need to apply ADFS using Single Sign-On. But I do not know how to configure ADFS for SAP.
Please let me know if you have any documentation or article on how to do that.
Here is an older help page about SSO.
I'm not so familiar with ADFS, but as I understand it, it is designed to work together with SAML 2.0.
This is available in Java WebAS and briefly described here.
Hope it helps!
Added a few extra links:
Unleash the Power of Single Sign-On with Microsoft and SAP:
SAP iView Integration with Microsoft Office SharePoint 2007:
Edited by: Mikael Löwgren on Mar 4, 2011 11:43 AM
I think I can help you with this. I specialise in Kerberos with SAP.
When a user logs onto SharePoint, they will typically be authenticated using Integrated Windows Authentication, which means the Kerberos credentials of the user who is logged on at the workstation will be used for authenticating the user. If the SharePoint server is set up correctly in the domain, credential delegation will be used, meaning that the Kerberos TGT of the user will be available (e.g. delegated/forwarded) to SharePoint after the user logs on, and can be used by code on the SharePoint server to authenticate to SAP servers on behalf of the user at authentication, as long as the SAP server supports Kerberos.
The above is applicable if the SharePoint server is communicating directly with the SAP system, but if you want the user to log on to SharePoint and click on links which take the user to SAP URLs (e.g. portal) via redirection, then the best way to do this is to make SAP Portal use Integrated Windows Authentication, and then there is no need to delegate credentials to SharePoint and no need to use SAML or anything like that.
I hope the above is clear?
Hi Tim, Mikael,
Thank you for your response.
You gave me 2 solutions.
"When a user logs onto SharePoint, they will typically be authenticated using Integrated Windows Authentication, which means the Kerberos credentials of the user who is logged on at the workstation will be used for authenticating the user. If the SharePoint server is set up correctly in the domain, credential delegation will be used, meaning that the Kerberos TGT of the user will be available (e.g. delegated/forwarded) to SharePoint after the user logs on, and can be used by code on the SharePoint server to authenticate to SAP servers on behalf of the user at authentication, as long as the SAP server supports Kerberos."
"If you want the user to log on to SharePoint and click on links which take the user to SAP URLs (e.g. portal) via redirection, then the best way to do this is to make SAP Portal use Integrated Windows Authentication, and then there is no need to delegate credentials to SharePoint and no need to use SAML or anything like that."
I do not know how to do that. Would you please write a document with step-by-step instructions to show me how to configure each solution?
I do not know the steps which we should do.
Edited by: voxuvi on Mar 7, 2011 7:22 AM
For the first option, you would need to install a product on the SharePoint server and on the SAP server that uses the SNC interface and the Kerberos protocol. The one I am most familiar with is described at http://ecohub.sdn.sap.com/irj/ecohub/solutions/trustbrokersecureclient
For the second option, you would need to install a product on the SAP server only, to handle the browser authentication of the user via Kerberos (e.g. Integrated Windows Authentication). The product I recommend is described at http://ecohub.sdn.sap.com/irj/ecohub/solutions/trustbrokeradapter
I am sure you won't need both - do you know which method you need? Anyway, both products are commercially supported and SAP certified, so you will get help and documentation from the vendor.
Recently there was a similar request from a customer to support SSO from EP 7.0 to SharePoint 2010 and vice versa. This customer has users that authenticate to EP and SharePoint with SPNEGO/Kerberos, but also users that authenticate manually with username and password. So it is not sufficient to set up Integrated Windows Authentication on both portals; you also have to propagate the currently logged-in user from one portal to the other. For this customer we have recommended using a setup with ADFS 2.0 (Microsoft) and CE 7.2 (SAP) and establishing SAML 2.0 trust between the Microsoft and SAP worlds. I have attached a PPT in SAPMats which describes this setup - [here|https://sapmats-de.sap-ag.de/download/download.cgi?id=17FWTCQJ01UOHJFYCGS2LBTT3NU1WGZDD79S9UFXXCW44VIX26]. Upon request I could provide further technical details.
Can you please provide more details on how you implemented it?
Whenever we talk about ADFSv2 or federation we always say Company A users try to access Company B resources. If I understood you correctly, you are stating that this is all within the same company, which is Company C users accessing Company C resources, which are SAP and SharePoint.
My customer has a few scenarios:
- SharePoint should be able to go to SAP and get the data on behalf of the user and publish in SharePoint Portal.
- User logs in to SharePoint and clicks on a link to SAP; it needs to work.
The question is, the user could be coming from a domain-joined machine or a non-domain-joined machine. From a domain-joined machine I believe IWA (Integrated Windows Authentication) will work, and also the Kerberos option might work.
From a non-domain-joined machine, neither IWA nor a Kerberos token will work (correct me if I am wrong). This is where you are talking about claims, in which case I understand that the user has to submit credentials to either SharePoint or SAP. Once they submit the credentials to one of the systems, let's say SharePoint, and when they try to go to SAP, the claim will be sent to SAP by SharePoint, and after validating the claim the user can access the data in SAP. If this is true, it solves the issue of the user clicking links...
Are you also stating that SharePoint, using claims, can pull data from SAP and publish it in SharePoint, or are you stating that when the user clicks on a link in the SharePoint Portal which points to SAP, the user will be sent to the SAP portal and SSO will work?
Tomorrow I'll prepare a document with screenshots of what should be done on the SAP systems - EP 7.0x and CE 7.2. Meanwhile you can check the articles from Microsoft regarding ADFS - [ADFS 2.0 Step-by-Step and How To Guides|http://technet.microsoft.com/en-us/library/adfs2-step-by-step-guides%28WS.10%29.aspx] and especially the one for integration with Shibboleth - [Federated Collaboration with Shibboleth 2.0 and SharePoint 2010 Technologies|http://go.microsoft.com/fwlink/?LinkId=207916].
This is all about web browser SSO - e.g. directly showing content from EP in Sharepoint or vice versa. Could you provide more details about the pull scenario you mention? Is it based on direct system-to-system communication?
Sorry for the delay but it took some time to make all ~40 screenshots :). You can download the step-by-step guide from the following SAPMats container - [https://sapmats-de.sap-ag.de/download/download.cgi?id=ZZUR8O45JCL1DLCE2NRLSI56Z37JW6MBU1PCBODDTYW4UIU94J].
Let me know if you have further questions.
Dimitar - the presentation link has expired - is there any way for you to post it again? We are in the beginning/design stage of adding SharePoint 2010 to our NW 7.0 landscape and have yet to determine who will be authenticating where and with what tool(s). For our SAP SSO, we currently use AD for employees/suppliers (aka named users) and ADAM for customers, and will be introducing SharePoint now.
Thank you in advance.
Here is the new download container - [SSO from Sharepoint 2010 to SAP EP 7.0x|https://sapmats-de.sap-ag.de/download/download.cgi?id=8LC6Y86OLCDQ8CRC1CNLABMFX9WLDONISWLIZ3BQCYJEKNOA6W]. The document describes the setup only in one direction, from SharePoint to EP; however, technically it is possible to also have SSO from EP to SharePoint. Let me know if you are interested in this scenario too and I'll update the document or create a new one. Also, if you would like to discuss further details about your scenario, you may contact me by email: <firstname>.<lastname> AT sap.com.
Edited by: Dimitar Mihaylov on Jun 1, 2011 5:12 AM
Thanks for all the good information. I too am working through similar issues. At some point we will want to accomplish a SharePoint integration as above. For now I'm trying to confirm what SSO can be achieved using ADFS 2.0 against our NW 7.01 portal Java.
We already have SSO for domain-connected/authenticated devices on our network via Kerberos, but wish to provide the same to other devices. We have ADFS 2.0 installed and would like those people to be directed to ADFS for authentication against AD and then proceed to NetWeaver 7.01 / Portal 7.0 with a SAML token. From my research it seems that SAML 1.1 is supported for 7.01, and I am in the middle of researching the details. I'm confused between statements on the 1.1 token formats, which I think are compatible, whereas the 1.1 protocols are not (ADFS 2.0 only supports SAML 2.0 protocols). Is my understanding below correct?
NW7.01 / ADFS 2.0 SAML 1.1 token format compatibility - OK
NW7.01 / ADFS 2.0 SAML 1.1 or 2.0 protocols to establish trust - OK
NW7.01 / ADFS 2.0 SAML 1.1 protocols to exchange assertions - not supported
If this is the case, I believe I need to address ADFS/SAML 2.0 compatibility by either...
- Install a light standalone instance of 7.02 ABAP which can accept SAML tokens (SAML 2.0 profile)
- Install a 7.2 CE system instead
These would issue SAP Logon tickets for access to 7.01 portal.
Your thoughts are appreciated.
Sorry for the delayed answer, but I was on vacation. To your question - I do not think ADFS 2.0 can issue SAML 1.1 tokens for web browser SSO. The STS functionality in ADFS 2.0 could issue such tokens for web services (WS-Trust); however, this should not be relevant for your scenario. Just check the official documentation of ADFS in order to be sure.
If only SAML 2.0 tokens could be used then your proposal is correct - use either CE 7.2 system or ABAP 7.02 to consume the SAML 2.0 tokens from ADFS, 'convert' them to SAP Logon Tickets and redirect to the 7.01 Portal.
The download link has expired; would you re-enable it again?
I am trying to configure SSO for users accessing an AS-ABAP 7.02 system with a browser. All users are authenticated against Windows 2008 R2 ADFS, and I would like to configure SSO from the browser to AS ABAP 7.02 using SAML, with ADFS as the IdP.
I couldn't identify proper information on help.sap.com or SDN which talks about SAML-based SSO between ADFS as IdP and AS-ABAP as service provider. Could someone guide me to the right documentation? Any tips are appreciated.
I configured the ABAP engine to request the name-id format Windows Domain fully qualified name, and SAP is sending a request like below:
SAML20 <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName" />
SAML20 <samlp:RequestedAuthnContext Comparison="better">
SAML20 <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
Does anyone have an idea how the claim rule should look in ADFS? We did a lot of experiments with claim rules, but in SAP I was always seeing this error message:
SAML: Path "/sap/bc/bsp/sap/it00", Code 222, Class SAML, Number 011, Text: Error when logging on for external ID "": Error during SAML 2.0 logon
I am suspecting the claim rule in ADFS was incorrect. If anyone has an idea how the claim rule should look so that it matches this request, could you please help?
I was unable to decrypt the SAML response that SAP got from ADFS to view what exactly SAP received (even though I disabled encryption on SAP as well as on ADFS, the SAML response is still encrypted). Do we have any tool with which we can decrypt the message in SAP and see what response was received from the IdP?
At least you can switch on the debug mode on the ABAP side (SAML2 UI -> Local Provider -> Service Provider Settings -> Enable Debugging) in order to see details of why the authentication fails.
Or use the security diagnostic tool to collect detailed traces - https://<host>:<port>/sap/bc/webdynpro/sap/sec_diag_tool?sap-client=<client>.
Without knowing the exact reason why the response is rejected it will be difficult to fix a problem in the ADFS claim configuration.
P.S. In order to disable the encryption in ADFS, just delete the encryption certificate of the ABAP system in the ADFS 2.0 configuration (Trust Relationships -> Relying Party Trusts -> Double click on the ABAP system trust -> Encryption -> Remove).
Edited by: Dimitar Mihaylov on Aug 24, 2011 1:11 PM
The configuration screenshots were published to an SDN wiki here - http://wiki.sdn.sap.com/wiki/display/Security/Step-by-StepguideforSSOfromMSSharepoint2010toSAPEP+7.0x.
I just saw the wiki link. Thanks anyway.
I tried to access your step-by-step guide, but the response was an error page saying "download expired".
Could you please make your guide re-accessible? It would also be very helpful for me.
Edited by: TC Jiang on Feb 29, 2012 2:11 PM
Can we use this scenario on the Internet? Does it require access to local resources like Active Directory, so that it only works in an intranet or VPN scenario?
And our SharePoint's user source is Active Directory, the portal's source is ABAP, and the usernames are different in these. Can we make it work this way?
In order to get the scenario working on the Internet, the following systems should be moved to the DMZ: SAP NW AS Java (CE) 7.2, SAP Portal, ADFS 2.0, SharePoint 2010. You also have to allow connections from CE 7.2 and SAP Portal to the ABAP system which is used as user store. The same applies for ADFS 2.0 (and eventually SharePoint) - they should be able to connect to AD in order to check username/password and read user data. The SAML 2.0 communication itself is done completely through the user's browser. Regarding the user mapping - you can maintain it in either place: in AD as an additional user attribute and send the value of this attribute in the SAML assertion, or in ABAP as a Logon Alias, or in CE 7.2 as an additional user attribute in UME.
In case the user mapping is maintained in AD, you can also use in-memory/transient users in the CE 7.2 system. This way the CE 7.2 system won't need to use the ABAP system as user store. More details about a similar but more complex scenario with in-memory users can be found at the following wiki: http://wiki.sdn.sap.com/wiki/display/Security/SingleSign-OnwithSAML2.0andABAPSystemsSupportingSAPLogon+Tickets.
Yet another option is to send the email of the user in the SAML2 assertion. This will work if it is the same in AD and ABAP.
Thanks for your step-by-step guide, which I followed for integration of ADFS, NW AS Java and then Portal 7.01. In my scenario, I just need a user to authenticate first against ADFS, then to browse to the AS Java (NW 7.3 SPS3) for the redirect to the eventual portal.
The trust/SSO from AS Java 7.3 SPS3 to Portal 7.01 is working fine; however, when I'm trying the redirect app route, there is no SSO taking place on the AS Java 7.3 intermediary. Do you know of a way to check why the ADFS/SAML2 SSO isn't working?
Perhaps one thing you might confirm: the intermediary AS Java 7.3 has SSL enabled, but it doesn't have a signed certificate, so I wonder if ADFS doesn't like this and that would be the issue?
When I access the redirect app I am getting a system response "Request requires authentication" from the AS Java 7.3. All 3 system components are hooked up to the same AD as UME sources.
You can collect SAML2-related traces from AS Java 7.3 in the following way:
2. Select incident type "SAML 2.0 (Info)" or "SAML 2.0 (Debug)" and start the tool
3. Reproduce the problem
4. Stop the tool and check the collected traces for a possible cause of the problem
If you cannot find one, just post here some of the traces that you think might be relevant - perhaps those with severity warning or error.
Thank you - I collected the traces from SAML debug.
Firstly, I have tried using the ADFS IdpInitiatedSignOn page to access the relying party trust. I don't expect this to get very far, because how does that relying party understand how and when to call the redirectapp (I added the redirectapp call as an identifier in the ADFS configuration and got no further)? So, going for the ADFS sign-on page and accessing the relying trust there, I see the following error in the diagnostics:
Service Provider ACS endpoint has no default entrance location configured.
Reading between the lines, this looks like it means the default ACS application path, which I then set to
This then hooked up the ADFS login page with the target application - but what if I want more than one target host behind the AS Java with SAML? Do I need a dedicated AS Java per targeted host system?
And the interesting warnings in the SAML debug look like this:
Service Provider has received SAML2Response from Identity Provider [http://myadfssso/adfs/services/trust] that contains an error status code [urn:oasis:names:tc:SAML:2.0:status:Responder]. Status message: [<null>]
IP Address: 172.25.67.52
Authentication Stack: sap.com/redirectapp*redirectapp
Rejected Signon Response
Reason: Error SAML2Response received. ID: _777a3f24-f197-4534-b207-a92adf315066
In Response To: S28a54017-9798-4872-9e01-dd4e954da4c7
Issue Instant: Thu Aug 11 10:03:41 EDT 2011
Top Level Status Code: urn:oasis:names:tc:SAML:2.0:status:Responder
Second Level Status Code:
In HttpWatch I can see the redirects between ADFS and the first server. It looks to me like one small piece of information is missing in the conversations that the partners are having.
TIA for your feedback.
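The two failure reports above (a response SAP could not read because it was still encrypted, and a response carrying the top-level status Responder with no status message) are both things a service-provider trace has to attribute before anyone can fix a claim rule. The following is an added example, not code from the thread or from SAP or Microsoft: a small Python inspector for a samlp:Response that reports the status codes, whether the assertion is encrypted, and whether the NameID format matches the NameIDPolicy the ABAP system requested. The AuthnRequest fragment and the three responses are constructed samples; the response and request IDs in the first one are copied from the trace quoted above, the user `CORP\jdoe` and the IDs beginning `_req-constructed` / `_resp-constructed` are made up.

```python
# Added example (not from the thread, SAP or Microsoft): inspect a SAML 2.0 Response
# the way a service-provider trace does, so a rejected logon can be attributed to
# the IdP (status Responder), to encryption still being configured, or to a NameID
# that does not match the NameIDPolicy the SP requested.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
WDQN = "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName"

# Constructed AuthnRequest fragment, modelled on the NameIDPolicy line quoted in the thread.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_req-constructed-1" Version="2.0" IssueInstant="2011-08-11T14:03:40Z">
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName"/>
</samlp:AuthnRequest>"""


def requested_name_id_format(authn_request_xml):
    """Return the NameID format the SP asked for, or None if no policy was sent."""
    policy = ET.fromstring(authn_request_xml).find("samlp:NameIDPolicy", NS)
    return None if policy is None else policy.get("Format")


def inspect_response(response_xml, expected_in_response_to=None, requested_format=None):
    """Summarise a samlp:Response and list the reasons an SP would reject it."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response element: %s" % root.tag)
    top = root.find("samlp:Status/samlp:StatusCode", NS)
    second = None if top is None else top.find("samlp:StatusCode", NS)
    report = {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip() or None,
        "in_response_to": root.get("InResponseTo"),
        "status": None if top is None else top.get("Value"),
        "second_level_status": None if second is None else second.get("Value"),
        "status_message": root.findtext("samlp:Status/samlp:StatusMessage", namespaces=NS),
        "encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
        "name_id": None,
        "name_id_format": None,
        "findings": [],
    }
    findings = report["findings"]
    # A response that does not answer the request this SP issued must not be accepted.
    if expected_in_response_to and report["in_response_to"] != expected_in_response_to:
        findings.append("InResponseTo does not match the AuthnRequest ID this SP issued "
                        "(stale, replayed or misrouted response)")
    # Responder means the IdP could not build the response: the cause is in the IdP
    # configuration (claim / NameID rules), not in anything the SP parsed.
    if report["status"] != SUCCESS:
        findings.append("IdP returned status %s; fix the problem on the IdP side "
                        "(second-level code: %s, message: %s)"
                        % (report["status"], report["second_level_status"], report["status_message"]))
        return report
    if report["encrypted"]:
        findings.append("assertion is encrypted: the IdP still holds an encryption certificate "
                        "for this SP, so the NameID is unreadable without the SP's private key")
        return report
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None:
        findings.append("assertion carries no NameID; the IdP issued no Name ID claim")
        return report
    report["name_id"] = (name_id.text or "").strip()
    report["name_id_format"] = name_id.get("Format")
    if requested_format and report["name_id_format"] != requested_format:
        findings.append("NameID format %s differs from the requested %s"
                        % (report["name_id_format"], requested_format))
    return report


# Constructed responses; the IDs of the first one come from the trace quoted in the thread.
RESPONDER_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_777a3f24-f197-4534-b207-a92adf315066"
    InResponseTo="S28a54017-9798-4872-9e01-dd4e954da4c7"
    Version="2.0" IssueInstant="2011-08-11T14:03:41Z">
  <saml:Issuer>http://myadfssso/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/></samlp:Status>
</samlp:Response>"""


def _success_response(body):
    """Wrap an assertion body in a constructed Success response answering _req-constructed-1."""
    return """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp-constructed-1" InResponseTo="_req-constructed-1"
    Version="2.0" IssueInstant="2011-08-11T14:03:41Z">
  <saml:Issuer>http://myadfssso/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  %s
</samlp:Response>""" % body


PLAIN_RESPONSE = _success_response(
    '<saml:Assertion ID="_assertion-constructed-1" Version="2.0" IssueInstant="2011-08-11T14:03:41Z">'
    '<saml:Issuer>http://myadfssso/adfs/services/trust</saml:Issuer>'
    '<saml:Subject><saml:NameID Format="%s">CORP\\jdoe</saml:NameID></saml:Subject>'
    '</saml:Assertion>' % WDQN)

ENCRYPTED_RESPONSE = _success_response(
    '<saml:EncryptedAssertion><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">'
    '<xenc:CipherData><xenc:CipherValue>Y29uc3RydWN0ZWQ=</xenc:CipherValue></xenc:CipherData>'
    '</xenc:EncryptedData></saml:EncryptedAssertion>')

if __name__ == "__main__":
    fmt = requested_name_id_format(AUTHN_REQUEST)
    for label, xml_text in (("responder", RESPONDER_RESPONSE),
                            ("plain", PLAIN_RESPONSE),
                            ("encrypted", ENCRYPTED_RESPONSE)):
        r = inspect_response(xml_text, "_req-constructed-1", fmt)
        print(label, r["status"], r["name_id"], r["findings"])
```

The inspector deliberately stops at the first finding that makes the rest unreadable: a non-Success status has no assertion to look at, and an EncryptedAssertion cannot be read without the SP's private key, which is why the thread's advice to remove the encryption certificate from the relying party trust (or enable SP-side debugging) comes before any claim-rule work. Feed it the decoded SAMLResponse from the browser trace and compare the NameID format against the one in the AuthnRequest.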
After quite some time at the keyboard and on a well-known search engine, I've got my scenario working.
ADFS IdP-initiated Sign-On -to- NW AS Java 7.3 w/ SAML 2.0 redirectapp -to- NW 7.01 Portal
with SSO all along the way
The keys to this success:
1. Correctly enabled SSL in the NW AS Java with a properly signed SSL certificate
2. ADFS trusting the SSL certificate of NW AS Java as a trusted root certificate
3. Correctly (re)installing the JCE unlimited policy files in the recently (24 hrs ago!) patched SAP JVM
4. Configuring a default ACS application path in the SAML service provider in the NW AS Java to call the redirectapp
5. Only passing one claim rule from ADFS
For step 4, I am not convinced this is the right way forward and need to look at the RelayState or another mechanism in ADFS, perhaps, so that we don't have to have a one-to-one mapping of the AS Java 7.3 and a web application incapable of SAML 2.0.
For step 5, this is not so good in my scenario, because I will have my AS Javas connected to multiple LDAP sources (as will the ADFS be), and will be using a different LDAP attribute to uniquely identify a user in each LDAP connection.
#2 - Why is it necessary that ADFS trusts the SSL certificate of the AS Java system? Normally all the SAML2 communication between the IdP (ADFS) and SP (AS Java) should go through the user's browser. There shall be no direct communication from the IdP to the SP which would require trust of the SSL certificate.
#4 - If you use IdP-initiated SSO then you have to maintain either a default application path or mappings from RelayState to application path or both. In both cases you can enter URL parameters in the "(Default) Application Path" fields. Could you please explain why this might not be sufficient for your scenario? I believe you can specify a RelayState parameter when you trigger IdP-initiated SSO from ADFS - perhaps just an additional RelayState parameter in the URL?
#5 - What is the error that you get if multiple claims are sent by ADFS? Wouldn't it be possible to use one and the same UME attribute mapped to different physical attributes in the respective LDAP servers? Could you provide more details about the exact scenario?
#2 - Sorry, you are correct; here it was trusting the cert and root of the self-signed SSL for the AS Java in the client browser to get past the certificate errors in IE. But wouldn't this be required if back-channel communications were used instead of front-channel?
#4 - So far I have only been able to get the integration working by completing the default application path. Therefore, if there is more than one SAML-protected application or service behind the intermediary AS Java 7.3 and the redirect app, as there are in our situation - a landscape of sandbox, development, training, testing, support and production systems, some of which are hosting more than one application (such as ISA, Portal, EBPP ...) in a single J2EE system - I need to find a way to integrate these all into the AS Java service provider. I guessed that RelayState was the way to go, but as yet haven't discovered how to configure an IdP service in ADFS to make use of that.
#5 - We have several AD domains, and there can be a duplicate sAMAccountName across the domains. This arises either by mistake, or genuinely because some (of our) systems (according to our naming rules) generate user IDs (sAMAccountName) when more than one user has the same name. So, to avoid indeterminacy, especially when logging in or SSO into an AS Java, I have one domain that uses sAMAccountName (it can't be changed) and the remainder use user principal name in the LDAP connectors. So my approach was to have two claim rules, one for each principal, both typed as Name ID. When there is more than one claim of the same type, it's ADFS that throws an error - not the SAP side.
Next steps ...
- How to do #4.
- Add SAP Web Dispatchers to the landscape.
- SSO offloading before the AS Java SP.
- How to redirect unauthenticated clients back to the ADFS IdP from a target service/application (i.e. enforce a SAML/ADFS IdP policy throughout the service/application landscape) should they approach the application directly (JAAS stack?)
#2 - It is very unusual to have back-channel communication initiated by the IdP to the SP. As ADFS does not support the SOAP binding for SLO, there are not even any theoretical use cases with ADFS as an IdP. In the other direction, from the SP to the IdP, yes, for the HTTP-Artifact binding. The AS Java system by default won't check the server certificate unless you go to the destination service and explicitly configure it. Then you will need the certificate of the CA that has signed the SSL certificate of the ADFS.
#4 - It seems that ADFS really does not support sending a RelayState when IdP-initiated SSO is done. I searched on Google and found some articles, but all require code changes. I haven't tested them yet, so I cannot recommend any :(. Have you considered using SP-initiated SSO, and what would prevent you from doing so?
#5 - I see at least two options:
- use the email of the user if unique across all domains
- introduce a new user attribute that is generated and unique across all domains
#4 - either code changes in ADFS or use SP-initiated SSO
Web Dispatcher - afterwards you need to export new metadata with the host name of the Web Dispatcher
SSO offloading - what do you mean?
How to redirect... - Do you mean to start, for example, from an ABAP BSP/WDP application, then be redirected to the AS Java 7.3 SP and then to the IdP, and afterwards all the way back?
The download link has expired for the "proxy" application. Would you please re-enable it again?
I'm about to configure the same scenario, but I am missing the redirect application.
I configured ADFS as identity provider and AS-ABAP as service provider, and ABAP is getting the SAML response.
I want to map the NT user account, which is in the format DOMAIN\username, to the SAP user using the VUSREXTID view or table USREXTID.
I didn't find any class in the SAML configuration of the ABAP engine which requests the NT user from ADFS 2.0. Can someone help me to do this configuration?