38 Replies. Latest reply: Aug 29, 2011 12:39 PM by Dimitar Mihaylov

Single Sign On - Sharepoint 2010 to SAP using ADFS

Vinh Vo

Hi folks,

- We are working on a project about SharePoint 2010 integration with SAP. The project will use Single Sign On to authenticate between SharePoint 2010 and SAP using ADFS. We expect that after end users log in to SharePoint 2010, they will integrate to SAP without logging in to SAP again in the SharePoint system (using a WebPart).

- I am seeking documentation or an article that shows me how to configure ADFS for SAP.

- Please help me and let me know if you have any documentation about my expected things above.

Thank you

Regs,

Vinh.Vo

  • Re: Single Sign On - Sharepoint 2010 to SAP using ADFS
    Vinh Vo

    please help me.....

  • Re: Single Sign On - Sharepoint 2010 to SAP using ADFS
    Mikael Löwgren

    Hello.

    I'm not sure what you refer to when you say SAP.

    Is it an integration to the SAP Portal or an SAP Backend system?

    What are you integrating? Do you want to access data from the SAP Backend from a WebPart, or do you want to show HTML generated from the backend (such as BSP, WebDynpro)?

    There are several options to do this. SSO using Kerberos has been supported in both WebAS Java and ABAP for some time (was it 7.0?). SAML authentication is supported in WebAS ABAP since 7.02, and in Java from some version (might also be 7.02).

    http://help.sap.com/saphelp_nw70ehp1/helpdata/en/43/4bd58c6c5e5f34e10000000a1553f6/content.htm

    If you are using older Backend versions, you would need to use some layer in between. This is enabled by Duet Enterprise.

    If you are using the SAP Portal, it is possible to use SSO for instance with Kerberos, but you would have to integrate this in SharePoint with iframes or something equivalent to that.

    Usually SharePoint integration to SAP backend systems would go through some integration bus, depending on your company policy for accessing data from SAP. Usually you would choose from SAP PI or SAP Duet Enterprise.

    Hope this gives you some hints!

  • Re: Single Sign On - Sharepoint 2010 to SAP using ADFS
    Tim Alsop

    Hi,

    I think I can help you with this. I specialise in Kerberos with SAP.

    When a user logs onto Sharepoint, they will typically be authenticated using Integrated Windows Authentication, which means the Kerberos credentials of the user who is logged on at the workstation will be used for authenticating the user. If the Sharepoint server is set up correctly in the domain, credential delegation will be used, meaning that the Kerberos TGT of the user will be available (e.g. delegated/forwarded) to Sharepoint after the user logs on, and can be used by code on the Sharepoint server to authenticate to SAP servers on behalf of the user at the authentication, as long as the SAP server supports Kerberos.

    The above is applicable if the Sharepoint server is communicating directly with the SAP system, but if you want the user to log on to Sharepoint and click on links which take the user to SAP URLs (e.g. portal) via redirection, then the best way to do this is to make SAP Portal use Integrated Windows Authentication, and then there is no need to delegate credentials to Sharepoint and no need to use SAML or anything like that.

    I hope the above is clear?

    Thanks,

    Tim

    • Re: Single Sign On - Sharepoint 2010 to SAP using ADFS
      Vinh Vo

      Hi Tim, Mikael,

      Thank you for your response.

      @Hi Tim:

      You gave me two solutions.

      - First:

      "When a user logs onto Sharepoint, they will typically be authenticated using Integrated Windows Authentication, which means the Kerberos credentials of the user who is logged on at the workstation will be used for authenticating the user. If the Sharepoint server is set up correctly in the domain, credential delegation will be used, meaning that the Kerberos TGT of the user will be available (e.g. delegated/forwarded) to Sharepoint after the user logs on, and can be used by code on the Sharepoint server to authenticate to SAP servers on behalf of the user at the authentication, as long as the SAP server supports Kerberos."

      - Second:

      "If you want the user to log on to Sharepoint and click on links which take the user to SAP URLs (e.g. portal) via redirection, then the best way to do this is to make SAP Portal use Integrated Windows Authentication, and then there is no need to delegate credentials to Sharepoint and no need to use SAML or anything like that."

      I do not know how to do that. Would you please write a step-by-step document to show me how to configure each solution?

      I do not know the steps which we should do.

      Thank you

      Edited by: voxuvi on Mar 7, 2011 7:22 AM

  • Re: Single Sign On - Sharepoint 2010 to SAP using ADFS
    Dimitar Mihaylov

    Hi,

    Recently there was a similar request from a customer to support SSO from EP 7.0 to Sharepoint 2010 and vice versa. This customer has users that authenticate to EP and Sharepoint with SPNEGO/Kerberos but also users that authenticate manually with username and password. So it is not sufficient to set up Integrated Windows Authentication on both portals; you also have to propagate the currently logged-in user from one portal to the other one. For this customer we have recommended a setup with ADFS 2.0 (Microsoft) and CE 7.2 (SAP) and establishing SAML 2.0 trust between the Microsoft and SAP worlds. I have attached a PPT in SAPMats which describes this setup, here: https://sapmats-de.sap-ag.de/download/download.cgi?id=17FWTCQJ01UOHJFYCGS2LBTT3NU1WGZDD79S9UFXXCW44VIX26. Upon request I could provide further technical details.

    Regards,

    Dimitar

    • Re: Single Sign On - Sharepoint 2010 to SAP using ADFS
      prashm reddy

      Can you please provide more details on how you implemented it?

      Whenever we talk about ADFSv2 or federation, we always say Company A users tried to access Company B resources. If I understood you correctly, you are stating that this is all within the same company, which is Company C users accessing Company C resources, which are SAP and SharePoint.

      My customer has a few scenarios:

      - SharePoint should be able to go to SAP and get the data on behalf of the user and publish it in the SharePoint Portal.

      - User logs in to SharePoint and clicks on a link on SAP; it needs to work.

      The question is that the user could be coming from a domain-joined machine or a non-domain-joined machine. From a domain-joined machine I believe IWA (integrated windows authentication) will work and also the Kerberos option might work.

      From a non-domain-joined machine neither IWA nor a Kerberos token will work (correct me if I am wrong). This is where you are talking about Claims, in which case I understand that the user has to submit credentials to either SharePoint or SAP. Once they submit the credentials to one of the systems, let's say SharePoint, and when they try to go to SAP, the claim will be sent to SAP by SharePoint, and after validating the claim the user can access the data in SAP. If this is true it solves the issue of the user clicking links...

      Are you also stating that SharePoint using Claims can pull data from SAP and publish it in SharePoint, or are you stating that when the user clicks on a link in the SharePoint Portal which is a link to SAP, the user will be sent to the SAP portal and SSO will work?

      Thanks

      M

    • Re: Single Sign On - Sharepoint 2010 to SAP using ADFS
      Murat Temizer

      Hello,

      Can we use this scenario on the Internet? Does it require access to local resources like Active Directory, so that it only works in an intranet or VPN scenario?

      And our SharePoint's user source is Active Directory, the portal's source is ABAP, and the usernames are different in these. Can we make it work in this way?

      Best Regards,

      Ali AVCI

      • Re: Single Sign On - Sharepoint 2010 to SAP using ADFS
        Dimitar Mihaylov

        Hi Ali,

        In order to get the scenario working on the Internet, the following systems should be moved to the DMZ: SAP NW AS Java (CE) 7.2, SAP Portal, ADFS 2.0, Sharepoint 2010. You also have to allow connections from CE 7.2 and SAP Portal to the ABAP system which is used as user store. The same applies for the ADFS 2.0 (and eventually Sharepoint): they should be able to connect to AD in order to check username/password and read user data. The SAML 2.0 communication itself is done completely through the user's browser. Regarding the user mapping, you can maintain it in either place: in AD as an additional user attribute and send the value of this attribute in the SAML assertion, or in ABAP as a Logon Alias, or in CE 7.2 as an additional user attribute in UME.

        In case the user mapping is maintained in AD you can also use in-memory/transient users in the CE 7.2 system. This way the CE 7.2 system won't need to use the ABAP system as user store. More details about a similar but more complex scenario with in-memory users can be found at the following wiki: http://wiki.sdn.sap.com/wiki/display/Security/SingleSign-OnwithSAML2.0andABAPSystemsSupportingSAPLogon+Tickets.

        Yet another option is to send the email of the user in the SAML2 assertion. This will work if it is the same in AD and ABAP.

        Regards,

        Dimitar

        • Re: Single Sign On - Sharepoint 2010 to SAP using ADFS
          Stuart Begg

          Hi Dimitar,

          Thanks for your step-by-step, which I followed for integration of ADFS, NW AS Java and then Portal 7.01. In my scenario, I just need a user to authenticate first against ADFS, then to browse to the AS Java (NW 7.3 SPS3) for the redirect to the eventual portal.

          The trust/SSO from AS Java 7.3 SPS3 to Portal 7.01 is working fine; however, when I'm trying the redirect app route, there is no SSO taking place on to the AS Java 7.3 intermediary. Do you know of a way to check why the ADFS/SAML2 SSO isn't working?

          Perhaps one thing you might confirm is: the intermediary AS Java 7.3 has SSL enabled, but it doesn't have a signed certificate, so I wonder if the ADFS doesn't like this and that would be the issue?

          When I access the redirect app I am getting a system response "Request requires authentication" from the AS Java 7.3. All 3 system components are hooked up to the same AD as UME sources.

          • Re: Single Sign On - Sharepoint 2010 to SAP using ADFS
            Dimitar Mihaylov

            Hi Stuart,

            You can collect a SAML2-related trace from AS Java 7.3 in the following way:

            1. Access the Security Troubleshooting Wizard as described in the following note https://service.sap.com/sap/support/notes/1332726 (e.g. http://<host>:port/tshw)

            2. Select incident type "SAML 2.0 (Info)" or "SAML 2.0 (Debug)" and start the tool

            3. Reproduce the problem

            4. Stop the tool and check the collected traces for a possible cause of the problem

            If you cannot find one, just post here some of the traces that you think might be relevant, perhaps those with severity warning or error.

            Regards,

            Dimitar

            • Re: Single Sign On - Sharepoint 2010 to SAP using ADFS
              Stuart Begg

              Dimitar,

              Thank you. I collected the traces from SAML debug.

              Firstly, I have tried using the ADFS IdpInitiatedSignOn page to access the relying party trust. I don't expect this to get very far, because how does that relying party understand how and when to call the redirectapp (I added the redirectapp call as an identifier in ADFS configuration and got no further)? So going for the ADFS sign-on page and accessing the relying trust there, I see the following error in the diagnostics:

              Service Provider ACS endpoint has no default entrance location configured.

              Reading between the lines, this looks like it means the default ACS application path, which I then set to

              /redirectapp/index.jsp?schema=http&host=myhost&port=80&path=%2fmypath

              This then hooked up the ADFS login page with the target application. But what if I want more than one target host behind the AS Java with the SAML? Do I need a dedicated AS Java per targeted host system?

              And the interesting warnings in the SAML debug look like this:


              Warning:

              Service Provider has received SAML2Response from Identity Provider [http://myadfssso/adfs/services/trust] that contains an error status code [urn:oasis:names:tc:SAML:2.0:status:Responder]. Status message: [<null>]

              and

              LOGIN.FAILED
              User: N/A
              IP Address: 172.25.67.52
              Authentication Stack: sap.com/redirectapp*redirectapp

              Login Module
              1. com.sap.security.saml2.sp.SAML2LoginModule

              Flag
              REQUISITE

              Initialize OK

              Login
              exception

              Abort
              true

              Details
              Rejected Signon Response
              Reason: Error SAML2Response received.
              ID: _777a3f24-f197-4534-b207-a92adf315066
              Issuer: http://myadfssso/adfs/services/trust
              Destination: https://myhost/saml2/sp/acs
              In Response To: S28a54017-9798-4872-9e01-dd4e954da4c7
              Issue Instant: Thu Aug 11 10:03:41 EDT 2011
              Top Level Status Code: urn:oasis:names:tc:SAML:2.0:status:Responder
              Second Level Status Code:
              Status Message:
              Consent: urn:oasis:names:tc:SAML:2.0:consent:unspecified


              In HttpWatch I can see the redirects between ADFS and the first server. It looks to me like one small piece of information is missing in the conversations that the partners are having.

              TIA for your feedback.
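A small parser and triage routine for the kind of rejected response shown in the trace above, written as an added example (not code from the SAP SAML2 login module or from ADFS). The XML is constructed from the ID, Issuer, Destination and InResponseTo values in the trace; the expected issuer, ACS URL and set of outstanding request IDs passed to triage() are assumptions.

```python
"""SAML 2.0 Response triage at the SP's ACS endpoint (added example, not
SAP AS Java or ADFS code). SAMPLE_RESPONSE mirrors the rejected response
in the trace: status Responder, no second-level status, no message."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_PREFIX = "urn:oasis:names:tc:SAML:2.0:status:"

# Constructed sample of an error response as the IdP would POST it to the ACS.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_777a3f24-f197-4534-b207-a92adf315066"
    InResponseTo="S28a54017-9798-4872-9e01-dd4e954da4c7"
    Destination="https://myhost/saml2/sp/acs"
    IssueInstant="2011-08-11T14:03:41Z" Version="2.0">
  <saml:Issuer>http://myadfssso/adfs/services/trust</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
  </samlp:Status>
</samlp:Response>"""


def parse_response(xml_text):
    """Extract the envelope fields the SP checks before touching any assertion."""
    root = ET.fromstring(xml_text)
    top = root.find("samlp:Status/samlp:StatusCode", NS)
    second = top.find("samlp:StatusCode", NS) if top is not None else None
    msg = root.find("samlp:Status/samlp:StatusMessage", NS)
    issuer = root.find("saml:Issuer", NS)
    return {
        "id": root.get("ID"),
        "in_response_to": root.get("InResponseTo"),
        "destination": root.get("Destination"),
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "top_status": top.get("Value") if top is not None else None,
        "second_status": second.get("Value") if second is not None else None,
        "status_message": msg.text if msg is not None and msg.text else None,
    }


def triage(fields, expected_issuer, acs_url, outstanding_request_ids):
    """Return (verdict, reason). Issuer, Destination and InResponseTo are
    checked before the status so a response aimed at another ACS, or answering
    a request this SP never sent, is rejected whatever it claims. Signature
    verification is a separate step that must run before anything is trusted."""
    if fields["issuer"] != expected_issuer:
        return "reject", "Issuer is not the trusted IdP"
    if fields["destination"] != acs_url:
        return "reject", "Destination is not this SP's ACS URL"
    irt = fields["in_response_to"]
    if irt is not None and irt not in outstanding_request_ids:
        return "reject", "InResponseTo matches no outstanding AuthnRequest"
    code = (fields["top_status"] or "").replace(STATUS_PREFIX, "")
    if code == "Success":
        return "accept", "proceed to signature, audience and time-window checks"
    detail = fields["second_status"] or fields["status_message"] or "no detail given"
    hint = {
        "Responder": "IdP-side failure: look in the ADFS event log and claim rules",
        "Requester": "SP-side request problem: check the AuthnRequest and SP metadata",
        "VersionMismatch": "SAML protocol version mismatch between IdP and SP",
    }.get(code, "unknown top-level status '" + code + "'")
    return "reject", hint + " (" + detail + ")"
```

A top-level Responder status with empty second-level status and message, as in the trace, tells the SP only that the IdP refused; the cause has to be read on the ADFS side.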

              • Re: Single Sign On - Sharepoint 2010 to SAP using ADFS
                Stuart Begg

                Hi Dimitar,

                After quite some time at the keyboard and a well-known search engine, I've got my scenario working.

                ADFS IDP-initiated Sign On -to- NW AS Java 7.3 with SAML 2.0 redirectapp -to- NW 7.01 Portal

                with SSO all along the way

                The keys to this success:

                1. Correctly enabled SSL in the NW AS Java with a properly signed SSL certificate

                2. ADFS trusting the SSL certificate of NW AS Java as a trusted root certificate

                3. Correctly (re)installing the JCE unlimited policy files in the recently (24 hrs ago!) patched SAP JVM

                4. Configure a default ACS application path in the SAML service provider in the NW AS Java to call the redirectapp

                5. Only passing one claim rule from ADFS

                For step 4, I am not convinced this is the right way forward and need to look at the Relay State or other mechanism in ADFS perhaps, so that we don't have to have a one-to-one mapping of the AS Java 7.3 and a web application incapable of SAML 2.0.

                For step 5, this is not so good in my scenario because I will have my AS Javas connected to multiple LDAP sources (as will the ADFS be), and be using a different LDAP attribute to uniquely identify a user in each LDAP connection.

                • Re: Single Sign On - Sharepoint 2010 to SAP using ADFS
                  Dimitar Mihaylov

                  Hi Stuart,

                  #2 - Why is it necessary that the ADFS trusts the SSL certificate of the AS Java system? Normally all the SAML2 communication between the IdP (ADFS) and SP (AS Java) should go through the user's browser. There shall be no direct communication from the IdP to the SP which would require trust of the SSL certificate.

                  #4 - If you use IdP-initiated SSO then you have to maintain either a default application path or mappings from RelayState to application path, or both. In both cases you can enter URL parameters in the "(Default) Application Path" fields. Could you please explain why this might not be sufficient for your scenario? I believe you can specify a RelayState parameter when you trigger IdP-initiated SSO from ADFS; perhaps just an additional RelayState parameter in the URL?

                  #5 - What is the error that you get if multiple claims are sent by ADFS? Wouldn't it be possible to use one and the same UME attribute mapped to different physical attributes in the respective LDAP servers? Could you provide more details about the exact scenario?

                  Regards,

                  Dimitar

                  • Re: Single Sign On - Sharepoint 2010 to SAP using ADFS
                    Stuart Begg

                    Hi Dimitar,

                    #2 - Sorry, you are correct; here it was trusting the cert and root of the self-signed SSL for the AS Java in the client browser to get past the certificate errors in IE. But wouldn't this be required if back-channel communications were used instead of front-channel?

                    #4 - So far I have only been able to get the integration working by completing the default application path. Therefore if there is more than one SAML-protected application or service behind the intermediary AS Java 7.3 and the redirect app, as there are in our situation (a landscape of sandbox, development, training, testing, support and production systems, some of which are hosting more than one application, such as ISA, Portal, EBPP ..., in a single J2EE system), I need to find a way to integrate these all into the AS Java service provider. I guessed that RelayState was the way to go, but as yet haven't discovered how to configure an IDP service in ADFS to make use of that.

                    #5 - We have several AD domains and there can be a duplicate samAccountName across the domains. This arises either by mistake, or genuinely because some (of our) systems (according to our naming rules) generate user ids (samAccountName) when more than one user has the same name. So, to avoid indeterminacy, especially when logging in or SSO into an AS Java, I have one domain that uses samAccountName (it can't be changed) and the remainder use user principal name in the LDAP connectors. So my approach was to have two claims rules, one for each principal, both typed as Name ID. When there is more than one claim of the same type, it's ADFS that throws an error, not the SAP side.

                    Next steps ...

                    - How to do #4.

                    - Add SAP Web Dispatchers to the landscape.

                    - SSO offloading before the AS Java SP.

                    - How to redirect unauthenticated clients back to the ADFS IDP from a target service/application (i.e. enforce a SAML/ADFS IDP policy throughout the service/application landscape) should they approach the application directly (JAAS stack?)

                    • Re: Single Sign On - Sharepoint 2010 to SAP using ADFS
                      Dimitar Mihaylov

                      Hi Stuart,

                      #2 - It is very unusual to have back-channel communication initiated by the IdP to the SP. As ADFS does not support SOAP binding for SLO, there are not even theoretical use cases with ADFS as an IdP. In the other direction, from the SP to the IdP, yes, for HTTP-Artifact binding. The AS Java system by default won't check the server certificate unless you go to the destination service and explicitly configure it. Then you will need the certificate of the CA that has signed the SSL certificate of the ADFS.

                      #4 - It seems that ADFS really does not support sending a RelayState when IdP-initiated SSO is done. I searched in Google and found some articles, but all require code changes. I haven't tested them yet so I cannot recommend any :(. Have you considered using SP-initiated SSO, and what would prevent you from doing so?

                      #5 - I see at least two options:

                      - use the email of the user if unique across all domains

                      - introduce a new user attribute that is generated and unique across all domains

                      Next steps:

                      #4 - either code changes in ADFS or use SP-initiated SSO

                      Web Dispatcher - afterwards you need to export new metadata with the host name of the web dispatcher

                      SSO offloading - what do you mean?

                      How to redirect... - Do you mean to start for example from an ABAP BSP/WDP application, then be redirected to the AS Java 7.3 SP and then to the IdP, and afterwards all the way back?
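The default application path and RelayState-to-path mappings discussed in #4 above, as an added example (not SAP AS Java's SAML service provider or ADFS code) that also shows why the redirectapp's host parameter needs an allow-list. The default path is the one Stuart quoted earlier in the thread; the mapping names, extra hosts and the allow-list are assumptions.

```python
"""Target selection after IdP-initiated SSO at the SP (added example, not
SAP AS Java or ADFS code). Models the "(Default) Application Path" and the
RelayState-to-path mappings, and the redirectapp URL form quoted earlier."""
from urllib.parse import urlencode, urlsplit, parse_qs

REDIRECT_APP = "/redirectapp/index.jsp"


def redirect_app_path(schema, host, port, path):
    """Build a redirectapp application path in the form Stuart used."""
    return REDIRECT_APP + "?" + urlencode(
        {"schema": schema, "host": host, "port": port, "path": path})


# Assumed SP configuration: the default path Stuart quoted plus named mappings.
DEFAULT_APPLICATION_PATH = redirect_app_path("http", "myhost", "80", "/mypath")
RELAY_STATE_MAPPINGS = {
    "portal": redirect_app_path("https", "portal.example.test", "443", "/irj/portal"),
    "isa": redirect_app_path("https", "isa.example.test", "443", "/b2b/init.do"),
}
# Assumed allow-list: the only hosts the redirect app may forward a browser to.
ALLOWED_TARGET_HOSTS = {"myhost", "portal.example.test", "isa.example.test"}


def select_application_path(relay_state):
    """Map RelayState to a configured path, falling back to the default.

    RelayState arrives in the POST to the ACS and is under the caller's
    control, so it is only ever a lookup key, never used as a URL itself.
    """
    if relay_state in RELAY_STATE_MAPPINGS:
        return RELAY_STATE_MAPPINGS[relay_state]
    return DEFAULT_APPLICATION_PATH


def resolve_redirect_target(application_path):
    """Turn a redirectapp path into the final absolute URL.

    The host parameter makes the redirect app an open redirect unless the
    host is confined to an allow-list; returns None when a check fails.
    """
    parts = urlsplit(application_path)
    if parts.path != REDIRECT_APP:
        return None
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    scheme, host, port = q.get("schema"), q.get("host"), q.get("port")
    path = q.get("path", "/")
    if scheme not in ("http", "https") or host not in ALLOWED_TARGET_HOSTS:
        return None
    if not path.startswith("/") or path.startswith("//"):
        return None  # a protocol-relative path would escape the host
    default_port = {"http": "80", "https": "443"}[scheme]
    port_part = "" if port in (None, default_port) else ":" + port
    return scheme + "://" + host + port_part + path
```

With IdP-initiated SSO from ADFS and no RelayState, every login lands on DEFAULT_APPLICATION_PATH, which is the one-to-one limitation Stuart describes; SP-initiated SSO avoids it because the SP chooses the RelayState itself.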

        • Re: Single Sign On - Sharepoint 2010 to SAP using ADFS
          Ove Stavland

          Hi Dimitar,

          The download link has expired for the "proxy" application. Would you please re-enable it?

          I'm about to configure the same scenario, but I am missing the redirect application.

          https://sapmats-de.sap-ag.de/download/download.cgi?id=7D4RGZG7I8O5WY9BM6QT7KSRVMYZ97IBR702GDV5I22CS44BBO

          Thanks!

          Ove

  • Re: Single Sign On - Sharepoint 2010 to SAP using ADFS
    Kiran Vejendla

    Hi,

    I configured ADFS as identity provider and AS-ABAP as service provider, and ABAP is getting the SAML response.

    I want to map the NT user account, which is in the format DOMAIN\username, to the SAP user using the VUSREXTID view or table USREXTID.

    I didn't find any class in the SAML configuration at the ABAP engine which is requesting the NT user from ADFS 2.0. Can someone help me to do this configuration?

    Best regards,

    Kiran.
