binson

In Duet Enterprise, user authentication between the SharePoint server and the SCL (Service Consumption Layer) uses SAML: the SCL consumes the SAML token issued by the STS service on the SharePoint server. Because the token issuer name on every SharePoint server is “SharePoint”, the SCL system cannot validate tokens from multiple SharePoint servers. By default, therefore, you can connect only one SharePoint server to any SCL system.

This blog explains the steps that let you connect multiple SharePoint server farms to a single SCL / Gateway system.

1. Execute the WSS_SETUP program: During Duet Enterprise configuration in the SCL system, the WSS_SETUP program must be executed to enable message-based authentication. These steps are described in detail in the Duet Enterprise deployment guide, in the section “Configuring the SCL Host to use SAML Authentication” (http://www.service.sap.com/instguides -> Duet -> Duet Enterprise 1.0 -> Duet Enterprise SAP Deployment Guide). Follow the steps below to execute the WSS_SETUP program.

  1. On the SCL, open the Service Consumption Layer Administration IMG. Click the Display icon.
  2. Select Connection Settings > SCL to Consumer > Configure Web Service Message-Based Authentication. Click the Execute icon. The Configuration of WSS_SETUP page is displayed.
  3. Select ICF Node Update.
  4. Select Provider Configuration in the Secure Token Service (Service Conversation) section.
  5. Specify the following in the WS Security Options section:
     - Algorithm Suite: Select TripleDesSha256RSA15 for the algorithm suite.
     - Clock Skew: Specify the value 32676.
     - Select Detect message replays.
     - SAML 1.1 Trust: Choose “Use Logon Ticket Trust”.
  6. In the Test Run section, unselect Test Run, and click Execute.

 

 

2. Export the STS certificate from all SharePoint servers: On the SharePoint server, go to “Microsoft Management Console” > add the “Certificates” snap-in > “Computer Account”. Under the “Certificates > SharePoint > Certificates” node you will find the “SharePoint Security Token Service” certificate. Export this certificate from every SharePoint server and upload it to the SCL (Step 4).

 

 

3. Export the SSL certificate from all SharePoint servers: On the SharePoint server, go to “Internet Information Services (IIS) Manager”, export the SSL certificate assigned to the Duet Enterprise web application, and upload it to the SCL system (Step 5).

 

 

4. Import the STS certificates exported from all SharePoint servers (Step 2) into the “System PSE” section in the SCL system:

  1. On the SCL, open the Service Consumption Layer Administration IMG, and select Connection Settings > SCL to Consumer > Manage Security Trust.
  2. Click the Execute icon - The Trust Manager page is displayed.
  3. Double click on System PSE.
  4. Click Import Certificate. The Import Certificate page is displayed.
  5. Enter the SharePoint STS server certificate.
  6. Click Add to Certificate List.
  7. Click Save.

 

 

5. Import the SSL certificates from all SharePoint servers into the “SSL Client SSL Client (Anonymous)” section in the SCL system:

  1. On the SCL, open the Service Consumption Layer Administration IMG, and select Connection Settings > SCL to Consumer > Manage Security Trust.
  2. Click the Execute icon - The Trust Manager page is displayed.
  3. Double click on SSL Client SSL Client (Anonymous).
  4. Click Import Certificate. The Import Certificate page is displayed.
  5. Enter the SharePoint SSL server certificate.
  6. Click Add to Certificate List.
  7. Click Save.

 

 

6. Export the SSL server certificate from the SCL system and import it into the “Manage Trust” section of Central Administration on all SharePoint servers:

  1. On the SCL, open the Service Consumption Layer Administration IMG, and select Connection Settings > SCL to Consumer > Manage Security Trust.
  2. Click the Execute icon - The Trust Manager page is displayed.
  3. Under SSL server (Standard), double-click the certificate displayed. The Own certificate is displayed.
  4. Double click on the certificate. The certificate is displayed in the Certificate area.
  5. Click Export Certificate.
  6. In the File path field, enter a file name.
  7. In the File format section, select the Binary radio button.
  8. Click the checkmark to export the certificate to the file system.

 

 

Once the above steps are completed, you will be able to access SAP data from multiple SharePoint servers that are connected to the same SCL system. Hope this document is helpful to you.
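Because every farm's token issuer carries the same name, the certificate fingerprint is what tells one trust entry from another. The following Python code is an added example, not part of the original blog or of any SAP or Microsoft tooling: it inventories the certificate files exported in steps 2 and 3, flags duplicate or unreadable exports, and lists farms whose certificate is not among the fingerprints read back from the trust store after steps 4 and 5. The labels, function names and sample bytes are assumptions made for illustration.

```python
import base64, hashlib, re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def to_der(data: bytes) -> bytes:
    """Accept a Binary (DER) or Base64 (PEM) export and return the DER bytes."""
    m = PEM_RE.search(data)
    if m:
        data = base64.b64decode(b"".join(m.group(1).split()))
    if not data or data[0] != 0x30:  # an X.509 certificate is an ASN.1 SEQUENCE
        raise ValueError("not a DER or PEM certificate export")
    return data

def normalize(fp: str) -> str:
    """'ab:cd ef' -> 'ABCDEF', so fingerprints copied from any dialog compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()

def build_inventory(exports: dict) -> tuple:
    """exports: label (e.g. 'farmA/STS') -> file bytes. Returns (inventory, findings)."""
    inventory, seen, findings = {}, {}, []
    for label, data in sorted(exports.items()):
        try:
            der = to_der(data)
        except ValueError as exc:
            findings.append(f"{label}: {exc}")
            continue
        sha256 = hashlib.sha256(der).hexdigest().upper()
        inventory[label] = {"sha1": hashlib.sha1(der).hexdigest().upper(), "sha256": sha256}
        if sha256 in seen:  # same file exported twice, or two farms sharing one certificate
            findings.append(f"{label}: identical to {seen[sha256]}")
        else:
            seen[sha256] = label
    return inventory, findings

def missing_from_trust(inventory: dict, trusted: list) -> list:
    """Labels whose certificate is not among the fingerprints read back from the trust store."""
    known = {normalize(fp) for fp in trusted}
    return [label for label, fp in sorted(inventory.items())
            if fp["sha1"] not in known and fp["sha256"] not in known]

if __name__ == "__main__":
    # Constructed placeholder bytes standing in for exported .cer files (not real certificates).
    farm_a = b"\x30\x82\x01\x0a" + b"farm-A STS"
    farm_b = b"\x30\x82\x01\x0a" + b"farm-B STS"
    inv, findings = build_inventory({"farmA/STS": farm_a, "farmB/STS": farm_b, "farmC/STS": farm_a})
    print(findings)  # farmC was exported from the wrong server, or shares farmA's certificate
    print(missing_from_trust(inv, [inv["farmA/STS"]["sha1"]]))  # farmB not yet imported
```

In practice, read each exported file with `open(path, "rb").read()` and key it by farm and role. The SHA-1 value corresponds to the Thumbprint field shown in the Windows certificate dialog.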