Now that you have decided to implement Single Sign-On (SSO) for your SAP Sourcing/CLM 9+ deployment, the clear choice for making this user-friendly functionality available to your constituents is SAML 2.0. SAML 2.0 is the industry-standard mechanism for providing SSO, one of the most widely adopted in the marketplace, and the one SAP recommends for all of its applications. The recommended Identity Provider (IdP) is SAP NetWeaver Identity Manager (IDM); SAP Sourcing/CLM 9 and above is certified to use SAP NetWeaver IDM 7.2+ as the IdP.
The reason SAML 2.0 is becoming the de facto SSO mechanism of choice, and is growing so rapidly, is clear: SAML is an XML-based OASIS standard for exchanging user identity and security attribute information, and it is an open, industry-standard SSO authentication protocol.
The major advantages for end users and for our customers are also clear:
- Enhanced User Experience
  - Facilitates user convenience with a single point of entry to SAP Sourcing/CLM: their own network
  - Fewer passwords to remember
  - Reduced number of logins to access multiple applications
- Advanced Customer Benefits
  - Platform neutrality: the security framework is abstracted from the platform architecture and vendor implementation
  - Loose coupling of directories: user information does not need to be maintained and synchronized between directories
  - Reduced Total Cost of Ownership (TCO): user repository maintenance is centralized at the Identity Provider (IdP)
  - Security consideration: authentication to SAP Sourcing/CLM OnDemand is external to the application and delegated to the IdP maintained by the customer's IT infrastructure
Caution: This blog covers the authentication aspect only. The authorization schemes in Sourcing/CLM, which support the complex requirements and rigors of the application, have not changed at all; all profiles function as usual and still need to be configured regardless of the authentication option or user data repository being used.
Let's look at the setup, the landscape, and how an SSO attempt using SAML 2.0 works:
Confused? Well, don't be: the entire mechanism, and the steps for enabling SAML 2.0 on SAP Sourcing/CLM 9.0+ with SAP NetWeaver IDM, are detailed in the first of a series we are introducing, the SAP Sourcing/CLM Quick Guides. The guide, SAP Sourcing 9.0 Quick Guide: Configuring SAP Sourcing for SAML 2.0, is available on SCN (http://scn.sap.com/docs/DOC-33751). It gives step-by-step coverage of all the configurations that need to be carried out; a brief primer follows:
IdP Configuration Steps:
- Activate the SAML 2.0 authentication service in your SAP NetWeaver IDM environment
- Create a trusted Service Provider (SP) in SAP NetWeaver IDM by importing the SP metadata file exported from the Sourcing NetWeaver instance
- Export the IdP metadata from SAP NetWeaver IDM
Service Provider (Sourcing/CLM) Configuration Steps:
- Activate the SAML 2.0 authentication service on the SP
- Export the SP metadata and make it available for the IdP to import
- Create a trusted entry for the IdP by importing the IdP metadata file
- Update the authentication stack on the SP
- Update the directory configuration in the Sourcing/CLM application
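The metadata exchange in the two step lists above is what establishes trust: the SP keeps the IdP's entity ID, SSO endpoint and signing certificate from the imported file, and on every SSO attempt it verifies the posted response against exactly that trusted entry. As an added example (not code from the Quick Guide or from SAP NetWeaver, whose SAML service performs these steps internally), the following Python script shows what the SP retains from a standard SAML 2.0 IdP metadata document and which binding checks it then applies to a SAML Response. Every entity ID, URL, request ID and the certificate body are constructed placeholders, the metadata follows the generic SAML 2.0 metadata schema rather than the exact SAP NetWeaver IDM export, and XML signature verification against the imported certificate is assumed to have been done first and is not implemented here.

```python
# Added example, not code from the Quick Guide or from SAP NetWeaver: what the SP keeps
# from an imported IdP metadata file, and the checks it applies to a posted SAML Response.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

SP_ENTITY_ID = "https://sourcing.example.com/saml2/sp"  # constructed; on a real system taken from the SP metadata
ACS_URL = "https://sourcing.example.com/saml2/sp/acs"  # constructed Assertion Consumer Service URL

# Constructed IdP metadata in the standard SAML 2.0 metadata schema, standing in for the
# file exported from the IdP and imported on the SP as its trusted entry. Placeholder cert.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idm.example.com/saml2/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idm.example.com/saml2/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def trust_from_idp_metadata(xml_text):
    """What the SP retains from the IdP metadata import: the trusted issuer, the SSO
    endpoint AuthnRequests are sent to, and the certificate that must sign assertions."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    cert = idp.find("md:KeyDescriptor[@use='signing']", NS).find(".//ds:X509Certificate", NS)
    return {"entity_id": root.get("entityID"),
            "sso_url": idp.find("md:SingleSignOnService", NS).get("Location"),
            "signing_cert": cert.text.strip()}

def _ts(value):  # SAML timestamps are UTC, e.g. 2024-01-01T12:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def make_response(audience, issued, request_id, issuer="https://idm.example.com/saml2/idp"):
    """Minimal unsigned Response as the IdP would POST to the ACS URL (constructed sample data)."""
    stamp = issued.strftime("%Y-%m-%dT%H:%M:%SZ")
    expiry = (issued + timedelta(minutes=5)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_resp1"
    Version="2.0" IssueInstant="{stamp}" Destination="{ACS_URL}" InResponseTo="{request_id}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{stamp}">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" InResponseTo="{request_id}"
            NotOnOrAfter="{expiry}"/></saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="{stamp}" NotOnOrAfter="{expiry}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def validate_response(xml_text, trust, expected_request_id, now, skew=timedelta(seconds=60)):
    """Return the failed checks (empty list = accept). Runs AFTER the XML signature has been
    verified against trust["signing_cert"]; binds the assertion to this SP, our request and now."""
    failures, resp = [], ET.fromstring(xml_text)
    status = resp.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        failures.append("status not Success")
    if resp.get("Destination") != ACS_URL:
        failures.append("Destination is not our ACS URL")
    if resp.get("InResponseTo") != expected_request_id:
        failures.append("InResponseTo does not match an outstanding AuthnRequest")
    assertions = resp.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return failures + ["expected exactly one Assertion"]
    a = assertions[0]
    if a.findtext("saml:Issuer", default="", namespaces=NS) != trust["entity_id"]:
        failures.append("Issuer is not the trusted IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) - skew <= now < _ts(cond.get("NotOnOrAfter")) + skew):
        failures.append("assertion outside its validity window")
    audiences = [e.text for e in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        failures.append("Audience does not include this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if (scd is None or scd.get("Recipient") != ACS_URL or scd.get("InResponseTo") != expected_request_id
            or now >= _ts(scd.get("NotOnOrAfter")) + skew):
        failures.append("SubjectConfirmationData does not bind the assertion to this SP and request")
    return failures

def run_checks():
    """Exercise the validator on a constructed good Response and four that must be rejected."""
    trust = trust_from_idp_metadata(IDP_METADATA)
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    good = make_response(SP_ENTITY_ID, now, "_req1")
    check = lambda xml, rid="_req1": validate_response(xml, trust, rid, now)
    return {"valid": check(good),
            "stale assertion replayed an hour later": check(make_response(SP_ENTITY_ID, now - timedelta(hours=1), "_req1")),
            "wrong audience": check(make_response("https://other-sp.example.com", now, "_req1")),
            "untrusted issuer": check(make_response(SP_ENTITY_ID, now, "_req1", issuer="https://other-idp.example.com")),
            "no matching AuthnRequest": check(good, "_req2")}

if __name__ == "__main__":
    for scenario, failures in run_checks().items():
        print(f"{scenario}: {'accepted' if not failures else failures}")
```

Running the script prints one line per scenario: the valid response is accepted, while the stale, wrong-audience, untrusted-issuer and unsolicited responses each list the check that rejected them. The point for the SP configuration steps is that the Audience, Recipient and Issuer values all come from the two metadata files exchanged between SP and IdP, so a mismatch between what was exported and what was imported shows up as exactly these rejections.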
Other Quick Guides are being prepared to make the task of synchronizing user attributes between the central user repository and SAP Sourcing/CLM easy, with bonus tasks and jobs that can be deployed on SAP NetWeaver IDM; they will be made available shortly. So stay tuned.
The new mantra is: implement SSO using SAML 2.0.