
Now that you have decided to implement Single Sign-On (SSO) with your SAP Sourcing/CLM 9+ deployment, the clear choice for making this user-friendly functionality available to your constituents is SAML 2.0. As you probably know, SAML 2.0 is the industry standard mechanism for providing SSO and one of the most popular in the marketplace; it is also the mechanism SAP recommends for all its applications. The recommended Identity Provider (IdP) is SAP Netweaver Identity Manager (IDM). SAP Sourcing/CLM 9 and above is certified to use SAP Netweaver IDM 7.2+ as the IdP.

The reasons why SAML 2.0 is becoming the de facto SSO mechanism of choice and is growing so rapidly are clear: SAML is an XML-based OASIS standard for exchanging user identity and security attribute information, and it is an open, industry-standard SSO authentication protocol.

The major advantages for end users and for our customers are also clear:

  • Enhanced User Experience
    • Facilitates user convenience with a single point of entry to SAP Sourcing/CLM: their own network login
    • Fewer passwords to remember
    • Reduced number of logins to access multiple applications
  • Advanced Customer Benefits
    • Platform neutrality: abstracts the security framework from platform architecture and vendor implementation
    • Loose coupling of directories: user information does not need to be maintained and synchronized between directories
    • Reduced Total Cost of Ownership (TCO): user repository maintenance is centralized at the Identity Provider (IdP)
    • Security consideration: authentication to SAP Sourcing/CLM OnDemand is external to the application and delegated to the IdP maintained by the customer's IT infrastructure

Caution: This blog covers the authentication aspect only. The authorization schemes in Sourcing/CLM, which support the complex requirements and rigors of the application, have not been changed at all. All profiles will function as usual and will still need to be configured regardless of the authentication option or user data repository being used.

Let's look at the setup, the landscape, and how an SSO attempt using SAML 2.0 would work:

[Figure: SAML 2.0 SSO setup, landscape and login flow (SAML2.jpg)]

Confused? Well, don't be: the entire mechanism and the steps for enabling SAML 2.0 on SAP Sourcing/CLM 9.0+ with SAP Netweaver IDM are detailed in the first of a series we want to introduce for SAP Sourcing/CLM: Quick Guides. The Quick Guide "SAP Sourcing 9.0 Quick Guide: Configuring SAP Sourcing for SAML 2.0" is available on SCN (http://scn.sap.com/docs/DOC-33751). The guide gives step-by-step coverage of all the configurations that need to be carried out; a very brief primer follows below:

IdP Configuration Steps:

  • Activate the SAML 2.0 authentication service in your SAP Netweaver IDM environment
  • Create a trusted Service Provider (SP) entry in SAP Netweaver IDM by importing the metadata file exported from the Sourcing Netweaver instance
  • Export the IdP metadata from SAP Netweaver IDM

Service Provider (Sourcing/CLM) Configuration Steps:

  • Activate the SAML 2.0 authentication service on the SP
  • Export the SP metadata and make it available for the IdP to import
  • Create a trusted entry for the IdP by importing the IdP metadata file
  • Update the authentication stack on the SP
  • Update the directory configuration in the Sourcing/CLM application
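The metadata exchange in the steps above is what lets the SP decide whether an inbound SAML response is one it should accept: the IdP entityID it trusts comes from the imported IdP metadata, and its own entityID and Assertion Consumer Service URL come from the SP metadata it exported. The following script, added here as an illustration and not taken from SAP or the Quick Guide, parses a constructed IdP metadata file for the trusted entityID and then runs the checks an SP performs on a SAML 2.0 response: issuer, status, destination, InResponseTo, signature presence, validity window and audience restriction. All entity IDs, URLs, request IDs and the XML are constructed placeholders; cryptographic verification of the XML signature is left to the platform's SAML library and is not implemented here.

```python
"""SP-side checks on an inbound SAML 2.0 Response (added example, not SAP's code).
Entity IDs, URLs, request IDs and the XML below are constructed placeholders."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Constructed SP-side values: what this SP's own metadata export declares.
SP_ENTITY_ID = "https://sourcing.example.com/saml2/sp"
SP_ACS_URL = "https://sourcing.example.com/saml2/acs"
# Constructed IdP metadata, standing in for the file exported from the IdP.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idm.example.com/saml2/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

def trusted_idp_from_metadata(metadata_xml):
    """'Create trusted entry for IdP' step: the entityID the SP will trust."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or root.find("md:IDPSSODescriptor", NS) is None:
        raise ValueError("not an IdP EntityDescriptor")
    return root.get("entityID")

def _parse_time(value):
    # SAML timestamps are xs:dateTime in UTC, e.g. 2012-10-10T12:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_saml_response(xml_text, trusted_idp, now, expected_request_id=None,
                        clock_skew=timedelta(minutes=3)):
    """Return the list of failed checks; an empty list means the response passed."""
    failures = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"]
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        failures.append("status is not Success")
    if root.get("Destination") != SP_ACS_URL:
        failures.append("Destination is not this SP's ACS URL")
    if expected_request_id and root.get("InResponseTo") != expected_request_id:
        failures.append("InResponseTo does not match the AuthnRequest we issued")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return failures + ["no plaintext Assertion (encrypted assertions not handled here)"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != trusted_idp:
        failures.append(f"assertion Issuer {issuer!r} is not the trusted IdP")
    # Presence check only: XML-DSig verification against the certificate from the
    # IdP metadata is done by the platform's SAML library, not here.
    if assertion.find("ds:Signature", NS) is None and root.find("ds:Signature", NS) is None:
        failures.append("neither Response nor Assertion carries a Signature")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        failures.append("no Conditions element")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now + clock_skew < _parse_time(not_before):
            failures.append("assertion not yet valid")
        if not_on_or_after and now - clock_skew >= _parse_time(not_on_or_after):
            failures.append("assertion expired")
        audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if SP_ENTITY_ID not in audiences:
            failures.append("SP entityID not in AudienceRestriction")
    if not assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip():
        failures.append("no NameID to map to a Sourcing user")
    return failures

def _sample_response(issuer, audience, not_on_or_after, signed=True):
    """Constructed samlp:Response; the Signature element is only a placeholder."""
    sig = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
           '<ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>') if signed else ""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2012-10-10T12:00:00Z" Destination="{SP_ACS_URL}" InResponseTo="_req42">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2012-10-10T12:00:00Z">
    <saml:Issuer>{issuer}</saml:Issuer>{sig}
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2012-10-10T11:58:00Z" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def demo(now=datetime(2012, 10, 10, 12, 0, 30, tzinfo=timezone.utc)):
    """Run the checks on a valid response and on one that fails several of them."""
    trusted_idp = trusted_idp_from_metadata(IDP_METADATA)
    good = check_saml_response(_sample_response(trusted_idp, SP_ENTITY_ID, "2012-10-10T12:05:00Z"),
                               trusted_idp, now, "_req42")
    # Untrusted issuer, addressed to another SP, already expired, and unsigned.
    bad = check_saml_response(_sample_response("https://other-idp.example.net/idp",
                                               "https://other-sp.example.com/sp",
                                               "2012-10-10T11:00:00Z", signed=False),
                              trusted_idp, now, "_req42")
    return good, bad
```

Calling `demo()` returns an empty failure list for the constructed valid response and four failures (untrusted issuer, missing signature, expired, wrong audience) for the second one. The `clock_skew` tolerance is there because the IdP and SP clocks are rarely in perfect sync; keep it small, since the validity window is what stops a captured response from being replayed later.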

Other Quick Guides are being prepared to make the task of synchronizing user attributes between the central user repository in use and SAP Sourcing/CLM easy, with bonus tasks and jobs that can be deployed on SAP Netweaver IDM; they will be made available shortly. So stay tuned…

The new mantra is: implement SSO using SAML 2.0.


9 Comments


    1. Amish Shah Post author

      Hi Matt

      Yes, SSO for user authentication using SAML 2.0 is supported in the hosted implementations, with the caveat that we are currently certified and support it only when SAP Netweaver IDM is implemented as the IdP within the customer's infrastructure.

      Hope that helps.

      Amish

      1. Former Member

        Hello Amish,

        We are in the process of establishing SSO between SAP EP and SAP Sourcing 9.0.

        In our landscape we have installed:

        1. SAP EP 7.0 with NW 7.1 (implemented way back in 2005 and integrated with SRM (EBP, SUS and other ABAP systems) with SSO ticket authentication)

        2. Now we have installed SAP Sourcing 9.0 SP05 on demand with on NW 7.3 to SP03 on a separate host.

        Can you guide us on whether we should go for SAML 2.0, and otherwise how to proceed with SSO?

        Regards,

        Santosh

        1. Amish Shah Post author

          Hi Santosh

          Can you clarify the statement above:

          SAP Sourcing 9.0 SP05 on demand with on NW 7.3 to SP03 on a separate host

          Do you have Sourcing within your landscape implemented on NW 7.3, and so Sourcing On Premise? The words "On Demand" in your statement are throwing me off.

          It seems so, but could you confirm?

          Regards

          Amish

          1. Former Member

            Hi Amish,

            Sorry for the delay. Yes, we have installed SAP Sourcing (version 9.0, patch level SP05, with NW 7.3) on our premises, hosted by the customer.

            Out of curiosity, are there any functionality-wise changes, apart from h/w and system support differences, between on-premise and on-demand?

            We are implementing Sourcing for the forward auction process, which is missing in SRM. So we want to integrate it with the existing SRM portal for buyer and bidder access.

            I have come across various approaches:

            1. SAML 2.0 implementation

            2. URL-based EP iView for this; we have referred to the blog http://scn.sap.com/community/sourcing/blog/2012/10/10/sap-sourcing-configuring-the-portal-iview-for-netweaver-73. Not understood how the ticket information is passed to Sourcing, or whether we need to perform changes in the Sourcing login page.

            3. For the keystore LOGON ticket mechanism, referred to the blog https://scn.sap.com/people/arun.kumar118/blog

            But we are not able to find a complete end-to-end approach; all are one-sided, either the EP or the Sourcing side, so we need experts' advice to proceed with SSO.

            Regards,

            Santosh

            1. Amish Shah Post author

              Hi Santosh

              The one thing to keep in mind when using SAML along with SAP Portal and other SAP applications in the landscape is that the recommended option would be to have SSO for all the applications set up to use SAML.

              So from my point of view, the 2 options for SSO are either to use SAML, keeping in mind the above statement, or to use the 2nd option you have found in the SCN, which is using SAP Logon Tickets for authentication in conjunction with NW configuration on the server where Sourcing is implemented, and finally using the NW UME driver in the Sourcing Directory Configuration.

              The ticket information is passed by following directions for setting up SSO on Netweaver Application Server.

              Amish

  1. Former Member

    Hi Amish,

    1) Does this configuration support user creation on Sourcing? Generally, SAML 2.0 can be used to federate identities and allow user creation on the service provider system if the user does not already exist.

    http://help.sap.com/saphelp_nw70ehp2/helpdata/EN/46/631b92250b4fc1855686b4ce0f2f33/frameset.htm

    2) Can we use the Netweaver CE on which Sourcing is installed as both the IdP and the SP? I believe there is a component which can be installed on Netweaver to make it work as an IdP.

    Regards,

    Subramaniam Iyer

    1. Amish Shah Post author

      Hi Subramaniam

      Sorry for the delayed response.

      1. User provisioning within SAP Sourcing still needs to be done as a separate activity and needs to be in sync with the user store being used to store the credentials that the IdP authenticates against. We are working on, and will be publishing very shortly, a user synchronization guide, which will have some automated tasks and jobs that will allow the synchronization to be carried out seamlessly. So stay tuned.

      2. The answer to your question regarding CE is yes.

      Hope this answers your questions, else please feel free to get in touch with me,

      Thanks

      Amish Shah

  2. Former Member

    Hi Amish

    We also need to do SAML 2.0 SSO with an IBM Tivoli IdP to our Sourcing 9.0, which we have installed on Portal 7.3 SP08.

    We tried to do the configuration as suggested by the doc

    http://scn.sap.com/docs/DOC-33751

    Still, we are just getting the logon screen of Sourcing. We have successfully done the customer IdP to SAP Portal SSO with SAML.

    1. We have created the login template SourcingSAML2 and added SAML2LoginModule to it. We have also added BasicPasswordLoginModule to it so that users who come without SSO can also log in. Attached is the snapshot for the same in the document.

    2. We have tried to test the SSO but it is still failing. We have attached the esourcing debug log files, default trace files and tshw trace files.

    We have the below queries:

    1. Before we did the changes for SAML2, whenever we created a user in Sourcing it would automatically get created in the Portal UME and we used to get the mails with the auto-generated password. However, after we changed the driver to SAML2 in the directory, we are only able to create the user in Sourcing; we are not able to see it in the Portal UME and we are also not getting any mail for its password. We know a password is not required for SAML login, but our concern is still where this user is created.

    2. We have two identity providers for our Sourcing system. How can we configure two IdPs in the Sourcing directory?

    Thanks

    Atul

