Skip to Content

Introduction

Single Sign-On (SSO) is a specialized form of software authentication that enables a user to authenticate once and gain access to the resources of multiple back-end software systems. SSO enables authorized users to reliably and transparently access software resources across technical system boundaries.

This document describes implementing a single sign-on mechanism with SAML 2.0 in a network. The Security Assertion Markup Language (SAML) version 2.0 provides a standards-based mechanism for Single Sign-On (SSO). The primary reason to use SAML 2.0 is to enable SSO across domains.

Prerequisites

You need the following products to try out this scenario:

  • The Service Provider, SAP Netweaver Application Server Java 7.3.
  • An identity provider, such as vendor’s identity provider ADFS 2.0.
  • SAP Netweaver Application Server ABAP system which supports SAP logon tickets.

Integrate SAP Netweaver Application Server Java 7.3 with SAP Netweaver Application Server ABAP system and Configure SSO. SSO between SAP Portal and SAP R/3 refers to the ability of a portal application to access data from a back-end system or application.


Scenario

  • ADFS 2.0 acts as Identity Provider
  • SAP Netweaver Java Application Server 7.3 acts as Service Provider.
  • SAP Netweaver ABAP Application Server is the backend user store for SAP  Java Application Server 7.3.

ADFS 2.0 Login : https://<adfs20host>/adfs/ls/IdpInitiatedSignOn.aspxAfter authenticating with ADFS, access the redirect application hosted on AS Java 7.3 in the same browser window.SAP Enterprise Portal Login : https://hostname:port/irj/portalYou will be redirected to ADFS for authentication. After successful authentication at ADFS, you will be returned back to AS Java 7.3 with SAML 2.0 assertion. The assertion will be evaluated and after being authenticated with SAML 2.0 at AS Java 7.3, an SAP Logon Ticket will be issued and now you can able to access SAP NW Portal and its integrated backend (SAP R/3) Applications.

Configuring AS Java as a Service Provider

  • Start SAP Netweaver Administrator with the quick link /nwa/auth.
  • Choose SAML 2.0.
  • If you have never configured your system for SAML 2.0, the system displays the following message: “System not configured to support SAML 2.0.”
  • Choose the Enable SAML 2.0 Support pushbutton.
  • Enter a name for the provider.
  • Configure the settings for signature and encryption.
  • Select the keystore view and the key pairs you created for the provider.
  • Determine if you want to include the public-key certificate in any digital signatures.

              1. Include the certificate if you are using a public-key infrastructure for your SAML network or if the trusted providers otherwise require the inclusion of certificates to verify                                    digital signatures.                   2.  Do not include a certificate if you are using self-signed certificates.

  • To provide a means for identity providers to validate the metadata of the service provider, sign the configuration metadata of the service provider.
  • Continue through the configuration wizard and enter data as desired.
  • In General Settings –> Miscellaneous –>
  • In Service Provider Setting –> Assertion Consumer Service –> Default Application Path: /irj/portal
  • Choose the Finish button.

Configuring Trust on the SAML 2.0 Identity Provider Side

  • Start “AD FS 2.0 Management”, select “Relying Party Trusts” and action “Add Relying Party Trust”
  • Select metadata file of the service provider.
  • Use all default settings and save the relying party. After that select action “Properties” for the Service Provider system.
  • Go to “Advanced” tab and change the signature algorithm from SHA-256 to SHA-1.
  • Afterwards, select action “Edit Claim Rules” and add claim of type “Send LDAP Attributes as Claims“. Select the incoming and outgoing claims.
  • Add claim of type “Transform an Incoming Claim” and Select to send the “e-mail address” as Name ID.
  • With this final step the trust setup at ADFS 2.0 is completed. In order to do the trust setup at SAP AS Java you will need the metadata of ADFS.
  • ADFS 2.0 federation metadata URL is the following – https://<adfs20host>/FederationMetadata/2007-06/FederationMetadata.xml

Because the metadata document is digitally signed you will need also the signing certificate in order to be able to import the metadata in SAP AS Java. The SAP application server does not allow import of a signed metadata document unless the signature is successfully verified.

  • To download the ADFS signing certificate: In AD FS 2.0 Management select Service -> Certificates and download the “Token-signing” by double clicking on it and then choose “Copy To File …”.

Configuring ADFS 2.0 as Trusted Providers on the SAML 2.0 Service Provider

  • Open https://<java server host>:<port>/nwa -> Configuration -> Authentication and Single Sign-On.
  • Select “SAML 2.0” tab and go to “Trusted Providers” link.
  • Click “Add” pushbutton and choose “Uploading Metadata File”.
  • Browse identity provider metadata file.
  • As metadata is signed by a certificate that is self-signed, in order to verify it we need to select a copy of the certificate used to sign the metadata.
  • Click “Next” pushbutton and you should see identity provider name.
  • Go through the wizard by leaving the default values. At the last step click “Finish” pushbutton and the new trusted identity provider will be created.

Configuring Identity Federation on SAML 2.0 Service Provider

  • Open https://<java server host>:<port>/nwa -> Configuration -> Authentication and Single Sign-On.
  • Select “SAML 2.0” tab and go to “Trusted Providers” link.
  • Select the trusted provider and select the “Identity Federation” Tab.
  • Add the supported NameID format.
  • In the Details Tab below, Enter the data as required
  • Set Default User Attributes, Roles and Groups or Assertion based user Attributes, Roles and Groups

/wp-content/uploads/2013/08/test_260726.png

Authentication Policy Configuration

  • Open https://<java server host>:<port>/nwa -> Configuration -> Authentication and Single Sign-On.
  • Create a new policy configuration named “adfs_saml_sap”
  • Add the Login modules in the Authentication Stack and save it.
EvaluateTicketLoginModule SUFFICIENT
SAML2LoginModule REQUISITE
BasicPasswordLoginModule SUFFICIENT
CreateTicketLoginModule OPTIONAL
  • Search for the policy “uidpwdlogon” and change it used template to “adfs_saml_sap”.
  • Changing the Authschemes.xml file .
  • In the downloaded authschemes.xml file, edit the content as,

<!– authschemes, the name of the node is used –>-<authscheme name=”uidpwdlogon”><!– multiple login modules can be defined –><authentication-template> adfs_saml_sap</authentication-template>

  • Save the file as Authschemes_Modified.xml and upload it to the config tool. Restart the server.
  • Navigate to Configuration -> Authentication and Single Sign-On –> Properties and change

*** Authentication Policy Configuration in done so that Portal (/irj/portal) to be configured with SAML 2.0 authentication and NetWeaver Administration (/nwa) to have authentication as in ticket template.

RESULT

Scenario 1: Login to ADFS – https://<adfs20host>/adfs/ls/IdpInitiatedSignOn.aspxAfter authenticating with ADFS, access the redirect application hosted on AS Java 7.3 in the same browser window.

Scenario 2 :Login to AS Java 7.3 – https://<java server host>:<port>/irj/portal

  • You will be redirected to ADFS for authentication
  • You need to authenticate yourself with ADFS 2.0 user credentials.After successful authentication at ADFS, you will be returned back to AS Java 7.3 with SAML 2.0 assertion. The assertion will be evaluated and after being authenticated with SAML 2.0 at AS Java 7.3, an SAP Logon Ticket will be issued (MYSAPSSO2 cookie).
  • Clicking the link “New Here?Register Now and Federate Accounts” the newly created user is automatically federated with the ADFS account.
To report this post you need to login first.

3 Comments

You must be Logged on to comment or reply to a post.

    1. Jill Diesman

      Hello Monica,

      I found a blog that provides at least a partial answer to your question: Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x.

      Excerpt from this blog: “The example setup assumes that the user IDs in ADFS 2.0, AS Java 7.2 and SAP Portal 7.0x are the same…

      I don’t know all the versions of AS Java and NW Portal that work with ADFS, but this blog indicates you can use ADFS with AS Java 7.2.  Furthermore, it illustrates using an AS Java 7.2 system and NW Portal 7.0x.

      I have also seen a relevant discussion thread that might be useful:  SAML 2.0 Support for SSO.

      I hope this is helpful.

      Best regards,

      Jill

      (0) 
  1. PRJSYN Portal

    Hi,

    Nice document! It helped us in setting up the ADFS and SAP Portal integration.

    But some reason the SSO between Portal and ECC is not working.

    I guess some thing to do with system object or certificate.If you can update the system object and certificate to be imported in ECC, that really helps.

    Appreciated step by step document.

    Regards,

    Sri

    (0) 

Leave a Reply