
Until now we had the option of configuring single sign-on (SSO) for the NetWeaver Portal using options such as X.509 client certificates and SPNego (Kerberos). With NetWeaver 7.3, SAML 2.0 is available as an alternative, provided you have a SAML 2.0 identity provider (IdP) in your landscape. SAML 2.0 is an OASIS open standard, so the portal can federate with any standards-compliant IdP without a Kerberos domain trust or a client certificate on every workstation.

Before you jump into the configuration steps, I would highly recommend going over the SAP Help documentation to understand how SAML 2.0 works and the associated terminology. By default the NetWeaver Portal (AS Java) can act as a service provider (SP), so no additional installation is required. All you need is administrator access to NetWeaver Administrator (NWA) and the SSO endpoint details from the identity provider.

Step 1: Log in to NWA and navigate to Configuration -> Authentication and Single Sign-On -> SAML 2.0


Step 2: Enable SAML 2.0 support and name your SP. The name you give here is the SP's SAML entity ID; it is what the IdP uses to identify your portal in its trust configuration, so choose it carefully, because changing it later means re-doing the trust on the IdP side.


Step 3: Create a self-signed key pair and certificate in the SAML2 keystore view. The SP signs its SAML requests with this key, so the matching certificate has to reach the IdP (Step 5). A self-signed certificate is acceptable here because the IdP trusts it explicitly once it is imported, not through a CA chain.


Step 4: Navigate to the Service Provider Settings step. Here you set up the Assertion Consumer Service (ACS), the endpoint to which the IdP delivers its assertions. Since in my case SSO is initiated when a user hits the portal URL, I selected SP-initiated SSO rather than IdP-initiated SSO.


Step 5: This completes the SP settings. Save them, export the SP certificate from the General Settings tab in X.509 format, and download the SP configuration by clicking "Download Metadata". Send both to your IdP administrator so that they can set up an SSO endpoint (a trust entry) for your portal. At the same time, ask the administrator for the IdP's signing certificate (it may be self-signed), ideally as part of the IdP metadata file, and for the certificate's fingerprint over a second channel (phone, ticket, signed mail) so that you can verify what you import in Step 7.


Step 6: Navigate to Trusted Providers to configure your IdP.


Step 7: If you received a metadata file from the IdP administrator, click Add and upload the file. Otherwise, choose to configure the IdP manually.


Name your IdP with an alias at this point.


If the metadata file was provided, the IdP signing certificate is uploaded to the SAML keystore automatically. If not, import the certificate manually and select it as the Signing Certificate. In either case, compare the certificate's fingerprint with the value the IdP administrator gave you out of band before you enable the trust: this certificate is what the SP uses to verify assertion signatures, so importing a wrong or attacker-supplied certificate would let whoever holds the matching private key mint portal logons.


Step 8: Select the appropriate SSO endpoint (URL and binding) of the IdP. Make sure it is an HTTPS URL; the assertions that pass through it are bearer credentials.


Step 9: You can now move to the final step and save the settings. Note: I haven't covered the single logout (SLO) configuration here.

Step 10: Select your IdP configuration, click Edit and open the Identity Federation tab. Here you define which element of the assertion (the NameID or an attribute) identifies the user and how it is mapped to a portal user.


In my case, I would be receiving the Windows ID from the IdP, which is also my logon ID in the portal.

Step 11: Finally, save the settings and activate the IdP by clicking the Enable button.


Step 12: For your portal to authenticate users based on SAML, add the SAML 2.0 login module to the login module stack of the policy configuration your portal uses. Place it ahead of the password-based login module, so that an unauthenticated request is redirected to the IdP instead of being prompted for a password.


Once this is done, your portal is ready to accept SAML 2.0 assertions to authenticate users. If you need to log on without SAML (for example when the IdP is unavailable, or with the administrator account while testing), append the URL parameter saml2=disabled to the portal URL. The SAML 2.0 login module then ignores the request and the remaining login modules in the stack (for example user ID and password) take over. This is not an unauthenticated bypass, so keep the other login modules in the stack and the accounts they accept properly secured.
