Configuring SAML2.0 based Single Sign-On for NetWeaver 7.3 Portal
Until now, single sign-on (SSO) for NetWeaver Portal could be configured with options such as X.509 client certificates, SPNego (Kerberos) and SAP logon tickets. With NetWeaver 7.3, SAML 2.0 is available as an alternative, provided you have an identity provider (IdP) in your landscape. Unlike SAP's proprietary logon tickets, SAML 2.0 is an open OASIS standard, so the IdP does not have to be an SAP system.
Before you jump into the configuration steps, I would highly recommend going over the SAP Help documentation to understand how SAML 2.0 works and the associated terminology. NetWeaver Portal can act as a SAML 2.0 service provider (SP) out of the box, so no additional installation is required. All you need is administrator access to NetWeaver Administrator (NWA) plus the SSO endpoint details and the signing certificate from the identity provider.
Step 1: Log in to NWA and navigate to Configuration->Authentication and Single Sign-On->SAML2.0
Step 2: Enable SAML 2.0 support and name your SP. This name is the identifier by which the IdP will know your portal, so agree on it with the IdP administrator.
Step 3: Create a key pair with a self-signed certificate in the SAML2 keystore view. The SP uses this key to sign the authentication requests it sends to the IdP; the certificate is what you hand over in Step 5.
Step 4: Navigate to the Service Provider Settings step. Here you configure the Assertion Consumer Service (ACS) endpoint, the URL to which the IdP delivers assertions. Because in my case SSO is triggered when the user hits the portal URL, I selected SSO initiated by SP rather than IdP.
Step 5: This completes your SP settings. Save them, then export the SP certificate from the General Settings tab in X.509 format and download the SP metadata by clicking "Download Metadata". Send both to your IdP administrator so that he/she can set up an SSO endpoint (a trust relationship) for your SP. Ask the administrator for the IdP's self-signed signing certificate at this time, and for the IdP metadata file if one is available, since it carries the endpoints and certificate in one place.
Step 6: Navigate to Trusted Providers to configure your IdP.
Step 7: If the IdP administrator provided a metadata file, click Add and upload it. Otherwise select manual configuration.
Give your IdP an alias at this time.
If the metadata file was provided, the IdP certificate is uploaded automatically into the SAML keystore. If not, import the certificate manually and select it as the Signing Certificate. This certificate is what the portal uses to verify the signature on every assertion, so confirm its fingerprint with the IdP administrator over a separate channel before trusting it.
Step 8: Select the appropriate SSO endpoint (binding and URL) from the IdP.
Step 9: You can now move to the final step and save the settings. Note: I haven't covered the single logout (SLO) configuration here.
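Before uploading the IdP metadata in Step 7 it is worth seeing what the file actually contains: the IdP's entityID, its signing certificate and the SSO endpoints you choose from in Step 8. The following Python script is an added example, not code from the original post or from SAP; the entityID, URLs and the certificate bytes in it are constructed placeholders. It reads the metadata with the standard-library XML parser, pulls out those items, and flags the things you would not want to trust blindly: a missing signing certificate, or an SSO endpoint that is not served over HTTPS.

```python
# Added example (not from the original post): sanity-check the IdP metadata
# exchanged in the steps above before uploading it in NWA.
# The entityID, URLs and certificate bytes below are constructed placeholders.
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholder: real metadata carries a base64 DER certificate here.
FAKE_CERT_DER = b"placeholder bytes, not a real DER certificate"
FAKE_CERT_B64 = base64.b64encode(FAKE_CERT_DER).decode()

# Constructed sample of what an IdP administrator would hand over.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/saml2">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://idp.example.com/saml2/sso/redirect"/>
    <md:SingleSignOnService Binding="{HTTP_POST}"
        Location="https://idp.example.com/saml2/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed "bad" file: no signing key and a plain-HTTP SSO endpoint.
BAD_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="https://idp.example.com/saml2">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="http://idp.example.com/saml2/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Extract entityID, signing certificates, NameID formats and SSO endpoints."""
    # The file comes from the IdP administrator; for XML from an untrusted
    # source use defusedxml instead of the stdlib parser.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # SP metadata (what Step 5 exports) carries SPSSODescriptor instead.
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            certs.append(base64.b64decode("".join((cert.text or "").split())))
    return {
        "entity_id": root.get("entityID"),
        "sso_endpoints": {s.get("Binding"): s.get("Location")
                          for s in idp.findall("md:SingleSignOnService", NS)},
        "nameid_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS) if n.text],
        "signing_certs_der": certs,
        # Compare these fingerprints with the IdP admin out of band before trusting the file.
        "signing_cert_sha1": [hashlib.sha1(c).hexdigest() for c in certs],
    }


def review_idp_metadata(info):
    """Findings to resolve with the IdP administrator before clicking Add in NWA."""
    findings = []
    if not info["signing_certs_der"]:
        findings.append("no signing certificate: the portal cannot verify assertion signatures")
    if not info["sso_endpoints"]:
        findings.append("no SingleSignOnService endpoint: nothing to select in Step 8")
    for binding, url in info["sso_endpoints"].items():
        if not url.startswith("https://"):
            findings.append(f"SSO endpoint for {binding} is not HTTPS: {url}")
    return findings


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_IDP_METADATA), ("bad", BAD_IDP_METADATA)):
        info = parse_idp_metadata(doc)
        print(label, info["entity_id"], info["sso_endpoints"], info["signing_cert_sha1"])
        print("  findings:", review_idp_metadata(info) or "none")
```

The fingerprint check matters more than it looks: whoever can substitute the certificate the portal stores as the IdP's Signing Certificate can mint assertions the portal will accept for any user ID, so the value in the file should match what the IdP administrator confirms over a channel other than the one the file arrived on.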
Step 10: Select your IdP configuration, click Edit and open the Identity Federation tab. Here you define which element of the assertion (the NameID or a named attribute) identifies the user and how it is mapped to a portal user.
In my case, I would be receiving the Windows ID from the IdP, which is my logon ID in the portal as well.
Step 11: Finally, save the settings and activate the IdP by clicking the Enable button.
Step 12: For your portal to authenticate users based on SAML, add the SAML 2.0 login module to the login module stack in your portal's policy configuration.
Once this is done, your portal is ready to accept SAML 2.0 assertions to authenticate users. You can always bypass SAML authentication by appending the URL parameter saml2=disabled to the portal URL; the request then falls through to the remaining login modules in the stack (for example, user ID and password). This is useful as an administrative fallback, but it also means SAML is not the only way in, so keep the other modules and the accounts behind them secured.