SAML 2.0 and SAP GUI Single Sign-On in one and the same scenario
Have you already experienced benefits such as Web single sign-on (SSO) and identity federation using Security Assertion Markup Language (SAML)? Do you know about the most common advantages of SAML? If yes, then you most probably know that SAML is an XML-based framework for user authentication, entitlement, and attribute information.
In the last decade, when all industry segments reconsidered their IT investments, focused heavily on Web solutions, and implemented their first cross-domain business processes, SAML was gaining more and more trust and supporters.
IT experts love SAML because it is secure, interoperable, easy to implement and support. But when it comes to heterogeneous landscapes, for which the IT team has to integrate large systems and applications with various old and new technologies, SAML could not be the standard of choice in all the cases.
Here SAP has a solution to offer to their customers by supporting a scenario in which the interoperable SAML assertion could be used for the issuance of a well-known X.509 client certificate and then the certificate to be used for authentication to applications such as SAP GUI that do not support SAML authentication mechanisms, but accept X.509 client certificates.
The main idea of the sample scenario is to implement SSO to the SAP AS ABAP systems, with SAP GUI as the frontend, using SAML 2.0 assertion. The SAML assertion is issued by the SAP NetWeaver Single Sign-On Identity Provider (SAP IDP) and is used for authentication to the Secure Login Server, and then the Secure Login Server issues an X.509 client certificate acceptable for authentication via the SAP GUI. This is an identity provider initiated single sign-on scenario.
The implementation of such scenarios is possible using the SAP IDP and the web-based Secure Login Web Client (SLWC) – a feature of the Secure Login Server. These components are available via the SAP NetWeaver Single Sign-On product.
The scenario includes the following steps:
- A user starts a browser
- The user authenticates at the SAP IDP. Here two cases are possible:
- Assertion is created automatically: If there is an actively running session for this user on the SAP IDP because of previous authentication request for another service provider, the user will get the new SAML 2.0 assertion for the respective service provider without additional authentication.
- Assertion is created after successful authentication to the SAP IDP: If the user has no running session at the SAP IDP, the authentication will be forced once the request for SAML 2.0 assertion is received. When the user authenticates successfully the assertion will be provided. The authentication to the SAP IDP could be basic authentication or other, for example authentication with a Kerberos token.
- A SAML 2.0 assertion for the SAP NW AS Java system is issued. (This is the system where the Secure Login Server is installed and configured.)
- The user is successfully authenticated at the SAP NW AS Java system with the SAML 2.0 assertion. A page which contains the Secure Login Web Client is loaded in the user’s browser. Secure Login Web Client generates a key-pair and issues a certificate signing request to the Secure Login Server.
- Based on the authentication at the previous step the Secure Login Server recognizes the user, issues a X.509 client certificate and returns it back to the Secure Login Web Client. The Secure Login Web Client imports the key-pair and the X.509 client certificate into the Windows Certificate Store.
- The user starts SAP GUI
- The user is authenticated automatically (through SSO) to a required SAP NetWeaver AS ABAP system using the X.509 client certificates imported in the previous step. The same X.509 client certificates can be used for Web SSO also to SAP and non-SAP systems if they do not support SAML 2.0 yet.
This scenario could be implemented also with SAML 2.0 identity providers from other vendors because SAP Secure Login Server capabilities include integration with different identity providers. However, we recommend the SAP IDP because of the competitive advantages the SAP product offers. For more information about these advantages, see Competitive advantages of SAP Identity Provider.
The SAP IDP also supports the service provider initiated single sign-on. Here the service provider will be the Secure Login Server, because the SAML 2.0 base communication for these scenarios is between the SAP IDP and the Secure Login Server. The service provider initiated single sign-on starts again from the browser but the second step is when the user requests the Secure Login Web Client, and based on this request the user is redirected to the SAP IDP for authentication. All steps afterwards are the same as with identity provider initiated single sign-on scenario, described in details above.
Hi Donka,
Thanks for sharing this approach. My only concern here would be performance, there seems to be a lot going on during the initial creation of the X.509 cert - my experience using SAML right here on SCN isn't great (it's quite slow really). Do you have any comments regarding performance of such a scenario?
How long would you recommend the X.509 certificates are valid for?
Thanks again,
Simon
I have also reservations on having to open a browser to access Secure Login Web Client for the X.509 certificate to be issued. Maybe if the browser is opened minimized and closed as soon as the X.509 certificate is issued, it could work. All triggered by a logon script, for example. But then again why not use the native Secure Login Client (if running one of the supported platforms), maybe this solution is more theoretical for most customers. Nice nevertheless and I appreciate the contribution.
Hi Samuli,
The question about "using" SAML 2.0 for SAP GUI came from customers who already have SAML 2.0 infrastructure for web browser SSO and would like to extend it for non-browser scenarios (SAP GUI). So the assumption is that you anyway use a browser as a starting point and in this case best integration point is in some Portal system (SAP or non-SAP). From there you can start SAP GUI using SAP shorcuts, you may be familiar with this feature in SAP Portal.
SAML 2.0 support is not possible directly in SLC because the underlying DIAG protocol does not support it. If we extend it then it will be available only for the latest releases and its adoption will take "ages" 🙂 .
Best regards,
Dimitar Mihaylov
Hi Simon,
You may experiense performance issues with SAML 2.0 only because of network delays, there are redirects between SP and IDP, but not because of the issuing or validation of the assertion. Especially in Intranet scenario this should not be a problem and Donka's blog describes such use case. You may see example performance measurements using SAP identity provider in the following blog: http://scn.sap.com/community/sso/blog/2013/02/28/competitive-advantages-of-sap-identity-provider.
The default validity of short-lived X.509 certificates issued by SLS is 10 hours which should cover to a regular working day.
Best regards,
Dimitar Mihaylov
Hello
I Installed SAP NetWeaver AS Java 7.4 SR1 - 90 days trial version. We are facing issue with "Uploading Metadata File”. Error mention below
“Metadata contains trusted provider which is not an identity provider”
We referred following document for Configuration :::: http://wiki.scn.sap.com/wiki/display/Security/Single+Sign-On+with+SAML+2.0+and+ABAP+Systems+Supporting+SAP+Logon+Tickets?focusedCommentId=377389831#comment-377389831
Please suggest if any configuration is require?
Tejas Gandhi
Hi,
You are trying to import a metadata of a service provider system however you shall import metadata of an identity provider system. Make sure you have exported the metadata of the correct system and it is really acting as an SAML 2.0 identity provider. The metadata should contain the following descriptor in this case:
<ns3:EntityDescriptor ID="Sf16ae1ea-bb87-49db-95ac-8df3e411b184" entityID="https://idp.company.com" xmlns:ns2="http://www.w3.org/2001/04/xmlenc#" xmlns="http://www.w3.org/2000/09/xmldsig#" xmlns:ns4="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns3="urn:oasis:names:tc:SAML:2.0:metadata">
<ns3:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
...
</ns3:IDPSSODescriptor>
</ns3:EntityDescriptor>
Best regards,
Dimitar Mihaylov
Hello,
I would like to integrate this scenarion with IVIEWS from the Java Portal to abap backend system, using saplogon for windows. Do you know any documentation that could help me?
Hi Donka !
I would be interested if you continued to follow this approach especially in connection with saplogon.
Is it possible to get in contact with you directly to discuss this topic?
Best regards,
Peter
Hi Peter,
Yes, I will be glad to help.
I just sent you a personal message with the details.
Regards,
Donka Dimitrova
Hi Donka,
I'm just trying to make sure SAML 2.0 is working with SAP ABAP only stack and it does support SAP WIN GUI.
Thanks
Osama Khalifa
Hello Osama,
The AS ABAP enables you to use a number of authentication options for integrating Web-based user access (for example SAP GUI for HTML) in SSO environments and SAML is one of them.
Please, find the documentation that describes how to configure SAP NetWeaver Application Server (AS) ABAP as a Security Assertion Markup Language (SAML) 2.0 service provider:
http://help.sap.com/saphelp_nw73/helpdata/en/4a/b6df333fec6d83e10000000a42189c/frameset.htm
Regards,
Donka Dimitrova
Hi Donka
We are trying to implement SSO 2.0. We are planning to use SAML 2.0 to authenticate SAP Portal and SAP GUI. Based on your blog, it looks like we will have to call SAP Secure Login Web Client first and then try to login to SAP Portal to log in. But instead, can we set up the below scenario?
1. User tries to login to SAP Portal
2. Portal checks for certificate in the browser, if the certificate exists, then the user gets logged in.
3. If the certificate doesn't exist, then the user is redirected to the Secure Login Web Client. Once the user authenticates SLWC (using basic password or SPNEGO), the certificate is downloaded and added into the users browser and the user gets logged into the portal.
Please suggest if this can be achieved or not.
Thanks
Sasi
Hello Sasi,
If you want to use the SAML technology for authentication to SAP Portal it is not necessary to go over Secure Login Web Client & Secure Login Server. You can simply use the SAML assertion. You just need to configure the trust between SAP Portal (SAML SP) and the SAML IDP. The scenario here describes how to do this for SAP GUI.
Regards,
Donka
Hello Donka,
I am working on SSO 2.0 implementation. below is my scenario.
1. NW sso 2.0 is available
2. IDM 8 is available and it will be used as user source.
3. there is no other user source available ex. AD etc.. so users are manually getting created in IDM with no further authentication.
I am planning to use IDM as data source but my concern over is ...
How IDM user will be verified by SSO with backend ABAP system?
Can you give some thoughts over here?
If you need any further information to understand this scenario, please let me know.
Regards,
Yatin Phad
Hi Donka, Secure Login Web Client relies on a JAVA plugin to be available in all users' browsers. All modern browsers have dismissed JAVA plugin support, so Secure Login Web Client has lost much of it's value. Are there any plans to modernise the web client (I have no idea how) to make it compatible with Edge, Chrome and Firefox again?
Regards,
Lutz
Hello Lutz,
We are aware about this demand and we are currently running a research project on this topic.
Regards,
Donka Dimitrova
HI Donka
We have  slightly unusual scenario. SPNego for ABAP is configured for SAP GUI as well as HTTP  I.E FIORI services that are called via browser. That works well. This is scenario for customers that are on internal network and have user IDs in our network AD.
Now we also have customers that aren't in AD. Those are from other closed networks in need of access to our system. Those customers use SAML over ADFS to authenticate. They USER IDs are in SU01 of ABAP system
In JAVA system this works well as we have ticket policy set as follows
EvaluateTicketLogin Module
SPNegoLoginModule
CreateTicketLoginModule
SAML2LoginModule
CreateTicketLoginModule
BasicPasswordLoginModule
CreateTicketLoginModule
Basically whatever is presented to in request get the authentication. No issues 🙂
In ABAP however this doesn't work as expected. SPNego works well however when SAML is tested it authenticates but then attempts to do SPNego as well and fails. If I disable SPNego SAML works well.
In short SPNEGO and SAML does't work well togheter. I wonder if there is a trick to stop SPNego kicking in while SAML is authenticating?
Regards
Patrick Rezek
Well, there's no trick - that's documented in note 1798979:
By intend, that's the same opt-out mechanism as used by the Java server.
If you are using an Apache-style reverse proxy (like SAP Web Dispatcher) you can also use the RewriteEngine to modify URLs of requests (by adding such URL parameters).
Alternatively you can modify the ICF service configuration (or create a so-called "external alias" in t-code SICF for the service - with identical path, resulting in an "overlay"): simply activate the option "[x] Use All Logon Procedures".
By default only one logon attempt is made (with the first credential found in the order of the configured "Logon Procedure" - by default "SPNego" comes before "SAML 2.0"). If it fails, then immediately the configured "logon error" handling (either "Basic Authentication" or "FORM-based authentication" aka "System Logon") is triggered - and no attempt is made to evaluate / trigger other credentials / logon methods.
I hope this answer helps you to solve the problem.
Kindly keep in mind that SCN is not the channel to report issues - there's no SLA (Service Level Agreement), so don't expect any timely response.
All answers are provided on a voluntary basis and without any warranty.
Best regards, Wolfgang
Hi Patrick,
I have similar scenario in my environment. I suppose to configure Single Sign-on using Secure login server (SSO 3.0).
SPNego works fine for abap environment, but I am facing issues to authenticate Fiori services using SPNego Protocol (Embedded system).
In my case, end-users will be accessing only Fiori services and they will not login to Abap application, so I am trying to configure SAML 2.0 Authentication for Fiori serices. My Fiori services is connected to stand-alone HANA engine, BOBJ and Tableau applications.
SAML2 authenticates into Fiori services using windows AD credentials, but Single sign-on is not working for the same. I am wondering which profile need to be used for single sign-on.
Experts, Please suggest your approach to achieve the result.
Thanks in advance
Regards
Arun
I'm wondering if anyone had a chance to look at my post. 🙂
Donka:
We are working with an organization that has deployed the latest version of the SAP GUI. Â This organization has also deployed the AS ABAP application server version 7.5. Â SAP Hana FPS 12 is the database for the SAP solution.
The organization has NOT deployed NetWeaver Secure Login Server.
We have been asked to investigate how SSO might be provided for the SAP GUI users.
We have been examining whether the AS ABAP server could be Used as an Identity Service Provider, working with a Third Party Identity Provider. Â These 2 Entities, the Identity Provider and the Service Provider, would communicate via SAML 2.0.
Would the AS ABAP server, through the use of SAP Logon tokens, be able to establish SSO with the SAP GUI?
Is there a better approach that you are aware of to provide SSO to the SAP GUI?
Would you be available for a discussion by phone the week of 8/28?
Regards,
Chris
Why not use Kerberos with AD groups?
Dear Christopher,
sure there are very easy approaches for SAP GUI SSO. Just get in touch if you require additional information.
Regards, Carsten
Hi Donka,
in your blog you say, "The same X.509 client certificates can be used for Web SSO as well for SAP."
we have configured the same scenario you described for SAP GUI SSO login. Now we want to extend the configuration to FIORI web access.
how should we proceed to use the same certificate for accessing the Fiori Launchpad ?
Thanks in advance
Hi Vito,
The blog above explains how you can use SAML also for SSO with SAP GUI (as the SAP GUI desktop client is not compatible with the SAML protocol). By using the Secure Login Web Client, this component can accept a SAML assertion as security token and in return provision an X.509 certificate for SSO of desktop applications such as SAP GUI.
If you have browser-based applications, such as Fiori, then you can directly use SAML for SSO. You could use either an existing corporate identity provider or SAP’s Identity Authentication service, which is our strategic cloud-based SAML identity provider.
Regards,
Martina