Skip to Content

Configuring SAML 2.0 Authentication for your Secure Login Server

How to “exchange” a SAML assertion for an X.509 client certificate and to implement end-to-end single sign-on also for non-SAML systems in a SAML enabled network.

If SAML (Security Assertion Markup Language) is the single sign-on technology of choice for your corporate but you are still running applications that accept only X.509 client certificates, we have already a simple solution for you. With the latest patch of the SAP Single Sign-On 2.0 SP04 (Patch1), we offer out of the box authentication with SML assertions to the Secure Login Server (SLS). This way you will be able to implement SP-initiated Single Sign-On and to request an X.509 client certificate via Secure Login Web Client to Secure Login Server by offering a SAML assertion for authentication.

See the authentication flow in the following diagram:

SAML_Auth_SLS.png

Please, find also the prerequisites and the implementation steps necessary to implement this scenario:

Prerequisites:

Implementation steps:

  1. Configure the mutual trust between the SAML Identity Provider and the SAML Service Provider (host of the Secure Login Server).
    1. Configure the SAP NetWeaver AS Java, where your Secure Login Server is running, to be a SAML Service Provider and to trust the SAML IDP of your company (for example SAML IDP of the SAP Single Sign-On product).
    2. Configure your SAML IDP to trust as a Service Provider the SAP NetWeaver AS Java, where your Secure Login Server is running. If you are using SAML IDP from SAP Single Sign-On 2.0, you can find here more details how to add a service provider.
  2. Create a policy configuration for the SAML 2.0 authentication using a SAML 2.0 login module (for example SAML2LoginModule) on the SAP NetWeaver AS Java.
  3. In the Secure Login Administration Console configure a Secure Login Web Client (SLWC) authentication profile for SAML 2.0 that points to the policy configuration for SAML 2.0 login module, created on step 2. For more details how to do this, see Configuring SAML 2.0 Authentication in the Secure Login Server.
  4. Configure the SLWC authentication profile to use the standard SAP NetWeaver login screen – set for the parameter Use Standard Authentication Form the policy configuration name, created on step 2. This parameter determines whether or not a browser presents the standard authentication form of the SAP NetWeaver AS for Java to the user.

This parameter is important when you are using SAML 2.0 authentication with SLWC because it enables the Secure Login Server to communicate with the identity provider that provides the users’ identities. Whenever users start the SLWC, they can choose the identity provider that manages the users’ identity information and authentication. For more details, see Parameters for User Authentication (Table 2 – Secure Login Web Client)


6 Comments
You must be Logged on to comment or reply to a post.
  • Hi team, I’d like to know if is possible to have this SSO scenarios implemented in SAP NW 7.4:

    • SSO implemented in two domains, with two different IDP.

      SSO for the users that belongs to domain1 and LDAP (Form, Basic authentication) for the users of the other, domain2.

  • Hi

    This is a nice high level visual of the process. Thanks 🙂

    It is possible for a redirect from NWBC login prompt to the SLWC so users don’t need to do two steps to access their applications?

    Regards

    Colleen

    • You could configure the ICF node (ext. alias /nwbc) to use SAML as logon procedure in the Logon Data tab or you could use the Error Pages tab and configure a redirect to a specific logon page, which in this case would be SLWC.

      • Hi Samuli

        Thanks for your reply. I forgot to mention that part of the Secure Login Server authentication was to issue private certificate to IE browser content. I was told that they cannot do that via the ICF configuration for NWBC logon procedure.

        In truth, I cannot remember which functionality required X509 instead of just SAML

        Regards

        Colleenn

  • Hello Team,

    I need some help here.

    I want to use IDM 8 as identity provider with NW SSO, similar to above.

    and then SSO will allow access to SAP systems.

    Could you please explain if having just IDM 8 as user source is sufficient?

    Regards,

    Yatin Phad

    • Hello Yatin,

      This will be possible if you are using the SAP Single Sign-On product (license required). The SAP Single Sign-On offers a Secure Login Server that issues X.509 client certificates. The Secure Login Server is running on AS Java and when you provision your SAP IDM users to AS JAVA UME it will be possible to implement single sign-on based on X.509 client certificates to SAP systems. This scenario will be working also for Windows based UIs like SAP GUI. If you are using only web UIs for SAP, then you can use also the SAML Identity Provider in a similar way because also the SAML IdP could use the AS JAVA UME as user store.

      Regards,

      Donka Dimitrova