Configuring SAML 2.0 Authentication for your Secure Login Server
How to "exchange" a SAML assertion for an X.509 client certificate and implement end-to-end single sign-on, including for non-SAML systems, in a SAML-enabled network.
If SAML (Security Assertion Markup Language) is your company's single sign-on technology of choice, but you are still running applications that accept only X.509 client certificates, we already have a simple solution for you. With the latest patch of SAP Single Sign-On 2.0 SP04 (Patch1), we offer out-of-the-box authentication with SAML assertions to the Secure Login Server (SLS). This lets you implement SP-initiated single sign-on and request an X.509 client certificate from the Secure Login Server via the Secure Login Web Client by presenting a SAML assertion for authentication.
See the authentication flow in the following diagram:
The prerequisites and the implementation steps for this scenario are as follows:
Prerequisites:
- You have a Secure Login Server (SLS) running in your landscape. For details on how to install the SLS, see How to install Secure Login Server.
- There is a SAML 2.0 Identity Provider in your SAML network. If you are using the SAML IdP of the SAP Single Sign-On 2.0 product, it can run on the same SAP NetWeaver AS Java server as the SLS.
Implementation steps:
1. Configure mutual trust between the SAML Identity Provider and the SAML Service Provider (the host of the Secure Login Server):
   a. Configure the SAP NetWeaver AS Java on which your Secure Login Server runs as a SAML Service Provider that trusts your company's SAML IdP (for example, the SAML IdP of the SAP Single Sign-On product).
   b. Configure your SAML IdP to trust, as a Service Provider, the SAP NetWeaver AS Java on which your Secure Login Server runs. If you are using the SAML IdP from SAP Single Sign-On 2.0, you can find more details on adding a service provider here.
2. Create a policy configuration for SAML 2.0 authentication using a SAML 2.0 login module (for example, SAML2LoginModule) on the SAP NetWeaver AS Java.
3. In the Secure Login Administration Console, configure a Secure Login Web Client (SLWC) authentication profile for SAML 2.0 that points to the policy configuration for the SAML 2.0 login module created in step 2. For details on how to do this, see Configuring SAML 2.0 Authentication in the Secure Login Server.
4. Configure the SLWC authentication profile to use the standard SAP NetWeaver login screen: set the parameter Use Standard Authentication Form to the name of the policy configuration created in step 2. This parameter determines whether a browser presents the standard authentication form of SAP NetWeaver AS for Java to the user.
   This parameter is important when you use SAML 2.0 authentication with the SLWC because it enables the Secure Login Server to communicate with the identity provider that provides the users' identities. Whenever users start the SLWC, they can choose the identity provider that manages their identity information and authentication. For more details, see Parameters for User Authentication (Table 2 – Secure Login Web Client).
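To make the trust relationships in the steps above concrete, here is an added example in Go that models the exchange end to end: an identity provider signs an assertion, the Secure Login Server checks it against the IdP key it trusts (the trust from step 1), against its own SP entity ID as the audience and against the assertion's validity window, and only then issues a short-lived X.509 client certificate for the asserted user from its own CA. This is illustrative code written for this article, not SAP's implementation of the SLS or the SAML2LoginModule: the entity IDs, the user name "jdoe", the eight-hour certificate lifetime and the simplified assertion format (a signed digest of a few fields instead of an XML-DSig-signed SAML document) are all assumptions, and the CA certificate is self-signed for the example, whereas a real SLS CA is set up during installation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// NewKey generates a P-256 key pair; used here for the IdP, the SLS CA and the client.
func NewKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // only fails if rand.Reader does
	return k
}

// Assertion is a minimal stand-in for a SAML 2.0 assertion with just the fields the SLS must
// check. Real assertions are XML signed with XML-DSig; this format is constructed for the example.
type Assertion struct {
	NameID       string    // authenticated user
	Audience     string    // SP entity ID of the AS Java that hosts the SLS
	NotOnOrAfter time.Time // validity limit from the assertion's Conditions
	Signature    []byte    // IdP signature over digest()
}

func (a *Assertion) digest() []byte {
	h := sha256.Sum256([]byte(a.NameID + "|" + a.Audience + "|" + a.NotOnOrAfter.UTC().Format(time.RFC3339)))
	return h[:]
}

// SignAssertion is the identity provider's side of the flow.
func SignAssertion(idpKey *ecdsa.PrivateKey, a *Assertion) (err error) {
	a.Signature, err = ecdsa.SignASN1(rand.Reader, idpKey, a.digest())
	return err
}

// SLS models the Secure Login Server: one trusted IdP key (the trust set up in step 1), its own
// SP entity ID, and the CA key that signs client certificates.
type SLS struct {
	SPEntityID string
	IdPKey     *ecdsa.PublicKey
	CACert     *x509.Certificate // relying systems must trust this CA
	caKey      *ecdsa.PrivateKey
}

// NewSLS creates a self-signed CA for the example; a real SLS CA is set up during installation.
func NewSLS(spEntityID string, idpKey *ecdsa.PublicKey) (*SLS, error) {
	caKey := NewKey()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example SLS CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(der)
	return &SLS{SPEntityID: spEntityID, IdPKey: idpKey, CACert: caCert, caKey: caKey}, err
}

// IssueClientCert is the "exchange": a valid assertion yields a short-lived X.509 client
// certificate whose subject CN is the asserted NameID, signed by the SLS CA. The three checks
// gate issuance; skipping any of them would turn the SLS into an open CA.
func (s *SLS) IssueClientCert(a *Assertion, clientPub *ecdsa.PublicKey) (*x509.Certificate, error) {
	switch {
	case !ecdsa.VerifyASN1(s.IdPKey, a.digest(), a.Signature):
		return nil, errors.New("signature not from the trusted IdP")
	case a.Audience != s.SPEntityID:
		return nil, errors.New("audience mismatch: assertion was issued for another SP")
	case !time.Now().Before(a.NotOnOrAfter):
		return nil, errors.New("assertion expired")
	}
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: a.NameID},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(8 * time.Hour), // lifetime is an assumption
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, s.CACert, clientPub, s.caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	idpKey := NewKey()
	sls, _ := NewSLS("https://sls.example.com/saml2/sp", &idpKey.PublicKey) // constructed entity ID
	a := &Assertion{NameID: "jdoe", Audience: sls.SPEntityID, NotOnOrAfter: time.Now().Add(5 * time.Minute)}
	_ = SignAssertion(idpKey, a)
	if cert, err := sls.IssueClientCert(a, &NewKey().PublicKey); err == nil {
		fmt.Println("issued X.509 client certificate for CN =", cert.Subject.CommonName)
	}
}
```

Run it with go run; the output is one line naming the CN the certificate was issued for. The instructive behaviour is in the rejections: an assertion signed by a key other than the configured IdP's, addressed to another service provider, or past its NotOnOrAfter time yields no certificate at all, which is why the trust from step 1 and the audience restriction matter. A relying system (SNC, an HTTPS endpoint) only checks that the presented certificate chains to CACert and carries the client-authentication extended key usage; it never sees the SAML assertion.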
Hi team, I'd like to know if it is possible to have these SSO scenarios implemented in SAP NW 7.4:
SSO for the users that belong to domain1 and LDAP (Form, Basic authentication) for the users of the other, domain2.
Hi
This is a nice high level visual of the process. Thanks 🙂
Is it possible for a redirect from the NWBC login prompt to the SLWC so users don't need to do two steps to access their applications?
Regards
Colleen
You could configure the ICF node (ext. alias /nwbc) to use SAML as logon procedure in the Logon Data tab or you could use the Error Pages tab and configure a redirect to a specific logon page, which in this case would be SLWC.
Hi Samuli
Thanks for your reply. I forgot to mention that part of the Secure Login Server authentication was to issue a private certificate to IE browser content. I was told that they cannot do that via the ICF configuration for the NWBC logon procedure.
In truth, I cannot remember which functionality required X.509 instead of just SAML.
Regards
Colleen
Hello Team,
I need some help here.
I want to use IDM 8 as identity provider with NW SSO, similar to the above, and then SSO will allow access to SAP systems.
Could you please explain if having just IDM 8 as user source is sufficient?
Regards,
Yatin Phad
Hello Yatin,
This will be possible if you are using the SAP Single Sign-On product (license required). SAP Single Sign-On offers a Secure Login Server that issues X.509 client certificates. The Secure Login Server runs on AS Java, and when you provision your SAP IDM users to the AS Java UME it will be possible to implement single sign-on based on X.509 client certificates to SAP systems. This scenario will also work for Windows-based UIs like SAP GUI. If you are using only web UIs for SAP, then you can also use the SAML Identity Provider in a similar way, because the SAML IdP can also use the AS Java UME as user store.
Regards,
Donka Dimitrova
Hi Donka Dimitrova,
We are replacing an existing SSO solution (smartcard-based PKI) with SAP Secure Login Server based SSO.
As we are not going to roll out the SAP Secure Login based SSO for all the systems at once, we need both SSO solutions to co-exist (for example, all dev and QA using SSLS for testing and other systems using the existing smart card PKI SSO).
We understand that the Secure Login Client can act as a container for multiple client certificates and can be used to configure multiple solutions in parallel.
We have configured a JavaScript web client group (JavaScript Web Adapter) (using a SAML authentication profile) to issue the X.509 certificate.
Unfortunately, all our SAP ABAP systems are being redirected to use the SSLS Web Adapter certificate. But can we make a set of systems use the certificate issued by the smart card PKI and the rest of the systems use the SSLS-issued certificate?
Is there a way to define a sequence of certificates to be used by SAP GUI SNC?
How do we control the certificate to be used by the SAP GUI SNC session out of all the available certificates in the Secure Login Client?
The implementation guide claims that the Secure Login Client is capable of supporting multiple scenarios, but that is not working in our case.
Could you please advise?
Thanks in advance.
Hi,
Is this scenario still available with SSO 3.0 and Azure AD?
I have already installed SSO 3.0, but we do not have authentication with Azure AD SAML2.
Best regards,
Hi Donka,
The link mentioned in implementation step 1 a is invalid; could you please make an update?
Regards,
Ning
Hi!
If you are looking at this step:
The link points to the documentation for Configuring AS Java as a Service Provider | SAP Help Portal and it is valid.
Regards,
Donka
Hi,
I followed your other blog and configured SPNEGO-based single sign-on for X.509, and it is working fine without any issues. Thank you for the detailed document provided for the same.
But when I tried to configure the Secure Login Web Client using SAML (using a cloud IdP), I am facing the issues below. Unfortunately, I don't have much clarity on how it works either. Can you please help or provide a link with detailed steps?
Note : SSO 3.0 installed and configured SAML2 with cloud IDP
Thank you.
Best regards
Hi Nagaseshu,
We no longer recommend the solution using the Secure Login Web Client. The Secure Login Web Client is a component of the SAP Single Sign-On product, which will go out of mainstream maintenance at the end of 2027.
Earlier this year we launched the successor solution, called SAP Secure Login Service for SAP GUI. This new solution offers much better integration with an identity provider. You will find more information here:
https://community.sap.com/topics/single-sign-on
Best regards,
Martina