How to “exchange” a SAML assertion for an X.509 client certificate and to implement end-to-end single sign-on also for non-SAML systems in a SAML enabled network.
If SAML (Security Assertion Markup Language) is the single sign-on technology of choice for your company, but you are still running applications that accept only X.509 client certificates, we already have a simple solution for you. With the latest patch of SAP Single Sign-On 2.0 SP04 (Patch 1), we offer out-of-the-box authentication with SAML assertions to the Secure Login Server (SLS). This way you can implement SP-initiated single sign-on and request an X.509 client certificate from the Secure Login Server via the Secure Login Web Client by presenting a SAML assertion for authentication.
See the authentication flow in the following diagram:
Please find below the prerequisites and the implementation steps necessary for this scenario.

Prerequisites:
- You have a Secure Login Server (SLS) running in your landscape. For more details on how to install SLS, see How to install Secure Login Server.
- There is a SAML 2.0 Identity Provider in your SAML network. If you are using the SAML IDP of the SAP Single Sign-On 2.0 product, it can run on the same SAP NetWeaver AS Java server on which the SLS is running.

Implementation steps:
1. Configure mutual trust between the SAML Identity Provider and the SAML Service Provider (the host of the Secure Login Server):
  - Configure the SAP NetWeaver AS Java on which your Secure Login Server is running as a SAML Service Provider that trusts your company's SAML IDP (for example, the SAML IDP of the SAP Single Sign-On product).
  - Configure your SAML IDP to trust the SAP NetWeaver AS Java on which your Secure Login Server is running as a Service Provider. If you are using the SAML IDP from SAP Single Sign-On 2.0, you can find more details on how to add a service provider here.
2. Create a policy configuration for SAML 2.0 authentication using a SAML 2.0 login module (for example SAML2LoginModule) on the SAP NetWeaver AS Java.
3. In the Secure Login Administration Console, configure a Secure Login Web Client (SLWC) authentication profile for SAML 2.0 that points to the policy configuration for the SAML 2.0 login module created in step 2. For more details on how to do this, see Configuring SAML 2.0 Authentication in the Secure Login Server.
4. Configure the SLWC authentication profile to use the standard SAP NetWeaver login screen: set the parameter Use Standard Authentication Form to the name of the policy configuration created in step 2. This parameter determines whether or not a browser presents the standard authentication form of the SAP NetWeaver AS for Java to the user.
This parameter is important when you are using SAML 2.0 authentication with SLWC because it enables the Secure Login Server to communicate with the identity provider that provides the users' identities. Whenever users start the SLWC, they can choose the identity provider that manages their identity information and authentication. For more details, see Parameters for User Authentication (Table 2 – Secure Login Web Client).