
Configuring SAML 2.0 Authentication for your Secure Login Server

How to “exchange” a SAML assertion for an X.509 client certificate and to implement end-to-end single sign-on also for non-SAML systems in a SAML enabled network.

If SAML (Security Assertion Markup Language) is the single sign-on technology of choice for your corporation but you are still running applications that accept only X.509 client certificates, we already have a simple solution for you. With the latest patch of SAP Single Sign-On 2.0 SP04 (Patch 1), we offer out-of-the-box authentication with SAML assertions to the Secure Login Server (SLS). This way you will be able to implement SP-initiated single sign-on and to request an X.509 client certificate from the Secure Login Server via the Secure Login Web Client by presenting a SAML assertion for authentication.

See the authentication flow in the following diagram:

[Diagram: SAML_Auth_SLS.png]

Please also find the prerequisites and the implementation steps necessary for this scenario:

Prerequisites:

Implementation steps:

  1. Configure the mutual trust between the SAML Identity Provider and the SAML Service Provider (host of the Secure Login Server).
    1. Configure the SAP NetWeaver AS Java, where your Secure Login Server is running, to be a SAML Service Provider and to trust the SAML IDP of your company (for example SAML IDP of the SAP Single Sign-On product).
    2. Configure your SAML IDP to trust the SAP NetWeaver AS Java, where your Secure Login Server is running, as a Service Provider. If you are using the SAML IDP from SAP Single Sign-On 2.0, you can find more details here on how to add a service provider.
  2. Create a policy configuration for the SAML 2.0 authentication using a SAML 2.0 login module (for example SAML2LoginModule) on the SAP NetWeaver AS Java.
  3. In the Secure Login Administration Console, configure a Secure Login Web Client (SLWC) authentication profile for SAML 2.0 that points to the policy configuration for the SAML 2.0 login module created in step 2. For more details on how to do this, see Configuring SAML 2.0 Authentication in the Secure Login Server.
  4. Configure the SLWC authentication profile to use the standard SAP NetWeaver login screen – set the parameter Use Standard Authentication Form to the policy configuration name created in step 2. This parameter determines whether or not a browser presents the standard authentication form of the SAP NetWeaver AS for Java to the user.

This parameter is important when you are using SAML 2.0 authentication with SLWC because it enables the Secure Login Server to communicate with the identity provider that provides the users’ identities. Whenever users start the SLWC, they can choose the identity provider that manages their identity information and authentication. For more details, see Parameters for User Authentication (Table 2 – Secure Login Web Client).
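To make the "exchange" concrete, here is an added example (not code from the original post and not SAP's Secure Login Server implementation) of the checks a service provider has to apply to a bearer SAML 2.0 assertion before it is allowed to drive the issuance of an X.509 client certificate: trusted issuer, validity window, audience restriction, recipient and InResponseTo (the SP-initiated flow above), and finally mapping the NameID to a certificate subject. The signature check is assumed to have been done already by the SAML 2.0 login module; the assertion, entity IDs and URLs below are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical deployment values (placeholders, not taken from the post).
TRUSTED_ISSUERS = {"https://idp.example.com/saml2/idp/metadata"}
SP_ENTITY_ID = "https://sls.example.com/saml2/sp/metadata"      # our SP entity ID
ACS_URL = "https://sls.example.com/saml2/sp/acs"                # our assertion consumer service
CLOCK_SKEW = timedelta(seconds=60)
SUBJECT_TEMPLATE = "CN={cn},OU=Secure Login Users,O=Example Corp"

# Constructed sample assertion (not a real capture); signature element omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
  <saml:Issuer>https://idp.example.com/saml2/idp/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req42"
          NotOnOrAfter="2024-05-01T10:05:00Z"
          Recipient="https://sls.example.com/saml2/sp/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sls.example.com/saml2/sp/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-05-01T10:00:00Z"/>
</saml:Assertion>"""


class AssertionRejected(Exception):
    """Raised when an assertion must not be exchanged for a certificate."""


def parse_saml_time(value):
    """SAML dateTime values are UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def escape_dn_value(value):
    """Escape RFC 4514 special characters so a NameID cannot inject DN attributes."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    return out


def validate_assertion(xml_text, request_id, now):
    """Apply the bearer-assertion checks and return the NameID. The XML signature
    is assumed to have been verified before this function is called."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_NS["saml"]:
        raise AssertionRejected("not a SAML 2.0 Assertion element")
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    if issuer not in TRUSTED_ISSUERS:
        raise AssertionRejected("issuer is not a trusted identity provider")
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        raise AssertionRejected("assertion carries no Conditions")
    if now + CLOCK_SKEW < parse_saml_time(cond.get("NotBefore")):
        raise AssertionRejected("assertion not yet valid")
    if now - CLOCK_SKEW >= parse_saml_time(cond.get("NotOnOrAfter")):
        raise AssertionRejected("assertion expired")
    audiences = {a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)}
    if SP_ENTITY_ID not in audiences:
        raise AssertionRejected("assertion was issued for a different service provider")
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", SAML_NS)
    if scd is None:
        raise AssertionRejected("no SubjectConfirmationData")
    if scd.get("Recipient") != ACS_URL:
        raise AssertionRejected("Recipient does not match our assertion consumer service")
    if scd.get("InResponseTo") != request_id:
        raise AssertionRejected("InResponseTo does not match the pending AuthnRequest")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    if not name_id:
        raise AssertionRejected("no NameID to map to a certificate subject")
    return name_id


def exchange_for_certificate_subject(xml_text, request_id, now):
    """Outcome of the exchange: the subject DN to put in the client certificate,
    or the reason the assertion was refused."""
    try:
        name_id = validate_assertion(xml_text, request_id, now)
    except AssertionRejected as exc:
        return {"ok": False, "reason": str(exc)}
    return {"ok": True, "name_id": name_id,
            "subject": SUBJECT_TEMPLATE.format(cn=escape_dn_value(name_id))}


if __name__ == "__main__":
    t = datetime(2024, 5, 1, 10, 1, tzinfo=timezone.utc)
    print(exchange_for_certificate_subject(SAMPLE_ASSERTION, "_req42", t))
    print(exchange_for_certificate_subject(SAMPLE_ASSERTION, "_req42", t + timedelta(minutes=9)))
```

The InResponseTo check is what ties the certificate request to the AuthnRequest the SLWC sent, so an assertion obtained for one browser session cannot be replayed into another; the audience and recipient checks stop an assertion minted for some other service provider from being accepted here.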


8 Comments
  • Hi team, I’d like to know if it is possible to have these SSO scenarios implemented in SAP NW 7.4:

    • SSO implemented in two domains, with two different IDP.

      SSO for the users that belong to domain1 and LDAP (Form, Basic authentication) for the users of the other, domain2.

  • Hi

    This is a nice high level visual of the process. Thanks 🙂

    Is it possible for a redirect from the NWBC login prompt to the SLWC so users don’t need to do two steps to access their applications?

    Regards

    Colleen

    • You could configure the ICF node (ext. alias /nwbc) to use SAML as logon procedure in the Logon Data tab or you could use the Error Pages tab and configure a redirect to a specific logon page, which in this case would be SLWC.

      • Hi Samuli

        Thanks for your reply. I forgot to mention that part of the Secure Login Server authentication was to issue private certificate to IE browser content. I was told that they cannot do that via the ICF configuration for NWBC logon procedure.

        In truth, I cannot remember which functionality required X509 instead of just SAML

        Regards

        Colleen

  • Hello Team,

    I need some help here.

    I want to use IDM 8 as identity provider with NW SSO, similar to above.

    and then SSO will allow access to SAP systems.

    Could you please explain if having just IDM 8 as user source is sufficient?

    Regards,

    Yatin Phad

    • Hello Yatin,

      This will be possible if you are using the SAP Single Sign-On product (license required). SAP Single Sign-On offers a Secure Login Server that issues X.509 client certificates. The Secure Login Server is running on AS Java, and when you provision your SAP IDM users to the AS Java UME it will be possible to implement single sign-on based on X.509 client certificates to SAP systems. This scenario will also work for Windows-based UIs like SAP GUI. If you are using only web UIs for SAP, then you can also use the SAML Identity Provider in a similar way, because the SAML IdP could also use the AS Java UME as user store.

      Regards,

      Donka Dimitrova

  • Hi Donka Dimitrova,


    We are replacing an existing SSO solution (Smartcard based PKI ) with SAP Secure Login Server based SSO.

    As we are not going to roll out the SAP Secure Login based SSO for all the systems at a time, we need both SSO solutions to co-exist (for example, all dev and QA systems using SSLS for testing and other systems using the existing Smart Card PKI SSO).

    We understand that secure login client can act as a container for multiple client certificates and it can be used to configure multiple solutions in parallel.

    We have configured a JavaScript web client group (JavaScript Web Adapter) (using the SAML Authentication Profile) to issue the X.509 certificate.

    Unfortunately all our SAP ABAP systems are being redirected to use the SSLS Web Adapter certificate. But can we make a set of systems use the certificate issued by the Smart Card PKI and the rest of the systems use the SSLS-issued certificate?

    Is there a way to define a sequence of the certificate to be used by the SAP GUI SNC?

    How do we control the certificate to be used by the SAP GUI SNC Session out of all the available certificates in the Secure Login Client?

    Implementation guide claims that the secure login client is capable of supporting multiple scenarios but that is not working in our case.

    Could you please advise?


    Thanks in advance.

  • Hi,


    Is this scenario still available with SSO 3.0 and Azure AD?

    I have already installed SSO 3.0, but we do not have authentication with Azure AD SAML2.


    Best regards,