SAP NetWeaver Gateway Frontend Server offers several methods for authentication (Username and Password, SPNego/Kerberos, x509 client certificates and SAML 2.0). This blog is created by the S/4HANA Regional Implementation Group (RIG) and will detail the steps required to setup SAML 2.0 authentication with SAP S/4HANA with SAP Cloud Identity as the Identity Provider (IDP).
The service provider (SP) for the example will be a SAP NetWeaver Gateway Frontend server connected to the backend SAP S/4HANA 1610 system. For the Identity provider (IDP), you will need to procure a SAP Cloud Identity Tenant from SAP. The following diagram (1), will illustrate a sample architecture of this configuration.
The following systems used for this example for SAML 2.0 configuration with SAP S/4HANA 1610 and SAP Cloud Identity:
- SAP NetWeaver AS ABAP for S/4HANA 7.51 SPS01
- SAP Web Dispatcher 7.49 (SAP Note 908097 – SAP Web Dispatcher: Release, Installation, Patches, Documentation)
- SAP S/4HANA On-Premise 1610 ABAP FPS01
- SAP Cloud Identity Tenant
This document and screen shots was created on a S/4HANA 1610 FPS01 system with SAP NetWeaver AS ABAP 7.51 SPS01. The service provider should work with SAP NetWeaver releases that meet the following requirements:
- NetWeaver AS JAVA 7.20, 7.30, 7.31 and 7.4, 7.5 and higher
- NetWeaver AS ABAP 7.02, 7.30, 7.31 and 7.4, 7.5 and higher
The scenario includes the following steps:
- User accesses a Web Server behind a reverse proxy to get to a Web page.
- The script initiates a GET request to the SAP Gateway service via the Proxy (typically HTTPS). The Proxy terminates the original TLS request and makes new (recommended HTTPS) call to SAP Gateway.
- The Identity Provider (IDP) authenticates the user using one of the supported schemas (for example Integrated Windows or basic authentication). Upon authentication, the User Agent is redirected back to SAP Gateway. The request contains an artifact value of SAMLart. The artifact is a reference to a SAML assertion stored in the IDP.
- The artifact is sent back to the client and redirected to SAP Gateway.
- SAP Gateway prepares a synchronous SOAP request for resolving the received artifact and opens a back-channel HTTPS communication to the IDP. On receiving an assertion SP, SAP Gateway validates it, and authenticates or rejects the request.
- SAP Gateway forwards the request for the specific data to the SAP ERP back-end system.
Please refer to the following document for step by step instructions on setting up SCI as identity provider against a SAP S/4HANA service provider.
SAP S/4HANA RIG