
Single Sign-On between SAP Cloud Platform Launchpad and SAP Enterprise Portal

Starting from NetWeaver SAP Enterprise Portal 7.5 SP19, you can run portal content (iViews and Pages) from SAP Cloud Platform Launchpad.

For more information, see:
Enterprise Portal as Content Provider to SAP Cloud Platform Launchpad.
Federation of Remote Content Providers

Single Sign-On (SSO) is one of the tasks in the implementation of a production scenario and I would like to explain how to configure SSO between SAP Cloud Platform Launchpad (Launchpad) and Enterprise Portal (EP).

There are two ways to configure connectivity:

  1. Direct access (Direct EP) – Enterprise Portal is accessed directly from the Internet, meaning the Enterprise Portal system is exposed to external access.
  2. Tunneled access (Tunneled EP) – Enterprise Portal is accessed only from the internal network and requires setting up the Cloud Connector (CC).

I will explain the SSO settings for both of these.

To achieve SSO, I am using the following landscape example, where SAP Cloud Platform Launchpad and Enterprise Portal share the same user persistence: the corporate LDAP system, connected via an Identity Provider (IDP).

Involved components

As prerequisites I will assume that:

  1. All required installations and the account/subaccount exist (only the Tunneled access scenario requires a CC installation).
  2. Admin access to manage the required settings exists for all installations.
  3. EP role content is exposed via a Content Provider to SAP Cloud Platform Launchpad.
  4. The exposed EP role is added to the site content.
  5. The end user is assigned to the exposed EP role. See the How-To and details for 3, 4 and 5 here.
  6. idp.ondemand.com is trusted by the external corporate IDP (see the Involved components diagram), i.e. trust between the IDP (idp.ondemand.com) and the Corporate IDP (account…sap.com = idp.acme.com) has been established under Corporate Identity Providers – see the picture below.


Corporate Identity Providers


*******************************************************************

SSO for Direct scenario:
You need to establish SSO between SAP Cloud Platform Launchpad and Enterprise Portal, so that when users log on to SAP Cloud Platform Launchpad they can run Enterprise Portal content without logging on again.

  1. Establish trust between subaccount and IDP
  2. Establish trust between Enterprise Portal and IDP

To establish trust between the subaccount and the IDP, do the following:
1. Log in to SAP Cloud Platform Cockpit as subaccount admin and open Trust Configuration.

You can establish trust by clicking Establish Trust and choosing the required IDP from the list that opens, or you can configure the trust manually. Click SAML Metadata and save the downloaded file for further processing.


Establish trust

2. Open the IDP with your admin user/password and create a new application (see below): directep.


create new application


3. Select SAML 2.0 Configuration and upload the downloaded subaccount metadata file.

4. In the created application, select Conditional Authentication.


5. Select the trusted corporate identity provider as Default Identity Provider and select “Allow users stored in Identity Authentication service to log on”.

Now the subaccount has established trust with the IDP – you can see it in the Trust configuration of your subaccount.

Activate it in the subaccount in SAP Cloud Platform Cockpit and make the Default SAP ID Service inactive.
See the example in the Establish Trust screenshot above.

To establish trust between Enterprise Portal and IDP:

  1. Log on to SAP NetWeaver Administrator (NWA).
  2. Open Authentication and Single Sign-On: SAML 2.0.
  3. Create a local Service Provider – you can find the different scenarios here.


EP Service Provider

In Enterprise Portal as a Service Provider:

  1. Click Download Metadata and save the downloaded file. (Check that the file is not empty; some browsers save an empty file here.)
  2. Open the IDP again and create a new application for Enterprise Portal. Configure it the same way you did for the subaccount, but use the SAML metadata file from Enterprise Portal.
  3. In the IDP, go to Tenant Settings, choose SAML 2.0 Configuration and download the IDP metadata.
  4. Go to NWA and click Trusted Providers. Add a trusted provider by uploading the IDP metadata file.
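Two files change hands in the steps above (the Enterprise Portal SP metadata and the IDP metadata), and a bad file only shows up later as a failed logon. The following script is an added example, not code from SAP or from this post, that checks such a file before you upload it: it catches the empty-download problem, confirms the file is well-formed SAML 2.0 metadata with an entityID, verifies that the signing certificate is real base64 that decodes to a DER structure, lists the supported NameID formats (the same list you align later under Identity Federation) and flags any endpoint that is not served over https. It uses only the Python standard library; the element and attribute names are the standard SAML 2.0 metadata ones, and the sample at the bottom is constructed with a placeholder host and a dummy certificate blob.

```python
"""Sanity-check a SAML 2.0 metadata file before exchanging it between EP and the IDP.

Added example, not SAP or the original author's code. Standard library only.
"""
import base64
import binascii
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
MD = "{%s}" % NS["md"]


def inspect_metadata(xml_text: str) -> dict:
    """Return a report dict; report['ok'] is False if any problem was found."""
    report = {"ok": False, "entity_id": None, "role": None, "name_id_formats": [],
              "endpoints": [], "signing_certs": 0, "problems": []}
    problems = report["problems"]

    # The empty-download browser issue: catch it before anything else.
    if not xml_text or not xml_text.strip():
        problems.append("metadata file is empty")
        return report
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        problems.append(f"not well-formed XML: {exc}")
        return report
    if root.tag != MD + "EntityDescriptor":
        problems.append(f"root element is {root.tag}, expected md:EntityDescriptor")
        return report

    report["entity_id"] = root.get("entityID")
    if not report["entity_id"]:
        problems.append("EntityDescriptor has no entityID")

    # One file describes either the Service Provider (EP) or the Identity Provider.
    sp = root.find("md:SPSSODescriptor", NS)
    idp = root.find("md:IDPSSODescriptor", NS)
    if sp is not None:
        report["role"], role, endpoint_tag = "SP", sp, "md:AssertionConsumerService"
    elif idp is not None:
        report["role"], role, endpoint_tag = "IDP", idp, "md:SingleSignOnService"
    else:
        problems.append("neither SPSSODescriptor nor IDPSSODescriptor present")
        return report

    # Signing certificates: the trusted-provider import needs at least one, and it
    # must be valid base64 that decodes to a DER SEQUENCE (first byte 0x30).
    for kd in role.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # encryption-only keys are not what the trust import checks
        for cert in kd.findall(".//ds:X509Certificate", NS):
            try:
                der = base64.b64decode("".join((cert.text or "").split()), validate=True)
            except (binascii.Error, ValueError):
                problems.append("X509Certificate is not valid base64")
                continue
            if not der or der[0] != 0x30:
                problems.append("X509Certificate does not decode to a DER certificate")
                continue
            report["signing_certs"] += 1
    if report["signing_certs"] == 0:
        problems.append("no usable signing certificate")

    # NameID formats: what you align in Identity Federation (e.g. email vs. logon ID).
    report["name_id_formats"] = [(e.text or "").strip() for e in role.findall("md:NameIDFormat", NS)]

    # Endpoints carry the signed assertions, so they must be reachable over https only.
    for ep in role.findall(endpoint_tag, NS):
        loc = ep.get("Location", "")
        report["endpoints"].append((ep.get("Binding", ""), loc))
        if urlparse(loc).scheme != "https":
            problems.append(f"endpoint not using https: {loc}")

    report["ok"] = not problems
    return report


# Constructed sample: an SP metadata skeleton with a placeholder host and a dummy
# DER-shaped blob standing in for a real certificate.
_DUMMY_CERT = base64.b64encode(b"\x30\x82\x01\x00" + b"\x00" * 16).decode()
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://ep.example.invalid/saml2/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_DUMMY_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://ep.example.invalid/saml2/sp/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    import json
    print(json.dumps(inspect_metadata(SAMPLE_SP_METADATA), indent=2))
```

Run it against the file you downloaded from NWA or from the IDP tenant settings (replace `SAMPLE_SP_METADATA` with the file contents); an empty `problems` list means the file is worth uploading, and the `name_id_formats` list tells you which name ID formats the other side advertises before you set them in Identity Federation.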


Trusted providers

Choose Identity Federation and configure “Supported name ID formats”.
In my case the Enterprise Portal is connected to the corporate LDAP, and the external corporate IDP is connected to the same LDAP.
The user identifier is the Logon ID, but the IDP uses the email address. If a client certificate is needed later (Tunneled scenario with Cloud Connector), the mapping of email to user can be configured in the login module settings.



Identity Federation


Authentication:

To configure the authentication login modules to use SAML:

Open Authentication.
In the example below the authentication stack is ticket. I will change ticket and add SAML2LoginModule. See more here.


Add SAML2 module to the authentication stack


Once the SP and the trusted provider are activated, the trust is ready to use.

That’s all for the Direct access scenario SSO.
The Direct access scenario SSO configuration is a prerequisite for the Tunneled access configuration.
The Tunneled access scenario SSO configuration is coming soon in a separate blog.
