Single Sign-On between SAP Cloud Platform Launchpad and SAP Enterprise Portal
Starting from SAP NetWeaver Enterprise Portal 7.5 SP19, you can run portal content (iViews and pages) from SAP Cloud Platform Launchpad.
For more information, see:
Enterprise Portal as Content Provider to SAP Cloud Platform Launchpad.
Federation of Remote Content Providers
Single Sign-On (SSO) is one of the tasks in implementing a production scenario, and this post explains how to configure SSO between SAP Cloud Platform Launchpad (Launchpad) and Enterprise Portal (EP).
There are two ways to configure connectivity:
- Direct access (Direct EP) – Enterprise Portal is reached directly from the Internet, meaning the Enterprise Portal system is exposed to external access.
- Tunneled access (Tunneled EP) – Enterprise Portal is reached only from the internal network, which requires setting up the Cloud Connector (CC).
I will explain the SSO settings for both of these.
To achieve SSO, I use the following example landscape: SAP Cloud Platform Launchpad and Enterprise Portal share the same user persistence, the corporate LDAP system, which is connected via an Identity Provider (IDP).
As prerequisites I will assume that:
- all required installations and the account/subaccount exist (only the Tunneled access scenario requires a CC installation)
- admin access to manage the required settings exists for all installations.
- the EP role content is exposed via a Content Provider to SAP Cloud Platform Launchpad
- the exposed EP role is added to the site content.
- the end user is assigned to the exposed EP role. See the How-To and details for items 3, 4 and 5 here.
- idp.ondemand.com is trusted by the external corporate IDP (see the Involved component diagram): trust between the IDP (idp.ondemand.com) and the Corporate IDP (account…sap.com = idp.acme.com) has been established under Corporate Identity Providers – see the picture below
SSO for the Direct access scenario:
You need to establish an SSO between SAP Cloud Platform Launchpad and Enterprise Portal, so that when users logon to SAP Cloud Platform Launchpad, they will be able to run Enterprise Portal content without logging on again.
- Establish trust between subaccount and IDP
- Establish trust between Enterprise Portal and IDP
To establish trust between the subaccount and the IDP, do the following:
1. Log in to the SAP Cloud Platform Cockpit as subaccount administrator and open Trust Configuration.
You can either click Establish Trust and choose the required IDP from the list, or configure the trust manually as described here: click SAML Metadata and save the downloaded subaccount metadata file for the next steps.
2. Open the IDP with your admin user and password and create a new application (see below): directep.
3. Select SAML 2.0 Configuration and upload the downloaded subaccount metadata file.
4. In the created application, select Conditional Authentication.
5. Select the trusted corporate identity provider as Default Identity Provider and enable "Allow users stored in Identity Authentication service to log on."
The subaccount has now established trust with the IDP; you can see it in the Trust Configuration of your subaccount.
Activate the new IDP in the subaccount in the SAP Cloud Platform Cockpit and set the Default SAP ID Service to inactive, otherwise users will still be authenticated by the SAP ID service.
See the example in the Establish Trust screenshot above.
To establish trust between Enterprise Portal and the IDP:
- Log on to SAP NetWeaver Administrator (NWA)
- Open Authentication and Single Sign-On: SAML 2.0
- Create a local Service Provider; the different scenarios are described here.
In Enterprise Portal as a Service Provider:
- Click Download Metadata and save the downloaded file. (Check that the file is not empty; some browsers save an empty file here.)
- Open the IDP again and create a new application for Enterprise Portal. Configure it the same way you did for the subaccount, but upload the SAML metadata file from Enterprise Portal.
- In the IDP, open Tenant Settings, choose SAML 2.0 Configuration and download the IDP metadata.
- Go back to NWA and click Trusted Providers. Add a trusted provider by uploading the IDP metadata file.
Choose Identity Federation and configure the "Supported name ID formats"; the formats selected here must match what the IDP sends as the NameID.
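Both metadata files you download in this procedure (the subaccount metadata from step 1 and the Enterprise Portal metadata from Download Metadata) are worth checking offline before they go into the IDP: the empty file mentioned above is one failure mode, but a plain-HTTP assertion consumer URL or a NameID format list that does not match the Identity Federation settings also costs a round trip with the IDP. The script below is an added example, not code from this post or from SAP; it uses only the Python standard library. The embedded SAMPLE_SP_METADATA is constructed for the example, ep.example.corp is a placeholder host and the certificate blob is a placeholder DER value rather than a real certificate.

```python
"""Pre-upload check for a downloaded SAML 2.0 service-provider metadata file.

Added example, not code from the blog or from SAP. SAMPLE_SP_METADATA is
constructed: ep.example.corp is a placeholder host and the certificate blob is
a placeholder DER value, not a real certificate.
"""
import base64
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


class MetadataError(ValueError):
    """Raised when the file should not be uploaded to the IDP."""


def inspect_sp_metadata(xml_bytes: bytes) -> dict:
    """Validate SP metadata and return the values worth checking before upload."""
    if not xml_bytes.strip():
        # The empty-file case some browsers produce on Download Metadata.
        raise MetadataError("metadata file is empty; download it again")
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        raise MetadataError(f"metadata is not well-formed XML: {exc}") from exc
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise MetadataError(f"unexpected root element {root.tag}")
    entity_id = root.get("entityID")
    if not entity_id:
        raise MetadataError("EntityDescriptor has no entityID")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise MetadataError("no SPSSODescriptor: not service-provider metadata")

    acs = []
    for e in sp.findall("md:AssertionConsumerService", NS):
        location = e.get("Location", "")
        if not location.startswith("https://"):
            # The IDP posts the signed assertion here; plain HTTP would expose it.
            raise MetadataError(f"AssertionConsumerService is not HTTPS: {location}")
        acs.append({"binding": e.get("Binding"), "location": location,
                    "index": int(e.get("index", "0")),
                    "default": e.get("isDefault") == "true"})
    if not acs:
        raise MetadataError("SPSSODescriptor lists no AssertionConsumerService")

    # These must agree with the "Supported name ID formats" chosen in NWA.
    nameid_formats = [e.text.strip() for e in sp.findall("md:NameIDFormat", NS) if e.text]

    certs = {}
    for kd in sp.findall("md:KeyDescriptor", NS):
        use = kd.get("use", "signing+encryption")  # no 'use' attribute means both
        b64 = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS)
        der = base64.b64decode("".join(b64.split()))
        if not der or der[0] != 0x30:  # every X.509 certificate is a DER SEQUENCE
            raise MetadataError(f"{use} certificate is missing or not DER")
        certs[use] = len(der)

    return {
        "entity_id": entity_id,
        "acs": acs,
        "nameid_formats": nameid_formats,
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "certificates": certs,
    }


# Constructed sample; "MAMCAQE=" decodes to a 5-byte DER SEQUENCE placeholder.
SAMPLE_SP_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://ep.example.corp/saml2/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MAMCAQE=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://ep.example.corp/saml2/sp/acs/ep/ep" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_SP_METADATA
    try:
        for key, value in inspect_sp_metadata(data).items():
            print(f"{key}: {value}")
    except MetadataError as err:
        sys.exit(f"do not upload: {err}")
```

Run it with the downloaded file as the only argument; with no argument it inspects the embedded sample. The NameID formats it prints are the ones to compare against the Identity Federation settings, and the entityID is what you will later see as the provider name in the IDP application.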
In my case Enterprise Portal is connected to the corporate LDAP, and the external corporate IDP is connected to the same LDAP.
The user identifier in Enterprise Portal is the Logon ID, while the IDP uses the e-mail address. If client certificates are needed later (Tunneled scenario with Cloud Connector), the mapping from e-mail address to user can be configured in the login module settings.
To configure the authentication login modules to use SAML:
In the example below the policy configuration uses the ticket authentication stack. I modify that stack and add the SAML2LoginModule. See more here.
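Why the order and control flags of the modules in that stack matter is easiest to see by running the stack's decision logic. The following is an added example, not code from this post or from SAP: it implements the standard JAAS control-flag semantics (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL) that NWA authentication stacks follow, and evaluates a hypothetical stack built from the three modules named in the text. The order and flags of that stack, the stub behaviour of each module, the VALID_TICKETS set and the EMAIL_TO_LOGON_ID directory (standing in for the e-mail to Logon ID mapping described above) are all assumptions constructed for the example.

```python
"""How a login-module stack decides whether a logon succeeds.

Added example, not code from the blog or from SAP. The stack order and flags,
the stub modules, VALID_TICKETS and EMAIL_TO_LOGON_ID are constructed
assumptions; only the JAAS control-flag rules in run_stack are standard.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable


@dataclass
class Module:
    name: str
    flag: str                          # REQUIRED | REQUISITE | SUFFICIENT | OPTIONAL
    login: Callable[[dict], bool]      # True on success; may update the context


def run_stack(stack: list[Module], ctx: dict) -> tuple[bool, list[str]]:
    """Evaluate a stack with JAAS rules; return (success, trace of module results)."""
    trace, any_success, fatal = [], False, False
    for m in stack:
        ok = m.login(ctx)
        trace.append(f"{m.name}:{'ok' if ok else 'fail'}")
        if ok:
            any_success = True
            if m.flag == "SUFFICIENT" and not fatal:
                break                    # authenticated; later modules are skipped
        elif m.flag == "REQUISITE":
            return False, trace          # fail fast
        elif m.flag == "REQUIRED":
            fatal = True                 # keep running so the failing module is not revealed
    return any_success and not fatal, trace


# Constructed data: one valid logon ticket and the LDAP-backed e-mail -> Logon ID map.
VALID_TICKETS = {"MYSAPSSO2-constructed-valid"}
EMAIL_TO_LOGON_ID = {"jdoe@acme.example": "JDOE", "asmith@acme.example": "ASMITH"}


def evaluate_ticket(ctx: dict) -> bool:
    """Stub for EvaluateTicketLoginModule: accept an existing, valid logon ticket."""
    return ctx.get("ticket") in VALID_TICKETS


def saml2(ctx: dict) -> bool:
    """Stub for SAML2LoginModule: map the assertion's NameID (e-mail) to a Logon ID."""
    user = EMAIL_TO_LOGON_ID.get(ctx.get("saml_nameid", "").lower())
    if user is None:
        return False                     # no assertion presented, or unknown subject
    ctx["user"] = user
    return True


def create_ticket(ctx: dict) -> bool:
    """Stub for CreateTicketLoginModule: issue a ticket once a user is established."""
    if "user" not in ctx:
        return False
    ctx["ticket"] = next(iter(VALID_TICKETS))
    return True


# Assumed stack: returning users are short-circuited by the ticket check,
# first-time users go through SAML and leave with a ticket for later requests.
STACK = [
    Module("EvaluateTicketLoginModule", "SUFFICIENT", evaluate_ticket),
    Module("SAML2LoginModule", "OPTIONAL", saml2),
    Module("CreateTicketLoginModule", "SUFFICIENT", create_ticket),
]

if __name__ == "__main__":
    for label, ctx in [("returning user", {"ticket": "MYSAPSSO2-constructed-valid"}),
                       ("fresh SAML logon", {"saml_nameid": "JDoe@acme.example"}),
                       ("unknown subject", {"saml_nameid": "nobody@acme.example"})]:
        print(label, run_stack(STACK, dict(ctx)))
```

The trace shows the two paths that matter in this scenario: a user who already holds a valid logon ticket never reaches the SAML module, and a user arriving with an assertion is mapped to a Logon ID and leaves with a ticket. A NameID that does not map to a user fails the whole stack, which is the symptom to look for when the Identity Federation or e-mail mapping settings are wrong.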
Once the SP and the trusted provider are activated, the trust is ready to use.
That is all for the Direct access scenario SSO.
The Direct access scenario SSO configuration is a prerequisite for the Tunneled access configuration.
The Tunneled access scenario SSO configuration is coming soon in a separate blog.