2007 Jan 23 10:39 PM
We have configured SAML on a number of hosts, so we thought we had the config of this pretty well down. But in a recent config, we are unable to get our J2EE to contact the SAML source (a 3rd party SAML assertion authority).
The error in the security log is:
#1.5#0003BADBD644001700000031000018C4000427BCC716793A#1169591654316#/System/Security/SAML/JAAS#sap.com/irj#com.sap.security.core.server.saml.jaas.SAMLLoginModule.login()#Guest#3#####SAPEngine_Application_Thread[impl:3]_26##0#0#Error#1#com.sap.security.core.server.saml.jaas.SAMLLoginModule#Java###An exception occurred. Further details should be available in the audit trace for location "". The exception text is: "".#2#com.sap.security.core.server.saml.jaas.SAMLLoginModule#The destination with key "ireport1.bloomberg.com" could not be read from the destinations service.: The properties for destination ireport1.bloomberg.com of type HTTP could not be located.: <Localization failed: ResourceBundle='com.sap.exception.io.IOResourceBundle', ID='No such destination ireport1.bloomberg.com of type HTTP exists ', Arguments: []> : Can't find resource for bundle java.util.PropertyResourceBundle, key No such destination ireport1.bloomberg.com of type HTTP exists
The ports are open between the J2EE host and SAML authority, so I'm not sure what this destination service that the error refers to is.
Any ideas?
2007 Jan 24 1:13 PM
Hi Dave,
I would guess that there is a mismatch between the destination configured in SAML and what is configured in the destination service. At least this part of the error message leads me to believe this:
No such destination ireport1.bloomberg.com of type HTTP exists
The relevant parameter for the SAML service is DestinationName (http://help.sap.com/saphelp_nw2004s/helpdata/en/2d/d1f1285432da4d8ff121b47363e54d/frameset.htm) (seems to be set to 'ireport1.bloomberg.com') and the definitions in the Destination service. Please check that in the destination service (http://help.sap.com/saphelp_nw2004s/helpdata/en/c4/4bf969fb2a48908224679e83e9d805/frameset.htm) there really is a destination of type HTTP named ireport1.bloomberg.com.
Kind regards,
Patrick
2007 Jan 24 6:55 PM
Thanks for that tip. I missed that config. The destination service was not configured yet.
Now I have a followup...our source SAML is load balanced between 2 hosts (A and B).
In our test, we made the SAML connection between host A and SAP. Then we reconfigured to make a direct test between host B and SAP. Does the SAML configuration in SAP allow for providing more than one SAML source? I don't see this option in the configtool when I'm setting up the SAML parameters to allow more than one sourceID/destination.
2007 Jan 24 7:05 PM
I should also add that our SAML source is a 3rd party Juniper/Neoteris VPN. The config on it is very straightforward where we specify the sourceID(hex) and Issuer ID(i.e. destination for SAP). While we could set these to be the load balanced name, the problem occurs when SAP tries to respond back to the SAML. If it responds to the load balanced URL for the SAML authority, it may not go back to the one that issued the assertion and therefore fail.
2007 Feb 02 12:20 PM
Hi Dave,
No, this is not supported. However, what you can do is use the same hostname for both systems (and the same certificates). The load balancer can then connect the SAML service to the system as defined in the settings of the balancer.
regards,
Patrick
2007 Feb 02 2:40 PM
Thank you for the info. I think I need some clarification...Let me explain the environment.
We have two VPN/SAML Sources for redundancy purposes. They are called ireport1 and ireport2. The DNS alias is simply 'ireport'. When a user accesses 'ireport', they get passed to either #1 or #2.
At that point, they provide credentials to log in to the VPN (Juniper Neoteris), which authenticates them against our own LDAP. Once that has occurred, ireport (1 or 2) will make the call to the SAP Portal, which is configured to accept SAML as a logon method.
In the SAP Portal system, if we were to configure the SAML SourceID as simply 'ireport', and the destination(responder URL) as just 'ireport/xxx/yyy', what happens when a user makes their request from ireport1, but the responder calls back 'ireport' and gets 'ireport2'?
2007 Feb 02 8:05 PM
Just to follow up - we have configured our SAML configuration as follows:
In the configtool, under the partnersinbound connections, I have 2 sub-configs - one for each SAML Source system.
In the Admintool destinations service, I have also configured these with the appropriate response.
So, now when we access our SAML source alias (ireport), we get passed to ireport1 or ireport2, and then the authentication occurs, and the response goes back to the correct URL as defined in the Destination service.
So, it appears to work, but you have me curious as to what you meant when you said it is not supported?
2007 Feb 05 2:34 PM
Hi Dave,
Maybe I had some misunderstanding here. What I referred to was an HA system of SAML sources sharing the SAME SAML ID. If you have two SAML sources that are independent of each other, this is not an issue.
So what I meant was that if both SAML sources share the same SourceID, then you may run into trouble, as, as far as I remember, the destination is selected based on the SourceID and thus you will only be able to specify one SAML source.
It appears to me that you have a destination ID for each of your SAML sources, right?
Regards,
Patrick
2007 Feb 05 2:42 PM
That is correct. Initially I had configured both SAML sources (1 and 2) with the same sourceIDs. So we now have unique sourceIDs with unique destinations for each one and the solution is working. It seems to me that not many customers are using SAML based on the limited posts or info on SDN. I may need to write a blog about our environment....
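A consistency check for the two misconfigurations this thread ends up covering (a DestinationName with no matching HTTP destination, as in Patrick's first reply, and two partners sharing one SourceID, as in his later one), written as an added example that is not part of the original posts. The dict layout of the partner table and the destination set is assumed here; SAP's own configtool/Visual Admin stores are not parsed, and the SourceID values are constructed placeholders.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Set

# Matches the destination-service error text quoted in the thread's security log.
DEST_KEY_RE = re.compile(r'The destination with key "([^"]+)" could not be read')


def missing_destination_from_log(line: str) -> Optional[str]:
    """Pull the DestinationName a SAMLLoginModule error says it could not resolve."""
    m = DEST_KEY_RE.search(line)
    return m.group(1) if m else None


def check_saml_partners(partners: List[Dict[str, str]],
                        http_destinations: Set[str]) -> List[str]:
    """Return findings for the two misconfigurations discussed in the thread.

    partners: one dict per inbound SAML partner (keys: name, source_id,
    destination). http_destinations: HTTP destination names defined in the
    destination service. Both shapes are assumed, not SAP's own format.
    """
    findings = []
    for p in partners:  # 1. every DestinationName must exist as an HTTP destination
        if p["destination"] not in http_destinations:
            findings.append(f'{p["name"]}: no HTTP destination "{p["destination"]}"')
    # 2. SourceIDs must be unique: the destination is chosen by SourceID, so two
    #    partners sharing one SourceID collapse onto a single responder URL.
    for sid, n in Counter(p["source_id"] for p in partners).items():
        if n > 1:
            names = ", ".join(p["name"] for p in partners if p["source_id"] == sid)
            findings.append(f"SourceID {sid} shared by {names}; only one responder can be selected")
    return findings


# Constructed sample data (SourceIDs are placeholder hex, not real values).
SAMPLE_LOG_LINE = ('com.sap.security.core.server.saml.jaas.SAMLLoginModule#The destination '
                   'with key "ireport1.bloomberg.com" could not be read from the destinations service.')
HTTP_DESTINATIONS = {"ireport1.bloomberg.com"}
BROKEN_PARTNERS = [  # same SourceID on both, second destination never defined
    {"name": "ireport1", "source_id": "0a0b0c", "destination": "ireport1.bloomberg.com"},
    {"name": "ireport2", "source_id": "0a0b0c", "destination": "ireport2.bloomberg.com"},
]
FIXED_PARTNERS = [  # unique SourceID and destination per source, as in the final setup
    {"name": "ireport1", "source_id": "0a0b0c", "destination": "ireport1.bloomberg.com"},
    {"name": "ireport2", "source_id": "0d0e0f", "destination": "ireport2.bloomberg.com"},
]
```

Run `check_saml_partners(FIXED_PARTNERS, HTTP_DESTINATIONS | {"ireport2.bloomberg.com"})` to confirm the corrected setup returns no findings.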
2007 Feb 05 2:53 PM
Hi Dave,
Well, the feedback I have so far was that it just had been too easy to install, which sounds a bit better. Even your question wasn't really a problem, as you did solve it yourself.
Regards,
Patrick
2007 Dec 10 7:55 AM
Hello David,
Can you expand a little bit on your Juniper solution?
I'm looking for a solution that will let our employees access the portal from anywhere in the world with reasonable performance.
Many thanks,
Eli
2007 Jan 30 2:28 PM