
Integration of SAP Portal with Shibboleth based CUA?

Former Member
0 Kudos

We are running SAP Portal NetWeaver EhP1 on LINUX RH-EL 5 with ORACLE 10.2.0.4. We are interested in integrating authentication to the SAP Portal with our web single sign-on system, which is based on Internet2's Shibboleth software. We would like to use our Shibboleth CUA to authenticate users and give them access to our SAP Enterprise Portal as well as to the SAP ABAP systems.

Has anyone done something similar and if so, what were the results or limitations encountered?

What is the underlying web server / product on which the Portal is based? Specifically, is it Apache httpd? If so, which version?

Can it support the use of third party Apache modules, e.g. the Shibboleth Service Provider (SP) Apache module for authentication?

If not, is it possible to run the portal fronted by Apache httpd? (Note that the Shibboleth SP software requires the use of Apache httpd on Linux servers.)

Can the portal be configured to honor the REMOTE_USER setting passed by the web server/container for authentication, instead of requiring a username/password to be entered?

If the portal cannot support the use of the Shibboleth Service Provider software for authentication, what are the other possible configuration options for authentication (besides username/password)?

What support, if any, is there for SAML-based authentication?

Will the portal interoperate with a Shibboleth Identity Provider (IdP)? Can you point us at documentation for this?

Thank you,

Deb Nugent

1 ACCEPTED SOLUTION

mvoros
Active Contributor
0 Kudos

Hi,

Interesting questions. Portal is running on top of the NetWeaver platform (Java stack). Hence no Apache web server. I doubt that it supports any Apache modules. You can use Apache as a reverse proxy in front of SAP Portal. Check note 480520 with the attached configuration guide. I don't know the answer to your question regarding the REMOTE_USER setting.

SAP Portal supports all standard authentication methods (http://help.sap.com/saphelp_nw70/helpdata/en/8a/cb136e68592f478266d19bb2b89766/frameset.htm) supported by NetWeaver. Probably the only possible way is to use SAML (http://help.sap.com/saphelp_nw70/helpdata/en/94/695b3ebd564644e10000000a114084/frameset.htm). Here (http://www.ibm.com/developerworks/tivoli/library/t-cssosap/index.html) is a how-to guide on setting up SSO based on SAML between Tivoli and the NetWeaver application server.

Also search on the net. I found links to interesting presentations, e.g. this one (http://www.switch.ch/aai/support/presentations/ws-sap-2010/ETHZ_AAI_SAP_SAML_Artifact.pdf).

Cheers

3 REPLIES 3

MichaelShea
Product and Topic Expert
0 Kudos

Hi Deb,

The SAP NetWeaver Application Server ABAP 7.02 and AS Java 7.2 were recently certified by the Liberty Alliance as SAML 2.0 compliant. That does not match your NetWeaver version currently, but it is an interesting possibility for you.

See the documentation: http://help.sap.com/saphelp_nwce72/helpdata/en/17/6d45fc91e84ef1bf0152f2b947dc35/frameset.htm

-Michael

Former Member
0 Kudos

In case anyone is reading this thread or looking for a similar answer, we were able to get the SAML module working with our Portal, with the SAML assertions being provided by our Shibboleth-based identity provider.

We were able to work with our Shibboleth Support team to determine what information was needed to configure our Portal to accept SAML login from them. They would have preferred we use SAML 2, but our current Portal software can only support SAML 1 / 1.1. We understand that a future Support Package or Enhancement Package will allow the use of SAML 2, and we will revisit that when it becomes available. We referenced documentation mentioned in other threads, specifically Suresh Santhana's article "SAML SSO Configuration on AS Java" (http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/6064cdbe-0c8f-2c10-bfb7-88a26647ecb6) and the SAP Help files to configure SAML within our Portal.

The most difficult part for us was determining the SourceID value for the SAML Configuration Adaptor. We realized the value had to be the SHA-1 hash of our IDP server. And we had to start the string with "Hex:". Once we had the correct string in the SourceID, the logon worked correctly.

Our Shibboleth identity provider supplies the same username as we have configured as the username within our Portal so there is a one to one correlation.

Deb Nugent.
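
The SourceID step from the last post, as an added example that is not part of the original thread and not SAP or Shibboleth code: it derives a "Hex:"-prefixed SHA-1 value and checks that a SAML 1.x type 0x0001 artifact (2-byte type code, 20-byte SourceID, 20-byte assertion handle) carries the same SourceID. Assumptions: the string being hashed is the IdP's provider/entity ID, the login uses the Browser/Artifact profile, hex digits are lowercase, and `IDP_ENTITY_ID` and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
import struct

# Constructed sample value; replace with the IdP's real provider/entity ID.
IDP_ENTITY_ID = "https://idp.example.edu/idp/shibboleth"


def source_id_bytes(entity_id: str) -> bytes:
    """20-byte SourceID: SHA-1 over the IdP identifier (assumed: its entity ID)."""
    return hashlib.sha1(entity_id.encode("utf-8")).digest()


def portal_source_id(entity_id: str) -> str:
    """Value in the form the post describes: 'Hex:' + hex of the SHA-1 digest."""
    return "Hex:" + source_id_bytes(entity_id).hex()


def parse_type1_artifact(artifact_b64: str):
    """Split a SAML 1.x type 0x0001 artifact into (SourceID, AssertionHandle)."""
    raw = base64.b64decode(artifact_b64, validate=True)
    if len(raw) != 42:
        raise ValueError("type 0x0001 artifact must be 42 bytes, got %d" % len(raw))
    (type_code,) = struct.unpack(">H", raw[:2])
    if type_code != 0x0001:
        raise ValueError("unsupported artifact type 0x%04x" % type_code)
    return raw[2:22], raw[22:42]


def artifact_matches(artifact_b64: str, configured: str) -> bool:
    """True if the artifact's SourceID equals the configured 'Hex:' value."""
    if not configured.startswith("Hex:"):
        return False
    try:
        expected = bytes.fromhex(configured[4:])
        source_id, _handle = parse_type1_artifact(artifact_b64)
    except ValueError:  # bad hex, bad base64, wrong length or type code
        return False
    return hmac.compare_digest(source_id, expected)


def make_sample_artifact(entity_id: str) -> str:
    """Constructed artifact for offline testing (random assertion handle)."""
    raw = struct.pack(">H", 1) + source_id_bytes(entity_id) + os.urandom(20)
    return base64.b64encode(raw).decode("ascii")
```

If a real artifact from the IdP does not match the configured value, the hashed string (for example a trailing slash or a different entity ID) is the first thing to compare.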