SAML provides a standard for cross-domain Single Sign-On (SSO). Other methods exist for enabling cross-domain SSO, but they require proprietary solutions to pass authentication information across domains. SAML 2.0 supports identity provider-initiated SSO, as in SAML 1.x, and also supports service provider-initiated SSO.
When the identity provider initiates SSO, you must maintain links on the identity provider system to the protected resources on the service providers. When you protect resources with SAML on a service provider, the service provider is configured to request authentication from the identity provider.
The implementation steps required to configure the identity provider (the host SAP NetWeaver Application Server Java on which SAP Identity Management is installed) and SAP Cloud for Customer as the service provider for Single Sign-On with SAML 2.0 are described below.
System Requirements
- To support the identity provider extensions, the host SAP NetWeaver Application Server (AS) Java must be one of the following releases:
  - AS Java 7.3 SPS 13 or later
  - AS Java 7.31 SPS 15 or later
  - AS Java 7.4 SPS 10 or later
- To support the newest user interface improvements, the host SAP NetWeaver Application Server (AS) Java must be AS Java 7.2 SPS 4 or later; otherwise, the host AS Java must be one of the following releases:
  - AS Java 7.2 SPS 2 with SAP Note 1471322 applied
  - AS Java 7.2 SPS 3 or later
- User interface improvements include functions to add authentication contexts and map them to log-in modules, to configure metadata and metadata access, and to delete the identity provider configuration.
- You must have SAP Single Sign-On (SAP SSO) 2.0 or later, or SAP Identity Management 7.2 or later installed in your system landscape.
- For more details on implementing the identity provider, see the guide Identity Provider for SAP Single Sign-On and SAP Identity Management.
- For more information about licensing SAP products, consult your key account manager.
Downloading and Installing the Federation Software for Identity Provider
As of SAP NetWeaver Identity Management 7.1, the federation software component archive (SCA) includes the identity provider. In SAP NetWeaver Identity Management 7.2 and later, the federation SCA also includes the security token service software.
1. Go to the SAP Software Download Center at https://support.sap.com/swdc.
2. Choose Support Packages and Patches and select Software Downloads.
3. In the Alphabetical Index, navigate to section S.
4. Navigate to the product SAP Single Sign-On and download IDMFEDERATION<release>.sca.
5. Deploy the .sca to AS Java using the SUM tool or the Deployment Job view of SAP NWDS.
After deployment, the federation software is available in AS Java; you can find the component named IDMFEDERATION on the Components Info tab under System Information in NWA.
Enabling HTTPS for AS JAVA
HTTPS is required for the identity provider in SAML authentication. Hence, you should enable HTTPS for the identity provider after you have installed AS Java. Refer to the SAP NetWeaver Application Server Java Security Guide at https://help.sap.com for details on enabling HTTPS for AS Java.
Identity Provider Configurations
A. Configuring AS JAVA as an Identity Provider
1. Start SAP NetWeaver Administrator with the quick link https://<hostname>:<port>/nwa.
2. Go to Configuration --> Authentication --> Single Sign-On --> SAML 2.0 tab.
3. Choose Enable SAML 2.0 Support.
4. Enter a name in the field Provider Name.
5. Choose an operation mode for the provider.
6. Select Identity Provider as the operation mode.
7. Choose Next.
8. Open the dropdown box of key type in the field Keystore View.
9. Choose SAML2 and choose Browse in the row Signing Key Pair.
10. Choose Create on the Select Keystore Entry screen.
11. Enter a name in the field Entry Name on the Key Storage screen.
12. Check Store Certificate.
13. Choose Next.
14. Enter a name for the commonName.
15. Choose Finish.
16. Choose OK on the Select Keystore Entry screen.
17. Choose Next on the SAML 2.0 tab.
18. Choose Finish.
B. Trusting a Service Provider (SAP Cloud for Customer)
The following configurations are the prerequisites for the identity provider to trust the service provider.
Downloading the metadata XML file from SAP Cloud for Customer
1. Navigate to the following Work Center View in SAP Cloud for Customer.
   Work Center: APPLICATION AND USER MANAGEMENT
   View: COMMON TASKS --> Configure Single Sign-On
2. Choose My System.
3. Under General --> Download Metadata, depending on the type of metadata acceptable to your identity provider, choose either of the following:
   a. SP Metadata (Service Provider Metadata)
   b. STS Metadata (Security Token Service Metadata)
4. Save the XML file to your local workspace for upload into the identity provider.
C. Adding a Service Provider into Trust List
1. Start SAP NetWeaver Administrator with the quick link https://<hostname>:<port>/nwa.
2. Choose SAML 2.0 --> Trusted Providers. If you are not in My Workspace, then you need to go to Authentication and Single Sign-On first.
3. On the Trusted Providers tab, choose Add --> Uploading Metadata File.
4. On the SAML 2.0 Configuration screen, choose Browse and provide the path to the metadata XML file of the service provider.
5. Choose Next.
6. Select File and choose Browse.
7. Provide the path to the certificate of the service provider to establish trust.
8. On the remaining SAML 2.0 Configuration screens, keep the default settings.
9. Choose Finish and stay on this page.
The signature and encryption options must match those of the service provider. If the service provider requires that SAML assertions are always digitally signed and the identity provider never signs them, then the SAML configuration cannot function.
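The matching requirement above can be checked mechanically before the trust entry is enabled. The following Python script is added here as an example and is not part of the original page or of any SAP tool: it parses a constructed SP metadata file in the shape of the one downloaded from SAP Cloud for Customer and reports mismatches against the signing, encryption and Name ID choices made on the NWA trusted-provider entry. The function names, the IdP setting values and the metadata contents are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed SP metadata in the shape of a C4C "SP Metadata" export; the entityID,
# URLs and certificate value are placeholders, not real SAP Cloud for Customer values.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.invalid/saml2">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-BASE64-SIGNING-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://sp.example.invalid/saml2/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_sp_metadata(xml_text):
    """Extract from SP metadata the requirements the IdP trust entry has to satisfy."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service provider metadata")
    # KeyDescriptor 'use' is optional; when absent, the certificate serves both purposes.
    certs = {kd.get("use", "both"): kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
             for kd in sp.findall("md:KeyDescriptor", NS)}
    return {
        "want_assertions_signed": sp.get("WantAssertionsSigned", "false").lower() == "true",
        "authn_requests_signed": sp.get("AuthnRequestsSigned", "false").lower() == "true",
        "name_id_formats": [e.text.strip() for e in sp.findall("md:NameIDFormat", NS)],
        "certs": certs,
    }


def check_trust_config(sp, idp_signs_assertions, idp_encrypts_assertions, idp_name_id_format):
    """List mismatches between the SP metadata and the IdP-side trusted-provider settings
    (idp_signs_assertions is "always" or "never", as chosen on the NWA trust entry)."""
    problems = []
    if sp["want_assertions_signed"] and idp_signs_assertions == "never":
        problems.append("SP requires signed assertions but the IdP is set to never sign them")
    if sp["authn_requests_signed"] and not {"signing", "both"} & set(sp["certs"]):
        problems.append("SP signs AuthnRequests but its metadata carries no signing certificate")
    if idp_encrypts_assertions and not {"encryption", "both"} & set(sp["certs"]):
        problems.append("IdP encrypts assertions but SP metadata carries no encryption certificate")
    if sp["name_id_formats"] and idp_name_id_format not in sp["name_id_formats"]:
        problems.append("IdP Name ID format is not one the SP advertises")
    return problems
```

An empty list means the trust entry is consistent with what the service provider declares; each reported string names one setting to change on either side.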
D. Enabling the Service Provider (SAP Cloud for Customer)
1. Choose SAML 2.0 --> Trusted Providers.
2. Open the dropdown box of the trusted providers in the field Show.
3. Choose Service Providers.
4. Choose Edit.
5. Go to the Identity Federation tab.
6. Choose Add.
7. In the Name ID Format dialog box, open the dropdown box of Name ID format in the field Format Name.
8. Choose Unspecified.
9. Enter Logon ID in the field Source Name.
10. Choose OK.
11. Choose Save on the Trusted Providers tab.
12. Choose Enable.
Configurations in SAP Cloud for Customer (SAP C4C)
A. Trusting the Identity Providers (IDP)
The following configurations are the prerequisites for the service provider to trust the identity provider.
Downloading the metadata XML file from an identity provider
1. Start SAP NetWeaver Administrator on the AS Java where the identity provider is configured with the quick link https://<hostname>:<port>/nwa. For an internet-facing scenario, access NWA through the hostname and port that you configured on the reverse proxy server, because the endpoint URLs written into the XML metadata file used for SAML authentication are derived from that address.
2. Go to the SAML 2.0 tab.
3. Choose the Local Provider page under SAML 2.0.
4. Choose Download Metadata.
5. Open the link Download Metadata.
6. Save the XML file in your local folders.
7. Choose Close.
Downloading certificate from an identity provider
1. Start SAP NetWeaver Administrator on the AS Java where the identity provider is configured with the quick link https://<hostname>:<port>/nwa.
2. Choose the Go To menu.
3. Choose Configuration --> Security --> Certificates and Keys --> Key Storage.
4. On the Key Storage tab, select the view "SAML2".
5. Choose the entry you generated in the Details list of the view "SAML2".
6. Choose Export Entry.
7. In the Export Entry To File dialog box, choose Base64 X.509 in the field Select export format.
8. Choose the Download link for the X.509 certificate file.
9. Save the certificate file in your local folders.
B. Adding an Identity Provider into Trust List in SAP Cloud for Customer
1. Navigate to the following Work Center View.
   Work Center: APPLICATION AND USER MANAGEMENT
   View: COMMON TASKS --> Configure Single Sign-On
2. Choose My System.
3. Under General --> Download Metadata, depending on the type of metadata acceptable to your identity provider, choose either of the following:
   a. SP Metadata (Service Provider Metadata)
   b. STS Metadata (Security Token Service Metadata)
4. Save the XML file to your local workspace for upload into the identity provider.
5. Select the Manual Identity Provider Selection check box.
6. For the field URL Sent to Employee, choose Automatic Selection.
7. Choose the Identity Provider tab and then choose New Identity Provider.
8. Upload the metadata XML file that you downloaded from your identity provider system. By importing the metadata, the system automatically uploads the required signature certificate and encryption certificate.
9. Choose Activate Single Sign-On and then choose Save to save the changes.
10. Confirm the pop-up window by choosing OK.
Reference link for more details on SSO with SAML 2.0:
https://wiki.scn.sap.com/wiki/display/Security/Single+Sign-On+with+SAML+2.0