Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Showing results for 
Search instead for 
Did you mean: 
donka_dimitrova
Contributor


How to “exchange” a SAML assertion for an X.509 client certificate and to implement end-to-end single sign-on also for non-SAML systems in a SAML enabled network.

If SAML (Security Assertion Markup Language) is the single sign-on technology of choice for your corporate but you are still running applications that accept only X.509 client certificates, we have already a simple solution for you. With the latest patch of the SAP Single Sign-On 2.0 SP04 (Patch1), we offer out of the box authentication with SML assertions to the Secure Login Server (SLS). This way you will be able to implement SP-initiated Single Sign-On and to request an X.509 client certificate via Secure Login Web Client to Secure Login Server by offering a SAML assertion for authentication.

See the authentication flow in the following diagram:



Please, find also the prerequisites and the implementation steps necessary to implement this scenario:

Prerequisites:




Implementation steps:




  1. Configure the mutual trust between the SAML Identity Provider and the SAML Service Provider (host of the Secure Login Server).

    1. Configure the SAP NetWeaver AS Java, where your Secure Login Server is running, to be a SAML Service Provider and to trust the SAML IDP of your company (for example SAML IDP of the SAP Single Sign-On product).

    2. Configure your SAML IDP to trust as a Service Provider the SAP NetWeaver AS Java, where your Secure Login Server is running. If you are using SAML IDP from SAP Single Sign-On 2.0, you can find here more details how to add a service provider.



  2. Create a policy configuration for the SAML 2.0 authentication using a SAML 2.0 login module (for example SAML2LoginModule) on the SAP NetWeaver AS Java.

  3. In the Secure Login Administration Console configure a Secure Login Web Client (SLWC) authentication profile for SAML 2.0 that points to the policy configuration for SAML 2.0 login module, created on step 2. For more details how to do this, see Configuring SAML 2.0 Authentication in the Secure Login Server.

  4. Configure the SLWC authentication profile to use the standard SAP NetWeaver login screen - set for the parameter Use Standard Authentication Form the policy configuration name, created on step 2. This parameter determines whether or not a browser presents the standard authentication form of the SAP NetWeaver AS for Java to the user.


This parameter is important when you are using SAML 2.0 authentication with SLWC because it enables the Secure Login Server to communicate with the identity provider that provides the users' identities. Whenever users start the SLWC, they can choose the identity provider that manages the users' identity information and authentication. For more details, see Parameters for User Authentication (Table 2 - Secure Login Web Client)


 



12 Comments
Former Member
0 Kudos

Hi team, I’d like to know if is possible to have this SSO scenarios implemented in SAP NW 7.4:

  • SSO implemented in two domains, with two different IDP.

  SSO for the users that belongs to domain1 and LDAP (Form, Basic authentication) for the users of the other, domain2.

Colleen
Product and Topic Expert
Product and Topic Expert
0 Kudos

Hi

This is a nice high level visual of the process. Thanks :smile:

It is possible for a redirect from NWBC login prompt to the SLWC so users don't need to do two steps to access their applications?

Regards

Colleen

Former Member
0 Kudos

You could configure the ICF node (ext. alias /nwbc) to use SAML as logon procedure in the Logon Data tab or you could use the Error Pages tab and configure a redirect to a specific logon page, which in this case would be SLWC.

Colleen
Product and Topic Expert
Product and Topic Expert
0 Kudos

Hi Samuli

Thanks for your reply. I forgot to mention that part of the Secure Login Server authentication was to issue private certificate to IE browser content. I was told that they cannot do that via the ICF configuration for NWBC logon procedure.

In truth, I cannot remember which functionality required X509 instead of just SAML

Regards

Colleenn

Former Member
0 Kudos

Hello Team,

I need some help here.

I want to use IDM 8 as identity provider with NW SSO, similar to above.

and then SSO will allow access to SAP systems.

Could you please explain if having just IDM 8 as user source is sufficient?

Regards,

Yatin Phad

donka_dimitrova
Contributor
0 Kudos

Hello Yatin,

This will be possible if you are using the SAP Single Sign-On product (license required). The SAP Single Sign-On offers a Secure Login Server that issues X.509 client certificates. The Secure Login Server is running on AS Java and when you provision your SAP IDM users to AS JAVA UME it will be possible to implement single sign-on based on X.509 client certificates to SAP systems. This scenario will be working also for Windows based UIs like SAP GUI. If you are using only web UIs for SAP, then you can use also the SAML Identity Provider in a similar way because also the SAML IdP could use the AS JAVA UME as user store.

Regards,

Donka Dimitrova

former_member670138
Discoverer
0 Kudos
Hi Donka DImitrova,

 

We are replacing an existing SSO solution (Smartcard based PKI ) with SAP Secure Login Server based SSO.

As we are not going to roll out the SAP Secure Login based SSO for all the systems at a time , we need both the SSO solutions to co-exist. ( for ex: all dev and QA using SSLS for testing  and other systems using existing Smart Card PKI SSO ).

We understand that secure login client can act as a container for multiple client certificates and it can be used to configure multiple solutions in parallel.

We have configured java script web client group ( Jave Script  Web Adapter) ( using SAML Authentication Profile) to issue the x.509 certificate.

Unfortunately all  our SAP ABAP Systems are being redirected to use the SSLS Web Adapter Certificate. But we do make a set of systems use the certificate issued by Smart card PKI and the rest of the systems to use SSLS issued certificate?

Is there a way to define a sequence of the certificate to be used by the SAP GUI SNC?

How do we control the certificate to be used by the SAP GUI SNC Session out of all the available certificates in the Secure Login Client?

Implementation guide claims that the secure login client is capable of supporting multiple scenarios but that is not working in our case.

Could you please advise

 

Thanks in advance.
0 Kudos
Hi,

 

This scenario is still  available within SSO 3.0 and Azure AD?

I already have installed SSO 3.0 but we have not authentication with Azure AD SAML2.

 

Best regards,

 
0 Kudos
Hi Donka,

The link mentioned in Implementation steps 1 a is invalid, could you please make a update?

Regards,

Ning
donka_dimitrova
Contributor
0 Kudos

Hi!

If you are looking at this step:

  1. Configure the SAP NetWeaver AS Java, where your Secure Login Server is running, to be a SAML Service Provider and to trust the SAML IDP of your company (for example SAML IDP of the SAP Single Sign-On product).

The link points to the documentation for Configuring AS Java as a Service Provider | SAP Help Portal and it is valid.

Regards,

Donka

seshukoti
Explorer
0 Kudos
Hi,

I followed your other blog and configured SPNEGO-Based Single Sign-On for X.509 and it is working fine with out any issues. Thank you for the detailed document provided for the same.

But when i tried to configure the secure login webclient using SAML (using cloud IDP) I am facing below issues. Unfortunately i dont have much clarity how it works also. Can you please help or provide some link with detailed steps.

  1. The enrollment URL in SLC is not coming automatically

  2. Secure login client(SLC) is not launching the webclient URL in browser even after adding the URL in SLC and selected groups (SLC->file->options->policy groups).

  3. If i double click on the manually added profile above to login, but it is giving below message(mentioned in screen shot)but not launching URL in browser

  4. I tried both IE and chrome browsers


Note : SSO 3.0 installed and configured SAML2 with cloud IDP

Thank you.


 

Best regards

 
Martina_K
Product and Topic Expert
Product and Topic Expert
0 Kudos
Hi Nagaseshu,

We no longer recommend the solution using the Secure Login Web Client. The Secure Login Web Client is a component of the SAP Single Sign-On product which will go out of mainstream maintenance end of 2027.

Earlier this year we launched the successor solution called SAP Secure Login Service for SAP GUI. This new solution offers much better integration with an identity provider. You will find more information here:

https://community.sap.com/topics/single-sign-on

Best regards,

Martina