Starting from NetWeaver SAP Enterprise Portal 7.5 SP19, you can run portal content (iViews and Pages) from SAP Cloud Platform Launchpad.
For more information, see:
Enterprise Portal as Content Provider to SAP Cloud Platform Launchpad.
Federation of Remote Content Providers
Single Sign-On (SSO) is one of the tasks in implementing a production scenario, and I would like to explain how to configure SSO between SAP Cloud Platform Launchpad (Launchpad) and Enterprise Portal (EP).
There are two ways to configure connectivity:
- Direct access (Direct EP): Enterprise Portal is accessed directly from the Internet, meaning the Enterprise Portal system is exposed to external access.
- Tunneled access (Tunneled EP): Enterprise Portal is accessed only from the internal network and requires setting up the Cloud Connector (CC).
I will explain the SSO settings for Direct access.
To achieve SSO, I am using the following example landscape, in which SAP Cloud Platform Launchpad and Enterprise Portal share the same user persistence: the corporate LDAP system, which is connected via an Identity Provider (IDP).
Involved components
As prerequisites I will assume that:
1. All required installations and the account/subaccount exist (the Tunneled access scenario additionally requires a CC installation).
2. Admin access to manage the required settings exists for all installations.
3. The EP role content is exposed via a Content Provider to SAP Cloud Platform Launchpad.
4. The exposed EP role is added to the site content.
5. The end user is assigned to the exposed EP role. See the How-To and details for steps 3, 4 and 5 here.
6. idp.ondemand.com is trusted by the external corporate IDP (see the Involved components diagram), that is, trust between the IDP (idp.ondemand.com) and the Corporate IDP (account...sap.com = idp.acme.com) has been established under Corporate Identity Providers, as shown in the picture below.
Corporate Identity Providers
*******************************************************************
SSO for Direct scenario:
You need to establish SSO between SAP Cloud Platform Launchpad and Enterprise Portal, so that when users log on to SAP Cloud Platform Launchpad they can run Enterprise Portal content without logging on again. This requires two trust relationships:
- Establish trust between subaccount and IDP
- Establish trust between Enterprise Portal and IDP
To establish trust between the subaccount and the IDP, do the following:
1. Log in to SAP Cloud Platform Cockpit as subaccount admin and open Trust Configuration. You can establish trust by clicking Establish Trust and choosing the required IDP from the list that opens, or by configuring the trust manually. Click SAML Metadata and save the downloaded file for further processing.
Establish trust
2. Open the IDP with your admin user/password and create a new application (see below), here named directep.
create new application
3. Select SAML 2.0 Configuration and upload the downloaded subaccount metadata file.
4. In the created application, select Conditional Authentication.
5. Select the trusted corporate identity provider as Default Identity Provider and select "Allow users stored in Identity Authentication service to log on."
Now the subaccount has established trust with the IDP; you can see it in the Trust Configuration of your subaccount in the SAP Cloud Platform cockpit. Activate it there and set Default SAP ID Service to inactive. See the example in the Establish Trust screenshot above.
To establish trust between Enterprise Portal and the IDP:
- Log on to SAP NetWeaver Administrator (NWA).
- Open Authentication and Single Sign-On: SAML 2.0.
- Create a local Service Provider; you can find the different scenarios here.
EP Service Provider
With Enterprise Portal configured as a Service Provider:
- Click Download Metadata and save the downloaded file. Check that the file is not empty, because some browsers produce an empty download.
- Open the IDP again and create a new application for Enterprise Portal. Configure it the same way you did for the subaccount, but use the SAML metadata file from Enterprise Portal.
- In the IDP, go to Tenant Settings, choose SAML 2.0 Configuration and download the IDP metadata.
- Go to NWA and click Trusted Providers. Add a trusted provider by uploading the IDP metadata file.
Trusted provider
Trusted providers
Choose Identity Federation and configure "Supported name ID formats".
In my case the Enterprise Portal is connected to the corporate LDAP, and the external corporate IDP is connected to the same LDAP.
The user identifier in Enterprise Portal is the Logon ID, while the IDP uses the email address. If a client certificate is needed later (Tunneled scenario with Cloud Connector), the mapping of email to user can be configured in the login module settings.
Identity Federation
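Both the "check that the downloaded file is not empty" step and the Supported name ID formats setting come down to what is inside the SAML metadata you exchange between subaccount, IDP and Enterprise Portal. The following is an added example, not code from the original post or from SAP: a small Python check that parses a metadata file, rejects an empty download, and reports the entityID, NameID formats, signing certificate and endpoints, run here on a constructed SP metadata sample with a placeholder host and certificate.

```python
# Added example: inspect a downloaded SAML 2.0 metadata file (SP or IDP side).
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def inspect_saml_metadata(xml_text: str) -> dict:
    """Facts to eyeball before upload; raises ValueError on the empty-download
    case the post warns about, or if the file is not an EntityDescriptor."""
    if not xml_text or not xml_text.strip():
        raise ValueError("metadata file is empty; download it again")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor: %s" % root.tag)
    sp = root.find("md:SPSSODescriptor", NS)
    role = sp if sp is not None else root.find("md:IDPSSODescriptor", NS)
    if role is None:
        raise ValueError("no SP or IDP role descriptor in metadata")
    # A KeyDescriptor without a 'use' attribute covers both signing and encryption.
    has_cert = any(
        kd.get("use") in (None, "signing")
        and kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None
        for kd in role.findall("md:KeyDescriptor", NS))
    endpoints = role.findall("md:AssertionConsumerService", NS) + \
        role.findall("md:SingleSignOnService", NS)
    return {
        "entity_id": root.get("entityID"),
        "role": "SP" if sp is not None else "IDP",
        "name_id_formats": [e.text.strip() for e in role.findall("md:NameIDFormat", NS)],
        "has_signing_cert": has_cert,
        "endpoints": [e.get("Location") for e in endpoints],
    }

# Constructed sample resembling an EP service-provider export (placeholder host and cert).
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://ep.example.invalid/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB...PLACEHOLDER...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://ep.example.invalid/saml2/sp/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
```

Run it against the real files you downloaded from NWA and the IDP; if the emailAddress format is not listed on the EP side, the Identity Federation setting above is where it gets added.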
Authentication:
To configure the authentication login modules to use SAML, open Authentication. In the example below the authentication stack is "ticket". I will change "ticket" and add SAML2LoginModule. See more here.
Add SAML2 module to the authentication stack
Once the Service Provider and the trusted provider are activated, the trust is ready to use.
That’s all for Direct access scenario SSO.