Technology Blogs by Members
Explore a vibrant mix of technical expertise, industry insights, and tech buzz in member blogs covering SAP products, technology, and events. Get in the mix!
Showing results for 
Search instead for 
Did you mean: 

System Landscape

SAP Netweaver Portal 7.3 SPS 7

SAP HR 604  SP 0061

EA HR 605 SP 0038

General Recommendations

SAML requires Single Sign On with a 2048 Bit certificate.

Enable trust between Backend and Portal using 2048 bit certs

Logon to http://host:port/nwa

Navigate to Configuration > Security > Certificates and Keys > Ticket Keystore

Delete entry SAPLogonTicketKeypair and SAPLogonTicketKeypair-cert

Click on Create to create a new SAPLogonTicketKeypair:

In the popup name the new entry SAPLogonTicketKeypair, be sure that the algorithm is DSA and the checkbox Store Certificate is checked

In the next step fill the form according to your company needs and click Finish:

Now export the newly created TicketKeypair and import it to your backend system (according to the release you have to import in client 000 or the production client (check for messages when opening TA strustsso2))

Also do this the other way round:

Export the backend certificate and import it into your portal.

Preparing the backend for SAML Authentication

In your backend system you have to run the report WSS_SETUP

Go to transaction SA38 and run WSS_SETUP, the program creates a user DELAY_LOGON, this user is used for any Webservice using Message Based Authentication for example SAML Authentication. The ICF Framework cannot acces SOAP Messages, that's why you first get logged in with the Delay Logon user and afterwards it switches to the user maintained in table USREXTID.

Maintain users for table usrextid:

Goto transaction SM30 and maintain table rsusrextid:

Add new entries:

The external ID has to be set as follows Issuer:ExtUserID, in the field user the mapped backend user has to be maintained.

Sample Entry in Table usrextid

the following Screenshot shows a sample entry of the user mapping table usrextid

Set the SAML Issuer

Logon to http://host:port/nwa

Navigate to Configuration > Security > Trusted Systems > Web Service Security SAML > Local SAML Attesters

Confifure the Services

In the backend system call Transaction soamanager to maintain your webservice, you have to select the checkbox single sign on with saml

On the portal side we implemented consumer proxies to consume the webservices provided by the backend system. To maintain the consumer proxis logon to http://host:port/nwa and navigate to SOA > Application and Scenario Communication > Single Service Administration > Consumer Proxies


Labels in this area