
SAML2.0 authentication with Portal

Former Member
0 Kudos

Hi,

I'm looking for the right way to change SAP Portal SSO authentication from tickets (which are set up by default) to SAML2.0.

For now I changed the default authentication stack to the custom one which includes SAML2LoginModule. And when I'm accessing the Portal it calls the SAML authentication. I mean that the IdP login screen appears and I can enter credentials, but when the IdP redirects me back to the Portal another login screen appears and I need to provide credentials here too.

Please give me some clue on how this should be properly configured or why I get such behaviour with two login screens.

Thanks,

Andrei

4 REPLIES 4

0 Kudos

Hi Andrei,

The fact that the second logon screen appears means that SAML 2.0 authentication was not successful. What is the version of NetWeaver you are using?

Here are some things you can check:

1. Signature/encryption requirements

For example, if SP requires that SAML2 assertions are signed but IdP does not sign them, authentication at SP will fail.

If SP requires that SAML2 assertions are encrypted but IdP does not encrypt them, authentication at SP will fail.

2. Name ID formats

Check what is the Name ID format and Name ID value identity provider sends to service provider. Check the "Identity Federation" configuration at SP side.

When SP receives the Name ID value, it tries to find a user using this value. SP first checks the configuration so that it knows how to interpret this value.

Example: If Name ID format is "unspecified" and IdP sends "abc" as Name ID value, SP will first check the configuration to see if this Name ID format is configured as supported. If it is not supported, authentication will fail. In case, it is supported, SP will check what this value should mean. Let's say that SP configuration for "unspecified" Name ID format says that the source is "Logon ID". In this case, SP will try to find a user with logon ID "abc". If user with the specified logon ID does not exist, logon screen of the SP will be shown.

Here are some links:

[Name ID formats related documentation|http://help.sap.com/saphelp_nw72/helpdata/en/a9/e287475d544cdaa63e884180d6c23f/content.htm]

[Starting point of SAML 2.0|http://help.sap.com/saphelp_nw72/helpdata/en/46/631b92250b4fc1855686b4ce0f2f33/content.htm]

[Single Sign-On with SAML 2.0 wiki|http://wiki.sdn.sap.com/wiki/display/Security/SingleSign-OnwithSAML2.0]

Best regards,

Desislava
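The two failure paths Desislava lists (signature/encryption requirements not met, and a Name ID the SP cannot map to a user) can be modelled as a short decision procedure. The following is an added illustration, not SAP's own code: the `Assertion` and `SPConfig` structures, the `evaluate` function, the short Name ID format names and the sample user table are all assumptions constructed for the example. It returns the reason a logon would fall through to the SP's own login screen, which is the information you would want in the SP log when diagnosing the "second login screen" symptom.

```python
"""Model of the SP-side checks a SAML 2.0 logon goes through before a user is found.
Added example; the data structures and the configuration shape are assumptions,
not the NetWeaver SAML2 implementation."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Assertion:
    """The parts of an incoming SAML assertion that matter for the checks below."""
    signed: bool
    encrypted: bool
    name_id_format: str   # short form, e.g. "unspecified" or "emailAddress"
    name_id_value: str


@dataclass
class SPConfig:
    """Service-provider settings: signing/encryption requirements plus the
    Identity Federation table that maps a Name ID format to a user attribute."""
    require_signed_assertions: bool
    require_encrypted_assertions: bool
    name_id_sources: dict  # {name_id_format: attribute used to look the user up}


# Constructed sample configuration: signatures required, encryption not,
# "unspecified" Name IDs are interpreted as the logon ID, email Name IDs as email.
SP_CONFIG = SPConfig(
    require_signed_assertions=True,
    require_encrypted_assertions=False,
    name_id_sources={"unspecified": "logon_id", "emailAddress": "email"},
)

# Constructed sample user store (what the SP would look up in UME).
USERS = [
    {"logon_id": "abc", "email": "abc@example.invalid"},
    {"logon_id": "jdoe", "email": "jdoe@example.invalid"},
]


def evaluate(cfg: SPConfig, assertion: Assertion, users: list) -> Tuple[Optional[dict], str]:
    """Return (matched_user, reason). matched_user is None whenever the SP would
    reject the assertion and show its own logon screen instead."""
    # 1. Signature / encryption requirements from the reply's first point.
    if cfg.require_signed_assertions and not assertion.signed:
        return None, "assertion is not signed but SP requires signed assertions"
    if cfg.require_encrypted_assertions and not assertion.encrypted:
        return None, "assertion is not encrypted but SP requires encrypted assertions"

    # 2. Is this Name ID format configured as supported at all?
    source = cfg.name_id_sources.get(assertion.name_id_format)
    if source is None:
        return None, f"Name ID format {assertion.name_id_format!r} is not configured as supported"

    # 3. Interpret the value according to the configured source and find the user.
    for user in users:
        if user.get(source) == assertion.name_id_value:
            return user, "ok"
    return None, (f"no user with {source}={assertion.name_id_value!r}; "
                  "SP logon screen will be shown")


if __name__ == "__main__":
    cases = [
        Assertion(True, False, "unspecified", "abc"),      # succeeds
        Assertion(False, False, "unspecified", "abc"),     # unsigned -> rejected
        Assertion(True, False, "persistent", "abc"),       # format not supported
        Assertion(True, False, "unspecified", "nobody"),   # user not found
    ]
    for case in cases:
        user, reason = evaluate(SP_CONFIG, case, USERS)
        print(f"{case.name_id_format}/{case.name_id_value}: {reason}")
```

Running the block prints one line per case; the only successful case is the signed assertion whose "unspecified" Name ID "abc" matches a logon ID, exactly the walk-through in the reply. Everything else ends at the SP login screen, and the returned reason tells you which of the three steps failed.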

0 Kudos

Hi Desislava,

Thank you for the answer! I'm using Netweaver 7.3.

This is not a saml configuration issue, because I can successfully login to other applications with saml.

Actually I found a temporary solution for the Portal which meets my needs. I replaced the modules in the standard "ticket" authentication stack with SAML2LoginModule. It works fine (without additional logon screen), but there are two disadvantages:

1. SAML is applied for all applications which use default login context (like Netweaver web interface);

2. It is not right to replace login modules in the ticket stack.

Do you know for which exact portal components I need to assign saml login module?

Thanks,

Andrei

0 Kudos

Hi,

You just add the module SAML2LoginModule to the authentication stack. You need to [modify authentication policy|http://help.sap.com/saphelp_nw73/helpdata/en/4a/734e26fa92731fe10000000a42189c/frameset.htm] for selected Java components. Check also this [section|http://help.sap.com/saphelp_nw73/helpdata/en/bf/b0b879544740c8a3c8bdda87e50587/frameset.htm] of the documentation.

Cheers

0 Kudos

Hi Andrei,

As far as I understand, you would like Portal to be configured with SAML 2.0 authentication and NetWeaver Administrator to have authentication as in ticket template, right?

If this is the case, you can do the following:

1. Create your own template [http://help.sap.com/saphelp_nw73/helpdata/en/68/2416ddde30419c900078c9b475dc80/content.htm] and configure it to have the authentication stack you need.

2. Search for policy configuration with name "default". You will see that its used authscheme is "uidpwdlogon".

Search for "uidpwdlogon". Change its used template to be the one you have created in the previous step.

Thus, when accessing the portal, you will have the authentication as specified in your own template.

Useful links:

[Portal authentication infrastructure|http://help.sap.com/saphelp_nw73/helpdata/en/a3/e5a0404dd52b54e10000000a1550b0/frameset.htm]

[Authentication Mechanisms|http://help.sap.com/saphelp_nw73/helpdata/en/f0/a37642ac86d142e10000000a1550b0/frameset.htm]

[Authentication schemes|http://help.sap.com/saphelp_nw73/helpdata/en/53/a87642ac86d142e10000000a1550b0/content.htm]

Regards,

Desislava