SSO to 3rd party portal using SAML

Former Member
0 Kudos

Hi,

We have a SAP portal on 7.01 SP6. We would like to provide a link in our portal to connect to a 3rd party KM portal that supports SAML.

How can we achieve this?

I read in this link (http://help.sap.com/saphelp_nw04s/helpdata/de/94/695b3ebd564644e10000000a114084/content.htm) that "The AS Java accepts SAML assertions for Single Sign-On. However, it cannot act as an SAML authority that issues such assertions."

Does this mean that we can't use SAP portal 7.01 to SSO to a 3rd party portal that supports SAML?

Thanks,

Ajay

1 ACCEPTED SOLUTION

Former Member
0 Kudos

If you have a 7.10 Java system, then why are you reading the nw 2004s documentation?

That is the problem...

Note: Logistically the SAML 2.0 IdP is shipped with the IdM, but I guess you could install an IdM on your portal to make it work.

Cheers,

Julius

7 REPLIES 7

0 Kudos

Hi Julius,

What we have is a 7.01 system, not 7.10 system. That was why I was going through the nw2004s help docs.

Can IDM be installed on 7.01 portal to make the SSO connectivity to 3rd party portal work?

Thanks,

Rishi

0 Kudos

No, 7.2 release is required for Identity Provider.

Cheers

0 Kudos

So is there any way we can configure SSO with a 3rd party portal from SAP portal 7.01 without upgrading to 7.02 or 7.3?

Thanks,

Rishi

0 Kudos

I said 7.2, not 7.02. Anyway, just to summarize: SAP provides a SAML Identity Provider, which is part of the SAP NetWeaver IdM product. I believe that implementing this solution would also have a licensing impact. The technical requirement is that you need Java AS 7.2 or higher. I was bummed when I realized that I can't deploy it to my IdM sandbox system that is running on 7.1.

I assume that you want to authenticate against your portal. In that case I don't think that you can achieve this with your current landscape. So you can try to use another technology instead of SAML. SAP provides a library that allows you to verify SAP logon tickets. So if you have an option to write a custom logon module in your 3rd party app, then you can try to reuse these tickets instead of SAML. It's not a future-proof solution (SAML would be much better).

Another solution could be to rethink your current landscape. Maybe you can deploy a new system for the identity provider and use the portal and the 3rd party app just as service providers.

Cheers

0 Kudos

Hi Ajay,

To achieve SSO to a third-party system using SAML 2.0 without upgrading your portal system, you may install a new NetWeaver Java system 7.3, which will act as an intermediate system between the SAP Portal and the third-party portal. It will be the identity provider for the third-party system. So, the scenario could be the following:

1. Users authenticate at the SAP Portal and an SAP Logon ticket is issued.

2. The user clicks a link which points to the third-party system (service provider).

3. As there is no session yet, the service provider sends an authentication request to the identity provider (NetWeaver Java system 7.3).

4. The NetWeaver Java system 7.3 (identity provider) authenticates the user based on the SAP Logon ticket issued by the SAP Portal 7.01 (the Java system trusts the portal) and returns a SAML 2.0 response to the third-party system (service provider).

5. The service provider (third-party system) evaluates the SAML 2.0 response, authenticates the user and returns the requested resource.

Regards,

Desislava

Edited by: Desislava Petkova on Oct 5, 2011 4:40 PM
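
Step 5 of the scenario above, sketched as an added example (not part of the original thread and not SAP or vendor code): the checks a service provider applies to the identity provider's SAML 2.0 response once its XML signature has been verified. The entity IDs, URLs, request ID and sample response are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def _ts(value):  # SAML instants are UTC, e.g. 2011-10-05T13:40:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, idp, sp_entity_id, acs_url, request_id, now):
    """Return a list of problems (empty = accepted). Assumes the XML signature was
    already verified against the IdP certificate by a vetted XML-DSig library."""
    if "<!DOCTYPE" in xml_text:  # refuse DTDs and entities in untrusted XML
        return ["DOCTYPE not allowed"]
    resp, problems = ET.fromstring(xml_text), []
    if resp.get("Destination") != acs_url:
        problems.append("wrong Destination")
    if resp.get("InResponseTo") != request_id:
        problems.append("InResponseTo does not match our request")
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no assertion"]
    if assertion.findtext("saml:Issuer", "", NS) != idp:
        problems.append("untrusted Issuer")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return problems + ["no Conditions"]
    nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    # Strict policy chosen for this example: a missing bound counts as invalid.
    if not (nb and na and _ts(nb) <= now < _ts(na)):
        problems.append("outside validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append("audience mismatch")
    return problems

# Constructed sample response (hypothetical IdP and SP names, signature omitted).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1"
 InResponseTo="_req42" Destination="https://km.example.com/saml/acs">
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<saml:Assertion ID="_a1"><saml:Issuer>https://idp.example.com</saml:Issuer>
<saml:Conditions NotBefore="2011-10-05T13:35:00Z" NotOnOrAfter="2011-10-05T13:45:00Z">
<saml:AudienceRestriction><saml:Audience>https://km.example.com</saml:Audience></saml:AudienceRestriction>
</saml:Conditions></saml:Assertion></samlp:Response>"""
```

The `request_id` is the ID the service provider put in its own authentication request in step 3, so a response that was not solicited by this session is rejected.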

former_member183915
Active Contributor
0 Kudos

Hi Ajay,

Were you able to achieve this requirement?

Regards,

Navya.