
GWPAM SAML SSO with Microsoft Active Directory Federation Server (ADFS)

former_member186439
Participant
0 Kudos

The GWPAM documentation mentions SAML 2.0 based single sign-on is supported. However, the details are a bit vague. We currently have federation configured between our NetWeaver Gateway system and a Microsoft ADFS system. In other words, ADFS is our Identity Provider. Will GWPAM SSO support this configuration?

Accepted Solutions (1)

former_member186439
Participant
0 Kudos

I guess I'll answer my own question.

More details are available in the Self-Paced learning: https://scn.sap.com/docs/DOC-48351. Unfortunately, most of the screenshots are unreadable.

Is anyone out there responding to GWPAM questions?

Former Member
0 Kudos

Hello,

SAP NetWeaver Gateway supports SAML 2.0 Browser SSO with ADFS as an IdP. You may find some helpful information in the Security Guide:

https://help.sap.com/saphelp_gateway20sp06/helpdata/en/42/f6b2669eb7477bb65a1722d99959b2/frameset.ht...

https://help.sap.com/saphelp_gateway20sp06/helpdata/en/c9/5f3f6b39724a4a91dcdfd05745e8e7/frameset.ht...

On the ADFS side, Gateway is configured as a standard relying party; I would recommend using Artifact Binding.

If you need more information, you are welcome to contact me directly.

Regards,

Genady

Former Member
0 Kudos

Hi Genady,

We're looking into the SAML2 authentication for Gateway for Microsoft Excel. I've set the config dll file to SAML20, and enabled SAML2 in NetWeaver Gateway, but it seems that the default when I bind just goes to basic authentication, and I'm never prompted to select another authentication type.

Where would I see an option for SAML2?

Former Member
0 Kudos

Hi Gavin,

I would recommend that you first set up SAML on your Gateway box and test it from a browser.

Please refer to the Gateway links above or the standard SAML setup on the ABAP server.

By default, SAML is enabled on the ICF node, so double-check that it is in the current login module list.

You may check DIAG_TOOL at /sap/bc/webdynpro/sap/sec_diag_tool for more details.

Once it's working from the browser, you may switch to Excel.

Regards,

Genady

Former Member
0 Kudos

Thanks Genady -- those tips should definitely help.

Can you clarify though how the user experience would work? Would the user in Excel get a pop-up with the federated authentication in a sort of browser? It seems like there is very little configuration for this item, and that it's simply ignoring my reference to use SAML20 instead of basic.

Former Member
0 Kudos

You should configure your ADFS server to use Integrated Windows Authentication. That results in user credentials (Kerberos ticket) being automatically passed to the server without any popup.

I would recommend using diag_tool for flow tracing.

Answers (0)