on 02-17-2015 12:52 PM
Hi All,
I have the following question regarding NW SSO with SAML and Active Directory Domain:
Best regards,
Duy
Dear Duy,
SAML provides a standard for cross-domain Single Sign-On (SSO), so from this point of view, the SAP AppServer should be placed in a domain
http://wiki.scn.sap.com/wiki/display/Security/Single+Sign-On+with+SAML+2.0
For Identity Federation, please check:
https://help.sap.com/saphelp_nw73/helpdata/en/2e/25659ad6834ce5b7f6c394fca79ee3/content.htm
https://help.sap.com/saphelp_nw73/helpdata/en/17/6d45fc91e84ef1bf0152f2b947dc35/content.htm
Regards,
Adrian
Dear Duy,
Basically, in order to ensure that SAML-enabled systems are only passing information between trusted sources, you must create a trust relationship between the applications that are sending and receiving information. Instead of a host of one-to-one trust relationships between a client and the systems in your landscape, SAML 2.0 enables you to create a star-based trust relationship, with an identity provider at its center. All service providers trust the identity provider and rely on the identity provider to authenticate users before providing access to a resource. There is no requirement for user IDs (and passwords) to be identical between the identity provider and any service providers.
More information: SAML 2.0 - http://help.sap.com/saphelp_nw70ehp2/helpdata/en/17/6d45fc91e84ef1bf0152f2b947dc35/content.htm
Trusting a Security Token Service - http://help.sap.com/saphelp_nw70ehp2/helpdata/en/e0/efe61f938e4ab19471c64b1a2268e4/content.htm
Regards,
Adrian
Hi,
I have gone through all the links that you included from the beginning, but it's not clear how SSO based on SAML works in an MS domain environment. I understand the connection and trust relationship between the service provider (SAP Application Server) and the identity provider (NW IDM Federation). However, the connection to the authentication server, in this case Microsoft Active Directory, is not clear or explained in the links I read in the SAP Help Portal. The questions still remain:
Regards,
Duy
Hi Duy Le,
We have just implemented a single sign-on scenario (identity and service provider) with SAP-only machines, and now we are evaluating whether the SAP identity provider could also authenticate the user against an Active Directory. Did you have any further success or information in your research? Thanks in advance.
Regards,
Julian
Hi,
The AS Java server, where the IDP is installed, is not required to be joined to any MS domain. The only requirement is that its UME (User Management Engine) is configured against the AD server(s) which you would like to use for username/password verification and retrieving user details. The IDP is using the UME of the underlying AS Java to check user credentials and to retrieve user details.
Active Directory is an LDAP-compliant server, so you should check the following documentation on how to change the UME data source of your AS Java system - LDAP Directory as Data Source - Identity Management - SAP Library.
Regards,
Dimitar
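To make the flow described in the two answers above concrete (the IdP verifies the password against the directory its UME points at, then issues an assertion; the SP trusts only the IdP and maps the federated identity to a local user without any shared password), here is an added toy model. It is not SAP code: the directory is a constructed in-memory stand-in for AD, and an HMAC over a JSON body stands in for an XML-DSig signed SAML assertion.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the AD the UME would query over LDAP (sAMAccountName -> entry).
DIRECTORY = {
    "jdoe": {"password": "s3cret", "mail": "jdoe@corp.example", "displayName": "John Doe"},
}

IDP_ID = "https://idp.example/saml2/idp"   # assumed IdP entity id
IDP_KEY = b"idp-signing-key"               # toy key shared with every SP that trusts this IdP

def idp_authenticate(username, password, audience, now=None):
    """IdP side: check credentials against the directory, then issue a signed assertion."""
    entry = DIRECTORY.get(username)
    if entry is None or not hmac.compare_digest(entry["password"], password):
        return None
    now = now or int(time.time())
    assertion = {"issuer": IDP_ID, "audience": audience, "name_id": entry["mail"],
                 "not_before": now, "not_on_or_after": now + 300}
    body = json.dumps(assertion, sort_keys=True).encode()
    sig = hmac.new(IDP_KEY, body, hashlib.sha256).hexdigest()
    return base64.b64encode(body).decode() + "." + sig

SP_ID = "https://sap.example/sp"                 # assumed SP entity id
SP_USER_MAP = {"jdoe@corp.example": "JDOE_SAP"}  # federated NameID -> local SAP user id

def sp_consume(token, now=None):
    """SP side: verify signature, issuer, audience and validity window, then map the user.
    Returns the local user id, or None if any check fails."""
    try:
        b64, sig = token.split(".")
        body = base64.b64decode(b64)
    except ValueError:
        return None
    expected = hmac.new(IDP_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    a = json.loads(body)
    now = now or int(time.time())
    if a["issuer"] != IDP_ID or a["audience"] != SP_ID:
        return None
    if not (a["not_before"] <= now < a["not_on_or_after"]):
        return None
    return SP_USER_MAP.get(a["name_id"])
```

Note that the SP never sees or stores the AD password; only the IdP's UME-backed credential check and the SP's trust in the IdP signing key tie the two together.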