
SSO with SAML and AD Domain

Duy_Le_-_Islet_
Participant
0 Kudos

Hi All,

I have the following question regarding NW SSO with SAML and Active Directory Domain:

  1. In the installation guide, I found that we need to perform an SAP Application Server domain installation if we want to use Single Sign-On. As far as I understand, this requirement is true if we use a Kerberos-based solution. But what about if SAML is used: is the SAP Application Server required to be in a Windows domain?
  2. If the SAP Application Server has to be in a domain, and the client computers are in a different domain from the SAP server's domain, do we have to establish a trust between the two domains when SAML is used? I found that with SAML we can provide a cross-domain SSO solution, but it's not very clear to me how to enable this scenario.
  3. I am looking for the configuration guide for SSO based on SAML with NW IDM Federation (the component of SAP SSO 2.0), especially about User Credentials Verification with Microsoft Active Directory. I think we need to do some configuration steps so that the Identity Provider on AS Java can contact Active Directory to get user credentials; could you please provide some hints about this?

Best regards,

Duy

Accepted Solutions (0)

Answers (1)

Former Member
0 Kudos

Dear Duy,

SAML provides a standard for cross-domain Single Sign-On (SSO), so from this point of view, the SAP AppServer should be placed in a domain.

http://wiki.scn.sap.com/wiki/display/Security/Single+Sign-On+with+SAML+2.0

For Identity Federation, please check:

https://help.sap.com/saphelp_nw73/helpdata/en/2e/25659ad6834ce5b7f6c394fca79ee3/content.htm

https://help.sap.com/saphelp_nw73/helpdata/en/17/6d45fc91e84ef1bf0152f2b947dc35/content.htm

Regards,

Adrian

Duy_Le_-_Islet_
Participant
0 Kudos

Hi,

In the case where the SAP Application Server and the user workstations are in two different domains, do we need to establish a trust between the two domains if SAML (and Identity Federation) is used?

Regards,

Duy

Former Member
0 Kudos

Dear Duy,

Basically, in order to ensure that SAML-enabled systems are only passing information between trusted sources, you must create a trust relationship between the applications that are sending and receiving information. Instead of a host of one-to-one trust relationships between a client and the systems in your landscape, SAML 2.0 enables you to create a star-based trust relationship, with an identity provider at its center. All service providers trust the identity provider and rely on the identity provider to authenticate users before providing access to a resource. There is no requirement for user IDs (and passwords) to be identical between the identity provider and any service providers.

More information: SAML 2.0 - http://help.sap.com/saphelp_nw70ehp2/helpdata/en/17/6d45fc91e84ef1bf0152f2b947dc35/content.htm

Trusting a Security Token Service - http://help.sap.com/saphelp_nw70ehp2/helpdata/en/e0/efe61f938e4ab19471c64b1a2268e4/content.htm

Regards,

Adrian

Duy_Le_-_Islet_
Participant
0 Kudos

Hi,

I have gone through all the links that you included from the beginning, but it's not clear how SSO based on SAML works in an MS domain environment. I understand the connection and trust relationship between the service provider (SAP Application Server) and the identity provider (NW IDM Federation). However, the connection to the authentication server, in this case Microsoft Active Directory, is not clear or explained in the links I read on the SAP Help Portal. The questions still remain:

  1. According to your feedback, the SAP Application Server is required to be in a Microsoft domain. But for example, the SAP Application Server is in domain A, while the users' computers are in domain B (and thus will be authorized by the domain B domain controller). Then will a trust relationship between domain A and domain B be needed if a SAML-based solution is used?
  2. As far as I understand, the Identity Provider (and maybe the STS) can issue SAML assertions to authenticate the users. But in order to verify the user credentials, the Identity Provider needs to contact the Authentication Server (Microsoft Active Directory). How this will be done is still unclear to me. I know that there is a mapping procedure for the Windows qualified domain name of the users, but before this can happen, is there any configuration needed for Active Directory and the Identity Provider to "know" each other?

Regards,

Duy

Former Member
0 Kudos

Hi Duy Le,

We have just implemented a single sign-on scenario (identity and service provider) with SAP-only machines, and now we are evaluating whether the SAP identity provider could also authenticate the user against an Active Directory. Did you have any further success or information in your research? Thanks in advance.

Regards,

Julian

former_member182254
Active Participant
0 Kudos

Hi,

The AS Java server where the IDP is installed is not required to be joined to any MS domain. The only requirement is that its UME (User Management Engine) is configured against the AD server(s) which you would like to use for username/password verification and for retrieving user details. The IDP uses the UME of the underlying AS Java to check user credentials and to retrieve user details.

Active Directory is an LDAP-compliant server, so you should check the following documentation on how to change the UME data source of your AS Java system: LDAP Directory as Data Source - Identity Management - SAP Library.

Regards,

Dimitar
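The star-shaped trust Adrian describes (every SP trusts the IdP's signature, user IDs need not match) and Dimitar's point that the IdP host needs no domain membership, shown as an added Go example that is not part of this thread and not SAP's code. It reduces a SAML assertion to JSON signed with RSA-PSS so that it runs stand-alone; the entity IDs, the NameID `duy@domainB.example.test` and its mapping to the SAP user `DUYLE` are constructed for the example. The credential check the IdP performs before issuing (UME against AD over LDAP) is deliberately not modelled.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"time"
)

// Assertion is a minimal stand-in for the parts of a SAML 2.0 assertion that drive the
// SP's trust decision; real SAML is XML with XML-DSig, simplified to JSON + RSA-PSS here.
type Assertion struct {
	Issuer       string    `json:"issuer"`          // entity ID of the issuing IdP
	Audience     string    `json:"audience"`        // entity ID of the intended SP
	NameID       string    `json:"name_id"`         // subject as the IdP knows it
	NotOnOrAfter time.Time `json:"not_on_or_after"` // end of validity window
}

// SignedAssertion is the serialized assertion plus the IdP's signature over it.
type SignedAssertion struct{ Payload, Signature []byte }

// IdentityProvider owns the signing key; the key pair stands in for the certificate
// an IdP publishes in its SAML metadata.
type IdentityProvider struct {
	EntityID string
	key      *rsa.PrivateKey
}

func NewIdentityProvider(entityID string) (*IdentityProvider, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &IdentityProvider{EntityID: entityID, key: key}, nil
}

// PublicKey is what an SP imports when it establishes trust with this IdP.
func (idp *IdentityProvider) PublicKey() *rsa.PublicKey { return &idp.key.PublicKey }

// Issue signs an assertion for a user the IdP has already authenticated (on SAP AS Java
// that check goes through the UME, e.g. an LDAP bind against AD; not modelled here).
func (idp *IdentityProvider) Issue(nameID, audience string, now time.Time, ttl time.Duration) (SignedAssertion, error) {
	a := Assertion{Issuer: idp.EntityID, Audience: audience, NameID: nameID, NotOnOrAfter: now.Add(ttl)}
	payload, err := json.Marshal(a)
	if err != nil {
		return SignedAssertion{}, err
	}
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPSS(rand.Reader, idp.key, crypto.SHA256, digest[:], nil)
	if err != nil {
		return SignedAssertion{}, err
	}
	return SignedAssertion{Payload: payload, Signature: sig}, nil
}

// ServiceProvider trusts IdPs by entity ID and verification key. It never contacts the
// user's Windows domain; the IdP's signature is all it checks.
type ServiceProvider struct {
	EntityID    string
	trustedIdPs map[string]*rsa.PublicKey // issuer entity ID -> key from IdP metadata
	userMap     map[string]string         // IdP NameID -> local SAP user ID
}

func NewServiceProvider(entityID string) *ServiceProvider {
	return &ServiceProvider{EntityID: entityID, trustedIdPs: map[string]*rsa.PublicKey{}, userMap: map[string]string{}}
}

// Trust records an IdP: the one trust relationship SAML requires per SP.
func (sp *ServiceProvider) Trust(idpEntityID string, pub *rsa.PublicKey) { sp.trustedIdPs[idpEntityID] = pub }

// MapUser links an IdP NameID to a local account, so the two IDs need not be identical.
func (sp *ServiceProvider) MapUser(nameID, localUser string) { sp.userMap[nameID] = localUser }

// Consume validates a signed assertion and returns the mapped local user ID.
func (sp *ServiceProvider) Consume(sa SignedAssertion, now time.Time) (string, error) {
	var a Assertion
	if err := json.Unmarshal(sa.Payload, &a); err != nil {
		return "", err
	}
	// Only Issuer is consulted before the signature check, and only to select the key.
	pub, ok := sp.trustedIdPs[a.Issuer]
	if !ok {
		return "", errors.New("issuer is not a trusted IdP")
	}
	digest := sha256.Sum256(sa.Payload)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sa.Signature, nil); err != nil {
		return "", errors.New("signature does not verify with the trusted IdP key")
	}
	if a.Audience != sp.EntityID {
		return "", errors.New("assertion was issued for a different SP")
	}
	if !now.Before(a.NotOnOrAfter) {
		return "", errors.New("assertion has expired")
	}
	local, ok := sp.userMap[a.NameID]
	if !ok {
		return "", errors.New("no local user mapped for this NameID")
	}
	return local, nil
}
```

A workstation in domain B never appears in this exchange: the SP in domain A accepts the assertion because it verifies it with the key it imported from the IdP's metadata, and it rejects an assertion carrying the same Issuer string but signed with a key it never imported, one addressed to another SP, or one past NotOnOrAfter. A production SP additionally checks the IdP certificate chain, InResponseTo and assertion replay, which this example leaves out.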