Greetings!

When following the standard procedure for setting up Single Sign-on for a Netweaver JAVA/Portal 7.4-based system (specifically, SAML 2.x), you normally go into NWA > Configuration > "Authentication and Single Sign-On" and modify the "ticket" policy by adding the Login Module of your choice (in my case, SAML 2.x).

Example documentation:

Configuring the AS Java to Issue Logon Tickets - User Authentication and Single Sign-On - SAP Librar...

Protecting Resources with SAML - User Authentication and Single Sign-On - SAP Library

However, when you do this, you impact nearly all aspects of accessing the Netweaver (JAVA) system, both /irj and /nwa areas now use SSO.  This would normally be a good thing, but if anything goes badly with the Identity Provider, then users unable to login, even with the BasicPasswordLoginModule set as requisite AFTER SAML.  You can reproduce this situation if you set SAML to trust an Identity Provider and then shutdown the identity provider.  Now, when you try to login to the Portal, it will redirect you to where the Identity Provider should be, but since you can't access it (it's shutdown), you are stuck.  Portal doesn't know that it should fail to Basic auth since it doesn't realize the Identity Provider is offline.  The only way around in this situation that I've found is to go into the ConfigTool and disable SAML there, then you can login again with Basic authentication after a restart.

So, the question is, what's the best way to enable SSO (SAML) ONLY for /irj, but leave Basic Auth for /nwa?  That way, if anything happens that screws up SAML, the admins can easily login to /nwa and fix the issue.  Should I continue to edit the 'ticket' or maybe create a new policy and somehow assign Portal (/irj) to the new one and leave ticket alone?  Or, is there a way to for /nwa to always use basic?

I've been looking everywhere for configuring at this detailed level and haven't run into anything yet.

Thanks in advance for any advice,

Aaron