
SSO with IE to NW ABAP 7.31 with SAML 2.0 and ADFS

xymanuel
Active Participant

Hello SCN,

we are trying to establish SSO for our IE (NWBC) connections to our NetWeaver ABAP systems.

CLIENT (IE) in OURDOMAIN ---> NETWEAVER ABAP --(SAML)--> ADFS 2.0 --> WINDOWS DOMAINCONTROLLER (iDP) of OURDOMAIN

Our Windows account name (sAMAccountName) is the same as the SAP user name, so a 1:1 mapping is possible.

I didn't find a correct step-by-step guide for this. There are only special cases with the portal, web services and so on, but none for (in my opinion) the standard case.

Steps we have done on the ABAP side:

1. Set SSO2 settings in RZ10

2. Check the client is enabled for HTTPS with SICF_SESSIONS

3. Set up the local SAML provider (SAML2)

    Add authentication context alias "IntegratedWindowsAuthentication" with name "urn:federation:authentication:windows"

4. Export metadata from NW ABAP (with certificates)

5. Import metadata into ADFS

6. Mapping from sAMAccountName to NameID
    Check the secure hash is SHA-1

7. Download metadata.xml from https://<ourADFS>/FederationMetadata/2007-06/FederationMetadata.xml

8. Import FederationMetadata.xml in ABAP SAML2 as Identification Provider

9. Added alias "IntegratedWindowsAuthentication" in Authentication Requirements

10. Added supported NameID format "Unspecified" with "Logon ID"

11. Set the SICF service NWBC to use SAML

Here are the screenshots of our configuration:

Local Provider configuration in AS ABAP:

Trusted Provider Configuration in AS ABAP:

The authentication is not working at the moment, and I do not get any error in our trace files... (SM50: switch online sec to level 3)

Can anyone tell me if this scenario we are trying is completely wrong?

Or can someone tell me the correct settings?

I have the "Single Sign-on with SAP" Galileo Press book, but the guides there don't help us, because there are only different scenarios with the portal, Excel and web services.

PS: My company is using ADFS for external authentication processes (not SAP), and I thought I could use ADFS to do internal SAML authentication of our HTTPS services in SAP (MSS / SRM...) against our Active Directory.

SSO for SAP GUI (Kerberos DLL) is working perfectly. And no, I don't want to buy SPNEGO.

Kind regards

Manuel Herr
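Steps 4 to 8 above exchange SAML metadata in both directions, and a metadata file that was written or imported incompletely (missing endpoints, missing signing certificate, a NameID format the other side does not offer) fails silently at logon time. The following script is an added example and not code from the original post or from SAP or Microsoft: it parses SP and IdP metadata with the standard library and reports the checks worth making before an import. Both XML samples are constructed for this example and only imitate the shape of real AS ABAP and ADFS metadata; the host names, ACS path and certificate text are placeholders.

```python
"""Pre-import sanity checks for SAML 2.0 metadata (SP and IdP side).

Constructed example: the two XML samples below are made up for this script
and only imitate the shape of AS ABAP SP metadata and ADFS IdP metadata.
"""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample: what a healthy ADFS FederationMetadata.xml offers the SP.
SAMPLE_IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.invalid/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC...placeholder...</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.invalid/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.invalid/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed sample: what the AS ABAP local provider export should contain.
SAMPLE_SP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://abaphost.example.invalid/sap/saml2/sp">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      AuthnRequestsSigned="true" WantAssertionsSigned="true">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC...placeholder...</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://abaphost.example.invalid/sap/saml2/sp/acs/100"
        index="0" isDefault="true"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def _endpoints(descriptor, tag):
    """Map Binding -> Location for every <tag> child of a role descriptor."""
    return {e.get("Binding"): e.get("Location")
            for e in descriptor.findall("md:" + tag, NS)}


def _signing_certs(descriptor):
    """Collect non-empty X509Certificate values usable for signature checks.
    A KeyDescriptor without a 'use' attribute is valid for signing and encryption."""
    certs = []
    for kd in descriptor.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            for c in kd.findall(".//ds:X509Certificate", NS):
                if c.text and c.text.strip():
                    certs.append(c.text.strip())
    return certs


def _check_endpoints(role, tag, eps, acceptable):
    """Require at least one endpoint with an acceptable binding, all over HTTPS."""
    problems = []
    if not any(eps.get(b) for b in acceptable):
        problems.append(f"{role}: no {tag} endpoint with an HTTP-Redirect or HTTP-POST binding")
    for loc in eps.values():
        if loc and not loc.startswith("https://"):
            problems.append(f"{role}: {tag} endpoint {loc} is not HTTPS")
    return problems


def check_idp_metadata(xml_text):
    """Return a list of problems in IdP metadata; an empty list means it looks importable."""
    root = ET.fromstring(xml_text)
    problems = [] if root.get("entityID") else ["IdP: entityID missing"]
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["IdP: no IDPSSODescriptor element"]
    if not _signing_certs(idp):
        problems.append("IdP: no signing certificate in any KeyDescriptor")
    problems += _check_endpoints("IdP", "SingleSignOnService",
                                 _endpoints(idp, "SingleSignOnService"),
                                 [HTTP_REDIRECT, HTTP_POST])
    formats = [f.text.strip() for f in idp.findall("md:NameIDFormat", NS) if f.text]
    if NAMEID_UNSPECIFIED not in formats:
        problems.append("IdP: NameID format 'unspecified' not advertised")
    return problems


def check_sp_metadata(xml_text):
    """Return a list of problems in SP metadata; an empty list means it looks importable."""
    root = ET.fromstring(xml_text)
    problems = [] if root.get("entityID") else ["SP: entityID missing"]
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return problems + ["SP: no SPSSODescriptor element"]
    if not _signing_certs(sp):
        problems.append("SP: no signing certificate in any KeyDescriptor")
    problems += _check_endpoints("SP", "AssertionConsumerService",
                                 _endpoints(sp, "AssertionConsumerService"),
                                 [HTTP_POST])
    return problems


if __name__ == "__main__":
    for name, fn, xml in (("IdP", check_idp_metadata, SAMPLE_IDP_METADATA),
                          ("SP", check_sp_metadata, SAMPLE_SP_METADATA)):
        found = fn(xml)
        print(f"{name} metadata:", "OK" if not found else "\n  ".join([""] + found))
```

Run it against a downloaded FederationMetadata.xml or an exported local-provider file by reading the file into the check function; an empty result means the endpoints, signing certificate and NameID format the trust needs are all present, which is exactly what a half-finished import on the other side would have dropped.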

Accepted Solutions (0)

Answers (1)


xymanuel
Active Participant

Hi together,

Successfully done! It's working now. It seems that ADFS did not import the metadata XML successfully, and the endpoints were missing.

I will add the screenshots of the working config later...

richard_howard
Active Participant

I just got mine to work too. I also had to re-import my metadata.xml a second time.

Curious... when you go to SICF to enable a service (i.e. NWBC), you select [Alternate Logon Procedure] and then you have to move SAML Logon up in the order. One of the docs says that Logon Through HTTP Fields should always be #1. Did you do that? Or did you move SAML Logon up to be first?

xymanuel
Active Participant

Hi Richard,

I also first tested moving SAML Logon up, but I ended up with the standard configuration at the moment.

SAML is active because SAML 2.0 is inherited from a superordinate node.

BTW, did you add the "IntegratedWindowsAuthentication" alias I mentioned above?

3. Set up the local SAML provider (SAML2)

    Add authentication context alias "IntegratedWindowsAuthentication" with name "urn:federation:authentication:windows"

Because I removed it for now and it's working fine... (Screenshots of the running config will come later)

Regards

Manuel

richard_howard
Active Participant

Nope. I didn't use IntegratedWindowsAuthentication in my config.

The one thing that I did that was not in the guides:

I added a Default Path to my ACS.

Local Provider > Service Provider Settings > Assertion Consumer Service

Default Application Path: /sap/bc/gui/sap/its/webgui
</ggr_replace>
<gr_replace lines="133" cat="clarify" orig="I believe that">
I believe that most of our use cases will start with a URL that goes to my ABAP service first and then redirects to ADFS for the identity confirmation. However, for something like webgui I may use a DNS alias that goes directly to ADFS first. When I do that, it redirects with just my server name, not a full application path.

I believe that most of our use cases will start with a URL that goes to my ABAP service first and then redirects to ADFS for the identity confirmation.  However, for something like webgui I may use a DNS Alias that goes directly to ADFS first.  When I do that, it redirects with just my server name, not a full application path.

https://adfs.abccompany.com/adfs/ls/idpinitiatedsignon.aspx?logintorp=https://abaphost/

So I put in the Default Path to use when it does. It seems to work, so I think I have that correct.