
SAP Identity Federation design

Former Member

Hi Experts,

There are 2 SAP Java stack systems in our landscape. Following are the details about the systems:

Java stack 1 : Secure Login Server and Identity Federation component (Domain A)

Secure Login Server issues X.509 certificates to provide SSO to ABAP systems.

Identity Federation component, i.e. Identity Provider, to provide cross-domain SSO

Java stack 2 : SAP IDM system (in a different domain & company). (Domain B)

I've configured Service Provider on Java stack 2 to trust Identity Provider of Java stack 1.

Requirement:

When a user from Domain A tries to access resources on Java stack 2 (Domain B) using https://<IP>:<port>/idm he should be redirected to Java stack 1 (Identity Federation component) for authentication.

If a user has a valid X.509 certificate issued by the Secure Login Server, he should be authenticated to Identity Federation on Java stack 1 without entering a password, and a SAML 2.0 assertion should be sent back to Java stack 2. Then Java stack 2 will create a session for the authenticated user.

Question:

1. I've configured Secure Login Server, Identity Provider and Service Provider as mentioned in the document. The user has a valid X.509 certificate issued by Secure Login Server. But when the user tries to access a resource on Java stack 2, he is never redirected to the Identity Provider. Did I miss something in the config? It would be great if you can share the document on this. I've already done everything based on a wiki guide.

2. Is it possible to use an X.509 certificate to authenticate with the Identity Provider? Is this a limitation of the SAP Identity Provider product?

Please advise if I'm on the correct track.

Note:

IDM is just an example. I want to extend this design to other Java stack systems which are outside our domain.

Accepted Solutions (1)

Kaempfer
Advisor

Hi,

related to 1.

did you read the documentation on "Login Modules and Login Module Stacks" at help.sap.com? Especially the "Login Module Stacks" are perhaps important for you. If a user is able to authenticate via a certificate to the SAP NW Java server and the certificate authentication is configured higher in the authentication stack, then the application will not forward the request for authentication to the Identity Provider.

I am sure you know about that but just to make sure ...

You can use the certificate also to authenticate to non-ABAP systems, and certificates also support cross-domain SSO.

related to 2.

Certificate authentication is part of the SAP NW Java server and not of the Identity Provider. This should not be a problem.

Best Regards

Matthias

Former Member

Hi Matthias,

Thanks for the quick reply.

Yes, I've configured the SAP NW Java server login module stack to access certificates. I've even verified that, and it is working correctly.

But I've also deployed the Identity Provider on the same Java server. Can this Identity Provider authenticate using certificates? My actual scenario is as follows:

SAP Java Server: Secure Login Server, Identity Provider

Non-SAP Java system: Service Provider

The user has a valid X.509 certificate. While accessing the non-SAP Java system, the Service Provider redirects authentication to the Identity Provider.

Can the Identity Provider perform certificate-based authentication and then send a SAML 2.0 assertion to the Service Provider?

If yes, is there any specific configuration that has to be done for the Identity Provider to accept certificates instead of user ID/password? (SAP NW Java is accepting certs, but the Identity Provider deployed on the same server doesn't accept certs. It always prompts for user ID/password.)

To which URL should the Service Provider redirect for Identity Provider authentication?

Thanks,

Anuj

Kaempfer
Advisor

Hi Anuj,

I have not done this myself yet, but I asked a colleague.

Try to add the "TLSClient" authentication context to the list of default authentication contexts. "TLSClient" is mapped to use ClientCertLoginModule.

NWA -> Configuration -> Authentication and SSO -> SAML 2.0 -> Local Provider -> Identity Provider Settings

I am always interested how customers are using the software. Why do you want to mix certificates and SAML in your setup?

Does the non-SAP system not support certificate authentication, or do you want to use identity federation or something else?

Regards

Matthias
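
As an added example (not code from this thread, and not SAP NetWeaver code), the following Python model puts the two decisions Matthias describes side by side: on the Service Provider, a certificate login module that sits higher in the login module stack and succeeds means the request is never forwarded to the IdP (his first reply); on the IdP, the list of authentication contexts decides which login module runs, and adding TLSClient, mapped to ClientCertLoginModule, lets a user who presents a valid certificate receive an assertion without a password prompt (this reply). The stack flag semantics, the context-to-module table, the module names other than ClientCertLoginModule, and the certificate and password data are assumptions constructed for this example; only the authentication context URIs are the standard SAML 2.0 class references.

```python
"""
Toy model of two login-module decisions from this thread.

Not SAP NetWeaver code: stack semantics, module names (apart from
ClientCertLoginModule) and the context-to-module table are assumptions made for
this example.  The authentication context URIs are the OASIS SAML 2.0 ones.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

AC_PASSWORD_PT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
AC_TLS_CLIENT = "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient"

# Assumed IdP mapping: authentication context class -> login module.
CONTEXT_TO_MODULE = {
    AC_TLS_CLIENT: "ClientCertLoginModule",
    AC_PASSWORD_PT: "BasicPasswordLoginModule",
}

# Constructed user data: certificate subjects the server trusts, and passwords.
CERT_USERS = {"CN=anuj,OU=Users,O=DomainA": "anuj"}
PASSWORDS = {"anuj": "s3cret"}


@dataclass
class Request:
    """What the server knows about the incoming HTTPS request."""
    client_cert_subject: Optional[str] = None            # from the TLS handshake
    password: Optional[Tuple[str, str]] = None           # (user, pw) from a login form
    requested_contexts: List[str] = field(default_factory=list)  # SP's RequestedAuthnContext


@dataclass
class Outcome:
    user: Optional[str]
    authn_context: Optional[str]      # becomes AuthnContextClassRef in the assertion
    prompted_for_password: bool
    tried: List[str]


def run_module(module: str, req: Request) -> Optional[str]:
    """Run one login module; return the authenticated user or None."""
    if module == "ClientCertLoginModule":
        return CERT_USERS.get(req.client_cert_subject)
    if module == "BasicPasswordLoginModule":
        if req.password is None:
            return None                  # no form submitted yet -> caller shows a prompt
        user, pw = req.password
        return user if PASSWORDS.get(user) == pw else None
    raise ValueError(f"unknown login module {module}")


def sp_login_stack(stack: List[Tuple[str, str]], req: Request) -> Tuple[str, Optional[str]]:
    """Walk the Service Provider's ordered login module stack (simplified JAAS flags).

    A SUFFICIENT module that succeeds ends authentication locally, so a
    SAML2LoginModule entry placed lower in the stack is never reached and the
    user is never redirected to the IdP.
    """
    for module, flag in stack:
        if module == "SAML2LoginModule":
            return ("redirect_to_idp", None)   # no assertion yet -> SP-initiated SSO starts
        user = run_module(module, req)
        if user and flag == "SUFFICIENT":
            return ("local", user)
    return ("denied", None)


def authenticate_at_idp(req: Request, default_contexts: List[str]) -> Outcome:
    """Pick login modules from the SP's requested contexts, else the IdP's default list."""
    contexts = req.requested_contexts or default_contexts
    tried: List[str] = []
    for ctx in contexts:
        module = CONTEXT_TO_MODULE.get(ctx)
        if module is None:
            continue                     # context this IdP does not support
        tried.append(module)
        user = run_module(module, req)
        if user:
            return Outcome(user, ctx, False, tried)
    # Nothing authenticated silently; if a password module was in the list, a form is shown.
    return Outcome(None, None, "BasicPasswordLoginModule" in tried, tried)


if __name__ == "__main__":
    cert_user = Request(client_cert_subject="CN=anuj,OU=Users,O=DomainA")
    # Symptom from the thread: defaults without TLSClient -> password prompt despite a valid cert
    print(authenticate_at_idp(cert_user, [AC_PASSWORD_PT]))
    # After adding TLSClient to the default contexts -> silent certificate logon
    print(authenticate_at_idp(cert_user, [AC_TLS_CLIENT, AC_PASSWORD_PT]))
    # SP stack with the certificate module first: authenticated locally, IdP never contacted
    print(sp_login_stack([("ClientCertLoginModule", "SUFFICIENT"),
                          ("SAML2LoginModule", "OPTIONAL")], cert_user))
```

Two points the model makes visible: an explicit RequestedAuthnContext from the SP overrides the IdP's default list, so a password-only request from the SP still produces a prompt even after TLSClient is added; and the order of the SP's own stack decides whether SAML is consulted at all.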

Former Member

Hi Matthias,

Thanks for the reply. In the landscape that I'm working on we have applications on SAP and non-SAP systems. We're trying to achieve "Authentication and Single Sign-On" using SAP NW SSO 1.0 to any system in the landscape. I've found that X.509 certificate-based authentication covers SSO for all SAP systems, i.e. SAP ABAP, SAP Java, SAP web services, etc. So a user (once a day) will use Secure Login Client/Server to receive an X.509 certificate and seamlessly access any SAP system in the landscape without further entering his user ID and password. I've tested this and it works fine with both SAP ABAP and Java stacks.

The next challenge is to utilize the X.509 certificate that the user has received (once a day) to authenticate to non-SAP (Java, C, .NET, etc.) servers. As most of these non-SAP servers don't perform cert-based authentication, I cannot use the X.509 cert present with the user. However, these non-SAP systems can redirect their authentication to the Identity Provider (IP) and in turn receive a SAML 2.0 assertion from the IP.

Expected Result

After receiving an X.509 certificate from SAP NW SSO, when a user tries to access a non-SAP system, he'll be redirected to the Identity Provider (deployed on the SAP NW SSO server) for authentication. The IP should in turn extract the X.509 cert present with the user and issue a SAML 2.0 assertion to the non-SAP system. Then the non-SAP system will release the resource to the user.

Questions:

Before testing the scenario with a non-SAP system, I want to test the Identity Provider/Service Provider settings with 2 SAP Java stack systems. Do I have to perform any additional settings on the SAP Java stack (Service Provider) to redirect it to the Identity Provider? I mean, when I try to access https://<IP>:<port>/nwa on the SAP Java stack with the Service Provider configured, will it redirect me to the SAP NW SSO + Identity Provider server? Is there any additional config that has to be done on the Service Provider?

Thanks in advance for all the help and answers.

Regards,

Anuj

Kaempfer
Advisor

Hi Anuj,

you have to think about configuring

a) front channel communication

b) back channel communication

--> I would recommend starting with a). You can find it in the documentation. Example for SAP NW 7.3:

http://help.sap.com/saphelp_nw73/helpdata/en/46/631b92250b4fc1855686b4ce0f2f33/frameset.htm

Then you have to decide if you want to start with IdP- or SP-initiated SSO. Based on your description you want to use SP-initiated SSO (the starting point of the end user for access).

Then you need to check what about the users: are the user names the same everywhere, or do you need to create users -> topic identity federation (-> try to start with existing users).

And check the how-to guide by Dimitar. This is not exactly your use case, but you can learn much here about SAML configuration:

https://scn.sap.com/docs/DOC-29737

Link Collection SAML:

http://wiki.sdn.sap.com/wiki/display/Security/Single+Sign-On+with+SAML+2.0

Best Regards

Matthias
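
To make the front-channel part of this concrete, here is an added Python example (not code from the thread or from SAP) of the SP-initiated exchange Matthias recommends starting with: the Service Provider builds an AuthnRequest and sends it over the HTTP-Redirect binding, the Identity Provider decodes it and checks it against its trust configuration before authenticating anyone, and after the assertion arrives the SP decides between "user names are the same everywhere" and a federation lookup. The hostnames, entity IDs, ACS URL and user tables are constructed for this illustration; the DEFLATE/base64/URL-encode rule and the NameID format URIs are the ones in the SAML 2.0 bindings and core specifications.

```python
"""
SP-initiated SAML 2.0 front channel over the HTTP-Redirect binding, plus the
SP's user-mapping decision afterwards.

Added example, not SAP code: endpoints, entity IDs and user tables below are
constructed.  Encoding rules and NameID format URIs follow the SAML 2.0 specs.
"""
import base64
import xml.etree.ElementTree as ET
import zlib
from typing import Dict, Optional, Set
from urllib.parse import parse_qs, urlencode, urlparse

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed endpoints: Java stack 1 (Domain A) hosts the IdP, Java stack 2 (Domain B) the SP.
IDP_SSO_URL = "https://idp.domain-a.example:50001/saml2/idp/sso"
SP_ENTITY_ID = "https://sp.domain-b.example:50001/saml2/sp"
SP_ACS_URL = "https://sp.domain-b.example:50001/saml2/sp/acs"
# IdP trust configuration: SP entity ID -> registered AssertionConsumerService URL.
TRUSTED_SPS: Dict[str, str] = {SP_ENTITY_ID: SP_ACS_URL}


def build_authn_request(request_id: str, issue_instant: str, acs_url: str = SP_ACS_URL) -> str:
    """SP side: the AuthnRequest sent when an unauthenticated user hits a protected resource."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{acs_url}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
        f'</samlp:AuthnRequest>'
    )


def redirect_binding_url(authn_request_xml: str, relay_state: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode into the query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)          # -15: raw deflate, no zlib header
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                       "RelayState": relay_state})
    return f"{IDP_SSO_URL}?{query}"


def idp_receive(url: str) -> Dict[str, str]:
    """IdP side: decode the request and validate it against trust configuration
    before any login module runs."""
    query = parse_qs(urlparse(url).query)
    xml = zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15).decode()
    root = ET.fromstring(xml)
    issuer = root.find("saml:Issuer", NS).text
    acs = root.get("AssertionConsumerServiceURL")
    if root.get("Destination") != IDP_SSO_URL:
        raise ValueError("Destination does not match this IdP's SSO endpoint")
    if issuer not in TRUSTED_SPS:
        raise ValueError(f"untrusted Service Provider {issuer}")
    if acs != TRUSTED_SPS[issuer]:
        # Never honour an ACS URL the SP did not register: the assertion would be sent elsewhere.
        raise ValueError("AssertionConsumerServiceURL not registered for this SP")
    return {"id": root.get("ID"), "issuer": issuer, "acs": acs,
            "relay_state": query["RelayState"][0]}


# Constructed federation table on the SP: persistent NameID -> local user ID.
FEDERATION: Dict[str, str] = {"anuj@domain-a": "akhator"}


def resolve_local_user(name_id: str, name_id_format: str, local_users: Set[str]) -> Optional[str]:
    """SP side, once the assertion has arrived: same user names everywhere
    (unspecified format, direct match) versus identity federation (persistent
    pseudonym looked up in a mapping table).  Any other format is rejected."""
    if name_id_format == FMT_UNSPECIFIED:
        return name_id if name_id in local_users else None
    if name_id_format == FMT_PERSISTENT:
        return FEDERATION.get(name_id)
    return None


if __name__ == "__main__":
    url = redirect_binding_url(build_authn_request("_req1", "2013-04-01T10:00:00Z"), "/idm")
    print(url)
    print(idp_receive(url))
    print(resolve_local_user("anuj", FMT_UNSPECIFIED, {"anuj"}))
    print(resolve_local_user("anuj@domain-a", FMT_PERSISTENT, set()))
```

The ACS check in idp_receive is the part worth keeping in mind when you later add a non-SAP Service Provider: the IdP must only send assertions to the ACS URL registered for that SP's entity ID, not to whatever the request claims, or an attacker-supplied AuthnRequest could redirect a user's assertion to a host of the attacker's choosing.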


Hi Anuj,

In addition to the things Matthias mentioned in his reply, you need to protect the accessed resources with SAML 2.0. Please check Protecting Resources with SAML. You can also check part of the wiki page for this configuration, although the scenario is not the same.

Best regards,

Desislava

Answers (1)

Former Member

Hi Matthias, Desislava,

Your inputs were very helpful. I've tested Identity Federation between 2 Java stacks with an X.509 certificate and it worked.

Thanks for pointing me to the right documents. I'll try to achieve a similar thing using the SAP Identity Provider and a non-SAP Service Provider.

Regards,

Anuj Khator