1. Centrify Cloud Tenant with Administrator Credentials.
2. An SAP role created in the Centrify portal for the users who will single sign-on to the SAP Java application.
3. Administrator Credentials to configure SAML2.0 in SAP.
Note: Centrify has a built-in SAP template under Cloud Manager\Apps. I have chosen to use the Custom SAML Template instead, to show how you can import the SP metadata if you wish to take that path.
SAP side Configuration
1. Log on to SAP NetWeaver Java and click on SAP NetWeaver Administrator.
2. Provide your Administrator credentials.
3. Go to the Configuration tab and click on Authentication and Single Sign-On.
4. Click on the SAML 2.0 tab and then Enable SAML 2.0 Support.
5. Type in a provider name that represents SAML 2.0 and click Next.
6. Add a signing key pair.
6a. Steps 6a, 6b and 6c apply only if you do not already have a key pair. Go to Certificates and Keys.
6b. Click SAML2 in the first table, then Create in the second table. In the pop-up, fill in the Entry name, tick the Store certificate checkbox and click Next.
6c. Fill in the Common Name (typically your company name, for example Centrify), then click Next, Next and Finish. You now have a key pair.
7. If you already have a key pair, choose the SAML2 key from step 6 and click Next.
8. Leave the defaults and click Next and Finish.
9. Click on the Metadata tab and then Download Metadata.
10. Go to Apps in Centrify Cloud Manager and add a Custom SAML application. Select the right roles for the users who should be able to access the application. Under account mapping, verify the attribute you are mapping on ("samaccountname" in this example), as this attribute may vary per organization.
11. Use the "Upload SP Metadata from file" option and select the metadata file downloaded from the SAP service provider.
12. Check the "Assertion Consumer Service URL" in the Application Settings, then click the "Save" button.
13. Download the Identity Provider Metadata and the "signing certificate".
14. In SAP, go to "Trusted Providers" and add the IdP metadata file from Centrify.
15. Click Edit under Trusted Providers, then under Identity Federation click Add. Select Unspecified for the NameID format, click Save and then Enable it.
16. At this point you may need to modify the logon stack. Go to Configuration / Authentication and Single Sign-On, click on "ticket" and then Edit.
How to configure Logon stack for SAML (ticket logon stack template)
Please refer to SAP Note "2273981 - Configuring Authentication stacks for the J2ee Netweaver Application Server"
17. Your logon stack should look like this
18. How to log in to SAP bypassing SAML2.
Please refer to SAP Note "1874339 - Disabling the SAML2 login module via URL allowing user/password login instead."
You need to add "?saml2=disabled" to the URL.
19. Go to the SAP login URL that users typically use; you will now be redirected to Centrify, as shown below.
20. If IWA (Integrated Windows Authentication) is enabled through Centrify, users are logged in automatically.
21. Users can also go to their Centrify User Portal, click on the "SAP-JAVA" icon and single sign-on to the application.
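Steps 9 to 13 move the SP metadata from SAP to Centrify and ask you to confirm the Assertion Consumer Service URL by eye. The following script is an added example, not part of this article and not Centrify or SAP code, that parses the SP metadata file and prints what an IdP administrator should verify before uploading it: the entityID, every ACS endpoint and binding, the NameID formats the SP advertises (step 15 selects Unspecified), and the SHA-256 fingerprint of each signing certificate, flagging any endpoint that is not HTTPS. The metadata embedded below is constructed, with invented hostnames and a placeholder certificate blob standing in for the real DER data.

```python
"""Inspect SAML 2.0 SP metadata before handing it to the IdP.

Added example, not from the original article and not Centrify or SAP code.
It parses the EntityDescriptor that SAP NetWeaver Java exports and reports
the settings an IdP administrator should check: entityID, Assertion
Consumer Service endpoints, accepted NameID formats and signing-certificate
fingerprints. The sample metadata is constructed (hostnames invented,
placeholder certificate).
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for the base64 DER certificate; not a real certificate.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"placeholder-DER-bytes-not-a-real-cert").decode()

# Constructed SP metadata in the shape NetWeaver Java exports (hostnames invented).
SAMPLE_SP_METADATA = f"""
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sap-java.example.com/saml2/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{PLACEHOLDER_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sap-java.example.com/saml2/sp/acs"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="http://sap-java.example.com/saml2/sp/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def cert_fingerprint(b64_der: str) -> str:
    """SHA-256 over the DER bytes: the value to compare against the IdP console."""
    der = base64.b64decode("".join(b64_der.split()))
    return hashlib.sha256(der).hexdigest()


def inspect_sp_metadata(xml_text: str) -> dict:
    """Return the settings an IdP admin must check, plus a list of warnings."""
    root = ET.fromstring(xml_text.strip())
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is IdP metadata or not SAML metadata")

    report = {
        "entity_id": root.get("entityID"),
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "acs": [],
        "nameid_formats": [n.text.strip() for n in sp.findall("md:NameIDFormat", NS)],
        "signing_fingerprints": [],
        "warnings": [],
    }

    for svc in sp.findall("md:AssertionConsumerService", NS):
        entry = {
            "index": int(svc.get("index")),
            "binding": svc.get("Binding", "").rsplit(":", 1)[-1],
            "location": svc.get("Location"),
            "default": svc.get("isDefault") == "true",
        }
        report["acs"].append(entry)
        # An assertion posted to a plain-HTTP ACS travels in the clear.
        if not entry["location"].lower().startswith("https://"):
            report["warnings"].append(
                f"ACS index {entry['index']} is not HTTPS: {entry['location']}")

    # A KeyDescriptor with no "use" attribute serves both signing and encryption.
    for kd in sp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            report["signing_fingerprints"].append(cert_fingerprint(cert.text))

    if not report["signing_fingerprints"]:
        report["warnings"].append("no signing certificate: signed AuthnRequests cannot be verified")
    if not report["want_assertions_signed"]:
        report["warnings"].append("SP does not require signed assertions")
    return report


if __name__ == "__main__":
    rep = inspect_sp_metadata(SAMPLE_SP_METADATA)
    print("entityID:", rep["entity_id"])
    for a in rep["acs"]:
        print(f"  ACS[{a['index']}] {a['binding']:<13} {a['location']}"
              + ("  (default)" if a["default"] else ""))
    print("NameID formats:", ", ".join(rep["nameid_formats"]))
    for fp in rep["signing_fingerprints"]:
        print("signing cert sha256:", fp)
    for w in rep["warnings"]:
        print("WARNING:", w)
```

Run it against the real metadata file by replacing SAMPLE_SP_METADATA with the file contents; the default (index 0) ACS location is the value to compare with the "Assertion Consumer Service URL" shown in the Centrify application settings in step 12, and the certificate fingerprint lets you confirm the right signing key from step 6 made it into the export.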