
SAP-JAVA-SAML Guide

By Centrify on 12-21-2016 05:20 AM

Prerequisites:

1. A Centrify Cloud tenant with Administrator credentials.
2. An SAP role created in the Centrify portal so that users can gain single sign-on access to the SAP-Java application.
3. Administrator credentials to configure SAML 2.0 in SAP.

Note: Centrify has a built-in template under Cloud Manager \ Apps. I have chosen to use the Custom SAML template to show how you can import SP metadata if you wish to take that path.


SAP side Configuration

1. Log on to SAP NetWeaver Java and click on SAP NetWeaver Administrator.

2. Provide your Administrator credentials.

3. Go to the Configuration tab and click on Authentication and Single Sign-On.

4. Click on the SAML 2.0 tab and then Enable SAML 2.0 Support.

5. Type in a provider name that represents SAML 2.0 and click Next.

6. Add a signing key pair.

6a. Steps 6a, 6b and 6c apply only if you do not have an existing key pair. Go to Certificates and Keys.

6b. Click SAML2 in table 1 and Create in table 2. In the popup, fill in the Entry name, tick the "Store certificate" checkbox and then click Next.

6c. Fill in the Common Name (typically your company name, for example Centrify), then click Next, Next and Finish. You now have your key pair.

7. Choose the saml2 key from step 6 if you already have a key pair and click Next.

8. Leave the defaults and click Next and Finish.

9. Click on the Metadata tab and then Download Metadata.

10. Go to Centrify Apps in Cloud Manager and add a Custom SAML application. Select the right Roles for the users who should be able to access the application. Under Account Mapping, verify whether you are using "samaccountname", as this attribute may vary per organization.

11. Upload the SP metadata using the "from file" option, with the metadata file downloaded from the SAP service provider in step 9.

12. Make sure you take a look at the "Assertion Consumer Service URL" in the Application Settings and click on the "SAVE" button.

13. Download the Identity Provider Metadata and the "signing certificate".

14. In SAP, go to "Trusted Providers" and then add the IdP metadata file from Centrify.

15. Click Edit under Trusted Providers and then, under Identity Federation, click Add. Select Unspecified for the NameID format, click Save and then Enable it.

16. At this point you may need to modify the logon stack. Go to Configuration > Authentication and Single Sign-On, click on "ticket" and edit it.

How to configure the logon stack for SAML (ticket logon stack template): please refer to SAP Note "2273981 - Configuring Authentication stacks for the J2ee Netweaver Application Server".

17. Your logon stack should look like this (add the SAML2LoginModule as shown):

EvaluateTicketLoginModule SUFFICIENT
SAML2LoginModule OPTIONAL
CreateTicketLoginModule SUFFICIENT
BasicPasswordLoginModule REQUISITE
CreateTicketLoginModule REQUISITE

18. How to log in to SAP bypassing SAML2: please refer to SAP Note "1874339 - Disabling the SAML2 login module via URL allowing user/password login instead". You need to add "?saml2=disabled" to the URL.

19. Go to the SAP login URL that users typically use. Once you are there, you will now be redirected to Centrify.

20. If IWA ("Integrated Windows Authentication") is enabled through Centrify, users are automatically logged in.

21. Users can also go to their Centrify "User Portal" and click on the "SAP-JAVA" icon to single sign-on to the application.
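As an added example that is not part of this guide or of Centrify's or SAP's own tooling, the Python script below checks the SP metadata file you download from SAP in step 9 before uploading it to Centrify in step 11: it lists the entityID, the Assertion Consumer Service URL you are asked to confirm in step 12, the NameID formats (step 15 expects Unspecified) and whether the SP signing certificate from step 6 is present. The metadata embedded in it is constructed sample data; the hostname, entityID and certificate value are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample SP metadata; host, entityID and cert are placeholders.
SAMPLE_SP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="sap-java-example">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER_CERT_BASE64</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>%s</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sap-java.example.com/saml2/sp/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>""" % UNSPECIFIED


def summarize_sp_metadata(xml_text):
    """Pull out the fields an admin should eyeball before trusting the SP."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    cert_path = ("md:KeyDescriptor[@use='signing']/ds:KeyInfo/"
                 "ds:X509Data/ds:X509Certificate")
    return {
        "entity_id": root.get("entityID"),
        "acs": [(a.get("Binding"), a.get("Location"))
                for a in sp.findall("md:AssertionConsumerService", NS)],
        "nameid_formats": [n.text for n in sp.findall("md:NameIDFormat", NS)],
        "signing_certs": len(sp.findall(cert_path, NS)),
    }


def check_sp_metadata(xml_text):
    """Return a list of problems; an empty list means the metadata looks sane."""
    s = summarize_sp_metadata(xml_text)
    checks = [
        (s["entity_id"], "missing entityID"),
        (s["acs"], "no AssertionConsumerService URL to verify in step 12"),
        (all(loc.startswith("https://") for _, loc in s["acs"]),
         "an ACS URL is not HTTPS"),
        (UNSPECIFIED in s["nameid_formats"],
         "SP does not list the Unspecified NameID format chosen in step 15"),
        (s["signing_certs"] > 0, "no SP signing certificate (step 6 key pair)"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Run it against the real file with `check_sp_metadata(open("sp-metadata.xml").read())`; the same summary fields are what you compare against the Application Settings page in step 12.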

