1. A Centrify cloud tenant with administrator credentials.
2. A role created in the Centrify Portal whose members are allowed to single sign-on to the SAP-ABAP application.
3. SAP administrator credentials to configure SAML 2.0 on the SAP side.
Note: Centrify has a built-in SAP template under Cloud Manager\Apps. This walkthrough uses the Custom SAML template instead, to show how to import the SP metadata if you wish to take that path.
1. Log on with SAP GUI (your DEV system is preferred).
2. Enter transaction /nsaml2 and click Allow on the SAP GUI security popup.
3. You may see a browser certificate warning; click Continue to launch the wizard.
Note: Make sure the browser is on the URL your users actually log on with (check the host name and port number in the URL). The endpoint URLs in the service provider metadata you download later are taken from that URL, so they must match what users see.
4. Provide your SAP credentials.
5. The SAML 2.0 Configuration page opens; choose "Create SAML 2.0 Local Provider" from the drop-down menu.
6. Enter a provider name, for example "SP:DEV-SAML2", and click Next.
7. Click Next on the "Miscellaneous" step.
8. Click Next on "Identity Provider Discovery" (leave the defaults) and click Finish.
9. Click "Metadata", then "Download Metadata", and save the file.
10. Go to Apps in Centrify Cloud Manager and add a Custom SAML application.
Select the role(s) whose members should be able to access the application. Under Account Mapping, verify which attribute is mapped; this walkthrough uses "samaccountname", but the attribute may vary per organization.
11. Upload the SP metadata file you downloaded from the SAP service provider in step 9, using the upload-from-file option.
12. Check the "Assertion Consumer Service URL" in Application Settings (it should use the same host and port as the URL your users log on with) and click "Save".
13. Download the Identity Provider metadata and the signing certificate.
14. Go back to the SAP SAML 2.0 configuration screen from step 9, click "Trusted Providers", and add the SAML metadata file downloaded from the Centrify identity provider.
15. Click Next on "Certificates and Algorithms".
16. Click Next on "Single Sign-On Endpoints", leaving "HTTP Redirect" checked.
17. Click Next on "Single Logout Endpoints".
18. Click Next on "Artifact Endpoints".
19. Click Finish on "Authentication Requirements".
20. Click "Identity Federation", then "Add", and under "Supported NameID Formats" select "Unspecified" and click OK.
21. Under "User ID Mapping Mode", check that "Logon ID" is selected. This corresponds to step 10, where "samaccountname" is used as the ID under Account Mapping: SAP looks up the SAP user whose logon ID equals the NameID value Centrify sends, so the two must match.
22. Final step: enable the SAML 2.0 configuration and click OK.
23. Go to the SAP logon URL your users normally use; you will now be redirected to Centrify, as shown below.
24. If IWA (Integrated Windows Authentication) is enabled in Centrify, users are logged in automatically.
25. Users can also go to their Centrify user portal and click the "SAP-ABAP" icon to single sign-on into the application.
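The steps above tell you to check several things by eye: that the Assertion Consumer Service URL carries the host and port users really log on with (note after step 3, step 12), that the HTTP-Redirect binding is offered (step 16), that the NameID format is "unspecified" (step 20) and that the NameID value is the SAP logon ID (step 21). The Python script below is an added example, not part of the original walkthrough and not Centrify's or SAP's code, that performs those checks offline against the two metadata files and a sample SAML Response. Every host name, tenant URL, entity ID, the certificate text and the Response itself are constructed placeholders; it does not verify XML signatures, which you would leave to a SAML library.

```python
"""Offline sanity checks for the SAP <-> Centrify SAML 2.0 setup above.
Parses the SP metadata from SAP (step 9) and the IdP metadata from Centrify
(step 13) and checks ACS host/port, HTTP-Redirect SSO endpoint, signing cert,
and that a Response carries an 'unspecified' NameID equal to the SAP logon ID.
All XML is constructed sample data; XML signatures are NOT verified here.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
ACS_URL = "https://sapdev.example.internal:44300/sap/saml2/sp/acs/100"  # made-up host/port
IDP_ID = "https://tenant.example.centrify.test/saml"                      # made-up tenant

# Constructed SP metadata in the shape SAP generates for the local provider.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="SP:DEV-SAML2">
  <md:SPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:NameIDFormat>{UNSPECIFIED}</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true" Binding="{POST}" Location="{ACS_URL}"/>
  </md:SPSSODescriptor></md:EntityDescriptor>"""

# Constructed IdP metadata; the certificate text is a placeholder, not a real cert.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="{IDP_ID}">
  <md:IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIBxDCCAW6gAwIBAgIJ...placeholder...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="{IDP_ID}/sso"/>
  </md:IDPSSODescriptor></md:EntityDescriptor>"""

# Constructed, unsigned SAML Response of the shape the IdP posts to the ACS.
RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" Destination="{ACS_URL}">
  <saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>{IDP_ID}</saml:Issuer>
    <saml:Subject><saml:NameID Format="{UNSPECIFIED}">jdoe</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>SP:DEV-SAML2</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion></samlp:Response>"""


def endpoint_origin(url):
    """(scheme, host, port) with default ports filled in, for comparing endpoints."""
    u = urlsplit(url)
    return (u.scheme, (u.hostname or "").lower(), u.port or (443 if u.scheme == "https" else 80))


def parse_sp(xml_text):
    root = ET.fromstring(xml_text)
    return {"entity_id": root.get("entityID"),
            "acs": [e.get("Location") for e in root.findall(".//md:AssertionConsumerService", NS)],
            "nameid_formats": [e.text for e in root.findall(".//md:NameIDFormat", NS)]}


def parse_idp(xml_text):
    root = ET.fromstring(xml_text)
    certs = [c.text.strip() for kd in root.findall(".//md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"  # no 'use' attribute means both uses
             for c in kd.findall(".//ds:X509Certificate", NS)]
    return {"entity_id": root.get("entityID"), "signing_certs": certs,
            "sso": {e.get("Binding"): e.get("Location")
                    for e in root.findall(".//md:SingleSignOnService", NS)}}


def check_metadata(sp, idp, user_logon_url):
    """Return a list of problems; empty means the two metadata files look consistent."""
    problems = [f"ACS {loc} does not match the user logon URL {user_logon_url}"
                for loc in sp["acs"] if endpoint_origin(loc) != endpoint_origin(user_logon_url)]
    if UNSPECIFIED not in sp["nameid_formats"]:
        problems.append("SP metadata does not list the 'unspecified' NameID format")
    if REDIRECT not in idp["sso"]:
        problems.append("IdP metadata has no HTTP-Redirect SingleSignOnService")
    if not idp["signing_certs"]:
        problems.append("IdP metadata has no signing certificate")
    return problems


def check_response(xml_text, sp, idp, expected_logon_id):
    """Check an (already signature-verified) Response against SAP's Logon ID mapping."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") not in sp["acs"]:
        problems.append(f"Destination {root.get('Destination')!r} is not an ACS of this SP")
    issuer = root.findtext(".//saml:Assertion/saml:Issuer", namespaces=NS)
    if issuer != idp["entity_id"]:
        problems.append(f"Issuer {issuer!r} is not the trusted IdP {idp['entity_id']!r}")
    audience = root.findtext(".//saml:Audience", namespaces=NS)
    if audience != sp["entity_id"]:
        problems.append(f"Audience {audience!r} is not this SP {sp['entity_id']!r}")
    nameid = root.find(".//saml:Subject/saml:NameID", NS)
    if nameid is None:
        problems.append("assertion has no NameID")
    else:
        if nameid.get("Format") != UNSPECIFIED:
            problems.append(f"NameID format {nameid.get('Format')!r} is not 'unspecified'")
        # SAP user names are upper case, so the comparison is done in upper case here
        # (assumption: confirm how your system treats case in Logon ID mapping).
        if (nameid.text or "").strip().upper() != expected_logon_id.upper():
            problems.append(f"NameID {nameid.text!r} does not match SAP logon ID {expected_logon_id!r}")
    return problems


if __name__ == "__main__":
    sp, idp = parse_sp(SP_METADATA), parse_idp(IDP_METADATA)
    user_url = "https://sapdev.example.internal:44300/sap/bc/gui/sap/its/webgui"  # made up
    found = check_metadata(sp, idp, user_url) + check_response(RESPONSE, sp, idp, "JDOE")
    print("\n".join(found) if found else "metadata and sample response look consistent")
```

To use it against a real setup, replace the three constructed strings with the contents of the SP metadata from step 9, the IdP metadata from step 13 and a Response captured from the browser (after the SAML library has verified its signature), and set user_url to the logon URL from the note after step 3. A port mismatch in the ACS check is the usual cause of the "redirected to Centrify but never logged in to SAP" symptom that step 12 guards against.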