Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x - Security and ...
Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x
Created by Desislava Petkova, last modified on Aug 30, 2011
This wiki page describes only the configuration necessary for single sign-on from Microsoft SharePoint 2010 to SAP Portal 7.0x. It does not cover the other direction, in which a user logged into SAP Portal gets SSO to SharePoint 2010. The example setup assumes that the user IDs in ADFS 2.0, AS Java 7.2 and SAP Portal 7.0x are the same. However, the same scenario can also be set up when the user IDs differ between the systems.
Table of Contents
• Overview
• Trust between SharePoint 2010 and ADFS 2.0
• Trust between AS Java (CE) 7.2 and SAP Portal 7.0x
• Trust between AS Java (CE) 7.2 and ADFS 2.0
• Initial configuration in AS Java (CE) 7.2
• Add Relying Party Trust in ADFS 2.0
• Add Trusted Identity Provider at CE 7.2
• Setup Redirect Application
• Testing the Scenario
Overview
Trust between SharePoint 2010 and ADFS 2.0
Use the article Federated Collaboration with Shibboleth 2.0 and SharePoint 2010 Technologies to set up trust between SharePoint 2010 and ADFS 2.0.
Other ADFS 2.0 step-by-step and how-to guides can be found at ADFS step-by-step guides.
Trust between AS Java (CE) 7.2 and SAP Portal 7.0x
1. Export signing certificate from CE 7.2
Open http(s)://<ce72host>:<port>/nwa -> Configuration Management -> Certificates and Keys
https://wiki.scn.sap.com/wiki/display/Security/Step-by-Step+guide+for+SSO+from+MS... 4/9/2018
Select “TicketKeystore” view and “SAPLogonTicketKeypair-cert” entry.
Click button “Export To File”:
2. Add trusted system at SAP Portal 7.0x using the SSO2 wizard
Open http(s)://<portalhost>:<port>/nwa -> Configuration Management -> Trusted Systems and select “Add Trusted System” -> “By Uploading Certificate Manually”
Import the certificate, provide the SID and client of the CE 7.2 system (in our case SP3/000) and confirm.
3. Test the trust
Log in to the CE 7.2 system (e.g. in NetWeaver Administrator, http(s)://<ce72host>:<port>/nwa).
In the same browser window, navigate to the 7.0x Portal (http(s)://<portalhost>:<port>/irj/portal); you should be authenticated automatically with the MYSAPSSO2 cookie.
Trust between AS Java (CE) 7.2 and ADFS 2.0
Initial configuration in AS Java (CE) 7.2
Open http(s)://<ce72host>:<port>/nwa -> Configuration Management -> Authentication and Single Sign-On
Select “SAML 2.0” tab and click “Enable SAML 2.0 Support” button.
Enter the name of the local provider.
Change the setting “Legacy Systems Support (Issue Logon Ticket)” to “On” and click the “Browse” button for the signing key pair.
A signing key pair should be generated for the local provider; it will be used as the encryption key pair as well. The next steps are:
Step 1:
Step 2:
Step 3:
Step 4:
Continue with the wizard.
Change selection mode to “Automatic” and click “Finish”.
Download metadata file:
Save the metadata file:
Add Relying Party Trust in ADFS 2.0
Start “AD FS 2.0 Management”, select “Relying Party Trusts” and choose the action “Add Relying Party Trust”.
Select the metadata file.
Use all default settings and save the relying party. After that, select the action “Properties” for the CE 7.2 system.
Go to the “Advanced” tab and change the signature algorithm from SHA-256 to SHA-1.
Afterwards, select the action “Edit Claim Rules” and add a claim of type “Send LDAP Attributes as Claims”. Select to send the “SAM-Account-Name” as Name ID.
With this final step the trust setup at ADFS 2.0 is complete. To do the trust setup at CE 7.2 you will need the ADFS metadata. An example ADFS 2.0 federation metadata URL is https://<adfs20host>/FederationMetadata/2007-06/FederationMetadata.xml.
Because the metadata document is digitally signed, you will also need the signing certificate in order to import the metadata into AS Java (CE) 7.2. The SAP application server does not allow import of a signed metadata document unless the signature is successfully verified.
To download the ADFS signing certificate: in AD FS 2.0 Management select Service -> Certificates, double-click the “Token-signing” certificate and choose “Copy To File …”.
Add Trusted Identity Provider at CE 7.2
Open http(s)://<ce72host>:<port>/nwa -> Configuration Management -> Authentication and Single Sign-On -> SAML 2.0 and click on “Trusted Providers”.
Select the metadata file you have downloaded from ADFS and click “Next”.
As the metadata is digitally signed, choose the file with the signing certificate you have downloaded from ADFS and click “Next”.
Enter an alias (optional) and click “Next”.
Leave the default settings and click “Next” and “Finish” on the subsequent screens of the wizard. At the end the trusted provider will be added but disabled.
This is because the identity federation settings are missing. To add them, click the “Edit” button, then “Add”, select format name “Unspecified” and source name “Logon ID”, and finally “OK”.
The last step is to save the provider and enable it using the “Save” and “Enable” buttons. The icon in the first row should change from grey to green.
With this the trust setup on AS Java (CE) 7.2 is complete.
Setup Redirect Application
In this scenario, AS Java 7.2 acts as an intermediate system between ADFS 2.0 and SAP EP 7.0x.
That is why we need a simple redirect application which:
• is deployed on AS Java 7.2
• is configured with SAML 2.0 authentication
• redirects to SAP EP 7.0x only after successful authentication
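A minimal redirect servlet of the kind described above, added here as an example; it is not code from the original page or from SAP. The class name, the `portalUrl` init parameter and the `/*` security constraint are assumptions, and the SAML 2.0 login module stack is assigned to this application's policy configuration in NWA (not in this code), so the container has already authenticated the user via ADFS before the servlet runs.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Hypothetical redirect servlet for AS Java (CE) 7.2.
 * Assumed web.xml: a security-constraint on url-pattern "/*" so that the
 * container triggers the SAML 2.0 login (assigned in NWA) before doGet runs,
 * and an init parameter "portalUrl" such as
 * "https://<portalhost>:<port>/irj/portal" (placeholder, not a real host).
 */
public class PortalRedirectServlet extends HttpServlet {
    // Hypothetical init parameter holding the SAP EP 7.0x entry URL
    private static final String TARGET_PARAM = "portalUrl";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Redirect only when the container has authenticated the user, i.e.
        // the SAML 2.0 assertion from ADFS was accepted and the MYSAPSSO2
        // logon ticket has already been issued for this session.
        if (req.getUserPrincipal() == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                    "SAML 2.0 authentication required");
            return;
        }
        String target = getServletConfig().getInitParameter(TARGET_PARAM);
        // The destination comes only from deployment configuration, never
        // from the request, so the servlet cannot be used as an open redirector.
        if (target == null || !target.startsWith("https://")) {
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
                    "portalUrl init parameter is missing or not https");
            return;
        }
        // Avoid caching a response that depends on the authenticated session.
        resp.setHeader("Cache-Control", "no-store");
        resp.sendRedirect(target);
    }
}
```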
Testing the Scenario
Log in to ADFS, e.g. https://<adfs20host>/adfs/ls/IdpInitiatedSignOn.aspx
After authenticating with ADFS, access the redirect application hosted on AS Java CE 7.2 in the same browser window.
Here is what happens when testing the scenario in case the first access is to AS Java 7.2:
1. Access the redirect application on AS Java 7.2.
2. You will be redirected to ADFS for authentication.
3. After successful authentication at ADFS, you will be returned to AS Java 7.2 with a SAML 2.0 assertion. The assertion is evaluated and, after authentication with SAML 2.0 at AS Java 7.2, an SAP Logon Ticket is issued (MYSAPSSO2 cookie).
4. You will be redirected to SAP EP 7.0x and authenticated with the MYSAPSSO2 cookie issued by AS Java CE 7.2.
Using HttpWatch (or a similar tool) you should be able to see all these redirects: