
SSO for SAP NetWeaver Application Server Java with Sun Java System Access Manager using SAML 1.x

SAP DEVELOPER NETWORK | sdn.sap.com BUSINESS PROCESS EXPERT COMMUNITY | bpx.sap.com © 2006 SAP AG 1


Applies To:
1. SAP NetWeaver Enterprise Portal 2004s
2. SAP NetWeaver Application Server Java 2004s
3. Sun Java System Access Manager 7.1

Summary

This article describes the steps for configuring Single Sign-On (SSO) for applications deployed on SAP NetWeaver Application Server Java (SAP J2EE Engine) with Sun Java System Access Manager, using the Security Assertion Markup Language (SAML 1.x).

Author: Vasanth Bhat
Company: Sun Microsystems India Private Ltd., Bangalore.

Created On: 03/05/2007

Author Bio Vasanth Bhat is a Lead Engineer in SAP Partner Engineering Team in Sun Microsystems India Private Ltd., Bangalore.


Table of Contents

1. Introduction
2. Overview
3. Configuring Sun Java System Access Manager
3.1 Generate the Site ID for SAP J2EE Engine
3.2 Add the sap_saml_sso.jar to Web Container JVM ClassPath
3.3 Note down the Site ID for Sun Java System Access Manager
3.4 Register the SAP J2EE Engine as Trusted Party
3.5 Create SAP J2EE users in Sun Java System Access Manager
4. Configuring SAP NetWeaver Application Server Java
4.1 Change the Startup Mode for SAML Service
4.2 Create HTTP Destination for Sun AM SAML SOAP Receiver
4.3 Configure SAML Service Parameters
4.4 Add SAML Login Module in the Application's Login Module Stack
5. Testing the Single Sign On
6. References
Disclaimer and Liability Notice


1. Introduction The SAP J2EE Engine supports the use of the Security Assertion Markup Language (SAML) for Single Sign-On. SAML can be used for Single Sign On for applications deployed on SAP J2EE Engine (such as SAP Enterprise Portal). The Sun Java System Access Manager is used as assertion source (Identity Provider) for single sign on to applications deployed on SAP J2EE Engine (Service Provider). An overview of Sun Java System Access Manager is available at http://docs.sun.com/app/docs/doc/819-4669

2. Overview

Security Assertion Markup Language (SAML) is an XML standard for exchanging authentication and authorization data between security domains, that is, between an Identity Provider (Sun AM in our case) and a Service Provider (an application deployed on the SAP J2EE Engine in our case). SAML is a product of the OASIS Security Services Technical Committee. The SAML specifications are available from http://www.oasis-open.org/committees/security

The two key concepts of SAML are assertions and profiles. A SAML assertion is a declaration of facts about a principal; assertions carry authentication, authorization decision or attribute statements. A SAML profile is a set of rules that defines how to embed and extract SAML assertions: how the assertions are combined with other objects by an authority, transported from the authority, and subsequently processed at the trusted partner site.

SAML 1.x defines two browser SSO profiles, the Web Browser Artifact Profile and the Web Browser POST Profile. They differ in how the assertion is exchanged between the Identity Provider (Sun AM) and the Service Provider (SAP J2EE Engine). In the Web Browser Artifact Profile, a pointer to the SAML assertion (called an artifact) is included in the query string (parameter SAMLart) of an HTTP redirect to the Service Provider. The Service Provider then makes a direct SOAP/HTTP request back to the Identity Provider carrying the artifact and obtains the actual SAML assertion in the response; the assertion itself never passes through the browser, which is why the back channel between the two servers, not the browser redirect, is the part that must be protected. The SAP J2EE Engine implements this profile. In the Web Browser POST Profile, the SAML assertion itself is included in an HTML form that the browser posts to the Service Provider.

The following figure illustrates the flow of events for Single Sign-On based on the Web Browser Artifact Profile between Sun Java System Access Manager and the SAP J2EE Engine.


Figure 1: SAML SSO with SAP J2EE Engine

The following events take place when a user accesses an application configured for SAML authentication (such as SAP EP), deployed on the SAP J2EE Engine, via Sun Java System Access Manager:

1. The user accesses SAP EP via Sun Java System Access Manager (Sun AM).
2. Sun AM authenticates the user, if not already authenticated.
3. Sun AM generates the authentication assertion for the user and stores it.
4. Sun AM invokes the registered plug-ins for Name Identifier Mapping and Site Attribute Mapping.
5. Sun AM creates the artifact for the assertion and issues an HTTP redirect to the SAML receiver registered for the SAP J2EE Engine.
6. The browser follows the redirect to the SAML receiver service of the SAP J2EE Engine.
7. The SAML receiver on the SAP J2EE Engine internally forwards the request, along with the artifact, to SAP EP, which is configured with the SAML Login Module. The SAML Login Module retrieves and evaluates the artifact and uses the source ID carried in it to look up the Identity Provider (Sun AM) details.
8. The SAML Login Module on the SAP J2EE Engine generates an assertion request containing the artifact and sends it as SOAP/HTTP to the SAML SOAP receiver of Sun AM.
9. Sun AM retrieves the artifact from the assertion request and uses it to look up the corresponding assertion.
10. Sun AM responds to the SAML Login Module with the assertion.
11. The SAML Login Module validates the assertion and internally authenticates the user.
12. On successful internal authentication, the user is single signed on to SAP EP.
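The exchange above, modelled end to end in Python as an added example; this is not code from the article, from SAP or from Sun, and it runs offline with no servers. It builds a SAML 1.x type-1 artifact the way the binding defines it (2-byte type code 0x0001, 20-byte SourceID, 20-byte AssertionHandle, base64-encoded), has the Identity Provider role issue it in a redirect to the registered SAML receiver and resolve it only once and only for a requester in the trusted partner Host List, and has the Service Provider role look the SourceID up in its PartnersInbound entries (the "B64:" form of Section 4.3) before fetching the assertion. Assumptions: hostnames, IP addresses and the user are constructed; site IDs are computed as SHA-1 of the site URL, standing in for amgenSiteId and the Sun AM preset Site ID; idp.resolve() stands in for the SOAP/HTTP call of step 8; and the assertion is a plain dict rather than signed XML, so signature checking is out of scope here.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

ARTIFACT_TYPE_1 = b"\x00\x01"  # SAML 1.x artifact type code 0x0001


def site_id(site_url):
    """20-byte SourceID. Assumption: SHA-1 of the site URL, standing in for
    amgenSiteId (Section 3.1) and the Sun AM preset Site ID (Section 3.3)."""
    if site_url.endswith("/"):
        raise ValueError("site URL must not end with '/'")
    return hashlib.sha1(site_url.encode("ascii")).digest()


def b64_source_id(source_id):
    """Spelling used in the SAP PartnersInbound SourceID field (Section 4.3)."""
    return "B64:" + base64.b64encode(source_id).decode("ascii")


def make_artifact(source_id, handle):
    """Type-1 artifact: TypeCode(2) || SourceID(20) || AssertionHandle(20), base64."""
    if len(source_id) != 20 or len(handle) != 20:
        raise ValueError("SourceID and AssertionHandle are 20 bytes each")
    return base64.b64encode(ARTIFACT_TYPE_1 + source_id + handle).decode("ascii")


def parse_artifact(artifact):
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != 42 or raw[:2] != ARTIFACT_TYPE_1:
        raise ValueError("not a type-1 SAML 1.x artifact")
    return raw[2:22], raw[22:42]


class IdentityProvider:
    """Sun AM role: issues the artifact (steps 3-5) and resolves it (steps 9-10)."""

    def __init__(self, site_url, trusted_partners):
        self.source_id = site_id(site_url)
        # target host -> {"receiver": SAML URL, "hosts": IPs allowed to send SOAP queries}
        self.trusted_partners = trusted_partners
        self._pending = {}  # AssertionHandle -> assertion; removed on first resolve

    def sso_redirect(self, target, user, now, lifetime=120):
        partner = self.trusted_partners.get(urlsplit(target).hostname)
        if partner is None:
            raise PermissionError("TARGET host is not a registered trusted partner")
        handle = secrets.token_bytes(20)
        self._pending[handle] = {"subject": user, "issuer": self.source_id,
                                 "not_on_or_after": now + lifetime}
        query = urlencode({"SAMLart": make_artifact(self.source_id, handle), "TARGET": target})
        return f"{partner['receiver']}?{query}"

    def resolve(self, artifact, requester_ip, now):
        """SAML SOAP receiver: answers only listed hosts, and only once per artifact."""
        source_id, handle = parse_artifact(artifact)
        if source_id != self.source_id:
            raise PermissionError("artifact was not issued by this site")
        if not any(requester_ip in p["hosts"] for p in self.trusted_partners.values()):
            raise PermissionError("requester is not in any trusted partner Host List")
        assertion = self._pending.pop(handle, None)  # one-time use
        if assertion is None or now >= assertion["not_on_or_after"]:
            raise PermissionError("unknown, already resolved, or expired artifact")
        return assertion


def saml_login(redirect_url, partners_inbound, my_ip, idp, now):
    """SAP J2EE role (steps 6-8, 11-12). partners_inbound maps the 'B64:' SourceID
    to the HTTP destination name; idp.resolve() stands in for the SOAP/HTTP call."""
    artifact = parse_qs(urlsplit(redirect_url).query)["SAMLart"][0]
    source_id, _ = parse_artifact(artifact)
    if b64_source_id(source_id) not in partners_inbound:
        raise PermissionError("no PartnersInbound entry for this SourceID")
    assertion = idp.resolve(artifact, my_ip, now)
    if assertion["issuer"] != source_id:
        raise PermissionError("assertion issuer does not match artifact SourceID")
    return assertion["subject"]


def _rejected(call):
    try:
        call()
        return False
    except PermissionError:
        return True


def demo(now=1_000_000.0):
    """Constructed setup with assumed hostnames, one trusted partner and one user."""
    idp_url = "https://amhost.companyxyz.com:8443/amserver"
    idp = IdentityProvider(idp_url, {"ephost.companyxyz.com": {
        "receiver": "https://ephost.companyxyz.com:50100/saml/receiver",
        "hosts": {"10.0.0.5"}}})
    inbound = {b64_source_id(idp.source_id): "SunAM"}
    url = idp.sso_redirect("https://ephost.companyxyz.com:50100/irj/portal", "Administrator", now)
    artifact = parse_qs(urlsplit(url).query)["SAMLart"][0]
    # an unlisted host is refused before the artifact is consumed
    foreign = _rejected(lambda: idp.resolve(artifact, "203.0.113.9", now))
    user = saml_login(url, inbound, "10.0.0.5", idp, now)
    # replaying the same redirect must fail: the handle was consumed
    replay = _rejected(lambda: saml_login(url, inbound, "10.0.0.5", idp, now))
    return {"user": user, "foreign_host_rejected": foreign, "replay_rejected": replay}
```

Running demo() shows the three outcomes a correct receiver pair must produce: a listed host obtains the subject once, a query from an unlisted address is refused without consuming the artifact, and a replay of the same SAMLart is refused because the assertion handle was removed on first resolution. The Host List check and the one-time handle are the two controls that make an artifact leaked from a browser history or proxy log useless on its own.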


3. Configuring Sun Java System Access Manager

3.1 Generate the Site ID for SAP J2EE Engine

Perform the following steps to generate the Site ID for the SAP J2EE Engine.

1. Unzip the file sap_saml_sunam.zip on the Sun AM machine. You can download sap_saml_sunam.zip from SDN.
2. Modify AM_HOME in the script amgenSiteId if Sun AM is installed in a non-default location. Make sure that the script amgenSiteId has execute permissions.
3. Generate and note the Site ID for the SAP J2EE Engine using the command amgenSiteId. This value is needed later, in Section 3.4.

Example: amgenSiteId http://ephost.companyxyz.com:50100

Note: make sure that the URL does NOT have a trailing '/'. The Site ID is computed from the URL string, so any difference in spelling (scheme, host, port or trailing slash) produces a different ID.

3.2 Add the sap_saml_sso.jar to Web Container JVM ClassPath

In this step, sap_saml_sso.jar needs to be added to the JVM classpath of the Web Container on which Sun AM is deployed. This is typically done in the Web Server or Application Server administration console; follow the documentation provided by the Web Server or Application Server. The Web Server or Application Server needs to be restarted for the new value to take effect.

3.3 Note down the Site Id for Sun Java System Access Manager

Sun Java System Access Manager has a preset Site ID, which uniquely identifies it. You can obtain this value as follows:

1. Log in to Sun AM as amAdmin.
2. Click the Federation tab.
3. Click the SAML tab.
4. Click the Edit link of the only entry under Site Identifiers to go to the Edit Site Identifier page, as shown in Figure 2.
5. Copy the value of Site ID into a temporary file. This will be used in Section 4.3.


Figure 2 : Site ID for Sun Java System Access Manager

3.4 Register the SAP J2EE Engine as Trusted Party

Follow the steps below to register the SAP J2EE Engine as a Trusted Partner in Sun Access Manager.

1. Go to the SAML configuration home in Sun AM by clicking the Back to SAML button shown in Figure 2.
2. Click New under Trusted Partners to go to the Select trusted partner type and profile page.
3. Select Artifact under Destination. Leave all others unchecked.
4. Click Next to go to the Add New Trusted Partner page.
5. Set the values as follows:
● Source ID: the Site ID for the SAP J2EE Engine generated in Section 3.1.
● Host List: IP address of the machine running the SAP J2EE Engine. Sun AM uses this list to decide whether a SAML SOAP artifact query comes from a trusted partner, so it must contain the address the J2EE Engine's outbound requests actually arrive from (a proxy or NAT address, if one sits in between).
● Target: fully qualified name of the machine running the SAP J2EE Engine. Sun AM matches the TARGET parameter of incoming SSO requests against this value to find the partner.
● SAML URL: URL of the SAML Receiver on the SAP J2EE Engine. Typically this is of the form http(s)://<sap_j2ee_host>.<domain>:port/saml/receiver
● Name Identifier Mapper: com.sun.identity.saml.plugins.UidMapper
6. Click Finish.
7. Click Save and make sure that you get the confirmation.
8. Make sure that the entry for the SAP J2EE Engine now appears under Trusted Partners on the Sun AM SAML configuration page.

Figure 3 : Add SAP J2EE as Trusted Partner in Sun AM


3.5 Create SAP J2EE users in Sun Java System Access Manager

For this simple setup we use a simple user mapping: every user in the SAP J2EE Engine also has a user entry in Sun AM with the same user ID, and the UidMapper configured in Section 3.4 carries that ID into the assertion's name identifier. This means that whoever can create or rename users in Sun AM decides which SAP account an assertion resolves to, so user administration in Sun AM should be protected at least as strictly as user administration in the SAP J2EE Engine. The same-ID mapping is not a requirement for Single Sign-On; different mappings can be achieved through customization using Account Mapping, NameIdentifier Mapping and Attribute Mapping. More details on this are available at http://docs.sun.com/app/docs/doc/819-4674/6n6qelg7v?a=view

The Sun Java System Identity Manager product allows centralized, automated and bulk provisioning of users, roles and other information to hundreds of applications from multiple vendors, including SAP EP, SAP R/3 and SAP HR. More detailed information on Sun Java System Identity Manager is available at http://docs.sun.com/app/docs/coll/1514.2

For the purposes of testing, you can create a few users in Sun AM by following the instructions at http://docs.sun.com/app/docs/doc/819-4670/6n6qardv5?a=view

Figure 4 : Create SAP J2EE users in Sun AM


4. Configuring SAP NetWeaver Application Server Java

4.1 Change the Startup Mode for SAML Service

Follow the steps below to make sure that the SAML Service is always started as part of SAP J2EE Engine startup.

1. Launch the SAP J2EE Visual Administrator as the sap<sid> user.
2. Log in to the SAP Visual Administrator.
3. Select Server -> Services -> Configuration Adapter.
4. Expand Configurations -> cluster_data -> server -> cfg -> services.
5. Switch to edit mode. Click Yes.
6. Double-click the property sheet tc~sec~saml~service-runtime.
7. Select start-up mode. The Change property entry page appears.
8. In the Custom field, enter the value always and click Apply Custom.
9. Click OK.

Figure 5 : Change Startup mode for SAML Service

4.2 Create HTTP Destination for Sun AM SAML SOAP Receiver

Follow the steps below to create an HTTP Destination for the SAML SOAP Receiver of Sun Java System Access Manager.

1. Launch the SAP J2EE Visual Administrator as the sap<sid> user.
2. Log in to the SAP Visual Administrator.
3. Expand Destinations -> HTTP.
4. Click New and enter a name for the new destination, for example, SunAM.
5. Click OK.
6. Enter the URL of the SAML SOAP Receiver for Sun AM, for example http://ephost.companyxyz.com:8080/amserver/SAMLSOAPReceiver
7. For testing purposes, we are using a non-secure channel with no client authentication. In production, use an HTTPS URL whose server certificate the J2EE Engine trusts, and configure client authentication on the destination (BASIC credentials or an SSL client certificate), so that the assertion travels over a protected channel and only the SAP J2EE Engine can resolve artifacts at the SAML SOAP receiver. This destination is the back channel of step 8 in Section 2: the assertion itself is fetched over it, not through the browser.
8. Click Save.

Figure 6 : Destination for Sun AM SAML SOAP Receiver.

4.3 Configure SAML service Parameters

Follow the steps below to configure the SAML Service on the SAP J2EE Engine.

1. Launch the SAP J2EE Visual Administrator as the sap<sid> user.
2. Log in to the SAP Visual Administrator.
3. Select Server -> Services -> Configuration Adapter.
4. Scroll down and expand SAML -> Configuration -> PartnersInbound.
5. Switch to edit mode. Click Yes.
6. Right-click the PartnersInbound node and select Create Sub Node.
7. Enter the partner name, for example SunAM, and click Create.
8. Expand the newly created node.
9. Set the values as follows:
● Destination Name: the name of the destination created in Section 4.2.
● SourceID: the Site ID for Sun AM noted down in Section 3.3, prefixed with "B64:". For example, B64:Gz5Ie6oAgITQsmjxfsDyru/jtiM=. The SAML Login Module matches the source ID carried in each incoming artifact against this value to find the partner, so it must decode to exactly the 20-byte Site ID of Sun AM.
10. For testing purposes, the PermitInsecureConnections parameter, located under Configurations > SAML > Configuration - Settings, can be set to true. In a production environment, this value should be set to false.

Figure 7 : Configure SAML Service Parameters
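As an added example (not SAP tooling; the real values are typed into the Visual Administrator and cannot be read from a file), the checks below model the settings of Sections 4.2 and 4.3 as dictionaries and report what a production review would flag: an http destination, a destination without client authentication, a PartnersInbound DestinationName that does not match the destination, a SourceID without the "B64:" prefix or of the wrong length, and PermitInsecureConnections left at true. The two setups are constructed: TEST_SETUP mirrors the values the article uses for testing, PROD_SETUP the hardened form; the hostname amhost.companyxyz.com and the port 8443 are assumed.

```python
import base64
from urllib.parse import urlsplit


def check_saml_config(destination, partner, settings):
    """Return production findings for one HTTP destination (Section 4.2), one
    PartnersInbound entry (Section 4.3) and the SAML Settings; [] means clean."""
    findings = []
    if urlsplit(destination["url"]).scheme != "https":
        findings.append("destination URL is http: assertions are fetched over a plaintext channel")
    if destination.get("auth", "none") == "none":
        findings.append("destination has no client authentication towards the SAML SOAP receiver")
    if partner["DestinationName"] != destination["name"]:
        findings.append("PartnersInbound DestinationName does not match the HTTP destination name")
    source_id = partner["SourceID"]
    if not source_id.startswith("B64:"):
        findings.append("SourceID lacks the 'B64:' prefix")
    else:
        try:
            raw = base64.b64decode(source_id[4:], validate=True)
            if len(raw) != 20:
                findings.append(f"SourceID decodes to {len(raw)} bytes, expected 20")
        except ValueError:  # binascii.Error is a ValueError subclass
            findings.append("SourceID is not valid base64")
    if settings.get("PermitInsecureConnections", False):
        findings.append("PermitInsecureConnections=true: acceptable for testing only")
    return findings


# Constructed test-phase values, mirroring the article's examples.
TEST_SETUP = (
    {"name": "SunAM", "url": "http://ephost.companyxyz.com:8080/amserver/SAMLSOAPReceiver",
     "auth": "none"},
    {"DestinationName": "SunAM", "SourceID": "B64:Gz5Ie6oAgITQsmjxfsDyru/jtiM="},
    {"PermitInsecureConnections": True},
)

# Constructed production values: HTTPS, client certificate, insecure connections off.
PROD_SETUP = (
    {"name": "SunAM", "url": "https://amhost.companyxyz.com:8443/amserver/SAMLSOAPReceiver",
     "auth": "ssl-client-certificate"},
    {"DestinationName": "SunAM", "SourceID": "B64:Gz5Ie6oAgITQsmjxfsDyru/jtiM="},
    {"PermitInsecureConnections": False},
)

if __name__ == "__main__":
    for label, setup in (("test", TEST_SETUP), ("production", PROD_SETUP)):
        print(label, check_saml_config(*setup) or ["no findings"])
```

The test setup yields exactly the three findings the article itself warns about (plaintext channel, no client authentication, PermitInsecureConnections=true); the production setup yields none. The SourceID decoding check catches the most common copy error, a Site ID pasted with the prefix missing or a character dropped, which otherwise shows up only as a failed lookup in step 7 of the flow.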

4.4 Add SAML Login module in the Application's Login Module Stack

Perform the following steps to add the SAML Login Module to the application's login module stack. For our case, we modify the ticket template, which is used by SAP Enterprise Portal. Because the ticket template is shared by every application that uses it, a misconfigured stack locks all of them out at once; keep a working administrator logon path in the stack until the SSO has been verified.

1. Launch the SAP J2EE Visual Administrator as the sap<sid> user.
2. Log in to the SAP Visual Administrator.
3. Select Server -> Services -> Security Provider.
4. In the Policy Configuration tab, select the ticket template.
5. Switch to edit mode.
6. Click Modify and adjust the login module stack so that it appears as shown in Figure 8.
7. Make sure that the changes are saved.
8. Close the Visual Administrator.
9. Restart the SAP J2EE Engine.

Figure 8 : Add SAML Login Module in the login module Stack


5. Testing the Single Sign On

Perform the following tasks to test SAP EP SSO using SAML assertions.

1. Launch the Internet browser and navigate to the SSO trigger for SAP EP:
http://ephost.companyxyz.com:8080/amserver/SAMLAwareServlet?TARGET=http://ephost.companyxyz.com:50100/irj/portal
The TARGET value is where the user lands after SSO; Sun AM resolves the trusted partner from its host, so the host must match the Target entered in Section 3.4.

2. When prompted, authenticate to Sun Java System Access Manager as one of the users created in Section 3.5, for example Administrator. The user ID must exist with the same spelling in the SAP J2EE Engine, since that is how the UidMapper resolves the account.

3. The SAP Enterprise Portal welcome page should be displayed, as shown in Figure 9.


6. References

1. Using SAML Assertions for SSO in SAP J2EE Engine: http://help.sap.com/saphelp_nw2004s/helpdata/en/94/695b3ebd564644e10000000a114084/content.htm
2. Sun Java System Access Manager 7.1: http://docs.sun.com/app/docs/coll/1292.2
3. Sun AM Federation & SAML: http://docs.sun.com/app/docs/doc/819-4674
4. Sun Java System Identity Manager: http://docs.sun.com/app/docs/coll/1514.2
5. Sun Java Enterprise System: http://docs.sun.com/app/docs/doc/820-0167


Disclaimer and Liability Notice This document may discuss sample coding or other information that does not include SAP official interfaces and therefore is not supported by SAP. Changes made based on this information are not supported and can be overwritten during an upgrade. SAP will not be held liable for any damages caused by using or misusing the information, code or methods suggested in this document, and anyone using these methods does so at his/her own risk. SAP offers no guarantees and assumes no responsibility or liability of any type with respect to the content of this technical article or code sample, including any liability resulting from incompatibility between the content within this document and the materials and services offered by SAP. You agree that you will not hold, or seek to hold, SAP responsible or liable with respect to the content of this document.