This wiki page describes only the configuration required for single sign-on from Microsoft SharePoint 2010 to SAP Portal 7.0x. It does not cover the opposite direction, in which a user logged in to SAP Portal needs SSO to SharePoint 2010. The example setup assumes that the user IDs in ADFS 2.0, AS Java 7.2 and SAP Portal 7.0x are the same; the same scenario can also be set up when the user IDs differ between the systems.
Trust between SharePoint 2010 and ADFS 2.0
Follow the article Federated Collaboration with Shibboleth 2.0 and SharePoint 2010 Technologies to set up the trust between SharePoint 2010 and ADFS 2.0.
Other ADFS 2.0 step-by-step and how-to guides can be found in the ADFS step-by-step guides.
Trust between AS Java (CE) 7.2 and SAP Portal 7.0x
1. Export signing certificate from CE 7.2
Open http(s)://<ce72host>:<port>/nwa -> Configuration Management -> Certificates and Keys
Select “TicketKeystore” view and “SAPLogonTicketKeypair-cert” entry.
Click button “Export To File”:
2. Add trusted system at SAP Portal 7.0x using the SSO2 wizard
Open http(s)://<portalhost>:<port>/nwa -> Configuration Management -> Trusted Systems and select “Add Trusted System” -> “By Uploading Certificate Manually”
Import the certificate and provide the SID and client of the CE 7.2 system (in our case SP3/000).
3. Test the trust
Log in to the CE 7.2 system (e.g. in NetWeaver Administrator, http(s)://<ce72host>:<port>/nwa).
In the same browser window, navigate to the 7.0x Portal (http(s)://<portalhost>:<port>/irj/portal); you should be authenticated automatically with the MYSAPSSO2 cookie. (The browser only sends the cookie to the portal if both hosts lie in the DNS domain for which the logon ticket cookie is issued.)
Trust between AS Java (CE) 7.2 and ADFS 2.0
Initial configuration in AS Java (CE) 7.2
Open http(s)://<ce72host>:<port>/nwa -> Configuration Management -> Authentication and Single Sign-On
Select “SAML 2.0” tab and click “Enable SAML 2.0 Support” button.
Enter the name of the local provider.
Change setting “Legacy Systems Support (Issue Logon Ticket)” to “On” and click “Browse” button for the signing key-pair.
A signing key-pair should be generated for the local provider. It will be used as encryption key-pair as well. Here are the next steps:
Continue with the wizard.
Change selection mode to “Automatic” and click “Finish”.
Download metadata file:
Save the metadata file:
Add Relying Party Trust in ADFS 2.0
Start “AD FS 2.0 Management”, select “Relying Party Trusts” and action “Add Relying Party Trust”
Select metadata file
Use all default settings and save the relying party. After that select action “Properties” for the CE 7.2 system.
Go to “Advanced” tab and change the signature algorithm from SHA-256 to SHA-1.
Afterwards, select action “Edit Claim Rules” and add a claim of type “Send LDAP Attributes as Claims”. Select to send the “SAM-Account-Name” as Name ID.
With this final step the trust setup at ADFS 2.0 is completed. To do the trust setup at CE 7.2 you will need the federation metadata of ADFS. An example of an ADFS 2.0 federation metadata URL is https://<adfs20host>/FederationMetadata/2007-06/FederationMetadata.xml.
Because the metadata document is digitally signed, you will also need the signing certificate in order to import the metadata into AS Java (CE) 7.2. The SAP application server does not allow import of a signed metadata document unless the signature is successfully verified.
To download the ADFS signing certificate: In AD FS 2.0 Management select Service -> Certificates and download the “Token-signing” by double clicking on it and then choose “Copy To File …”.
Add Trusted Identity Provider at CE 7.2
Open http(s)://<ce72host>:<port>/nwa -> Configuration Management -> Authentication and Single Sign-On -> SAML 2.0 and click on “Trusted Providers”.
Select the metadata file you have downloaded from ADFS and click “Next”.
As metadata is digitally signed, choose the file with the signing certificate you have downloaded from ADFS and click “Next”.
Enter alias (optional) and click “Next”.
Leave default settings and click “Next” and “Finish” at the subsequent screens of the wizard. At the end the trusted provider will be added but will be disabled.
This is because the identity federation settings are missing. In order to add them click on the “Edit” button, then “Add” and select format name “Unspecified” and source name “Logon ID” and finally “OK”.
The last step is to save the provider and enable it using the “Save” and “Enable” buttons. The icon in the first row should change from grey to green.
With this the trust setup on the AS Java (CE) 7.2 is completed.
Setup Redirect Application
In this scenario, the AS Java 7.2 acts as an intermediate system between ADFS 2.0 and SAP EP 7.0x.
That is why we need a simple redirect application which:
- will be deployed on AS Java 7.2
- will be configured with SAML 2.0 authentication
- will redirect to the SAP EP 7.0x only after successful authentication
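The following servlet is an added example of such a redirect application; it is not code from this wiki page or from SAP. It assumes the WAR is deployed on AS Java (CE) 7.2, that a security constraint in web.xml protects every URL of the application so the container authenticates the user (with the SAML 2.0 policy assigned in NWA) before the servlet runs, and that the portal URL https://portalhost.example.com/irj/portal and the role name "Everyone" are placeholders for your own deployment.

```java
// RedirectServlet.java: added example, not from the wiki page or from SAP.
// Assumptions (not stated on the page): the application is protected by a
// <security-constraint> in web.xml, its authentication policy is set to
// SAML 2.0 in NWA, and "target.url" is an init-param pointing at the portal.
//
// Assumed web.xml fragment:
//   <servlet>
//     <servlet-name>redirect</servlet-name>
//     <servlet-class>RedirectServlet</servlet-class>
//     <init-param>
//       <param-name>target.url</param-name>
//       <param-value>https://portalhost.example.com/irj/portal</param-value>
//     </init-param>
//   </servlet>
//   <servlet-mapping>
//     <servlet-name>redirect</servlet-name><url-pattern>/*</url-pattern>
//   </servlet-mapping>
//   <security-constraint>
//     <web-resource-collection>
//       <web-resource-name>all</web-resource-name>
//       <url-pattern>/*</url-pattern>
//     </web-resource-collection>
//     <auth-constraint><role-name>Everyone</role-name></auth-constraint>
//   </security-constraint>

import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class RedirectServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    // Hosts the application is willing to redirect to (placeholder value).
    // Keeping this fixed in the deployment prevents the servlet from becoming
    // an open redirect that forwards a freshly authenticated browser elsewhere.
    private static final Set<String> ALLOWED_HOSTS = new HashSet<String>(
            Arrays.asList("portalhost.example.com"));

    private String targetUrl;

    @Override
    public void init() throws ServletException {
        targetUrl = getInitParameter("target.url");
        if (targetUrl == null || !isAllowedTarget(targetUrl)) {
            throw new ServletException(
                    "target.url missing or not an allowed https portal URL");
        }
    }

    /** True only for an absolute https URL whose host is on the allow list. */
    static boolean isAllowedTarget(String url) {
        try {
            URI uri = new URI(url);
            return "https".equalsIgnoreCase(uri.getScheme())
                    && uri.getHost() != null
                    && ALLOWED_HOSTS.contains(uri.getHost().toLowerCase());
        } catch (URISyntaxException e) {
            return false;
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The security constraint should already have forced the SAML 2.0
        // round trip to ADFS and the issuing of the MYSAPSSO2 cookie. If no
        // principal is present, the policy assignment is wrong: refuse rather
        // than forward an unauthenticated browser to the portal.
        if (req.getRemoteUser() == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                    "not authenticated; check the SAML 2.0 policy assignment");
            return;
        }
        log("redirecting user " + req.getRemoteUser() + " to the portal");
        // The target is always the configured value, never a request parameter.
        resp.setHeader("Cache-Control", "no-store");
        resp.sendRedirect(targetUrl);
    }
}
```

The redirect target is read from configuration and checked against a fixed host list at startup, so the application only ever forwards to the portal; the check on getRemoteUser() makes a misconfigured authentication policy visible as a 401 instead of a silent forward.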
Testing the Scenario
Login to ADFS – e.g. https://<adfs20host>/adfs/ls/IdpInitiatedSignOn.aspx
After authenticating with ADFS, access the redirect application hosted on AS Java CE 7.2 in the same browser window.
Here is what happens when testing the scenario when the first access is to AS Java 7.2:
1. Access redirect application on AS Java 7.2
2. You will be redirected to ADFS for authentication
3. After successful authentication at ADFS, you will be returned to AS Java 7.2 with a SAML 2.0 assertion. The assertion is evaluated and, once you are authenticated with SAML 2.0 at AS Java 7.2, an SAP Logon Ticket is issued (MYSAPSSO2 cookie).
4. You will be redirected to SAP EP 7.0x and authenticated with the MYSAPSSO2 cookie issued by AS Java CE 7.2.
Using HTTP Watch (or similar tool) you should be able to see all these redirects: