Step-by-Step guide for SSO from MS SharePoint 2010 to SAP EP 7.0x

Overview

The scenario chains three trust relationships: SharePoint 2010 trusts ADFS 2.0, ADFS 2.0 trusts AS Java (CE) 7.2 as a SAML 2.0 relying party, and SAP Portal 7.0x trusts AS Java (CE) 7.2 as an issuer of SAP Logon Tickets (the MYSAPSSO2 cookie). Each of these trusts is set up below.

Trust between SharePoint 2010 and ADFS 2.0

Use the article Federated Collaboration with Shibboleth 2.0 and SharePoint 2010 Technologies to set up the trust between SharePoint 2010 and ADFS 2.0. Other ADFS 2.0 step-by-step and how-to guides can be found at ADFS step-by-step guides.

Trust between AS Java (CE) 7.2 and SAP Portal 7.0x

1. Export the signing certificate from CE 7.2

Open http(s)://<ce72host>:<port>/nwa -> Configuration Management -> Certificates and Keys.
Select the TicketKeystore view and the SAPLogonTicketKeypair-cert entry.
Click the Export To File button.

2. Add the trusted system at SAP Portal 7.0x using the SSO2 wizard

Open http(s)://<portalhost>:<port>/nwa -> Configuration Management -> Trusted Systems and select Add Trusted System -> By Uploading Certificate Manually.
Import the certificate, provide the SID and client of the CE 7.2 system (in our case SP3/000) and confirm. The SID and client must be exactly the ones CE 7.2 writes into its tickets as the issuing system, because the Portal uses them to look up the certificate against which a ticket's signature is verified.
3. Test the trust

Log in to the CE 7.2 system (e.g. in NetWeaver Administrator, http(s)://<ce72host>:<port>/nwa). In the same browser window, navigate to the 7.0x Portal (http(s)://<portalhost>:<port>/irj/portal); you should be authenticated automatically with the MYSAPSSO2 cookie. For this to work both hosts must be in the same DNS domain, since the ticket cookie is set for that domain and is otherwise not sent to the Portal.
Trust between AS Java (CE) 7.2 and ADFS 2.0

Initial configuration in AS Java (CE) 7.2

Open http(s)://<ce72host>:<port>/nwa -> Configuration Management -> Authentication and Single Sign-On.
Select the SAML 2.0 tab and click the Enable SAML 2.0 Support button. Enter the name of the local provider.
Change the setting Legacy Systems Support (Issue Logon Ticket) to On; this is what makes CE 7.2 issue an SAP Logon Ticket after a successful SAML 2.0 login, which the Portal later accepts. Then click the Browse button for the signing key pair.
A signing key pair should be generated for the local provider. It will be used as the encryption key pair as well. (Wizard steps 1 to 4 were shown as screenshots, which are not reproduced here.)
Continue with the wizard, change the selection mode to Automatic and click Finish.
Download and save the metadata file of the local provider.

Add Relying Party Trust in ADFS 2.0

Start AD FS 2.0 Management, select Relying Party Trusts and the action Add Relying Party Trust.
Select the metadata file, keep all default settings and save the relying party. Afterwards select the action Properties for the CE 7.2 relying party.
Go to the Advanced tab and change the secure hash algorithm from SHA-256 to SHA-1. SHA-1 is a deprecated signature algorithm, so make this change only if the CE 7.2 side cannot verify SHA-256-signed responses, and switch back to SHA-256 as soon as the SAP side supports it.
Afterwards, select the action Edit Claim Rules and add a rule of type Send LDAP Attributes as Claims, mapping the LDAP attribute SAM-Account-Name to the outgoing claim type Name ID. The Name ID value must equal the user's Logon ID in the UME of CE 7.2, because that is the attribute the identity federation setting on the SAP side is matched against.
With this final step the trust setup at ADFS 2.0 is completed. For the trust setup at CE 7.2 you will need the ADFS metadata. An example of the ADFS 2.0 federation metadata URL is https://<adfs20host>/federationmetadata/2007-06/federationmetadata.xml. Because the metadata document is digitally signed, you also need the ADFS signing certificate in order to import the metadata into AS Java (CE) 7.2: the SAP application server does not import a signed metadata document unless the signature is verified successfully, which protects the trust against a tampered metadata file. Obtain the certificate directly from the ADFS server (or verify its thumbprint with the ADFS administrator); whoever controls this certificate controls which identity provider CE 7.2 trusts. To download the ADFS signing certificate: in AD FS 2.0 Management select Service -> Certificates, open the Token-signing certificate by double-clicking it and choose Copy To File.

Add Trusted Identity Provider at CE 7.2

Open http(s)://<ce72host>:<port>/nwa -> Configuration Management -> Authentication and Single Sign-On -> SAML 2.0 and click on Trusted Providers.
Select the metadata file you have downloaded from ADFS and click Next.
As the metadata is digitally signed, choose the file with the signing certificate you downloaded from ADFS and click Next.
Enter an alias (optional) and click Next.
Leave the default settings and click Next and Finish on the subsequent screens of the wizard. At the end the trusted provider is added but disabled.
This is because the identity federation settings are missing. To add them, click the Edit button, then Add, select the name ID format Unspecified and the source name Logon ID, and confirm with OK. This maps the Name ID value sent by ADFS (the sAMAccountName) to the CE 7.2 user whose Logon ID equals that value; a user without a matching Logon ID is not logged on.
The last step is to save the provider and enable it using the Save and Enable buttons. The icon in the first row should change from grey to green.
With this the trust setup on AS Java (CE) 7.2 is completed.

Setup Redirect Application

In this scenario AS Java 7.2 acts as an intermediate system between ADFS 2.0 and SAP EP 7.0x. That is why we need a simple redirect application which:
- is deployed on AS Java 7.2
- is configured with SAML 2.0 authentication
- redirects to SAP EP 7.0x only after successful authentication

Testing the Scenario
Log in to ADFS, e.g. at https://<adfs20host>/adfs/ls/idpinitiatedsignon.aspx. After authenticating with ADFS, access the redirect application hosted on AS Java CE 7.2 in the same browser window. Here is what happens when the first access is to AS Java 7.2 instead:
1. Access the redirect application on AS Java 7.2.
2. You are redirected to ADFS for authentication.
3. After successful authentication at ADFS, you are returned to AS Java 7.2 with a SAML 2.0 assertion. The assertion is validated and, once you are authenticated with SAML 2.0 at AS Java 7.2, an SAP Logon Ticket is issued (MYSAPSSO2 cookie).
4. You are redirected to SAP EP 7.0x and authenticated with the MYSAPSSO2 cookie issued by AS Java CE 7.2.
Using HttpWatch (or a similar tool) you should be able to see all these redirects; check that the MYSAPSSO2 cookie is set for the DNS domain shared with the Portal and only over HTTPS.
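The redirect application that the Setup Redirect Application section calls for, as an added example that is not code from the original guide or from SAP: a servlet 2.5 class for AS Java (CE) 7.2 that sends an authenticated user to the Portal. The init-param name targetUrl, the optional path query parameter and the web.xml fragment in the header comment are my assumptions; switching the application's login module stack to SAML 2.0 is done in NWA and is not shown here.

```java
// RedirectServlet.java
// Added example, not part of the original guide. Assumptions: the init-param
// "targetUrl", the optional "path" query parameter and the web.xml fragment
// below are mine. The application's authentication stack is switched to
// SAML 2.0 in NWA (Authentication and Single Sign-On), which is not shown.
//
// web.xml (servlet 2.5), assumed: every URL requires an authenticated user,
// so the container runs the SAML 2.0 login before doGet() is reached.
// The role "authenticated" is mapped to a UME group such as Everyone in the
// SAP-specific deployment descriptor (assumption).
//
//   <servlet>
//     <servlet-name>redirect</servlet-name>
//     <servlet-class>RedirectServlet</servlet-class>
//     <init-param>
//       <param-name>targetUrl</param-name>
//       <param-value>https://portalhost.example.com:50001/irj/portal</param-value>
//     </init-param>
//   </servlet>
//   <servlet-mapping>
//     <servlet-name>redirect</servlet-name>
//     <url-pattern>/*</url-pattern>
//   </servlet-mapping>
//   <security-constraint>
//     <web-resource-collection>
//       <web-resource-name>all</web-resource-name>
//       <url-pattern>/*</url-pattern>
//     </web-resource-collection>
//     <auth-constraint><role-name>authenticated</role-name></auth-constraint>
//   </security-constraint>
//   <security-role><role-name>authenticated</role-name></security-role>

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class RedirectServlet extends HttpServlet {

    // Only an absolute http(s) URL without userinfo is accepted as target.
    private static final String TARGET_RE =
        "^https?://[A-Za-z0-9.-]+(:[0-9]+)?(/[^?#]*)?$";
    // A deep link may only be a path: no scheme, no host, no "//" prefix,
    // no backslash, optionally followed by a query string.
    private static final String PATH_RE =
        "^/(?!/)[A-Za-z0-9._~!$&'()*+,;=:@%/-]*(\\?[A-Za-z0-9._~!$&'()*+,;=:@%/?-]*)?$";

    private String target;

    @Override
    public void init() throws ServletException {
        // The Portal URL comes from deployment configuration, never from the
        // request, so the servlet cannot be turned into an open redirector.
        target = getInitParameter("targetUrl");
        if (target == null || !target.matches(TARGET_RE)) {
            throw new ServletException(
                "init-param targetUrl missing or not an absolute http(s) URL");
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The security constraint has already forced the SAML 2.0 login; this
        // check is defence in depth so that a misconfigured constraint never
        // redirects an unauthenticated user.
        if (req.getUserPrincipal() == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                "SAML 2.0 authentication required");
            return;
        }
        String dest = resolveDestination(target, req.getParameter("path"));
        resp.setHeader("Cache-Control", "no-store");
        resp.setHeader("Pragma", "no-cache");
        // The Portal then authenticates the user with the MYSAPSSO2 cookie that
        // CE 7.2 issued during the SAML 2.0 login (Legacy Systems Support).
        resp.sendRedirect(dest);
    }

    /** Target URL plus an optional validated relative path; never a foreign host. */
    static String resolveDestination(String target, String path) {
        if (path == null || !path.matches(PATH_RE)) {
            return target;
        }
        String base = target.endsWith("/")
            ? target.substring(0, target.length() - 1) : target;
        return base + path;
    }
}
```

The only request-controlled input is the optional path, and it is accepted only as a relative path appended to the configured Portal URL; a value such as //attacker.example or https://attacker.example is ignored, so a crafted link cannot launder a freshly issued ticket session into a redirect to another host. The 401 branch is there so that, if the security constraint is ever removed or mis-scoped, the servlet fails closed instead of becoming a redirector that anyone can reach.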