SAML 2.0 Configurations at SAP NetWeaver AS ABAP and Microsoft ADFS



Applies to: SAP Gateway 2.0

Summary

This guide describes how to install and configure SAML 2.0 on a Microsoft ADFS server and an SAP NetWeaver AS ABAP server.

Author(s): Navin Sahadev
Company: SAP Labs India
Created on: 23 July 2014

Author Bio

Navin Sahadev works in SAP Gateway for the Customer Product Success organization and the Infrastructure team at SAP Labs India. He has also worked on Duet and Duet Enterprise. He has more than 9 years of experience in SAP technology.

Table of Contents

1. Overview ... 3
1.1 Target Audience ... 3
2. Introduction ... 3
3. Configuring SAML 2.0 authentication ... 5
3.1 Preparing the System for SAML2 Configuration ... 5
3.2 Configuring Microsoft Active Directory Federation Services (ADFS) ... 7
3.2.1 Prerequisites ... 7
3.2.2 Installing Microsoft ADFS ... 9
3.2.3 Editing ADFS properties ... 12
3.2.4 ADFS: Add a Relying Party Trust ... 13
3.2.5 Configuring Single Sign-On Authentication for IIS ... 18
3.2.6 Exporting IIS certificate ... 20
3.2.7 Exporting ADFS Token signing certificate ... 20
3.2.8 Exporting the ADFS server Metadata ... 21
3.3 Configuring SAP NetWeaver AS ABAP ... 22
3.3.1 Importing Certificates and Clearing Cache ... 22
3.3.2 Configuring SAML Configurations for a specific client ... 22
3.3.3 Importing metadata file of Identity provider ... 24
4. Enabling SAP NetWeaver AS ABAP server to perform User Authentication Using SAML ... 28
5. Appendix ... 29
5.1 Mapping Domain user to an ABAP user ... 29
5.2 Mapping Domain user to SAP NetWeaver AS ABAP user from a Table View ... 30
5.3 User Mapping for the Same User ... 30
6. Trouble Shooting ... 31
Copyright ... 34

1. Overview

This document provides information on how to configure:

o ADFS on Windows Server 2008 R2 (with Basic Authentication)
o SAML 2.0 on SAP NetWeaver AS ABAP 7.02 SP08

1.1 Target Audience

This document aims to assist SAP and Microsoft consultants and system architects who are interested in understanding both the functional and operational modes of SAML 2.0 on an intranet network.

2. Introduction

Using the underlying SAP NetWeaver AS ABAP 7.02 infrastructure, SAP Gateway 2.0 supports the exchange of user authentication and authorization data via SAML 2.0. Security Assertion Markup Language (SAML) 2.0 is an XML-based standard for exchanging authentication and authorization data between an Identity Provider (IdP), the producer of SAML assertions, and a Service Provider (SP), the consumer of assertions. An assertion is a package of information that supplies zero or more statements made by a SAML authority.

For assertions, SAML version 2.0 includes the following authentication response bindings:

o HTTP POST: a push model in which the SAML assertion is transferred to the Service Provider through a browser intermediary.
o HTTP Artifact: a pull model in which the SP retrieves the SAML assertion directly from the IdP using a reference (the artifact, generated by the IdP and passed through the browser).

Along with web-based authentication and authorization, SAML 2.0 also enables cross-domain Single Sign-On (SSO), which reduces the administrative overhead of distributing multiple authentication tokens to the user.

The interactions between a user and SAP Gateway during the SAML 2.0 service-provider-initiated flow are depicted in the following figure:

During the SAML 2.0 service-provider-initiated flow, the following interactions are observed on the user agent side:

1. The user requests a resource (for example, an OData service) from SAP Gateway.
2. On receiving the request, SAP Gateway redirects to the Identity Provider.
3. The user is redirected to the Identity Provider (ADFS).
4. The Identity Provider responds with a 401 (Integrated Windows Authentication or Basic Authentication).
5. The user provides the authentication information.
6. The Identity Provider redirects the user to the Assertion Consumer Service (ACS) endpoint, where your Service Provider receives assertions.
7. The user calls the ACS in SAP Gateway with the SAML artifact.
8. The ACS validates the SAML artifact information with the Identity Provider (ADFS).
   Note: Steps 7 and 8 execute in the background.
9. The ACS redirects the user to the requested SAP Gateway resource.
10. The user requests SAP Gateway resources with the SAML cookie.
11. SAP Gateway responds with a secure SAML cookie. Using this cookie, the user can communicate with SAP Gateway to access resources until the cookie expires.

Note: This document describes configuring SAML HTTP POST. However, you can also configure SAML Artifact. SAML Artifact handling is easier because no CSRF token is involved, and therefore no handling of 403 Forbidden errors is required.
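The checks the Service Provider must pass on a response before it issues the SAML cookie (steps 9 to 11 above, with the HTTP POST binding this document configures) can be seen in a small Python model. This is an added example, not code from the guide or from SAP; the host names, the provider name GW_SP_100, the ACS path and the mapping table are constructed assumptions, and the XML signature check the AS ABAP performs against the imported ADFS token-signing certificate is left out.

```python
import base64
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample of the XML the browser POSTs (base64-encoded) in the
# SAMLResponse form field. Host names, provider name GW_SP_100 and the ACS
# path are assumptions, not values from the guide. The XML signature is
# omitted; the AS ABAP verifies it with the imported ADFS token-signing
# certificate, which this model does not cover.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2014-07-23T10:00:00Z"
    Destination="https://gw.example.corp/sap/saml2/sp/acs/100">
  <saml:Issuer>http://adfs.example.corp/adfs/services/trust</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-07-23T10:00:00Z">
    <saml:Issuer>http://adfs.example.corp/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2014-07-23T09:59:00Z" NotOnOrAfter="2014-07-23T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>GW_SP_100</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

ISSUER = "http://adfs.example.corp/adfs/services/trust"   # the ADFS Federation Service Identifier
ACS_URL = "https://gw.example.corp/sap/saml2/sp/acs/100"  # assumed ACS endpoint of client 100


def saml_post_field(xml_text):
    """Encode a response the way the HTTP POST binding carries it."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def _ts(value):
    """Parse a SAML UTC timestamp such as 2014-07-23T10:00:00Z."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def validate_post_response(post_field, expected_issuer, provider_name, acs_url,
                           now_utc, clock_skew_seconds=120):
    """Run the SP-side checks that must pass before the Name ID is trusted.

    now_utc is a timestamp string in the same format as the assertion.
    Returns (ok, name_id, reasons); reasons lists every failed check.
    """
    reasons = []
    root = ET.fromstring(base64.b64decode(post_field))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        reasons.append("status is not Success")
    if root.get("Destination") != acs_url:
        reasons.append("Destination does not match this ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, None, reasons + ["no Assertion element"]
    if assertion.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        reasons.append("Issuer is not the trusted Identity Provider")
    now = _ts(now_utc)
    skew = dt.timedelta(seconds=clock_skew_seconds)   # Clock Skew Tolerance (section 3.3.2)
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        reasons.append("no Conditions element")
    else:
        if cond.get("NotBefore") and now + skew < _ts(cond.get("NotBefore")):
            reasons.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now - skew >= _ts(cond.get("NotOnOrAfter")):
            reasons.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if provider_name not in audiences:
            reasons.append("Audience does not name this Service Provider")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != UNSPECIFIED or not name_id.text:
        return False, None, reasons + ["NameID missing or not in Unspecified format"]
    return not reasons, name_id.text, reasons


def map_name_id(name_id, mapping, case_sensitive=True):
    """Resolve the SAM-Account-Name sent as Name ID to an ABAP user through a
    mapping table (a stand-in for VUSREXTID maintained in SM30)."""
    if case_sensitive:
        return mapping.get(name_id)
    lowered = {k.lower(): v for k, v in mapping.items()}
    return lowered.get(name_id.lower())


def demo():
    """Validate the constructed response at a time inside its validity window."""
    ok, name_id, reasons = validate_post_response(
        saml_post_field(SAMPLE_RESPONSE_XML), ISSUER, "GW_SP_100", ACS_URL,
        "2014-07-23T10:03:00Z")
    return ok, name_id, reasons, map_name_id(name_id or "", {"jdoe": "JDOE"})
```

The case-sensitivity switch in map_name_id mirrors the note in section 5.1 about checking with the Exchange administrator how user names are cased.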

3. Configuring SAML 2.0 authentication

The configuration steps provided in this document have been executed on the following platform versions:

o Microsoft ADFS 2.0 (Windows Server 2008 R2)
o SAP NetWeaver AS ABAP 7.02 SP08

Note: Depending on the product release version you are working on, the screenshots may appear different.

3.1 Preparing the System for SAML2 Configuration

Before you proceed to configuring SAML 2 on your SAP NetWeaver AS ABAP server, ensure you have met the following requirements:

Ensure that the secure socket communication (HTTPS) port number is 443 or that the communication port you are using has superuser (root) authority. To give the SAP system root authority for the port, perform the following steps:

a) Change the ownership of the program icmbnd in the directory /usr/sap/<sid>/sys/exe/run using the command chown root:sapsys icmbnd.
b) Check that the profile parameter for your web server is set in the instance profile. In this case, the value is icm/server_port_2 = PROT=HTTPS,PORT=443,TIMEOUT=30,EXTBIND=1.
c) Restart the SAP server instance.

Note: The SAP system achieves this by using a process called icmbnd. This process runs with root user authority and binds to the required port. It then returns the listening socket to the SAP server instance, which can then communicate using that port.

Install SAPCRYPTOLIB (http://help.sap.com/saphelp_nw70ehp2/helpdata/en/49/236897bf5a1902e10000000a42189c/frameset.htm). Before you start using SAML 2.0, we recommend that you install the latest SAP crypto library to enable SSL and provide signing and encryption functionality.

Note: You can use different versions of SAPCRYPTOLIB for different operating systems.

When Gateway applications are accessed using a client browser, it is essential that SAML 2.0 authentication preserves the original HTTP GET method. Thus, SAML 2.0 Artifact binding must be used instead of POST.

ICM should be able to load the crypto functionality in order to establish SSL connections for back-channel system-to-system communication to the IdP. If you have the latest version of the kernel, you can avoid importing the crypto library. In Transaction STRUST, select Environment > Display SSF Version.

Ensure that the profile parameters are set. You are required to set the following profile parameters on the instance of the application server:

ssf/name          = SAPSECULIB
ssf/ssfapi_lib    = <Path and file name of the SAPCRYPTOLIB>
sec/libsapsecu    = <Path and file name of the SAPCRYPTOLIB>
ssl/ssl_lib       = <Path and file name of the SAPCRYPTOLIB>
icm/server_port_x = PROT=HTTPS,PORT=0

For more information on the configuration steps, see SAP Note 510007.

Activate secure session management to enable SAML 2.0 on the client(s) of the server. To activate security session management on the client(s), perform the following steps:

1. Start Transaction SICF_SESSIONS.
2. Choose the corresponding client.
3. Select Activate.

Ensure that the following services are activated in Transaction SICF:

o /sap/bc/webdynpro/sap/saml2
o /sap/public/bc
o /sap/public/bc/ur
o /sap/public/myssocntl
o /sap/public/ping
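As an added example (not from the guide or from SAP), the following Python check reads an instance profile as text and verifies the parameters listed above, including the icmbnd condition from section 3.1 that an HTTPS port below 1024 needs EXTBIND=1. The profile fragments, the SID GW1 and the library path are constructed.

```python
# Constructed sample instance profile fragments; SID and paths are placeholders.
GOOD_PROFILE = """\
# constructed instance profile fragment (not a real system)
ssf/name = SAPSECULIB
ssf/ssfapi_lib = /usr/sap/GW1/SYS/exe/run/libsapcrypto.so
sec/libsapsecu = /usr/sap/GW1/SYS/exe/run/libsapcrypto.so
ssl/ssl_lib = /usr/sap/GW1/SYS/exe/run/libsapcrypto.so
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/server_port_2 = PROT=HTTPS,PORT=443,TIMEOUT=30,EXTBIND=1
"""

# Same system with ssl/ssl_lib forgotten and EXTBIND missing on port 443.
BAD_PROFILE = """\
ssf/name = SAPSECULIB
ssf/ssfapi_lib = /usr/sap/GW1/SYS/exe/run/libsapcrypto.so
sec/libsapsecu = /usr/sap/GW1/SYS/exe/run/libsapcrypto.so
icm/server_port_2 = PROT=HTTPS,PORT=443,TIMEOUT=30
"""

CRYPTOLIB_PARAMS = ("ssf/ssfapi_lib", "sec/libsapsecu", "ssl/ssl_lib")


def parse_profile(text):
    """Parse 'parameter = value' lines; '#' starts a comment. Values may contain '='."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def parse_icm_port(value):
    """Split 'PROT=HTTPS,PORT=443,EXTBIND=1' into a dict keyed by upper-cased option."""
    opts = {}
    for part in value.split(","):
        if "=" in part:
            k, v = part.split("=", 1)
            opts[k.strip().upper()] = v.strip()
    return opts


def check_saml_profile(text):
    """Return a list of problems; an empty list means the profile meets section 3.1."""
    params = parse_profile(text)
    issues = []
    if params.get("ssf/name") != "SAPSECULIB":
        issues.append("ssf/name must be SAPSECULIB")
    libs = {p: params.get(p) for p in CRYPTOLIB_PARAMS}
    issues += ["%s is not set" % p for p, v in libs.items() if not v]
    if len({v for v in libs.values() if v}) > 1:
        issues.append("crypto library parameters point to different files")
    https_ports = []
    for key, value in params.items():
        if key.startswith("icm/server_port_"):
            opts = parse_icm_port(value)
            if opts.get("PROT", "").upper() == "HTTPS":
                https_ports.append((key, opts))
    if not https_ports:
        issues.append("no icm/server_port_<x> with PROT=HTTPS: SAML 2.0 needs an HTTPS port")
    for key, opts in https_ports:
        port = int(opts.get("PORT", "0"))
        # Ports below 1024 are privileged; without EXTBIND=1 the ICM cannot
        # hand the bind to the root-owned icmbnd helper described in section 3.1.
        if 0 < port < 1024 and opts.get("EXTBIND") != "1":
            issues.append("%s binds privileged port %d without EXTBIND=1" % (key, port))
    return issues
```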

Download and apply the SAP Notes that fix SAML 2.0 related issues in SP6-SP8 (SAP NetWeaver ABAP 7.02):

o SAP Note 1607892 fixes an error in the SAML 2.0 UI (trusted provider wizard) when choosing a previously installed certificate (F4 help button) from the Address Book.
o SAP Note 1590701 provides support for SAML 2.0 authentication when a reverse proxy is used. The following settings should be made in the proxy configuration:
  i. Set the Client Protocol header value to https.
     SAP Web Dispatcher: configure wdisp/add_client_protocol_header=true
     Apache proxy: add the line RequestHeader set ClientProtocol https
  ii. Set the Host header value.
     SAP Web Dispatcher will always preserve the Host header.
     Apache proxy: add the line ProxyPreserveHost on
  The proxy notifies SAP Gateway of the called scheme and host details.

Note: For information on SAP Notes corresponding to other SAP NetWeaver AS ABAP releases, see Troubleshooting SAML 2.0 Scenarios.

3.2 Configuring Microsoft Active Directory Federation Services (ADFS)

This section provides information on how to configure SAML 2.0 on Microsoft Active Directory Federation Services (ADFS).

3.2.1 Prerequisites

Before you proceed to configuring SAML 2.0 on ADFS, ensure you have set up the environment by performing the following:

Microsoft ADFS download: To download Microsoft ADFS version 2.0 on the ADFS server, follow this link: http://www.microsoft.com/en-us/download/details.aspx?id=10909

Create a service user at the Exchange server level. Using this procedure, you create a user on the Microsoft Exchange server:

1. Create a service user on the Exchange server.
2. Add this user to the Domain Admins group.
3. Optionally, add a Service Principal Name (SPN). In a command prompt, execute the command setspn -a host/<adfs server FQDN> <User>.

Assign the policies to the service user. Using this procedure, you assign the user the required rights and policies:

1. On the ADFS server, add the service user to the Administrators group.
2. Log on with this service user and perform the following configuration:
   a. Go to Start > Run > gpedit.msc.
   b. Select Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
   c. Add the service user to the policy settings for the following two policies:
      o Log on as a batch job
      o Log on as a service

Install Internet Information Services (IIS) and Application Server through Server Manager on the ADFS server. Ensure that the World Wide Web Publishing Service is running (go to Start > Run > services.msc).

Create a self-signed certificate in IIS (ADFS Server). To create a trusted certificate in IIS (ADFS Server), perform the following steps:

1. Go to Start > Run > inetmgr.
2. Select the root node > Server Certificates.
3. Select Create Certificate Request and enter all the required details.
4. Have it trusted (signed) by one of the CAs.
5. Select Complete Certificate Request.

3.2.2 Installing Microsoft ADFS

To install the Microsoft ADFS server, perform the following steps:

1. Run setup.exe.
2. Select Next.
3. Select the check box to accept the license and select Next.
4. Select Federation server and select Next.
5. Install the prerequisites and select Next.
6. Select Start the ADFS 2.0 Management snap-in when this wizard closes and select Finish.
7. Select ADFS 2.0 Federation Server Configuration Wizard.
   Note: You can also launch ADFS 2.0 Management from Start > Programs > Administrative Tools > ADFS 2.0 Management.
8. Select Create a new Federation Service and select Next.
9. Select New federation server farm and select Next.
10. ADFS searches for the IIS SSL server certificate and auto-fills the certificate fields; select Next.
11. Enter the user and password and select Next.
12. Select Next on the subsequent screens to finish the installation.

3.2.3 Editing ADFS properties

1. Go to Start > All Programs > Administrative Tools and select ADFS 2.0 Management.
2. Right-click the Service node and select Edit Federation Service Properties.
3. Confirm that the General settings match the DNS entries and certificate names. Take note of the Federation Service Identifier, as this is used in the Service-Now SAML 2.0 configuration settings.
4. Navigate to ADFS 2.0 > Service > Endpoints and enable the endpoint URL /adfs/services/trust/artifactresolution.

3.2.4 ADFS: Add a Relying Party Trust

1. Browse to the SAP NetWeaver AS ABAP URL https://<proxy_host>:<proxy_port>/sap/bc/webdynpro/sap/saml2?sap-client=<abap client>. Alternatively, you can access the SAML2 UI through the proxy host. On the SAML2 ABAP window, select Metadata and save it as a local file.
2. Select Required: Add a trusted relying party.

3. Select Import data about the relying party from a file and select Browse to navigate to the ABAP metadata file saved in step 5.
4. Copy the provider name from the following URL: https://<proxy_host>:<proxy_port>/sap/bc/webdynpro/sap/saml2?sap-client=<abap client>. In the Display name field, enter this provider name.
5. Select Next.
6. Select Permit all users to access the relying party and select Next.
7. Select Next.
8. Select Close.
9. Select Add Rule.
10. Under Claim rule template, select Send LDAP Attributes as Claims and select Next.
11. On the Configure Rule screen, perform the following sub-steps:
    a. In the Claim rule name field, enter a claim rule name.
    b. Under Attribute store, select Active Directory.
    c. In Mapping of LDAP attributes to outgoing claim types: under LDAP Attribute, select SAM-Account-Name; under Outgoing Claim Types, select Name ID.
    d. Select Finish.
12. Select Apply.

The following screen appears with the configured rule name.

13. (Optional) You can choose either the SHA-1 or the SHA-256 algorithm to establish a secure trust. To do this, perform the following steps:
    a) Under Trust Relationships, select Relying Party Trusts.
    b) On the right-hand side, under Relying Party Trusts, right-click a Relying Party Trust. (For example, in the following screenshot the option selected is XX_New.)
    c) On XX_New, select the Advanced tab.
    d) Under Secure hash algorithm, select SHA-1 or SHA-256 according to your security trust environment.
    e) Select Apply and OK.

3.2.5 Configuring Single Sign-On Authentication for IIS

The following section provides information on how to configure Single Sign-On for Basic Authentication.

Note: If you are using Integrated Windows Authentication, ignore this section.

To configure SSO for IIS, perform the following steps:

1. Navigate to Sites > Default Web Site > adfs, right-click ls and select Explore.
2. Open the web.config file in Notepad.
3. In localauthenticationtypes, comment out the following lines:
   <add name="integrated" page="auth/integrated/" />
   <add name="forms" page="formssignin.aspx" />
   <add name="tlsclient" page="auth/sslclient/" />
   Note: By commenting out the above lines, the ADFS application authenticates at the login page before attempting to use Windows Authentication.
4. Save the web.config file.
5. Check that Basic Authentication is enabled for the site.
6. Open a command prompt and enter the command iisreset.
7. To test SSO, navigate to https://<hostname FQDN>/adfs/ls/IdpInitiatedSignon.aspx and perform the following sub-steps:
   a. Select Sign in to this site.
   b. Select Continue to Sign In.
   c. On the Authentication Required pop-up, enter the ADFS domain user name and password. You are logged on to the configured relying party trust site.

3.2.6 Exporting IIS certificate

To export the IIS certificate from the ADFS server, perform the following steps:

1. Log on to the ADFS server.
2. Go to Start > Run > mmc.
3. Add the Certificates snap-in.
4. Select Computer Account and select OK.
5. Under Trusted Root Certificate Authorities > Certificates, search for the IIS certificate.
6. Export the certificate in DER encoded binary X.509 (.CER) format.

3.2.7 Exporting ADFS Token signing certificate

To export the ADFS token-signing certificate, perform the following steps:

1. Log on to the ADFS server.
2. Go to Start > All Programs > Administrative Tools > ADFS 2.0 Management.
3. Navigate to Service > Certificates.
4. In the right-hand panel, under Token-signing, double-click the certificate.
5. On the Certificate window, select the Details tab.
6. Select Copy to File and select Next.
7. Select Base-64 encoded X.509 (.CER).
8. Select Next on the subsequent screens to export the certificate.

3.2.8 Exporting the ADFS server Metadata

From the ADFS server, you can export the metadata file used to build a secure trust with the relying party from the following URL: https://<hostname FQDN>/FederationMetadata/2007-06/FederationMetadata.xml
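Before the metadata is imported on the ABAP side (section 3.3.3), it is worth inspecting what ADFS publishes and confirming that the token-signing certificate exported in section 3.2.7 is the one the metadata carries. The following Python is an added example, not code from the guide, from SAP or from Microsoft; the host name, the trimmed metadata sample and the placeholder certificate bytes are constructed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"

# Constructed placeholder for the token-signing certificate. Real metadata
# carries the DER-encoded certificate in base64; these bytes are not a certificate.
PLACEHOLDER_DER = b"PLACEHOLDER-TOKEN-SIGNING-CERT"

# Constructed, trimmed stand-in for FederationMetadata.xml; the host name is an assumption.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.corp/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>%s</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://adfs.example.corp/adfs/services/trust/artifactresolution" index="0"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.corp/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.corp/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>""" % base64.b64encode(PLACEHOLDER_DER).decode("ascii")


def parse_idp_metadata(xml_text):
    """Extract what the AS ABAP trusted-provider wizard reads from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not Identity Provider metadata")
    signing = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a use attribute applies to signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            signing.append(base64.b64decode("".join(cert.text.split())))
    sso = {e.get("Binding"): e.get("Location")
           for e in idp.findall("md:SingleSignOnService", NS)}
    ars = {e.get("Binding"): e.get("Location")
           for e in idp.findall("md:ArtifactResolutionService", NS)}
    return {"entity_id": root.get("entityID"), "sso": sso,
            "artifact_resolution": ars, "signing_certs": signing}


def fingerprint(der):
    """SHA-256 over the DER bytes, the value to compare with the certificate shown in STRUST."""
    return hashlib.sha256(der).hexdigest()


def pem_to_der(pem_text):
    """Decode a Base-64 encoded X.509 (.CER) export as produced in section 3.2.7."""
    body = [ln.strip() for ln in pem_text.splitlines()
            if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def exported_cert_matches(meta, pem_text):
    """True when the exported token-signing certificate is one of the signing
    certificates published in the metadata (guards against a stale export)."""
    return fingerprint(pem_to_der(pem_text)) in {fingerprint(c) for c in meta["signing_certs"]}


def sample_pem():
    """Constructed .CER content wrapping the placeholder bytes."""
    b64 = base64.b64encode(PLACEHOLDER_DER).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64


def readiness_report(meta, want_binding=HTTP_POST):
    """Checks the guide relies on: the binding chosen in section 3.3.3 step 11 and
    the artifact resolution endpoint enabled in section 3.2.3 step 4."""
    problems = []
    if want_binding not in meta["sso"]:
        problems.append("IdP publishes no SingleSignOnService for " + want_binding)
    if SOAP not in meta["artifact_resolution"]:
        problems.append("artifact resolution endpoint not published; HTTP Artifact will fail")
    if not meta["signing_certs"]:
        problems.append("no signing certificate; assertions cannot be verified")
    return problems
```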

3.3 Configuring SAP NetWeaver AS ABAP

This section provides information on how to configure SAML 2.0 on the SAP NetWeaver AS ABAP server.

3.3.1 Importing Certificates and Clearing Cache

Before you proceed to configure SAML 2.0 on the SAP NetWeaver AS ABAP server, import the downloaded IIS certificate and clear the cache by performing the following steps:

1. Import the ADFS IIS certificate into the SAP NetWeaver ABAP server. To import the IIS certificate, go to Transaction STRUST and select SSL Client (Standard).
2. Once the certificates are imported, go to Transaction SMICM.
3. Select Administration > ICM > Exit Soft > Local.

3.3.2 Configuring SAML Configurations for a specific client

To configure SAML 2.0 for a specific SAP NetWeaver ABAP client, perform the following steps:

1. Go to Transaction SAML2 and select Enable SAML 2.0 Support.
2. Enter the Provider Name and select Next.
3. In General Settings, enter a value for Clock Skew Tolerance.
4. In the Service Provider Settings, choose Automatic for Selection Mode.
5. Select Finish.
6. Select Edit > Include Certificate in Signature to establish the connection between the SAP NetWeaver AS ABAP server and Microsoft ADFS.
7. Select Metadata to export the metadata.
8. Save a local copy of the metadata to share this information with the Identity Provider.
9. In the Service Provider settings tab, you can view the configuration details.

3.3.3 Importing metadata file of Identity provider

To import the metadata file of the Identity Provider, perform the following steps:

1. Select the Trusted Providers tab and select Identity Providers under Show.
2. Select Add > Upload Metadata File.
3. On the Metadata Verification screen, select Upload from file > Browse to the ADFS IIS certificate. For information on how to export the IIS certificate of ADFS, see section 3.2.6 Exporting IIS certificate.
4. Select Next.
5. On the Provider Name screen, the Name field is pre-filled; select Next.
6. On the Signature and Encryption screen, under Artifact Profile, set Require Signature to Never.
7. Select Next.
8. On the Single Sign-On Endpoints screen, select Next.
9. On the Single Logout Endpoints screen, select Next.
10. On the Artifact Endpoints screen, select Next.
11. Select Binding as HTTP POST and select Finish.
    Note: Depending on your scenario, you can select Binding HTTP Artifact.
12. Under List of Trusted Providers, select Edit.
13. Select the Identity Federation tab and select Add to add a Name ID.
    Note: For the Unspecified Name ID format, you can select the Source as Logon ID (ABAP User ID), Logon Alias (ABAP Alias, through Transaction SU01) or Mapping in USREXTID Table (Mapping in table VUSREXTID). It is recommended not to use the USREXTID table. If you do use the USREXTID table, complete the steps in the Appendix section.
14. Select Save.
15. To enable the Trusted Provider, select Enable.

4. Enabling SAP NetWeaver AS ABAP server to perform User Authentication Using SAML

This section provides information on how to enable SAML on one of the services. To enable the SAP NetWeaver server to perform user authentication using SAML, perform the following steps:

1. Go to Transaction SICF.
2. Navigate to the sap/opu/odata/iwfnd/catalogservice service and select Edit.
3. Select the Logon Data tab and perform the following sub-steps:
   a) Set the Procedure field to Alternative Logon Procedure.
   b) Set Security Requirement to SSL.
   Once the Alternative Logon Procedure has been set, you can scroll down within the Logon Data tab area to see a list of Logon Procedures. By default, SAML Logon is item 7 in the list. To change this order, simply overtype the number in the left-hand column with 1 (or 2).

4. To change this order, overwrite the number in the left-hand No column. The list is automatically sorted according to the new order, but Logon Through HTTP Fields will always be item one.
5. Save your changes.
6. Go to Transaction SAML2; on the Trusted Providers tab, select Disable and then Enable again.

On executing the Gateway service, the client is redirected to the logon screen of the external SAML 2.0 IdP server.

Note: To test the service, edit the following link with your server details: https://<fqdn>:<port>/sap/opu/odata/iwfnd/catalogservice/?sap-client=<client no>&$format=xml

5. Appendix

This section provides information on how to map a domain user to an ABAP user on the SAP NetWeaver AS ABAP server. We use the Unspecified Name ID format with the Source set to Mapping in USREXTID Table (Mapping in table VUSREXTID).

5.1 Mapping Domain user to an ABAP user

To map a domain user to an ABAP user through Transaction SAML2, perform the following steps:

1. Select the Name ID Management tab and search for the ABAP user.
2. Select the Name ID Format as Unspecified and select Go.
3. Under the list of Trusted Providers, select a Provider name.
4. Select Add to map the Windows user to the SAP user.

Note: Check with your Exchange server administrator whether the user name is case sensitive (uppercase or lowercase).

5.2 Mapping Domain user to SAP NetWeaver AS ABAP user from a Table View

Alternatively, you can also map the user from the table view in SAP NetWeaver AS ABAP. To do this, perform the following steps:

1. Go to Transaction SM30 and enter the table/view VUSREXTID.
2. Select Maintain.
3. In the Determine Work Area pop-up, set External ID type to SA.
4. Select Continue. You will find the entries added to the table. If entries are missing, you can add new entries by selecting New Entries.

5.3 User Mapping for the Same User

User mapping maps a user ID on the domain server to the user ID on the SAP NetWeaver AS ABAP server for the same user.

1. If the saml:assertion/saml:subject/saml:nameidentifier element contains the SAP user ID, go to Transaction SA38.
2. On the Program Execution screen, enter RSUSREXTID as the Program. Using this, you can create mappings for all users or a subset of users. For more information, see SAP Note 1254821.

Note: You can get the Identity Provider name from the SAML2 transaction screen. Once you have mapped the user ID, perform a check by selecting Test Mode. Once you have checked the user mapping entries for correctness in the table view, ensure that you uncheck Test Mode.

6. Trouble Shooting

The following section provides information on how to troubleshoot issues encountered while configuring SAML 2.0. To debug SAML at SAP NetWeaver ABAP, see the following links:

a. Troubleshooting SAML 2.0 Scenarios
b. Common Problems encountered when configuring SAML 2.0 for AS ABAP
c. Single Sign on With SAML 2.0
d. http://wiki.scn.sap.com/wiki/display/bsp/using+proxies

For debugging the SAML flow, activate the following service at SAP NetWeaver ABAP. Refer to Diagnosing SAML 2.0 Problems with the Security Diagnostic Tool for ABAP, and ensure you have the SEC_DIAG_TOOL_VIEWER role assigned to your user to view traces at the following link: https://<hostname>:<port>/sap/bc/webdynpro/sap/sec_diag_tool

To test whether the SAP NetWeaver ABAP server can be pinged successfully via a browser, use the following URL: https://<hostname>:<port>/sap/public/ping

By default, Internet Explorer (IE) 9 is the corporate portal (SAP Java stack) web browser. We need to either disable the default portal at the launch of IE or remove the logon modules from the ABAP services. From the list of Logon Procedures, delete both Logon Tickets and Assertion Tickets.

If you want to expose SAP NetWeaver ABAP on Cisco ACE hardware due to rerouting, change the SAML2 service settings.

You can check the SAML flow in your web browser. We recommend checking the SAML flow using Google Chrome. Once the browser is open, press the F12 key and enter the SAP NetWeaver Gateway service URL.

On the domain controller (Microsoft Exchange Server), run the setspn commands:

setspn -l <service account>          (to list the registered SPNs for the account)
setspn -d <host> <service account>   (to delete an SPN)

To debug ADFS, you can view the logs from Start > Run > eventvwr on the ADFS server.

Copyright

2014 SAP SE or an SAP SE affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE. The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP SE and its affiliated companies ("SAP SE Group") for informational purposes only, without representation or warranty of any kind, and SAP SE Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP SE and other SAP SE products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.