Single Sign-On between SAP Portal and SuccessFactors
Dimitar Mihaylov
7/1/2012

Contents
1. Overview
2. Trust between SAP Portal 7.3 and SuccessFactors
2.1. Initial configuration in SAP Portal 7.3
2.2. Add SuccessFactors system as trusted SAML 2.0 service provider
2.3. Add Portal 7.3 as a trusted identity provider in SuccessFactors
2.4. Create in SAP Portal a URL iview to SuccessFactors
3. Additional configuration required for SAP Portal 7.0x
3.1. Establish trust between the AS Java 7.3 system (IDP) and the SAP Portal 7.0x
3.2. Enable authentication with SAP Logon Tickets in the IDP
4. User Mapping
5. Troubleshooting
5.1. Security Troubleshooting Wizard on AS Java 7.2/7.3
5.2. Web Diagnostic Tool on SAP Portal 7.0x
5.3. SuccessFactors
Copyright
1. Overview
This document describes how to enable single sign-on from a customer's on-premise SAP Portal to SuccessFactors. Single sign-on is based on standard SAML 2.0 mechanisms, and the Identity Provider of SAP NetWeaver Single Sign-On is used. For simplicity, the example setup assumes that the user IDs in SAP Portal and SuccessFactors are the same. However, you can set up the same scenario when the user IDs in the two systems are different, as briefly described in section 4 of this document.

You can configure a direct trust relationship between the systems if you are using SAP Portal 7.3. In this case, the SAP Portal can act directly as the SAML 2.0 identity provider (IDP), and the SuccessFactors system acts as the SAML 2.0 service provider (SP).

If you are using SAP Portal 7.0x, an additional SAP NetWeaver Application Server Java 7.2 or 7.3 is required.

Note: In order for an SAP NetWeaver Application Server Java 7.2 or 7.3 to act as a SAML 2.0 identity provider, you need to install the IDMFEDERATION software component (SCA), which is included in both SAP NetWeaver Single Sign-On and SAP NetWeaver Identity Management.
2. Trust between SAP Portal 7.3 and SuccessFactors
2.1. Initial configuration in SAP Portal 7.3
Open http(s)://<portalhost>:<port>/nwa -> Configuration -> Authentication and Single Sign-On. Select the SAML 2.0 tab and click the Enable SAML 2.0 Support button.

Enter the name of the local provider and select the operational mode Identity Provider. Click the Browse button for the signing key-pair. A signing key-pair should be generated for the local provider; it will be used as the encryption key-pair as well.
The next steps (Step 1 to Step 4) are shown in screenshots that are not reproduced in this text.

Continue with the initial wizard. Use the default settings (they might differ from the screenshot) and click Finish.
2.2. Add SuccessFactors system as trusted SAML 2.0 service provider
Click the Trusted Providers link. Click Add and select Manually.

Enter the name of the service provider. Check the information provided by SuccessFactors for the correct name; in most cases this is https://www.successfactors.com. After entering the name, click Next to continue. Click Browse to select the signing and encryption certificates.
Click Import Entry to upload the certificate provided by SuccessFactors. Select type X.509 Certificate, find the file, and click Import.
Select the newly imported certificate and click OK. Select the same certificate as an encryption certificate and click Next.
Add an Assertion Consumer Service. Note: Check the documentation provided by SuccessFactors for the correct URL. Optionally you may also add a Single Logout Service.
Do not enter other endpoints. Click Next until the end of the wizard, then click Finish. Click Edit, then click Add under Supported Name ID Formats. Select the format Unspecified and the source Logon ID.

Afterwards, click OK, Save, and Enable.
2.3. Add Portal 7.3 as a trusted identity provider in SuccessFactors
In order to perform the next steps, you need to have a provisioning account in SuccessFactors. If you do not have this yet, the SuccessFactors administrators have to establish the trust relationship. As a first step, you need to export the signing certificate of the Portal 7.3 identity provider. Open NetWeaver Administrator and go to Configuration -> Certificates and Keys.
Select the view SAML2 and the entry portal73-cert. Then click Export Entry. Select the export format to be Base64 and click Download.
Save the file and open it with a text editor. The content should look like this:

Now that you have the signing certificate, you can start with the configuration in the SuccessFactors system. There, open the Single Sign-On (SSO) Settings:

The minimal set of settings is the following: The SAML Issuer field has to be the same as the name of the identity provider entered in the SAP Portal 7.3 system. The SAML Asserting Party Name is just an alias and could have any value. In SAML Verifying Certificate, paste the signing certificate you have exported from the identity provider. Finally, do not forget to click the Add an asserting party button.

To enable the SAML login, you also have to enter a Reset Token and save it.

2.4. Create in SAP Portal a URL iview to SuccessFactors
Enter the host name of the SAP Portal 7.3 system and the path /saml2/idp/sso. Edit the newly created iview, then add two parameters: saml2sp and RelayState. In our case, they have the following values:
saml2sp: https://www.successfactors.com
RelayState: https://salesdemo4.successfactors.com/xi/ui/home/pages/home.xhtml

Please note that you need to consult the SuccessFactors documentation to find the correct values for your configuration. Save the changes and close the iview.

Now you can test your configuration by logging in with a user that has accounts in both SAP Portal and SuccessFactors, then navigating to this URL iview. You may change the options of the URL iview, for example to open the SuccessFactors application in a new browser window.
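As an added example (not part of the SAP document), the following Python script assembles the IdP-initiated SSO URL that the URL iview above resolves to, parses it back, and sanity-checks the two parameters. The portal host name portal73.corp.example.com is a constructed sample; the path /saml2/idp/sso and the saml2sp and RelayState values come from the document. The check that RelayState points into the service provider's own domain is an added consistency check, not a requirement stated in the document.

```python
"""Build, parse and sanity-check the IdP-initiated SSO URL used by the
SAP Portal 7.3 URL iview to SuccessFactors.

Added example, not part of the SAP document. The portal host name is a
constructed sample; the SSO path and the parameter values are the ones
given in the document."""

from urllib.parse import urlencode, urlsplit, parse_qs

# Path of the SAML 2.0 identity provider's SSO endpoint on AS Java (from the document).
IDP_SSO_PATH = "/saml2/idp/sso"


def build_idp_sso_url(portal_host: str, saml2sp: str, relay_state: str) -> str:
    """Return the URL the iview targets: the IdP SSO endpoint with both parameters
    percent-encoded, so the embedded URLs survive as single query values."""
    query = urlencode({"saml2sp": saml2sp, "RelayState": relay_state})
    return f"https://{portal_host}{IDP_SSO_PATH}?{query}"


def parse_idp_sso_url(url: str) -> dict:
    """Split an iview URL back into host, path and the two SAML parameters."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    return {
        "host": parts.hostname,
        "path": parts.path,
        "saml2sp": query.get("saml2sp", [None])[0],
        "RelayState": query.get("RelayState", [None])[0],
    }


def check_iview_parameters(saml2sp: str, relay_state: str) -> list:
    """Return a list of problems with the parameter values; an empty list means
    they are consistent with each other."""
    problems = []
    sp = urlsplit(saml2sp)
    rs = urlsplit(relay_state)
    if sp.scheme != "https" or not sp.hostname:
        problems.append("saml2sp must be an absolute https URL (the SP entity ID)")
    if rs.scheme != "https" or not rs.hostname:
        problems.append("RelayState must be an absolute https URL")
    # Added check (not from the document): after authentication the IdP sends
    # the browser to RelayState, so it should stay inside the SP's own domain.
    if sp.hostname and rs.hostname:
        sp_domain = sp.hostname[4:] if sp.hostname.startswith("www.") else sp.hostname
        if not (rs.hostname == sp_domain or rs.hostname.endswith("." + sp_domain)):
            problems.append(f"RelayState host {rs.hostname} is outside the SP domain {sp_domain}")
    return problems


if __name__ == "__main__":
    url = build_idp_sso_url(
        "portal73.corp.example.com",  # constructed sample host
        "https://www.successfactors.com",
        "https://salesdemo4.successfactors.com/xi/ui/home/pages/home.xhtml",
    )
    print(url)
    print(parse_idp_sso_url(url))
    print(check_iview_parameters("https://www.successfactors.com",
                                 "https://salesdemo4.successfactors.com/xi/ui/home/pages/home.xhtml"))
```

Running the script prints the assembled URL, the parsed fields and an empty problem list for the document's values; swapping RelayState for an http URL or a host outside successfactors.com yields a non-empty list.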
3. Additional configuration required for SAP Portal 7.0x
If you have an SAP Portal 7.0x version, the Identity Provider cannot be deployed on this system directly. You need an additional SAP NetWeaver Application Server Java 7.2 or 7.3 for the Identity Provider. Apart from that, the scenario is identical to the one previously described. The difference is that the user will first authenticate to the SAP Portal 7.0x system, and then navigate to the IDP in order to get a SAML 2.0 assertion to access the SuccessFactors system.

To establish single sign-on between the SAP Portal 7.0x and the IDP, we will use the SAP Logon Ticket, which the SAP Portal 7.0x issues by default. This ticket is returned to the browser as a domain cookie with the name MYSAPSSO2. Please note that both systems, SAP Portal 7.0x and IDP, have to be in the same domain for the cookie to be sent to the IDP.
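The same-domain requirement above can be checked before the installation is touched. The following Python script is an added example, not part of the SAP document: it applies the cookie domain-matching rule of RFC 6265 to decide whether a MYSAPSSO2 domain cookie set by the portal would be sent by the browser to the IDP host. All host names and the cookie domain are constructed samples; the document does not specify which domain the portal uses for the cookie, so it is passed in explicitly.

```python
"""Check whether the MYSAPSSO2 domain cookie issued by SAP Portal 7.0x would be
sent by the browser to the SAML 2.0 identity provider host.

Added example, not part of the SAP document. Host names and the cookie domain
are constructed samples. Implements the RFC 6265 (section 5.1.3) domain-match
rule for host names (IP addresses are not handled)."""


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """True if a cookie with the given Domain attribute is sent to request_host:
    the host equals the domain, or ends with "." + domain."""
    host = request_host.strip().lower().rstrip(".")
    domain = cookie_domain.strip().lower().lstrip(".").rstrip(".")
    if not host or not domain:
        return False
    if host == domain:
        return True
    # The label boundary matters: idpcorp.example.com does not match corp.example.com.
    return host.endswith("." + domain)


def logon_ticket_reaches_idp(portal_host: str, idp_host: str, cookie_domain: str) -> bool:
    """Two conditions must hold for the SAP Logon Ticket to arrive at the IDP:
    1. the browser accepts the cookie at all, which requires the issuing portal
       host to domain-match the Domain attribute it sets;
    2. the IDP host domain-matches the same Domain attribute."""
    if not domain_matches(portal_host, cookie_domain):
        return False
    return domain_matches(idp_host, cookie_domain)


if __name__ == "__main__":
    # Constructed sample deployment: portal and IDP under corp.example.com,
    # plus an IDP in an unrelated domain that will not receive the cookie.
    portal = "portal70.corp.example.com"
    cookie_domain = "corp.example.com"
    for idp in ("idp.corp.example.com", "idp.hr-cloud.example"):
        ok = logon_ticket_reaches_idp(portal, idp, cookie_domain)
        print(f"{idp}: MYSAPSSO2 {'is' if ok else 'is NOT'} sent (cookie domain {cookie_domain})")
```

If the check reports that the IDP is outside the cookie domain, the IDP has to be given a host name under the portal's domain (or the portal's cookie domain widened to a common parent) before the trust configuration in section 3.1 can work.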
3.1. Establish trust between the AS Java 7.3 system (IDP) and the SAP Portal 7.0x
You should configure the IDP system to trust SAP Logon Tickets issued by the SAP Portal 7.0x system. Go to NetWeaver Administrator -> Configuration -> Trusted Systems. Connect to the Portal 7.0x system to obtain its signing certificate. First click the Add Trusted Systems button and select the option By Querying Trusted System. If you have previously exported the certificate, you may also use the other option.

Enter the connection data for the SAP Portal 7.0x system. Confirm the creation of the trust relationship by clicking Finish.
Now you will see that the system was added to the list of trusted systems.
3.2. Enable authentication with SAP Logon Tickets in the IDP
By default, the IDP will accept authentication with user name and password. In order to enable authentication with SAP Logon Tickets, open the SAML 2.0 configuration. In Local Provider, select the tab Identity Provider Settings.

Click Edit and go to the table Supported Authentication Contexts. Select SAPLogonTicket. Select Default HTTPS Authentication Contexts from Copy to. Save the changes. The list of Default HTTP Authentication Contexts should contain SAPLogonTicket as shown in the screenshot.
4. User Mapping
If the user identifiers in the SAP Identity Provider (IDP) and the SuccessFactors system are not identical, you can configure a user mapping on the identity provider side. Please note that the user ID for the SuccessFactors system has to be available as a user attribute in the User Management Engine (UME) of the IDP. Change the following configuration: In the SAML 2.0 configuration UI, select Trusted Providers -> <SuccessFactors system> -> Identity Federation. Select the source User Attribute, then enter the name of the attribute. In our case, this is sfuserid.

Note: This is the only configuration change you have to perform for user mapping.
5. Troubleshooting
5.1. Security Troubleshooting Wizard on AS Java 7.2/7.3
See SAP Note 1332726 - https://service.sap.com/sap/support/notes/1332726.

5.2. Web Diagnostic Tool on SAP Portal 7.0x
See SAP Note 1045019 - https://service.sap.com/sap/support/notes/1045019.

5.3. SuccessFactors
A link to the SSO Log Viewer is available at the end of the Single Sign-On (SSO) Settings page. You will find information on failed SSO attempts there.
Copyright
Copyright 2012 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Oracle Corporation. JavaScript is a registered trademark of Oracle Corporation, used under license for technology invented and implemented by Netscape.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects S.A. in the United States and in other countries. Business Objects is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.