Chapter 75
Configuring SAP NetWeaver AS Java
SAP NetWeaver Application Server ("AS") Java is one of the two installation options of SAP NetWeaver AS. The other option is the ABAP stack, which runs separately from the Java stack. If you are trying to configure SAP NetWeaver AS Java, you are in the right place. If you are trying to configure SAP NetWeaver AS ABAP, see Configuring SAP NetWeaver ABAP.
Note: This document is written for SAP NetWeaver AS Java 7.3 EHP1 (7.3.1). If you are not using version 7.3.1, your interface may differ from the illustrations. Only versions 7.3 and 7.3.1 are supported.
An overview of configuring SAP NetWeaver AS Java for SSO
The following is an overview of the steps required to configure the SAP NetWeaver AS Java web application for single sign-on (SSO) via SAML. SAP NetWeaver AS Java offers both IdP-initiated SAML SSO (for SSO access through the user portal or Cloud Manager) and SP-initiated SAML SSO (for SSO access directly through the SAP NetWeaver AS Java web application). You can configure SAP NetWeaver AS Java for either or both types of SSO. Enabling both methods ensures that users can log in to SAP NetWeaver AS Java in different situations, such as clicking through a notification email.
1 Prepare SAP NetWeaver AS Java for single sign-on (see "SAP NetWeaver AS Java requirements for SSO" on page 75-2).
2 Add and begin to configure the SAP NetWeaver AS Java application in Cloud Manager.
Once the application settings are configured, complete the user account mapping and assign the application to one or more roles. For details, see "Configuring SAP NetWeaver AS Java in Cloud Manager (Part 1)" on page 75-4.
3 Enable SAML and create a local provider.
For more information, see "Enabling SAML and creating a local provider in SAP NetWeaver Administrator" on page 75-7.
4 Create and enable a trusted provider for Centrify.
For more information, see "Creating and enabling a trusted provider" on page 75-9.
5 Create a new authentication stack for SAML 2.0.
For more information, see "Creating a new authentication stack for SAML 2.0" on page 75-10.
6 Configure the Ticket policy configuration to use the SAML 2.0 authentication stack.
For more information, see "Configuring the SAML 2.0 login process to use the authentication stack" on page 75-11.
7 Finish configuring the SAP NetWeaver AS Java application for single sign-on. For details, see "Configuring SAP NetWeaver AS Java in Cloud Manager (Part 2)" on page 75-11.
After you have finished configuring the application settings in the Cloud Manager and the SAP NetWeaver AS Java application, users are ready to launch the application from the Centrify user portal.
Preparing for Configuration
SAP NetWeaver AS Java requirements for SSO
Before you configure the SAP NetWeaver AS Java web application for SSO, you need the following:
• SAP NetWeaver AS Java.
• An active SAP NetWeaver AS Java account with administrator rights for your organization.
For more set-up information:
Configuring AS Java as a service provider:
http://help.sap.com/saphelp_nw73ehp1/helpdata/en/bc/3385f2311a4181bddf0faa2e3e8a9a/content.htm
Configuring SAML 2.0 based SSO for NetWeaver 7.3 Portal:
http://scn.sap.com/docs/DOC-55536
Setting up the certificates for SSO
To establish a trusted connection between the web application and the cloud service, the same signing certificate must be present in both the application and the application settings in Cloud Manager: SAP NetWeaver AS Java uses it to verify the signature on the SAML assertions the cloud service issues, and a mismatch makes every SSO login fail.
To download an application certificate from Cloud Manager (overview):
1 In the Apps page, add the application.
2 Click the application to open the application details.
3 In the Application Settings tab, click Download Signing Certificate to download and save the certificate.
What you need to know about SAP NetWeaver AS Java
Each SAML application is different. The following table lists features and functionality specific to SAP NetWeaver AS Java.
Web browser client: Yes
Mobile client: No
SAML 2.0: Yes
SP-initiated SSO: Yes
IdP-initiated SSO: Yes
Force user login via SSO only: Yes, if SP-initiated SSO is enabled and Selection Mode is Automatic.
Separate administrator login after SSO is enabled: Yes
User or Administrator lockout risk: Yes. Users can be locked out of SAP if they cannot reach the IdP. You can keep a back-door URL by adding the parameter saml2=disabled to your destination URL. For example:
• SAP NetWeaver Portal: http(s)://(sap-nw-as-java-fqdn-and-port)/irj/portal?saml2=disabled
• SAP NetWeaver Administrator: http(s)://(sap-nw-as-java-fqdn-and-port)/nwa?saml2=disabled
Because this URL bypasses the IdP entirely, any policy enforced only in Cloud Manager (strong authentication, corporate IP range) does not apply to logins made through it, so the SAP-local passwords of accounts that can still log on this way need the same care as any administrator password.
Automatic user provisioning: No
Multiple User Types: Yes. Refer to SAP NetWeaver AS Java documentation for details.
Self-service password: Yes. Users can reset their own passwords and administrators can reset user passwords.
Access restriction using a corporate IP range: Yes. See the Policy page settings in "Configuring SAP NetWeaver AS Java in Cloud Manager (Part 1)" on page 75-4.
Configuring SAP NetWeaver AS Java in Cloud Manager (Part 1)
To add and configure the SAP NetWeaver AS Java application in Cloud Manager:
1 In Cloud Manager, click Apps.
2 Click Add Web Apps.
The Add Web Apps screen appears.
3 On the Search tab, enter the partial or full application name in the Search field and click the search icon.
4 Next to the application, click Add.
5 In the Add Web App screen, click Yes to confirm. Cloud Manager adds the application.
6 Click Close to exit the Application Catalog.
The application that you just added opens to the Application Settings page.
7 On the Account Mapping page, click Download SAML Provider Metadata Document.
8 On the Application Settings page, expand the Additional Options section and specify the following settings:
Application ID: Configure this field if you are deploying a mobile application that uses the Centrify mobile SDK, for example mobile applications that are deployed into a Samsung KNOX version 1 container. The cloud service uses the Application ID to provide single sign-on to mobile applications. Note the following:
• The Application ID has to be the same as the text string that is specified as the target in the code of the mobile application written using the mobile SDK. If you change the name of the web application that corresponds to the mobile application, you need to enter the original application name in the Application ID field.
• There can only be one SAML application deployed with the name used by the mobile application.
The Application ID is case-sensitive and can be any combination of letters, numbers, spaces, and special characters up to 256 characters.
Show in User app list: Select this option so that this web application displays in the user portal. (By default, this option is selected.) If this web application is only needed in order to provide SAML for a corresponding mobile application, deselect this option; the web application then does not display for users in the user portal.
Security Certificate: These settings specify the signing certificate used for secure SSO authentication between the cloud service and the web application. Be sure to use a matching certificate both in the application settings in Cloud Manager and in the application itself; if you change the certificate here later, update the trusted provider in SAP NetWeaver Administrator as well, or SAP rejects the assertions. Select an option to change the signing certificate.
• Use existing certificate: When selected, the certificate currently in use is displayed. It is not necessary to select this option; it is present to display the current certificate in use.
• Use the default tenant signing certificate: Select this option to use the cloud service standard certificate. This is the default setting.
9 (Optional) On the Description page, you can change the name, description, and logo for the application. For some applications, the name cannot be modified.
The Category field specifies the default grouping for the application in the user portal. Users have the option to create a tag that overrides the default grouping in the user portal.
10 On the User Access page, select the role(s) that represent the users and groups that have access to the application.
When assigning an application to a role, select either Automatic Install or Optional Install:
Select Automatic Install for applications that you want to appear automatically for users.
If you select Optional Install, the application doesn’t automatically appear in the user portal and users have the option to add the application.
11 (Optional) On the Policy page, specify additional authentication control for this application. You can select one or both of the following settings:
Restrict app to clients within the Corporate IP Range: Select this option to prevent users outside the company intranet from launching this application. To use this option, you must also specify which IP addresses are considered as your intranet by specifying the Corporate IP range in Settings > Corporate IP Range.
Require Strong Authentication: Select this option to force users to authenticate using additional, stronger authentication mechanisms when launching an application. Specify these mechanisms in Policy > Add Policy Set > Account Security Policies > Authentication.
You can also include JavaScript code to identify specific circumstances when you want to block an application or you want to require additional authentication methods. For details, see Specifying application access policies with JavaScript.
12 On the Account Mapping page, configure how the login information is mapped to the application’s user accounts. The options are as follows:
Use the following Directory Service field to supply the user name: Use this option if the user accounts are based on user attributes. For example, specify an Active Directory field such as mail or userPrincipalName or a similar field from the Centrify user service.
Everybody shares a single user name: Use this option if you want to share access to an account but not share the user name and password. For example, some people share an application developer account.
Use Account Mapping Script: You can customize the user account mapping here by supplying a custom JavaScript script. For example, you could use the following line as a script:
LoginUser.Username = LoginUser.Get('mail')+'.ad';
This sets the user name to the value of the user’s mail attribute with ".ad" appended. Whatever the script produces is what SAP NetWeaver AS Java receives as the NameID, so it must match the Logon ID of the SAP user. For more information about writing a script to map user accounts, see the SAML application scripting guide.
13 (Optional) On the Advanced page, you can edit the script that generates the SAML assertion, if needed. In most cases, you don’t need to edit this script. For more information, see the SAML application scripting guide.
Note: On the Changelog page, you can see recent changes that have been made to the application settings, by date, user, and the type of change that was made.
14 Click Workflow to set up a request and approval work flow for this application. See Configuring Workflow for more information.
15 Click Save.
After configuring the application settings (including the role assignment) and the application’s web site, you’re ready for users to launch the application from the user portal.
Leave the browser tab open to the Cloud Manager. You will use it again in "Configuring SAP NetWeaver AS Java in Cloud Manager (Part 2)" on page 75-11.
Enabling SAML and creating a local provider in SAP NetWeaver Administrator
To enable and configure SAML 2.0:
1 Open a new browser tab, navigate to your SAP NetWeaver Administrator URL (resembles http(s)://<sap-java-hostname-and-port-number>/nwa), and log in to the SAP NetWeaver Administrator as an administrator.
2 Select Configuration > Authentication and Single Sign-On.
3 Click SAML 2.0 > Enable SAML 2.0 Support.
4 In Provider Name, enter CentrifySAML and click Next.
Note: If you enter a different provider name here, you must also enter it in the Local Provider Name field in Application Settings of your SAML application. See "Configuring SAP NetWeaver AS Java in Cloud Manager (Part 2)" on page 75-11 for details.
5 Click Browse for Signing Key Pair.
6 Click Create.
7 Supply an Entry Name to identify this key entry.
All the other required fields in this box have default values. Make any desired changes to these other fields.
9 In commonName, enter any value you would like SAP to use to identify this key pair when SAP generates it.
For example, use the host name of your SAP NetWeaver AS Java instance.
10 Click Finish.
The Select Keystore Entry window appears showing the new key pair you just created.
11 Click OK.
Under Signature and Encryption, Signing Key Pair and Encryption Key Pair are filled in for you with the new key pair you just created.
12 Select On under Legacy Systems Support (Issue Login Ticket).
13 Click Next.
14 (Optional) If you plan to use SP-initiated SSO, choose one of the following for Selection Mode under Identity Provider Discovery:
Manual: displays the identity provider selection screen when the SP-initiated SSO launches. The user must then select a configured IdP, or click Cancel to return to the username-password login screen.
Automatic: redirects users to the default trusted provider (configured later, starting at "Creating and enabling a trusted provider" on page 75-9). Users who lose access to their IdP are locked out of SAP NetWeaver AS Java unless they use the saml2=disabled back-door URL described in "What you need to know about SAP NetWeaver AS Java".
15 (Optional) Uncheck the remaining check boxes.
16 Click Finish.
17 Under Local Provider, select Service Provider Settings > Edit.
18 Copy the Endpoint URL and save it in a location where you can find it when you reach "Configuring SAP NetWeaver AS Java in Cloud Manager (Part 2)" on page 75-11.
19 In Default Application Path, enter the relative path to the page where you want SSO users to land, such as:
/irj/portal
20 Click Save.
21 (Optional) If you plan to use SAML over HTTP, follow these steps:
a Click General Settings.
b Click Edit.
c Select Yes for Allow HTTP Access.
d Click Save.
Allowing HTTP means the SAML response and the session cookies it produces travel unencrypted; leave this setting at No and use HTTPS unless you have a specific reason not to.
Creating and enabling a trusted provider
Note: This procedure continues from "Enabling SAML and creating a local provider in SAP NetWeaver Administrator" on page 75-7.
1 Click Trusted Providers.
2 Select Add > Uploading Metadata File.
3 In the SAML 2.0 Configuration pop-up window, click Browse and select the metadata file you downloaded in "Configuring SAP NetWeaver AS Java in Cloud Manager (Part 1)" on page 75-4.
4 Click Next.
5 (Optional) Enter Centrify as the Alias.
If entered, SAP NetWeaver AS Java shows the alias on the IdP selection screen; if not, the selection screen shows the IdP’s Entity ID from the IdP metadata.
6 Click Next.
7 On the screen that appears, leave all the default values unchanged and click Next again.
8 Select HTTP Post and click Next.
9 Continue clicking Next without changing any values until the Finish button appears.
10 Click Finish.
11 Select the trusted provider you just created under the List of Trusted Providers.
12 Click Edit.
13 Click Identity Federation under Details of trusted provider.
14 Click Add.
15 Select Unspecified as the Format Name.
16 Select Logon ID as the Source Name.
This maps the NameID the cloud service sends to the SAP Logon ID, so the account mapping you chose in Cloud Manager must produce exactly that Logon ID.
17 Click OK.
The new section Details of Name ID Format “Unspecified” appears at the bottom of the Trusted Providers screen.
18 Click Save at the top of the screen.
19 Click Enable.
The Active icon changes from a gray diamond to a green square.
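As an added check (example code written for this chapter; it is not part of the Centrify or SAP documentation and neither product ships it), the following Python script ties together two points above: the signing certificate you download from Cloud Manager in "Setting up the certificates for SSO" must be one the provider metadata you upload in step 3 declares for signing, and the Identity Federation entry from steps 15 and 16 only maps a subject whose NameID is in the unspecified format and equals an SAP Logon ID. The metadata, PEM file and SAML response embedded below are constructed samples with made-up entity IDs and placeholder certificate bytes; the script does not verify the response signature, which AS Java does on its own.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed stand-in for the DER bytes of the IdP signing certificate. A real
# metadata file and PEM download carry a genuine X.509 certificate; the checks
# below only compare bytes, so placeholder bytes exercise them just as well.
FAKE_CERT_DER = b"constructed-idp-signing-certificate-bytes"
FAKE_CERT_B64 = base64.b64encode(FAKE_CERT_DER).decode()

# Constructed IdP metadata in the shape of the "SAML Provider Metadata Document"
# (entity ID and endpoint are made-up values under the reserved .invalid TLD).
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.invalid/saml/app-1">
  <md:IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{HTTP_POST}"
        Location="https://idp.example.invalid/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed PEM in the shape of the "Download Signing Certificate" file.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + FAKE_CERT_B64
              + "\n-----END CERTIFICATE-----\n")

# Constructed, unsigned SAML response: enough to check the subject mapping.
# Signature verification is deliberately out of scope here; AS Java does it.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion>
    <saml:Issuer>https://idp.example.invalid/saml/app-1</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{NAMEID_UNSPECIFIED}">JSMITH</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def _fingerprint(b64_der):
    """SHA-256 over the DER bytes, the way most tools print a certificate fingerprint."""
    return hashlib.sha256(base64.b64decode("".join(b64_der.split()))).hexdigest()


def parse_idp_metadata(xml_text):
    """Entity ID, HTTP-POST SSO endpoints and fingerprints of the signing certificates."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") == HTTP_POST]
    fps = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # no 'use' attribute means any use
            continue
        fps += [_fingerprint(c.text) for c in kd.findall(".//ds:X509Certificate", NS)]
    return {"entity_id": root.get("entityID"), "sso_post_urls": sso, "signing_fps": fps}


def pem_fingerprint(pem_text):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return _fingerprint(m.group(1))


def metadata_matches_certificate(xml_text, pem_text):
    """True when the certificate chosen in Application Settings is one the metadata
    declares for signing; a mismatch means AS Java will reject every assertion."""
    return pem_fingerprint(pem_text) in parse_idp_metadata(xml_text)["signing_fps"]


def check_name_id(response_xml, trusted_entity_id, sap_logon_ids):
    """Mirror the Identity Federation entry (Format Unspecified, Source Logon ID):
    list every reason AS Java would fail to map this subject to a local user."""
    root = ET.fromstring(response_xml)
    issuer = root.findtext(".//saml:Assertion/saml:Issuer", namespaces=NS)
    nid = root.find(".//saml:Subject/saml:NameID", NS)
    problems = []
    if issuer != trusted_entity_id:
        problems.append(f"issuer {issuer!r} is not the trusted provider {trusted_entity_id!r}")
    if nid is None:
        return problems + ["assertion carries no NameID"]
    fmt = nid.get("Format", NAMEID_UNSPECIFIED)   # SAML default when Format is absent
    if fmt != NAMEID_UNSPECIFIED:
        problems.append(f"NameID format {fmt} does not match the Unspecified federation entry")
    if nid.text not in sap_logon_ids:
        problems.append(f"NameID {nid.text!r} is not the Logon ID of any SAP user")
    return problems
```

To use it against a real deployment, read the downloaded metadata document and certificate file into metadata_matches_certificate, and feed a captured (base64-decoded) SAMLResponse plus the set of SAP Logon IDs into check_name_id. A fingerprint mismatch is the usual reason assertions are rejected right after the trusted provider is enabled; a NameID in a format other than unspecified, or a value that is not the Logon ID the account mapping was meant to supply, is the usual reason a correctly signed assertion still does not log anyone in.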
Creating a new authentication stack for SAML 2.0
Note: This procedure continues from "Creating and enabling a trusted provider" on page 75-9.
1 Go to the Authentication tab.
2 Click Create.
3 Enter centrify-saml20 as the Configuration Name.
4 Leave the default Type set to Custom.
5 Click Create.
Your new custom configuration displays as the selected configuration in the Authentication tab.
6 Click Edit in the Authentication Stack tab.
7 Click Add and select EvaluateTicketLoginModule from the <Select Login Module> drop-down list.
8 Click Add and select SAML2LoginModule from the <Select Login Module> drop-down list.
9 Click Add and select BasicPasswordLoginModule from the <Select Login Module> drop-down list.
10 Click Add and select CreateTicketLoginModule from the <Select Login Module> drop-down list.
11 Select the Optional flag for CreateTicketLoginModule.
12 Click Save.
Your Login Modules table should now list, in this order: EvaluateTicketLoginModule, SAML2LoginModule, BasicPasswordLoginModule, and CreateTicketLoginModule (Optional).
Configuring the SAML 2.0 login process to use the authentication stack
Note: This procedure continues from "Creating a new authentication stack for SAML 2.0" on page 75-10.
1 In the Policy Configuration Name table, scroll down and select Ticket.
2 Click Edit in the Authentication Stack tab.
3 Enter centrify-saml20 as the Used Template.
4 Click Save.
Configuring SAP NetWeaver AS Java in Cloud Manager (Part 2)
To finish configuring the SAP NetWeaver AS Java application in Cloud Manager:
1 Return to the browser tab you were using to work in the Cloud Manager in "Configuring SAP NetWeaver AS Java in Cloud Manager (Part 1)" on page 75-4 and navigate to the Application Settings screen of your SAP NetWeaver AS Java app.
2 Configure the following:
ACS Endpoint URL
Set it to: the Endpoint URL you saved in "Enabling SAML and creating a local provider in SAP NetWeaver Administrator" on page 75-7.
What you do: paste the Endpoint URL copied from SAP NetWeaver Administrator.
Local Provider Name
Set it to: the name of your local provider, either CentrifySAML or the name you saved in "Enabling SAML and creating a local provider in SAP NetWeaver Administrator" on page 75-7.
3 Click Save.
For more information about SAP NetWeaver AS Java
Contact SAP for more information about configuring SAP NetWeaver AS Java for SSO.