Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x
Overview
Trust between SharePoint 2010 and ADFS 2.0
Use article Federated Collaboration with Shibboleth 2.0 and SharePoint 2010 Technologies in order to setup trust between SharePoint 2010 and ADFS 2.0.
Other ADFS 2.0 step-by-step and how-to guides can be found at ADFS step-by-step guides.
Trust between AS Java (CE) 7.2 and SAP Portal 7.0x
1. Export the signing certificate from CE 7.2
Click the “Export To File” button:
2. Add trusted system at SAP Portal 7.0x using the SSO2 wizard
3. Test the trust
Log in to the CE 7.2 system (e.g. in NetWeaver Administrator, http(s)://<ce72host>:<port>/nwa)
In the same browser window, navigate to 7.0x Portal
Trust between AS Java (CE) 7.2 and ADFS 2.0
Initial configuration in AS Java (CE) 7.2
Select “SAML 2.0” tab and click “Enable SAML 2.0 Support” button.
A signing key-pair should be generated for the local provider. It will be used as the encryption key-pair as well. Here are the next steps:
Step 1:
Save the metadata file:
Add Relying Party Trust in ADFS 2.0
Select metadata file
With this final step the trust setup at ADFS 2.0 is completed. In order to do the trust setup at CE 7.2 you will need the metadata of ADFS. An example ADFS 2.0 federation metadata URL is:
https://<adfs20host>/FederationMetadata/2007-06/FederationMetadata.xml. Because the metadata document is digitally signed, you will also need the signing certificate in order to import the metadata into AS Java (CE) 7.2. The SAP application server does not allow import of a signed metadata document unless the signature is successfully verified.
Export the ADFS signing certificate using “Copy To File …”.
Add Trusted Identity Provider at CE 7.2
With this the trust setup on the AS Java 7.2 (CE) is completed.
Setup Redirect Application
In this scenario, the AS Java 7.2 acts like intermediate system between ADFS 2.0 and SAP EP 7.0x.
That is why we will need a simple redirect application which:
- will be deployed on AS Java 7.2
- will be configured with SAML 2.0 authentication
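As an added illustration (not code from the original guide, nor from SAP or Microsoft), here is what such a redirect application can look like: a servlet deployed on AS Java 7.2 that, once the container has authenticated the user with SAML 2.0 and issued the logon ticket, sends the browser on to SAP EP 7.0x. The portal host `ep70host.example.com`, the optional `target` request parameter and the `ALLOWED_HOSTS` list are assumptions introduced for the example; the SAML 2.0 login module configuration itself is done in NetWeaver Administrator and is not shown.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Redirect application for the intermediate AS Java (CE) 7.2 system.
 *
 * Assumptions (not taken from the original guide):
 *  - the web application is deployed on AS Java 7.2 behind a security constraint, so the
 *    container's SAML 2.0 authentication (and the MYSAPSSO2 logon ticket it issues) has
 *    already happened when doGet() runs;
 *  - "ep70host.example.com" and the /irj/portal path are placeholders for the SAP EP 7.0x target;
 *  - the optional "target" parameter is a convenience introduced here, not part of the guide.
 */
public class PortalRedirectServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    /** Landing page on SAP EP 7.0x (placeholder host). */
    static final String DEFAULT_TARGET = "https://ep70host.example.com/irj/portal";

    /**
     * Hosts a caller may name in the "target" parameter. Anything else is replaced by
     * DEFAULT_TARGET, so the servlet cannot be used as an open redirector that forwards a
     * freshly authenticated user to an arbitrary site.
     */
    static final Set<String> ALLOWED_HOSTS =
            new HashSet<String>(Arrays.asList("ep70host.example.com"));

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The security constraint should guarantee an authenticated principal here; if it does
        // not, refuse rather than forward an anonymous user to the portal.
        if (req.getRemoteUser() == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                    "SAML 2.0 authentication on AS Java is required before redirecting");
            return;
        }
        String target = resolveTarget(req.getParameter("target"));
        // Do not let intermediaries cache a response that belongs to one user's session.
        resp.setHeader("Cache-Control", "no-store");
        resp.setHeader("Pragma", "no-cache");
        // The browser follows the redirect and presents the MYSAPSSO2 cookie to SAP EP 7.0x.
        resp.sendRedirect(target);
    }

    /**
     * Returns the requested target only if it is an absolute https URL on an allowed host
     * without user-info; otherwise the default portal URL. Package-visible for unit testing.
     */
    static String resolveTarget(String requested) {
        if (requested == null || requested.trim().length() == 0) {
            return DEFAULT_TARGET;
        }
        try {
            URI uri = new URI(requested.trim());
            if ("https".equalsIgnoreCase(uri.getScheme())
                    && uri.getHost() != null
                    && uri.getUserInfo() == null
                    && ALLOWED_HOSTS.contains(uri.getHost().toLowerCase())) {
                return uri.toString();
            }
        } catch (URISyntaxException e) {
            // malformed input is treated like an unknown host
        }
        return DEFAULT_TARGET;
    }
}
```

The servlet never touches the SAML 2.0 assertion itself; that is the job of the SAML 2.0 login module the application is configured with, and the servlet only runs once the container has established a principal. The redirect only results in SSO if the browser presents the MYSAPSSO2 cookie to the portal host, which is why the ticket-issuing AS Java 7.2 and SAP EP 7.0x are expected to sit in the same DNS domain (the logon ticket cookie is scoped to that domain).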
To test the scenario with first access at ADFS, log in to ADFS, e.g. https://<adfs20host>/adfs/ls/IdpInitiatedSignOn.aspx
After authenticating with ADFS, access the redirect application hosted on AS Java CE 7.2 in the same browser window.
Here is what happens when testing the scenario in case the first access is to AS Java 7.2:
1. Access the redirect application on AS Java 7.2
2. You will be redirected to ADFS for authentication
3. After successful authentication at ADFS, you will be returned to AS Java 7.2 with a SAML 2.0 assertion. The assertion will be evaluated and, after successful SAML 2.0 authentication at AS Java 7.2, an SAP Logon Ticket will be issued (MYSAPSSO2 cookie).
4. You will be redirected to SAP EP 7.0x and authenticated with the MYSAPSSO2 cookie issued by AS Java CE 7.2.