
CENTRIFY GUIDE

SAP NetWeaver Java SAML configuration guide

Abstract

Centrify provides mobile device management and single sign-on services that you can trust and count on as a critical component of your corporate identity and access infrastructure. Our thorough approach to availability, reliability, scalability, security and privacy ensures that you can depend on Centrify as a trusted partner and provider.

© 2015 CENTRIFY CORPORATION. ALL RIGHTS RESERVED

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, email addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Centrify Corporation.

Centrify may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Centrify, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2015 Centrify Corporation. All rights reserved.

Centrify, DirectControl and DirectAudit are registered trademarks and Centrify Suite, DirectAuthorize, DirectSecure and DirectManage are trademarks of Centrify Corporation in the United States and/or other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Contents

Configuring SAP NetWeaver AS Java
    An overview of configuring SAP NetWeaver AS Java for SSO

Configuring SAP NetWeaver AS Java in Cloud Manager
    Configuring Roles for SAP NetWeaver in Cloud Manager
    To add and configure the SAP NetWeaver AS Java application in Cloud Manager
    Enabling SAML and creating a local provider in SAP NetWeaver Administrator
    Creating and enabling a trusted provider
    Creating a new authentication stack for SAML 2.0
    Configuring the SAML 2.0 login process to use the authentication stack

Configuring SAP NetWeaver AS Java in Cloud Manager
    About Centrify


Configuring SAP NetWeaver AS Java

SAP NetWeaver Application Server ("AS") Java (Stack) is one of the two installation options of SAP NetWeaver AS. The other option is the ABAP Stack, which is run totally separately from the Java Stack. If you’re trying to configure the SAP NetWeaver AS Java, you’re in the right place.

Note: This document is written with SAP NetWeaver AS Java 7.3 EHP1 (7.3.1). If you are not using version 7.4 your interface may differ from the illustrations. Only versions 7.3, 7.3.1 and 7.4 are supported.

An overview of configuring SAP NetWeaver AS Java for SSO

The following is an overview of the steps required to configure the SAP NetWeaver AS Java Web application for single sign-on (SSO) via SAML. SAP NetWeaver AS Java offers both IdP-initiated SAML SSO (for SSO access through the user portal or Cloud Manager) and SP-initiated SAML SSO (for SSO access directly through the SAP NetWeaver AS Java web application). You can configure SAP NetWeaver AS Java for either or both types of SSO. Enabling both methods ensures that users can log in to SAP NetWeaver AS Java in different situations such as clicking through a notification email.


Configuring SAP NetWeaver AS Java in Cloud Manager

Configuring Roles for SAP NetWeaver in Cloud Manager:

To map users to SAP NetWeaver Groups and Roles you need to create Roles in Cloud Manager.

1. In Cloud Manager, click Roles

2. Click Add Role


3. Enter a Name and Description for the Role.

Example Name: SAP-Access

Example Description: Access to SAP NetWeaver

IMPORTANT NOTE: You need to add at least the Administrators to the Role or you will lock yourself out of SAP once SAML SSO is enabled.

4. Click Members

5. Click Add


6. Within the Add Members dialog search for the user you want to make a member of this role

7. Select the user

8. Click Add

9. Repeat steps 6-8 until you have added all users who need access to SAP

10. Click Save


To add and configure the SAP NetWeaver AS Java application in Cloud Manager:

1. In Cloud Manager, click Apps.

2. Click Add Web Apps.


3. The Add Web Apps screen appears.

4. On the Search tab, enter the partial or full application name in the Search field and click the search icon.

5. Next to the application, click Add.

6. In the Add Web App screen, click Yes to confirm.

7. Cloud Manager adds the application.

8. Click Close to exit the Application Catalog.


9. The application that you just added opens to the Application Settings page.

10. On the Application Settings page, click Download Identity Provider Metadata File.

This downloads an XML file onto your computer that you will need in the section, Creating and enabling a trusted provider.

11. On the Application Settings page, expand the Additional Options section and specify the following Optional settings:

Option: Application ID
Description: Configure this field if you are deploying a mobile application that uses the Centrify mobile SDK, for example mobile applications that are deployed into a Samsung KNOX version 1 container. The cloud service uses the Application ID to provide single sign-on to mobile applications. Note the following:
  - The Application ID has to be the same as the text string that is specified as the target in the code of the mobile application written using the mobile SDK.
  - If you change the name of the web application that corresponds to the mobile application, you need to enter the original application name in the Application ID field.
  - There can only be one SAML application deployed with the name used by the mobile application.
  - The Application ID is case-sensitive and can be any combination of letters, numbers, spaces, and special characters up to 256 characters.

Option: Show in User app list
Description: Select Show in User app list so that this web application displays in the user portal. (By default, this option is selected.) If this web application is only needed in order to provide SAML for a corresponding mobile application, deselect this option. This web application won’t display for users in the user portal.

Option: Security Certificate
Description: These settings specify the signing certificate used for secure SSO authentication between the cloud service and the web application. Just be sure to use a matching certificate both in the application settings in the Cloud Manager and in the application itself. Select an option to change the signing certificate.
  - Use existing certificate: When selected, the certificate currently in use is displayed. It’s not necessary to select this option—it’s present to display the current certificate in use.
  - Use the default tenant signing certificate: Select this option to use the cloud service standard certificate. This is the default setting.
  - Use a certificate with a private key (pfx file) from your local storage: Select this option to use your organization’s own certificate. To use your own certificate, you must click Browse to upload an archive file (.p12 or .pfx extension) that contains the certificate along with its private key. If the file has a password, you must enter it when prompted.


12. (Optional) On the Description page, you can change the name, description, and logo for the application. For some applications, the name cannot be modified.

The Category field specifies the default grouping for the application in the user portal. Users have the option to create a tag that overrides the default grouping in the user portal.

13. On the User Access page, select the role(s) that represent the users and groups that have access to the application.

When assigning an application to a role, select either Automatic Install or Optional Install:

14. Select Automatic Install for applications that you want to appear automatically for users.

If you select Optional Install, the application doesn’t automatically appear in the user portal and users have the option to add the application.


15. (Optional) On the Policy page, specify additional authentication control for this application. You can select one or both of the following settings:

16. Restrict app to clients within the Corporate IP Range: Select this option to prevent users outside the company intranet from launching this application. To use this option, you must also specify which IP addresses are considered as your intranet by specifying the Corporate IP range in Settings > Corporate IP Range.

17. Require Strong Authentication: Select this option to force users to authenticate using additional, stronger authentication mechanisms when launching an application. Specify these mechanisms in Policy > Add Policy Set > Account Security Policies > Authentication.

18. You can also include JavaScript code to identify specific circumstances when you want to block an application or you want to require additional authentication methods. For details, see Specifying application access policies with JavaScript.


19. On the Account Mapping page, configure how the login information is mapped to the application’s user accounts. The options are as follows:

20. Use the following Directory Service field to supply the user name: Use this option if the user accounts are based on user attributes. For example, specify an Active Directory field such as mail or userPrincipalName or a similar field from the Centrify user service.

21. Everybody shares a single user name: Use this option if you want to share access to an account but not share the user name and password. For example, some people share an application developer account.

22. Use Account Mapping Script: You can customize the user account mapping here by supplying a custom JavaScript script. For example, you could use the following line as a script:

LoginUser.Username = LoginUser.Get('mail')+'.ad';

The above script instructs the cloud service to set the login user name to the user’s mail attribute value in Active Directory and add ‘.ad’ to the end. So, if the user’s mail attribute value is [email protected] then the cloud service uses [email protected]. For more information about writing a script to map user accounts, see the SAML application scripting guide.


23. (Optional) On the Advanced page, you can edit the script that generates the SAML assertion, if needed. In most cases, you don’t need to edit this script. For more information, see the SAML application scripting guide.

Note: On the Changelog page, you can see recent changes that have been made to the application settings, by date, user, and the type of change that was made.


24. (Optional) On the App Gateway page, you can configure the application so that your users can access it whether they are logging in from an internal or external location.

For applications configured for the App Gateway, users do not have to use a VPN connection to access the application remotely.

The App Gateway feature is a premium feature and is available only in the Centrify Identity Service App+ Edition. Please contact your Centrify representative to have the feature enabled for your account.

25. Click Learn More for step by step instructions on how to configure App Gateway

26. Click Workflow to set up a request and approval workflow for this application.

The Workflow feature is a premium feature and is available only in the Centrify Identity Service App+ Edition. See Configuring Workflow for more information.

27. Click Learn More for step by step instructions on how to configure Workflow


28. Click Save.

After configuring the application settings (including the role assignment) and the application’s web site, you’re ready for users to launch the application from the user portal.

Leave the browser tab open to the Cloud Manager. You will use it again in


Enabling SAML and creating a local provider in SAP NetWeaver Administrator

To enable and configure SAML 2.0 in SAP NetWeaver:

1. Open a new browser tab, navigate to your Web GUI URL (resembles: http(s)://<sap-java-hostname-and-port-number>/nwa), and log in to the SAP NetWeaver Administrator as an administrator.

2. Select Configuration > Authentication and Single Sign-On.

3. Click SAML 2.0 > Enable SAML 2.0 Support.


4. In Provider Name, enter CentrifySAML and click Next.

Note: If you enter a different provider name here, you must also enter it in the Local Provider Name field in Application Settings of your SAML application.

5. Click Browse for Signing Key Pair.


6. Click Create.

7. Supply an Entry Name to identify this key entry.

All the other required fields in this box have default values. Make any desired changes to these other fields.

8. Click Next.


9. In commonName, enter any value you would like SAP to use to identify this key pair when SAP generates it.

For example, use the host name of your SAP NetWeaver AS Java instance.

10. Click Finish.

The Select Keystore Entry window appears showing the new key pair you just created.

11. Click OK.


12. Under Signature and Encryption, Signing Key Pair and Encryption Key Pair are filled in for you with the new key pair you just created.

13. Select On under Legacy Systems Support (Issue Login Ticket).

14. Click Next.

15. (Optional) If you plan to use SP-initiated SSO, choose one of the following for the Selection Mode under Identity Provider Discovery:

Manual: displays the identity provider selection screen when the SP-initiated SSO launches. Then the user must select a configured IdP, or click the Cancel button to return to the username-password login screen.

Automatic: redirects users to the default trusted provider (configured later starting here: Creating and enabling a trusted provider). Users who lose access to their IdP are locked out of SAP NetWeaver AS Java.

16. (Optional) Uncheck the remaining check boxes.

17. Click Finish.


18. Under Local Provider, select Service Provider Settings

19. Click Edit.

20. Copy the Endpoint URL, paste it into the ACS Endpoint URL field in the SAP Application Settings in the Centrify Cloud Manager, and click Save.

21. In Default Application Path, enter the relative path to the page where you want SSO users to land, such as:

/irj/portal

22. Click Save.


23. (Optional) If you plan to use SAML over HTTP, follow these steps:

24. Click General Settings.

25. Click Edit.

26. Select Yes for Allow HTTP Access.

27. Click Save.


Creating and enabling a trusted provider

1. Click Trusted Providers.

2. Select Add > Uploading Metadata File.

3. In the SAML 2.0 Configuration pop-up window, click Choose File and select the metadata file you downloaded in step 10 in chapter "To add and configure the SAP NetWeaver AS Java application in Cloud Manager".

4. Click Next.


5. (Optional) Enter Centrify as the Alias.

If entered, SAP NetWeaver AS Java will show the name of the alias on the IdP selection screen; if not entered the selection screen will show the IdP’s Entity ID that was provided in the IdP Metadata.

6. Click Next.

7. On the screen that appears, leave all the default values unchanged and click Next again.


8. Select HTTP Post and click Next.

9. Continue clicking Next without changing any values until the Finish button appears.

10. Click Finish.


11. Select the trusted provider you just created under the List of Trusted Providers.

12. Click Edit.

13. Click Identity Federation under Details of trusted provider.

14. Click Add.

15. Select Unspecified as the Format Name.

16. Click OK


17. Select Logon ID as the User ID Mapping Mode.

18. Click Save at the top of the screen.

19. Click Enable.

20. The Active icon changes from a gray diamond to a green square.


Creating a new authentication stack for SAML 2.0

1. Go to the Authentication tab.

2. Click Add.

3. Enter centrify-saml20 as the Configuration Name.

4. Leave the default Type set to Custom.

5. Click Create.


6. Your new custom configuration displays as the selected configuration in the Authentication tab.

7. Click Edit in the Authentication Stack tab.

8. Click Add

9. Select EvaluateTicketLoginModule from the <Select Login Module> drop-down list.

10. Click Add

11. Select SAML2LoginModule from the <Select Login Module> drop-down list.

12. Click Add

13. Select BasicPasswordLoginModule from the <Select Login Module> drop-down list.

14. Click Add

15. Select CreateTicketLoginModule from the <Select Login Module> drop-down list.


16. Select the Optional flag for CreateTicketLoginModule.

17. Click Save.

Your Login Modules table should look like this:


Configuring the SAML 2.0 login process to use the authentication stack

1. In the Policy Configuration Name table, scroll down and select Ticket.

2. Click Edit in the Authentication Stack tab.

3. Enter centrify-saml20 as the Used Template.

4. Click Save.


Configuring SAP NetWeaver AS Java in Cloud Manager

To finish configuring the SAP NetWeaver AS Java application in Cloud Manager:

1. Return to the browser tab you were using to work in the Cloud Manager and navigate to the Application Settings screen of your SAP NetWeaver AS Java app.

2. Paste the SAML Endpoint URL from the SAP NetWeaver AS Java Administrator into the ACS Endpoint URL field, if this was not completed in step 20 in chapter "Enabling SAML and creating a local provider in SAP NetWeaver Administrator".

3. Enter the local provider name you provided in Step 4 in chapter Enabling SAML and creating a local provider in SAP NetWeaver Administrator

4. Click Save

5. This concludes the SAP NetWeaver SAML authentication with Centrify configuration


About Centrify

Centrify strengthens enterprise security by managing and securing user identities from cyber threats. As organizations expand IT resources and teams beyond their premises, identity is becoming the new security perimeter. With our platform of integrated software and cloud-based services, Centrify uniquely secures and unifies identity for both privileged and end users across today’s hybrid IT world of cloud, mobile and data center. The result is stronger security and compliance, improved business agility and enhanced user productivity through single sign-on. Over 5000 customers, including half of the Fortune 50 and over 80 federal agencies, leverage Centrify to secure their identity management. Learn more at www.centrify.com.

Santa Clara, California: +1 (669) 444-5200 Email: [email protected]

EMEA: +44 (0) 1344 317950 Web: www.centrify.com

Asia Pacific: +61 1300 795 789

Brazil: +55 11 3958 4876

Latin America: +1 305 900 5354