AWS Single Sign-On (AWS SSO) Integration Guide for SAP Enterprise Portal Java

Introduction

This document helps you configure AWS SSO to facilitate single sign-on (SSO) for SAP Enterprise Portal Java using SAML.

Topics

Prerequisites

You’ll need the following to set up SSO access to SAP Enterprise Portal Java:

Setup instructions

  1. On the SAP Enterprise Portal Java page in the AWS SSO console, in the Details section, fill in the Display name and the Description (optional) of the application.

Note

We suggest that you choose a unique display name if you plan to have more than one of the same application.

  2. Log in to SAP NetWeaver Administrator with your administrator account (for example, https://SERVERURL/nwa).

  3. Choose Configuration, then choose Security.

  4. Choose Authentication and Single Sign-On.

  5. On the SAML 2.0 tab, choose Enable SAML 2.0 Support.

  6. For Provider Name, enter AWSSSO, then choose Next.

  7. Next to Signing Key Pair, choose Browse and either import or create a certificate.

  8. For Encryption Key Pair, select the same certificate that you created or imported in the previous step.

  9. Select Include Certificate in Signature, choose Next, then choose Finish.

  10. Download the SAP service provider metadata file by choosing Download Metadata. You upload this file to AWS SSO later.

  11. Next, download the AWS SSO metadata file from the AWS SSO console (the AWS SSO SAML metadata link shown on the page where you are configuring this application).

  12. On the Trusted Providers tab, choose Add, then choose Uploading Metadata File. Select the AWS SSO metadata file, then choose Next.

  13. For Alias, enter AWSSSO, then choose Next.

  14. Download the AWS SSO certificate and import it by choosing Browse next to Encryption Certificate.

  15. Next to Encryption Certificate, choose the certificate that you just imported. Choose Next.

  16. For Single Sign-On Endpoints, choose HTTP-POST, then choose Next.

  17. For Single Log-Out Endpoints, choose HTTP-Redirect, then choose Next.

  18. For Artifact Endpoints, choose Next.

  19. For Manage Name ID Endpoints, choose Next.

  20. For Authentication Contexts Settings, choose Finish. After the trusted provider is created, check that its Signing Certificate is the AWS SSO certificate from the uploaded metadata; that is the certificate SAP uses to verify the signature on assertions from AWS SSO.

  21. On the Trusted Providers tab, choose Edit. Choose the Identity Federation tab, then choose Add.

  22. For Format Name, choose Unspecified, then choose OK.

  23. Select Unspecified. Under Details of NameID Format Unspecified, for User ID Mapping Mode choose Email. Choose Save.

  24. Choose Enable.

  25. Go back to the Configuration tab, choose Authentication and Single Sign-On, then choose the Components tab.

  26. Choose Add. For Configuration Name, enter a name (for example, AWSSSO), and for Type choose custom.

  27. For Login Modules, enter the following values in this order, then choose Save.

Login Module Name          Flag
EvaluateTicketLoginModule  SUFFICIENT
SAML2LoginModule           OPTIONAL
CreateTicketLoginModule    SUFFICIENT
BasicPasswordLoginModule   REQUISITE
CreateTicketLoginModule    REQUISITE

  28. On the Components page, under Policy Configuration Name, select ticket and choose Edit. Assign the custom configuration that you created in the previous step (AWSSSO in the example) to ticket, then choose Save.

  29. Go back to the AWS SSO console page where you are configuring the application.

  30. Under Application properties, enter the SAP Enterprise Portal Java URL in the Application start URL field:

Field                  Value
Application start URL  SAP Enterprise Portal Java URL

  31. Under Application metadata, choose Browse and select the SAP metadata file that you downloaded in step 10.

  32. Assign a user to the application in AWS SSO.

  33. Log in to SAP NetWeaver Administrator, choose Configuration, then choose Identity Management.

  34. Create a new user or edit an existing one. In the user's properties, fill in the E-mail Address field. The E-mail Address must match the email address of the user assigned to the SAP Enterprise Portal Java application in AWS SSO, because the Email user ID mapping mode (step 23) uses this field to find the SAP user for the NameID in the assertion.
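As an added example (not part of this guide and not SAP or AWS tooling), the following Python script parses the SAP service provider metadata downloaded with Download Metadata and checks that it reflects the settings configured above: a signing and an encryption key descriptor (the same certificate for both, as chosen in the wizard), an HTTP-POST assertion consumer service, an HTTP-Redirect single logout endpoint, and the Unspecified NameID format. The metadata document embedded in the script is constructed for this example; the hostname, entity ID and certificate value are placeholders. To check a real file, read it from disk and pass its text to check_sp_metadata.

```python
"""Check SAP service provider (SP) metadata against the SAML settings in this guide."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample: a trimmed SP metadata document in the shape the SAML 2.0 wizard
# produces. The hostname, entity ID and certificate value are placeholders.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="AWSSSO">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIBplaceholderCERT==</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIBplaceholderCERT==</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://portal.example.com/saml2/sp/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://portal.example.com/saml2/sp/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_sp_metadata(xml_text: str) -> dict:
    """Return the settings this guide configures, as read from the SP metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor; this is not SP metadata")

    certs = {}  # key use -> base64 certificate with whitespace removed
    for kd in sp.findall("md:KeyDescriptor", NS):
        cert = kd.find(".//ds:X509Certificate", NS)
        value = "".join(cert.text.split()) if cert is not None and cert.text else None
        # Per the SAML metadata spec, a KeyDescriptor with no 'use' serves both purposes.
        for use in ([kd.get("use")] if kd.get("use") else ["signing", "encryption"]):
            certs[use] = value

    acs_bindings = [s.get("Binding") for s in sp.findall("md:AssertionConsumerService", NS)]
    slo_bindings = [s.get("Binding") for s in sp.findall("md:SingleLogoutService", NS)]
    nameid_formats = [f.text.strip() for f in sp.findall("md:NameIDFormat", NS) if f.text]

    return {
        "entity_id": root.get("entityID"),
        "signing_cert_present": bool(certs.get("signing")),
        "encryption_cert_present": bool(certs.get("encryption")),
        "same_cert_for_both": certs.get("signing") is not None
        and certs.get("signing") == certs.get("encryption"),
        "acs_http_post": HTTP_POST in acs_bindings,
        "slo_http_redirect": HTTP_REDIRECT in slo_bindings,
        "nameid_unspecified": NAMEID_UNSPECIFIED in nameid_formats,
    }


def missing_settings(report: dict) -> list:
    """List the guide's settings that the metadata does not reflect."""
    expected = {
        "signing_cert_present": "signing certificate (Signing Key Pair)",
        "encryption_cert_present": "encryption certificate (Encryption Key Pair)",
        "acs_http_post": "HTTP-POST single sign-on endpoint",
        "slo_http_redirect": "HTTP-Redirect single log-out endpoint",
        "nameid_unspecified": "Unspecified NameID format",
    }
    return [label for key, label in expected.items() if not report.get(key)]


if __name__ == "__main__":
    report = check_sp_metadata(SAMPLE_SP_METADATA)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("missing:", missing_settings(report) or "none")
```

Run it against the real file before uploading it to AWS SSO: anything listed under "missing" means the SAP wizard did not end up with the setting the guide asks for, which is the usual reason the AWS SSO side later rejects or misroutes the assertion.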

Verification

Use the following sections to verify the SSO integration.

Note

Ensure that the user performing the verification is logged out of both AWS SSO and the application before performing the steps in each section.

Verifying SSO from AWS SSO

  1. Access the AWS SSO end user portal using the credentials of a user assigned to the SAP Enterprise Portal Java application.

  2. In the list of applications, choose SAP Enterprise Portal Java to initiate a login to SAP Enterprise Portal Java.

  3. Choose Continue.

  4. If login was successful, you are signed in to SAP Enterprise Portal Java as the SAP user whose E-mail Address matches the AWS SSO user's email address.

Troubleshooting

If sign-in was not successful, see the troubleshooting steps in the next section.

Troubleshooting

Error: Other

Issue: When AWS SSO creates a SAML assertion for a user, it uses the values of the 'email' and 'subject' fields (if they are present) from the connected directory to populate the 'Email' and 'Subject' attributes in the SAML assertion. Many service providers, including SAP Enterprise Portal Java with the Email user ID mapping mode configured above, expect these attributes to contain the user's email address.

Solution: By default, your directory is configured to send 'windowsUPN' in both fields. Your directory may be configured to hold the user's email address in the 'Email' attribute instead. If so, change the attribute mapping in your connected directory settings. Additionally, the 'name' attribute sent to the provider should not be the user's email address; make sure that the 'name' attribute is not mapped to an email.
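As an added example (not from this guide, AWS or SAP), the following Python script takes the Subject of an AWS SSO assertion and checks it the way the Email user ID mapping mode configured above will: it reads the NameID value and format, verifies that the NameID is an e-mail address and that the 'name' attribute does not carry the e-mail, and looks the address up in a table that stands in for the E-mail Address field of SAP Identity Management users. The assertion and the user table are constructed for this example (issuer, IDs and addresses are placeholders; the signature is omitted). Case-insensitive matching with a warning on a case-only difference is an assumption made here so that near-misses are surfaced. To diagnose a real failure, pass the decoded Assertion element (not the enclosing Response) to parse_subject.

```python
"""Map the Subject of an AWS SSO SAML assertion to an SAP user by e-mail address."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample: the Subject and AttributeStatement of an assertion in the shape
# AWS SSO sends. Issuer, ID and user values are placeholders; the signature is omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder" Version="2.0" IssueInstant="2021-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/saml/assertion/PLACEHOLDER</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@corp.example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Email"><saml:AttributeValue>jdoe@corp.example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="name"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample of SAP Identity Management users: logon ID -> E-mail Address field.
SAP_USERS = {
    "JDOE": "JDoe@corp.example.com",
    "ASMITH": "asmith@corp.example.com",
}


def parse_subject(xml_text: str) -> dict:
    """Extract the NameID (value and format) and the attributes from an assertion."""
    root = ET.fromstring(xml_text)
    nameid = root.find("saml:Subject/saml:NameID", NS)
    if nameid is None or not nameid.text:
        raise ValueError("assertion has no Subject/NameID")
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values[0] if len(values) == 1 else values
    return {
        "nameid": nameid.text.strip(),
        # An absent Format attribute means 'unspecified' per the SAML core spec.
        "nameid_format": nameid.get("Format", NAMEID_UNSPECIFIED),
        "attributes": attributes,
    }


def map_to_sap_user(subject: dict, users: dict):
    """Return (logon_id or None, list of findings) for the Email user ID mapping mode."""
    findings = []
    nameid = subject["nameid"]
    if subject["nameid_format"] != NAMEID_UNSPECIFIED:
        findings.append(f"NameID format {subject['nameid_format']} is not the Unspecified "
                        "format configured on the trusted provider")
    if "@" not in nameid:
        findings.append(f"NameID {nameid!r} is not an e-mail address; check the 'subject' "
                        "attribute mapping in the connected directory")
    if subject["attributes"].get("name") == nameid:
        findings.append("the 'name' attribute carries the e-mail address; it should not")

    # Assumption for this example: match e-mail addresses case-insensitively, but report
    # a match that differs only in case, since the stored value may have to match exactly.
    logon_id = None
    for candidate, email in users.items():
        if email.lower() == nameid.lower():
            logon_id = candidate
            if email != nameid:
                findings.append(f"SAP user {candidate} has E-mail Address {email!r}, which "
                                f"differs from NameID {nameid!r} only in case")
            break
    if logon_id is None:
        findings.append(f"no SAP user has E-mail Address {nameid!r}; set it in Identity "
                        "Management or fix the directory attribute mapping")
    return logon_id, findings


if __name__ == "__main__":
    user, notes = map_to_sap_user(parse_subject(SAMPLE_ASSERTION), SAP_USERS)
    print("mapped to:", user)
    for note in notes:
        print("-", note)
```

A NameID that is a UPN or a DOMAIN\user value, or a NameID that matches no SAP user's E-mail Address, is exactly the mismatch the row above describes; the findings point at which side (directory attribute mapping or the SAP user record) to fix.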

For general troubleshooting, see the Troubleshooting Guide.

User Provisioning Types

There are two user provisioning types you need to be aware of:

User Provisioning