AWS IAM Identity Center (successor to AWS SSO) Integration Guide for SAP Enterprise Portal Java

Introduction

This document helps you configure IAM Identity Center to facilitate single sign-on (SSO) for SAP Enterprise Portal Java using SAML.

Topics

• Prerequisites

• Setup instructions

• Verification

• Troubleshooting

Prerequisites

You’ll need the following to set up SSO access to SAP Enterprise Portal Java:

• Access to the IAM Identity Center console with permissions to manage applications.

• A SAP Enterprise Portal Java implementation.

• An administrator account that have permissions to configure SAML SSO.

• SAP Enterprise Portal Java only supports Service Provider (SP) initiated flow.

Setup instructions

1. On the SAP Enterprise Portal Java page in the IAM Identity Center Console, in the Details section, fill in the Display name, and the Description(optional) of the application.

Note

We suggest that you choose a unique display name if you plan to have more than one of the same application.

2. Login to SAP Netweaver Administrator with your administrator account.(Example: https://SERVERURL/nwa)

3. Click on Configuration and choose Security.

4. Choose Authentication and Single Sign On.

5. Click on the SAML 2.0 tab, choose Enable SAML 2.0 Support.

6. For Provider Name, enter AWSSSO, then choose Next.

7. Next to Signing Key Pair click on Browse and either import or create a certificate.

8. For Encryption Key Pair, select the same certificate created/imported in the previous step.

9. Check the box next to Include Certificate in Signature, choose Next, then choose Finish.

10. Download the metadata file by, choosing Download Metadata.

11. Next, Download the IAM Identity Center Metadata using the URL below.

12. Click on Trusted Provider tab, click on add then Uploading Metadata file. Choose the IAM Identity Center metadata file, then choose Next.

13. For Alias enter AWSSSO, then choose Next.

14. Download the IAM Identity Center certificate and import it, by clicking on Browse next to Encryption Certificate.

15. Next to Encryption Certificate, choose the certificate you imported earlier. Choose Next.

16. For Single Sign-On Endpoints choose HTTP-POST, then choose Next.

17. For Single Log-Out Endpoints choose HTTP-Redirect, then choose Next.

18. For Artifact Endpoints choose Next.

19. For Manage Name ID Endpoints, choose Next.

20. For Authentication Contexts Settings choose Finish.

21. Click on the Trusted Providers tab, select Edit. Next, choose the Identity Federationtab, then choose Add.

22. For the Format Name, choose Unspecified, then choose OK.

23. Select Unspecified, then under Details of NameID Format Unspecified. For User ID Mapping Mode, choose Email. Choose Save.

24. Choose Enable.

25. Go back to the Configuration tab, choose Authentication and Single Sign-On, then choose the Components tab.

26. Click on Add, for the Configuration Name enter example AWSSSO, and for Type choose custom.

27. For the Login Modules, enter the following values, then choose Save.

Login Module Name	Flag
EvaluateTicketloginModule	SUFFICIENT
SAML2LoginModule	OPTIONAL
CreateTicketLoginModule SUFFICIENT BasicPasswordloginModule	REQUISITE
CreateTicketLoginModule	REQUISITE

28. From the Components page, under Policy Configuration Name, Edit the ticket. Then assign the custom configuration example AWSSSO created in previous step to the ticket. Choose Save.

29. Go back to the IAM Identity Center console page where you are configuring the Application.

30. Under Application Properties, enter the SAP Enterprise Portal Java URL in the Application start URL field:

Field	Value
Application start URL	SAP Enterprise Portal Java URL

31. Under Application metadata, choose Browse and select the Metadata downloaded in step 10.

32. Assign a user to the application in IAM Identity Center.

33. Login to SAP Netweaver Administrator, click on Configuration, choose Identity Management.

34. Next, create a new or edit an existing user. In the properties of the user, fill in the E-mail Address field. Ensure the E-mail Address entered matches the email address of the user assigned to the SAP application in IAM Identity Center.

Verification

Use the following sections to verify the SSO integration.

Note

Ensure that the user performing the verification is logged out of both IAM Identity Center and the application before performing the steps in each section.

Verifying SSO from IAM Identity Center

1. Access the AWS access portal using the credentials of a user assigned to the SAP Enterprise Portal Java URL application.

2. In the list of applications, choose SAP Enterprise Portal Java to initiate a login to SAP Enterprise Portal Java URL.

3. Click on Continue.

4. If login was successful you will be signed-in to the SAP Enterprise Portal Java account.

Troubleshooting

If sign in was not successful, please see the troubleshooting steps.

Troubleshooting

Error	Issue	Solution
Other	When IAM Identity Center creates a SAML Assertion for a user, it uses the value of the 'email' and 'subject' fields (if they are present) from the connected directory to populate the 'Email' and 'Subject' attributes in the SAML assertion. Many service providers expect these attributes to contain the user’s email address. By default your directory is configured to send 'windowsUPN' in both fields.	Your directory may be configured to contain the users email in the 'Email' attribute instead. If so, you may need to change this in your Connected directory settings. Additionally the 'name' attribute being sent to the provider should not be the user's email address, make sure that your attribute name is not mapping to an email.

For general troubleshooting problems, please refer to Troubleshooting Guide.

User Provisioning Types

There are two user provisioning you need to aware of:

• Preprovisioned users

  Preprovisioned users, means users must already exist in the downstream SaaS application. For instance, you may need to create SaaS users with the same subject as the AD users.

• JIT users

  JIT (or Just-In-Time) users, means users do not necessarily exist in the downstream SaaS application, and will be provisioned/created/registered the first time the user federates. You may need to enable JIT option in your SaaS application for the AD domain.

User Provisioning

• Preprovisioned users Preprovisioned users, means users must already exist in the downstream SaaS application. For instance, you may need to create SaaS users with the same email as the AD users

• JIT users JIT (or Just-In-Time) users, means users do not necessarily exist in the downstream SaaS application, and will be provisioned/created/registered the first time the user federates. You may need to enable JIT option in your SaaS application for the AD domain.SAP