SAP NetWeaver Integration Kit

SAP J2EE setup for NetWeaver 7.3

About this task

  • To allow for deep linking for SP-initiated SSO, the login module appends the target-resource URL to the ssoUrl property. This feature is supported only for NetWeaver portals; for other applications the target resource is not appended and the user will go to the Default URL configured in PingFederate. For more information, see Configuring default URLs in the PingFederate documentation.

  • The login module JAR file (PFLoginModuleJAR.jar), along with supporting JARS included with this distribution, can be used to create a custom EAR for the NetWeaver platform. For more information, see Configuring the Login Module on the AS Java in the SAP Help Portal.

Steps

  1. Deploy the login module included with this distribution (PFLoginModuleLibrary.ear) to NetWeaver using the appropriate version of SAP NetWeaver Developer Studio.

    For information on how to deploy a login module, please refer to SAP Help.

  2. Configure the login module through the NetWeaver Administrator, using the following options:

    Option Description

    agentPropertiesFileName

    Filename with full path to the location of OpenToken properties file (for example, C:\agent-config.txt).

    pfBaseUrl

    Base URL to the PingFederate SP instance.

    enableSPSSO

    If true, PFLoginModule redirects to the ssoUrl (below) if OpenToken is not found in the request. This enables SP-initiated SSO functionality for NetWeaver. The default value is false.

    ssoUrl

    URL for redirect if SP-initiated SSO, required only if is enabled (above). The value required is PingFederate’s application endpoint to start the SSO:

    http[s]://<PF_host>:<port>/SP/startSSO.ping

    ?PartnerIdpId=<connection_id>

    For more information, see Developer Notes below.

    excludeUrI

    List of excluded resource URIs using regular expressions. For example: ./webdynpro.

    enableSSOCookie

    If true and enableSPSSO is set to true, PFLoginModule redirects only if a cookie (an SSO Cookie, defined below) is found in the request. The SP sets an SSO Cookie in the user’s browser during an initial IdP-initiated SSO event. When the user arrives at the NetWeaver SP in the future, with the SSO Cookie, the user is redirected to the ssoUrl.

    If false and enableSPSSO is set to true, the PFLoginModule redirects any user to the ssoUrl, regardless of any SSO Cookie.

    The default value is false.

    ssoCookieName

    The name of the SSO cookie to set in the user’s browser, required only if enableSSOCookie is set to true.

    For information on how to configure a login module, please refer to the SAP Help.

  3. Configure an application to use the login module. A sample configuration which allows for both SSO and direct authentication is shown below:

    Login Module Flag

    EvaluateTicketLoginModule

    SUFFICIENT

    PFLoginModule

    REQUISITE

    BasicPasswordLoginModule

    REQUISITE

    CreateTicketLoginModule

    OPTIONAL

    For information on how to configure an application, see Configuring an Application to Use the Login Module in the SAP Help Portal.