Configuring SAML SSO with SAP Netweaver and PingFederate

Page created: 26 May 2021 |

Page updated: 15 Dec 2022

| 2 min read

Configuration User task Single Sign-on (SSO) Capability PingFederate Product SAML Standards, specifications, and protocols

Learn how to configure SAML SSO with SAP Netweaver and PingFederate.

Refer to the vendor documentation and complete the following:

Ensure that HTTPS is enabled for your SAP system.
Activate Secure Session Management.
Enable SAML 2.0 support:
1. Create a local provider.
2. Export metadata for local provider.

The following table details the required and optional attributes to be configured in the assertion attribute contract.

Attribute Name	Description	Required / Optional
SAML_SUBJECT	Username	Required

Create a PingFederate SP connection for SAP Netweaver:

Note:
The following configuration is untested and is provided as an example. Additional steps might be required.
1. Sign on to the PingFederate administrative console.
2. Using the details retrieved from SAP Netweaver:
  1. Configure using Browser SSO profile SAML 2.0.
  2. Enable the following SAML Profiles:
    - IdP-Initiated SSO
    - SP-Initiated SSO
  3. In Assertion Creation: Attribute Contract, set the Subject Name Format to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
  4. In Assertion Creation: Attribute Contract Fulfilment, map the attribute SAML_SUBJECT to the attribute username.
    This should match the username for the user in SAP Netweaver.
  5. In Protocol Settings: Allowable SAML Bindings, enable Post and Redirect.
3. Export the metadata for the newly-created SP connection.
4. Export the signing certificate public key.
Configure the PingFederate IdP connection for SAP Netweaver:
1. Sign on to SAP Netweaver as an administrator.
2. Go to Trusted Partners and select Identity Providers.
3. Click Add.
4. Click Upload Metadata File, select the file that you downloaded from PingFederate, and click Next.
5. On the Provider Name page, verify the data populated. Click Next.
6. On the Signature and Encryption page, verify the data populated. Click Next.
7. On the Single Sign-On Endpoints page, verify the data populated. Click Next.
8. On the Single Logout Endpoints screen, verify the data populated. Click Next.
9. Select Binding as HTTP POST. Click Finish.
10. Enable the provider.
11. Configuration is completed.
After testing, you can enable SP-initiated SSO for SAP Netweaver by editing the configuration in sap/opu/odata/iwfnd/catalogservice.

Configuring SAML SSO with SAP Netweaver and PingFederate - PingFederate

Configuration Guides