Learn how to configure SAML SSO with SAP Netweaver and PingFederate.
- Ensure that HTTPS is enabled for your SAP system.
- Activate Secure Session Management.
- Enable SAML 2.0 support:
  - Create a local provider.
  - Export metadata for local provider.
|Attribute Name||Description||Required / Optional|
Create a PingFederate SP connection for SAP Netweaver:
The following configuration is untested and is provided as an example. Additional steps might be required.
- Sign on to the PingFederate administrative console.
Using the details retrieved from SAP Netweaver:
- Configure using Browser SSO profile SAML 2.0.
- Enable the following SAML Profiles:
  - IdP-Initiated SSO
  - SP-Initiated SSO
- In Assertion Creation: Attribute Contract, set the Subject Name Format to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
- In Assertion Creation: Attribute Contract Fulfilment, map the attribute SAML_SUBJECT to the attribute
  This should match the username for the user in SAP Netweaver.
- In Protocol Settings: Allowable SAML Bindings, enable Post and Redirect.
- Export the metadata for the newly-created SP connection.
- Export the signing certificate public key.
Configure the PingFederate IdP connection for SAP Netweaver:
- Sign on to SAP Netweaver as an administrator.
- Go to Trusted Partners and select Identity Providers.
- Click Add.
- Click Upload Metadata File, select the file that you downloaded from PingFederate, and click Next.
- On the Provider Name page, verify the populated data. Click Next.
- On the Signature and Encryption page, verify the populated data. Click Next.
- On the Single Sign-On Endpoints page, verify the populated data. Click Next.
- On the Single Logout Endpoints page, verify the populated data. Click Next.
- Select Binding as HTTP POST. Click Finish.
- Enable the provider.
- Configuration is completed.
After testing, you can enable SP-initiated SSO for SAP Netweaver by editing the configuration in sap/opu/odata/iwfnd/catalogservice.