The PingFederate SP server receives an assertion (see Service provider SSO configuration in the PingFederate documentation), wraps the received attributes into an OpenToken, and redirects to an application protected by NetWeaver. The PFLoginModule configured in NetWeaver extracts the UserID from the OpenToken and authenticates the user. Note that the UserID is the value of the “subject” attribute in the OpenToken.

The following figure illustrates the request flow and how the PingFederate OpenToken SP Adapter wraps attributes from the assertion into OpenToken and passes them to SAP NetWeaver (J2EE Engine):

Processing Steps

  1. The PingFederate SP server receives a SAML assertion from the IdP.
  2. The PingFederate SP server wraps the attributes from the SAML assertion into an OpenToken and redirects the token through the user’s browser to the application(s) deployed on the SAP J2EE Server.
  3. PFLoginModule, installed in SAP J2EE Server, parses the OpenToken and retrieves the UserID.
  4. The SAP J2EE server authenticates the user using this UserID and grants access to the SAP Application.
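Steps 3 and 4 make the “subject” value the sole identity NetWeaver acts on, so the checks around reading it matter. The following is an added example, not PFLoginModule's source or Ping Identity code: it assumes the OpenToken has already been decrypted and integrity-checked, and that the decoded payload is `key=value` lines carrying ISO 8601 `not-before` and `not-on-or-after` timestamps. The class and method names are hypothetical.

```java
import java.time.Instant;
import java.util.*;

/** Added illustration (hypothetical names); input is an already decrypted, verified payload. */
public class OpenTokenSubjectCheck {
    /** Parses decoded "key=value" lines, keeping every value so duplicates stay visible. */
    static Map<String, List<String>> parse(String payload) {
        Map<String, List<String>> attrs = new HashMap<>();
        for (String line : payload.split("\\r?\\n")) {
            int eq = line.indexOf('=');
            if (eq <= 0) continue;                       // skip blank or malformed lines
            // Fold case so "Subject" and "subject" cannot coexist unnoticed.
            String key = line.substring(0, eq).trim().toLowerCase(Locale.ROOT);
            attrs.computeIfAbsent(key, k -> new ArrayList<>()).add(line.substring(eq + 1).trim());
        }
        return attrs;
    }

    /** Returns the UserID (the "subject" value) or throws if the token must not be trusted. */
    static String extractUserId(Map<String, List<String>> attrs, Instant now) {
        String subject = single(attrs, "subject");
        if (subject.isEmpty())
            throw new SecurityException("empty subject");
        Instant notBefore = Instant.parse(single(attrs, "not-before"));
        Instant notOnOrAfter = Instant.parse(single(attrs, "not-on-or-after"));
        if (now.isBefore(notBefore) || !now.isBefore(notOnOrAfter))
            throw new SecurityException("token outside its validity window");
        return subject;
    }

    /** Requires exactly one value for a key; absent or repeated keys are rejected. */
    private static String single(Map<String, List<String>> attrs, String key) {
        List<String> v = attrs.getOrDefault(key, Collections.emptyList());
        if (v.size() != 1) throw new SecurityException("missing or repeated " + key);
        return v.get(0);
    }

    public static void main(String[] args) {
        // Constructed sample payload, not captured from a real deployment.
        String payload = "subject=jdoe\nnot-before=2024-01-01T12:00:00Z\n"
                       + "not-on-or-after=2024-01-01T12:05:00Z\nemail=jdoe@example.com\n";
        Instant now = Instant.parse("2024-01-01T12:01:00Z");
        System.out.println(extractUserId(parse(payload), now));
        try {   // a second subject line must be rejected, not silently win
            extractUserId(parse(payload + "subject=admin\n"), now);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The UserID returned here is only a name; the J2EE server still has to resolve it to an existing account in step 4, and a failure at either stage should deny the login.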