Adjusting the Login Module Stacks for Using SAML

Use

When a user is authenticated on the AS Java, the server processes the stack of login modules that apply to the application that the user accesses. The SAML login module is not automatically included with the default login stacks that are delivered with the AS Java. Therefore, to use SAML for Single Sign-On, you adjust the login module stacks for those applications that accept SAML assertions for user authentication.

Note

You can either adjust individual login module stacks, or you can adjust any of the corresponding policy configuration templates (basic, form, client_cert, digest). If you change any of these templates, then any applications that use these templates for their login modules are also automatically configured for using SAML assertions. For more information, see Managing Authentication Policy for AS Java Components.

Procedure

Use the authentication configuration functions of the SAP NetWeaver Administrator to configure the SAML destination site:

  1. From Components, select the policy configuration of the application to use SSO with SAML.

  2. In the Authentication Stack for the policy configuration, add the login module SAMLLoginModule to the login module stack and configure its processing flag.

    1. Position the module so that it is processed before the login module(s) that perform fallback authentication, for example, the BasicPasswordLoginModule.

    2. Configure the options for the SAMLLoginModule as indicated in the table below.

      | Option | Value | Comment |
      |---|---|---|
      | Mode | <standalone> | |
      | AcceptedAuthenticationMethods | <auth1, auth2, ...> | In this option, specify a list of the authentication methods to be accepted. Entering an asterisk (*) indicates that all methods are to be accepted. The name of the authentication method used must correspond to the method provided by the source site in the attribute AuthenticationMethod. |

      Note

      The available authentication methods are specified in the SAML specification. The most common methods used include:

      • Password: "urn:oasis:names:tc:SAML:1.0:am:password"

      • Client certificate: "urn:ietf:rfc:2246"

Example

Sample Login Module Stack for Using SAML Assertions

When processing the authentication stack below, the AS Java accepts SAML assertions using any authentication mechanism that was declared by the SAML source site. Basic Authentication is used as a fallback authentication mechanism when SAML authentication fails or is not possible, for example because no SAML artifact is sent.

| Login Modules | Flag | Options |
|---|---|---|
| SAMLLoginModule | SUFFICIENT | {AcceptedAuthenticationMethods=*, Mode=Standalone} |
| BasicPasswordLoginModule | SUFFICIENT | {} |

Sample Login Module Stack for Using SAML Assertions and Logon Tickets

Some application types do not support SAML assertions and still rely on logon tickets for Single Sign-On. In this case, include the logon ticket in the login module stack as shown in the example below.

| Login Modules | Flag | Options |
|---|---|---|
| EvaluateTicketLoginModule | SUFFICIENT | |
| SAMLLoginModule | OPTIONAL | {AcceptedAuthenticationMethods=*, Mode=AuthenticationStatement} |
| CreateTicketLoginModule | SUFFICIENT | |
| BasicPasswordLoginModule | REQUISITE | |
| CreateTicketLoginModule | OPTIONAL | |
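
The following added example (not SAP code and not part of the original documentation) models how the two sample stacks above are processed, using the standard JAAS control-flag semantics, so you can check which modules decide the result for a given request. It assumes that CreateTicketLoginModule succeeds only when an earlier module has authenticated the user; the function names and the comma-separated parsing of AcceptedAuthenticationMethods are illustrative.

```python
# Added illustration (not SAP code): standard JAAS control-flag evaluation
# applied to the sample stacks on this page.
PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"
CLIENT_CERT = "urn:ietf:rfc:2246"

SAML_STACK = [("SAMLLoginModule", "SUFFICIENT"),
              ("BasicPasswordLoginModule", "SUFFICIENT")]
TICKET_STACK = [("EvaluateTicketLoginModule", "SUFFICIENT"),
                ("SAMLLoginModule", "OPTIONAL"),
                ("CreateTicketLoginModule", "SUFFICIENT"),
                ("BasicPasswordLoginModule", "REQUISITE"),
                ("CreateTicketLoginModule", "OPTIONAL")]

def method_accepted(option_value, asserted_method):
    """Model of the AcceptedAuthenticationMethods check: '*' accepts any
    method, otherwise the asserted AuthenticationMethod must be listed."""
    accepted = [m.strip() for m in option_value.split(",")]
    return "*" in accepted or asserted_method in accepted

def evaluate(stack, outcomes):
    """outcomes holds one entry per stack position: True/False for the
    module's own result, or None for 'succeeds only if an earlier module
    succeeded' (assumption used here for CreateTicketLoginModule).
    Returns (authenticated, modules_processed)."""
    must_ok, any_must, any_ok, processed = True, False, False, []
    for (module, flag), outcome in zip(stack, outcomes):
        ok = any_ok if outcome is None else outcome
        processed.append(module)
        any_ok = any_ok or ok
        if flag in ("REQUIRED", "REQUISITE"):
            any_must, must_ok = True, must_ok and ok
            if flag == "REQUISITE" and not ok:
                break                      # fail fast, skip the rest
        elif flag == "SUFFICIENT" and ok:
            break                          # success ends stack processing
    return (must_ok if any_must else any_ok), processed

if __name__ == "__main__":
    # Constructed scenario: the source site asserts client-certificate logon,
    # the destination lists only the password method, the user has no ticket.
    saml_ok = method_accepted(PASSWORD, CLIENT_CERT)
    for pw_ok in (True, False):
        print(pw_ok, evaluate(TICKET_STACK, [False, saml_ok, None, pw_ok, None]))
```

With SAMLLoginModule flagged SUFFICIENT and AcceptedAuthenticationMethods=*, an assertion carrying any authentication method ends stack processing on success, so restrict the list when the application requires a specific method from the source site.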