
Example: Accessing Web Dynpro Application in a Portal Using SAML

Use

The following example shows how to integrate a Web Dynpro application in a portal so that users can access it using SAML. In this example the Web Dynpro application used is the Web Dynpro Console running on an AS Java on the host mydestination.company.com. The SAML source site is a portal running on an AS Java on the host mysource.company.com.

Note

The SAML specification requires SSL, so its use is activated by default in the SAML configuration. For testing purposes, however, you can disable the enforcement of SSL for the SAML-based document exchanges. In this case the system writes warnings to the log files, but the communication requests are still processed.

In this example, we disable the enforcement of SSL.

Prerequisites

The SAML service is running both on the source and destination site. For more information, see Changing the Startup Mode for the SAML Service.

Procedure

Configure SAML Settings on the SAML Source Site (Portal)

...

       1.      Create a user on the portal called SAML_RESP and assign the role SAML_RESPONDER to this user.

       2.      Using the SAP NetWeaver Administrator (NWA), go to System Management → Configuration and choose Security → Trusted Systems → SAML Browser Artifact from Detailed Navigation.

       3.      Choose the Partners Outbound tab to create a new outbound partner MyDestinationPartner for the portal. Assign values for the Partner Outbound parameters as follows:

Example

Partners Outbound

     Partner Key: MyDestinationPartner

     Issuer Name: www.samlssodemo.com

     Source ID: Hexadecimal: FB6E8396EFD983CDBA6AEC1DF95AD2C5E0C3F4AF

     Validity Before Issue: 120

     Validity After Issue: 180

     Assertion Version: SAML 1.0

     URL Parameter for Artifact: SAMLart

     Artifact Receiver: Direct call to resource

     Responder Access: Require fixed user

Responder User: SAML_RESP

       4.      Choose the Settings tab to disable the enforcement of SSL and to configure the global artifact URL parameter name as shown below:

Example

Settings

  URL parameter for artifact: SAMLart

Caution

We recommend that you use SSL for SAML communication in productive environments; otherwise the SAML access is insecure. The system creates warnings in the log for each insecure access.

For more information, see Configuring a Portal as a SAML Source Site.

Configure SAML Settings on the SAML Destination Site

...

       1.      On the SAML destination site, create a destination that points to the source site’s responder service with the following values:

Example

HTTP destination MySource

    Name:  MySource

    URL: http://mysource.company.com:<http_port>/saml/responder

    Authentication: BASIC

    Username: SAML_RESP

    Password: <password_for_SAML_RESP>

Caution

In this example, the URL that points to the source site's responder service uses HTTP. In production environments, always use HTTPS.

       2.      Using the NWA for the destination site, go to System Management → Configuration and choose Security → Trusted Systems → SAML Browser Artifact from Detailed Navigation.

       3.      Choose the Partners Inbound tab to create a new inbound partner MySourcePartner. Assign values for the Partner Inbound parameters as follows:

Example

Partners Inbound

     Partner Key: MySourcePartner

     Enabled: true

     Destination for callback: MySource

     Source ID: Hexadecimal: FB6E8396EFD983CDBA6AEC1DF95AD2C5E0C3F4AF

     Request version: SAML 1.0

     URL Parameter for target: TARGET

       4.      Choose the Settings tab for the inbound partner to disable the enforcement of SSL and to configure the global artifact URL parameter name as shown below:

Example

Settings

     URL parameter for artifact: SAMLart

Caution

We recommend that you enable SSL for the connection when using SAML in productive environments; otherwise the SAML access is insecure. The system creates warnings in the log for each insecure access.

For more information, see Configuring AS Java as a SAML Destination Site.
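The following Python is an added example (not part of this documentation and not SAP code) that models the artifact exchange which the Partners Outbound and Partners Inbound settings above configure. The source site builds a type-0001 artifact whose 20-byte SourceID is the hexadecimal value entered on both sides, and sends the browser to the resource with the SAMLart and TARGET URL parameters ("Direct call to resource"). The destination site parses the artifact, checks its length and type code, and uses the SourceID to select the enabled inbound partner, and with it the callback destination MySource. The artifact layout (2-byte type code, 20-byte SourceID, 20-byte AssertionHandle, Base64-encoded) is taken from the SAML 1.0 bindings specification; the partner table, the sample assertion handle and the reading of Validity Before Issue / Validity After Issue as seconds around the assertion's issue instant are assumptions made for this illustration.

```python
"""Model of the SAML 1.0 browser/artifact exchange configured above.

Added example, not SAP code. The artifact layout comes from the SAML 1.0
bindings specification. The inbound partner table and the interpretation of
the validity settings as seconds are assumptions for this illustration.
"""
import base64
import secrets
from typing import Optional
from urllib.parse import urlencode

TYPE_CODE = b"\x00\x01"  # SAML 1.0 artifact type 0001
SOURCE_ID_HEX = "FB6E8396EFD983CDBA6AEC1DF95AD2C5E0C3F4AF"  # value from the page

# Destination-site view of the Partners Inbound configuration, keyed by SourceID
# (constructed; mirrors the MySourcePartner entry above).
INBOUND_PARTNERS = {
    SOURCE_ID_HEX: {
        "partner_key": "MySourcePartner",
        "enabled": True,
        "destination_for_callback": "MySource",
    },
}


def build_artifact(source_id_hex: str, handle: Optional[bytes] = None) -> str:
    """Source site: assemble a type-0001 artifact for one issued assertion."""
    source_id = bytes.fromhex(source_id_hex)
    if len(source_id) != 20:
        raise ValueError("SourceID must be 20 bytes")
    handle = handle if handle is not None else secrets.token_bytes(20)
    if len(handle) != 20:
        raise ValueError("AssertionHandle must be 20 bytes")
    return base64.b64encode(TYPE_CODE + source_id + handle).decode("ascii")


def parse_artifact(artifact: str) -> tuple:
    """Destination site: validate the artifact and split it into (SourceID hex, handle)."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != 42:  # 2 + 20 + 20
        raise ValueError(f"unexpected artifact length {len(raw)}")
    if raw[:2] != TYPE_CODE:
        raise ValueError(f"unsupported artifact type {raw[:2].hex()}")
    return raw[2:22].hex().upper(), raw[22:]


def artifact_receiver_url(resource_url: str, artifact: str, target: str,
                          artifact_param: str = "SAMLart",
                          target_param: str = "TARGET") -> str:
    """'Direct call to resource': browser is redirected to the resource with
    the artifact and target as URL parameters (names from the Settings tabs)."""
    return resource_url + "?" + urlencode({artifact_param: artifact, target_param: target})


def resolve_inbound_partner(artifact: str) -> dict:
    """Pick the enabled inbound partner whose SourceID matches the artifact.

    The partner's 'Destination for callback' is the HTTP destination the
    destination site uses to fetch the assertion from /saml/responder."""
    source_id_hex, _handle = parse_artifact(artifact)
    partner = INBOUND_PARTNERS.get(source_id_hex)
    if partner is None or not partner["enabled"]:
        raise PermissionError(f"no enabled inbound partner for SourceID {source_id_hex}")
    return partner


def assertion_window(issue_instant: int, validity_before: int = 120,
                     validity_after: int = 180) -> tuple:
    """Assumed meaning of the outbound partner's validity settings (seconds):
    NotBefore = issue - before, NotOnOrAfter = issue + after. Times are Unix seconds."""
    return issue_instant - validity_before, issue_instant + validity_after


def assertion_is_current(now: int, not_before: int, not_on_or_after: int) -> bool:
    """NotBefore is inclusive, NotOnOrAfter is exclusive, as in SAML Conditions."""
    return not_before <= now < not_on_or_after
```

The same SourceID must appear in the outbound partner on the portal and in the inbound partner on the destination site; if they differ, `resolve_inbound_partner` finds no partner and the destination site cannot choose a callback destination, which is the usual cause of a failed artifact resolution after a typo in the hexadecimal value.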

Adjust the Login Module Stack of the Web Dynpro Application

By default, all Web Dynpro applications use the login module stack ticket, so you must change the ticket login module stack as follows:

...

       1.      Using authentication management functions of the NWA for the destination site, go to the Components tab.

       2.      Choose the policy configuration for the Web Dynpro application from the list in Component Policy Configurations.

       3.      For the Authentication Stack of the selected policy configuration:

                            a.      Set a reference to the ticket authentication template.

                            b.      Add the SAMLLoginModule to the ticket authentication template, as shown in the table below.

Login Module                 Flag

VerifyTicketLoginModule      SUFFICIENT

SAMLLoginModule              OPTIONAL

CreateTicketLoginModule      SUFFICIENT

BasicPasswordLoginModule     OPTIONAL

CreateTicketLoginModule      SUFFICIENT

                            c.      Choose the SAMLLoginModule from the Authentication Stack to configure its options as shown in the table below:

Name                            Value

AcceptedAuthenticationMethods   *

Mode                            Standalone

Note

To understand the above stack, you need to know that both SAMLLoginModule and BasicPasswordLoginModule put a user name in the shared state upon successful authentication and that CreateTicketLoginModule returns success if it finds a user name in the shared state.

For full details, see Adjusting the Login Module Stacks for Using SAML.
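The following Python is an added example (not SAP's implementation) that simulates how the login module stack above is evaluated, so that the effect of the SUFFICIENT and OPTIONAL flags and of the shared state described in the note becomes visible. The flag semantics follow JAAS: a SUFFICIENT module that succeeds ends the stack, an OPTIONAL module never decides the outcome on its own, and with no REQUIRED or REQUISITE module present the logon succeeds if any module succeeded. The module behaviour is a simplified model of the note above; the request fields, the ticket table, the artifact-to-user mapping and the password table are constructed.

```python
"""Simulation of the JAAS-style login module stack configured above.

Added example, not SAP code. Flag semantics follow JAAS. Module behaviour is a
simplified model of the note above: SAMLLoginModule and BasicPasswordLoginModule
put a user name into the shared state; CreateTicketLoginModule succeeds only if
a user name is already there. All lookup tables below are constructed.
"""
from typing import Callable, Dict, List, Tuple

# Constructed sample data: a valid logon ticket, a SAML artifact that the source
# site resolves to a user, and a password table for the basic fallback.
VALID_TICKETS = {"ticket-abc": "jdoe"}
RESOLVABLE_ARTIFACTS = {"artifact-from-mysource": "jdoe"}
PASSWORDS = {"jdoe": "s3cret"}

Module = Callable[[dict, dict], bool]


def verify_ticket(request: dict, shared: dict) -> bool:
    """VerifyTicketLoginModule: accepts an existing SAP logon ticket."""
    user = VALID_TICKETS.get(request.get("ticket"))
    if user is None:
        return False
    shared["user"] = user
    return True


def saml_login(request: dict, shared: dict) -> bool:
    """SAMLLoginModule: resolves the SAMLart parameter to the asserted user
    and puts the user name into the shared state."""
    user = RESOLVABLE_ARTIFACTS.get(request.get("SAMLart"))
    if user is None:
        return False
    shared["user"] = user
    return True


def create_ticket(request: dict, shared: dict) -> bool:
    """CreateTicketLoginModule: succeeds only if a user name is in the shared state."""
    if "user" not in shared:
        return False
    shared["issued_ticket"] = f"ticket-for-{shared['user']}"
    return True


def basic_password(request: dict, shared: dict) -> bool:
    """BasicPasswordLoginModule: user/password fallback, also fills the shared state."""
    user, password = request.get("user"), request.get("password")
    if user is None or password is None or PASSWORDS.get(user) != password:
        return False
    shared["user"] = user
    return True


# The stack from the table above: (module name, implementation, JAAS flag).
STACK: List[Tuple[str, Module, str]] = [
    ("VerifyTicketLoginModule", verify_ticket, "SUFFICIENT"),
    ("SAMLLoginModule", saml_login, "OPTIONAL"),
    ("CreateTicketLoginModule", create_ticket, "SUFFICIENT"),
    ("BasicPasswordLoginModule", basic_password, "OPTIONAL"),
    ("CreateTicketLoginModule", create_ticket, "SUFFICIENT"),
]


def run_stack(request: dict, stack=STACK) -> Dict[str, object]:
    """Evaluate the stack with JAAS flag semantics and return the outcome."""
    shared: dict = {}
    trace = []
    required_failed = False
    any_success = False
    for name, module, flag in stack:
        ok = module(request, shared)
        trace.append((name, flag, ok))
        if ok:
            any_success = True
            # SUFFICIENT success ends the stack unless a REQUIRED/REQUISITE module failed earlier.
            if flag == "SUFFICIENT" and not required_failed:
                break
        elif flag == "REQUISITE":
            required_failed = True
            break
        elif flag == "REQUIRED":
            required_failed = True
        # OPTIONAL and failed SUFFICIENT: continue with the next module.
    return {
        "authenticated": any_success and not required_failed,
        "user": shared.get("user"),
        "issued_ticket": shared.get("issued_ticket"),
        "trace": trace,
    }
```

Running the model shows the three paths the stack allows: a browser that already carries a valid logon ticket is accepted by the first module and no SAML processing happens; an artifact from the portal is consumed by SAMLLoginModule and turned into a logon ticket by the following CreateTicketLoginModule; and a request with neither falls through to the basic-password fallback. A request with no usable credential fails only because nothing succeeded, since no module in this stack is REQUIRED.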

Create a System Object for the Destination Site on the Portal

In the portal, create a system object for the system on which your target application is running as follows:

...

       1.      Choose System Administration → System Configuration → System Landscape.

       2.      Select the folder in which you want to create your system object and from the menu choose New System.

The System Wizard appears.

       3.      Select R/3 System with Load Balancing as template and choose Next.

       4.      Go through the wizard entering data as required.

       5.      When you have finished the wizard, choose Finish and choose Open the object for editing.

The property editor for the system object appears.

       6.      Enter values for the properties as follows:

Web Application Server (WAS)

     WAS Host Name: mydestination.company.com:<http_port>

     WAS Protocol: http

     Note: In a production environment you must use HTTPS.

User Management

     Logon Method: SAML Browser/Artifact

     SAML Partner Name: MyDestinationPartner

     This is the name of the set of Partners Outbound parameters for the destination site in the Configuration Adapter.

       7.      Save your changes.

       8.      Create a system alias for the system as follows:

                            a.      In the Display dropdown list box, choose System Aliases.

                            b.      Specify a name for the system alias, for example MyDestination. Add the defined alias by choosing Add.

                            c.      To save your changes, choose Save.

Create an iView for the Web Dynpro Application on the Portal

Create an iView for the Web Dynpro Console and take the following into account:

      In the iView creation wizard in the Selection of Application Variant screen, select Java.

      In the Application Parameter screen, maintain the fields as follows:

       System: Choose the alias of the system object you created in the previous step.

       Namespace: sap.com/tc~wd~tools

       Application Name: WebDynproConsole

In this example we are integrating the Web Dynpro Console for which the URL is http://mydestination:50000/webdynpro/dispatcher/sap.com/tc~wd~tools/WebDynproConsole. From this URL, we can find the values for the namespace and application name.

Test Whether You Can Access the Web Dynpro Application with SAML

...

       1.      Close all browser windows to reset the user context.

       2.      Log on to the portal.

Note

A user with the same logon ID as the user you log on with in the portal must exist on the destination site. The passwords do not have to be the same.

       3.      In the portal, choose Content Administration Portal Content.

       4.      Open the iView you created by right clicking on it and choosing Open Object.

       5.      Choose Preview to preview the iView.

The Web Dynpro Console should be displayed without you having to reenter user credentials.
