Influencing the Identity Provider Used by the Service Provider

Use

A service provider can trust multiple identity providers, and different applications can require different identity providers, so the service provider needs a means to discover which identity provider it should use. Use this procedure to influence which trusted identity provider a service provider sends the client to.

You can either enable the user to select the identity provider to use or you can configure an automatic means of identity provider discovery.

  • For manual selection, the service provider presents the names of the trusted identity providers and prompts the user to choose one.

  • For automatic identity provider discovery, the service provider chooses an identity provider based on the following criteria in order:

    1. Use the identity provider from an existing SAML session, SAML response, or SAML artifact response.

    2. Use the identity provider specified in a URL parameter, HTTP header, or request attribute.

    3. Use the identity provider in a common domain cookie.

      If access to an identity provider discovery service is enabled, the service provider checks the services in the following order:

      1. Use the trusted and enabled identity provider last visited as returned by the local identity provider discovery service in the local domain.

        The local identity provider discovery service uses the last entry in the common domain cookie, and only if the protocol is HTTPS.

      2. Use the trusted and enabled identity provider last visited as returned by the external identity provider discovery service in the common domain.

        The entry used in the common domain cookie depends on the external identity provider discovery service.

      For more information, see the Common Domain and Identity Provider Discovery section in the SAML 2 documentation.

    4. Use the default identity provider.
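The discovery order above is easiest to reason about as code. The following is an added example that simulates that order; it is not SAP's implementation. It assumes, beyond what this page states, that the common domain cookie is named `_saml_idp` and carries space-separated, base64-encoded identity provider entity IDs with the most recently visited provider last (the format defined in the SAML 2.0 Profiles specification), that a `saml2idp` value may be a semicolon-separated list as in the HTTP header example later on this page, and that the external discovery service is modelled as scanning the cookie from newest to oldest entry. The `TrustedIdp` and `Request` types, the `IDPS` sample configuration, and the `cdc_value` helper are constructed for the example.

```python
"""Simulation of the automatic identity provider discovery order.

Added example, not SAP code.  Assumed (not stated on the page): the CDC is
named ``_saml_idp`` and holds space-separated base64 entity IDs, oldest
first; the session, URL parameter, header and request attribute arrive as
plain values; an external discovery service scans newest-to-oldest.
"""
import base64
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class TrustedIdp:
    name: str            # alias shown to users and used in saml2idp
    entity_id: str       # SAML entityID as it appears in the CDC
    enabled: bool = True
    default: bool = False


@dataclass
class Request:
    scheme: str = "https"
    url_params: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    attributes: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    session_idp: Optional[str] = None   # IdP of an existing SAML session


def _usable(idps, name):
    """Return the trusted *and* enabled IdP with this alias, else None."""
    for idp in idps:
        if idp.name == name and idp.enabled:
            return idp
    return None


def _from_hint(idps, raw):
    """Parse a saml2idp value (possibly a ';'-separated list).  The first
    trusted, enabled entry wins; names the SP does not trust are ignored."""
    for name in (part.strip() for part in raw.split(";")):
        idp = _usable(idps, name)
        if idp:
            return idp
    return None


def decode_cdc(cookie_value):
    """Decode the CDC into entity IDs, oldest first (assumed format)."""
    return [base64.b64decode(tok).decode() for tok in cookie_value.split()]


def _from_cdc(idps, req, local_cdc, external_cdc):
    # Criterion 3: the CDC is only evaluated over HTTPS and only when a
    # discovery service is enabled.
    if req.scheme != "https" or "_saml_idp" not in req.cookies:
        return None
    if not (local_cdc or external_cdc):
        return None
    for entity_id in reversed(decode_cdc(req.cookies["_saml_idp"])):
        for idp in idps:
            if idp.entity_id == entity_id and idp.enabled:
                return idp
        if local_cdc and not external_cdc:
            break  # local discovery looks at the last entry only
    return None


def select_idp(idps, req, local_cdc=False, external_cdc=False):
    """Apply the discovery order; returns the chosen IdP or None."""
    # 1. Existing SAML session, SAML response or artifact response
    if req.session_idp:
        idp = _usable(idps, req.session_idp)
        if idp:
            return idp
    # 2. URL parameter, then HTTP header, then request attribute
    for source in (req.url_params, req.headers, req.attributes):
        raw = source.get("saml2idp")
        if raw:
            idp = _from_hint(idps, raw)
            if idp:
                return idp
    # 3. Common domain cookie via the enabled discovery service(s)
    idp = _from_cdc(idps, req, local_cdc, external_cdc)
    if idp:
        return idp
    # 4. Default identity provider
    return next((i for i in idps if i.default and i.enabled), None)


# Constructed sample configuration (placeholder providers, not real ones).
IDPS = [
    TrustedIdp("IdP Company 1", "https://idp1.example/saml2", default=True),
    TrustedIdp("IdP Company 2", "https://idp2.example/saml2"),
    TrustedIdp("IdP Company 3", "https://idp3.example/saml2", enabled=False),
]


def cdc_value(*entity_ids):
    """Build a CDC value in the assumed format, oldest entity ID first."""
    return " ".join(base64.b64encode(e.encode()).decode() for e in entity_ids)
```

The point to notice is that a `saml2idp` hint or a cookie entry only ever steers the choice among identity providers that are already trusted and enabled on the service provider; an unknown or disabled name falls through to the next criterion and finally to the default. The HTTPS check reflects the page's statement that the CDC is not evaluated without SSL.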

Procedure

Choosing the Identity Provider Discovery Mode

  1. Start SAP NetWeaver Administrator.

  2. Choose Configuration Management > Security > Authentication and Single Sign-On, then choose SAML 2.0 > Local Provider.

  3. Choose the Edit pushbutton.

  4. Choose the Service Provider Settings tab.

  5. Under Identity Provider Discovery enter one of the following in the Selection Mode field:

    • Manual (default)

    • Automatic

  6. Save your entries.

  7. Make the following configurations or developments, depending on the selection mode:

    • Manual: see Configuring the Names in the Manual Selection below.

    • Automatic: see Customizing and Configuring for Automatic Selection below.

Configuring the Names in the Manual Selection

Configure the names of the identity providers that the service provider displays to users. Use names for the identity providers that your users can recognize.

  1. Start SAP NetWeaver Administrator.

  2. Choose Configuration Management > Security > Authentication and Single Sign-On, then choose SAML 2.0 > Trusted Providers.

  3. Select an identity provider and choose the Edit pushbutton.

  4. Enter a name in the Alias field.

  5. Save your entries.

Customizing and Configuring for Automatic Selection

Select a default identity provider and make any custom developments needed to ensure that the service provider receives a URL parameter, an HTTP header, or a request attribute named “saml2idp”, or a common domain cookie.

  • Selecting an Identity Provider by URL Parameter

    Develop your applications to ensure that links to the protected application use the following syntax:

    <application_URL>?saml2idp=<identity_provider_name>

  • Selecting an Identity Provider by HTTP header

    Develop your applications or configure your proxies to ensure that HTTP requests to the protected application include an HTTP header named “saml2idp” that contains the colon separated list of identity providers.

    This is an example of such an HTTP request:
    GET /webdynpro/resources/sap.com/tc~lm~itsam~ui~mainframe~wd/FloorPlanApp?home=true HTTP/1.1
    accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
    accept-language: en
    user-agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    accept-encoding: gzip, deflate
    host: <SP_Host>:<SP_HTTP_port>
    saml2idp: IdP Company 1; IdP Company 2; IdP Company 3
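An application that emits the links or headers described above has to encode the identity provider alias correctly, which the syntax line does not show (an alias such as “IdP Company 1” contains spaces). The following is an added example, not code from SAP or from this page: it builds the `<application_URL>?saml2idp=<identity_provider_name>` link with the alias percent-encoded, composes the header value in the order the example request uses, and reads the parameter back the way the service provider would see it. The application URL and aliases are constructed placeholders.

```python
"""Building the saml2idp URL parameter and HTTP header for an application.

Added example, not SAP code.  Aliases are the names configured under
Trusted Providers; the URL below is a constructed placeholder.
"""
from urllib.parse import parse_qs, urlencode, urlsplit


def application_link(app_url, idp_name):
    """Return <application_URL>?saml2idp=<identity_provider_name>.

    urlencode percent-encodes the alias, so spaces and other reserved
    characters survive the round trip through the browser; an existing
    query string (for example ``?home=true``) is kept and extended."""
    sep = "&" if urlsplit(app_url).query else "?"
    return app_url + sep + urlencode({"saml2idp": idp_name})


def saml2idp_header(idp_names):
    """Value for the saml2idp header: an ordered list, separated as in
    the example request on this page (preferred provider first)."""
    return "; ".join(name.strip() for name in idp_names)


def idp_from_link(url):
    """Recover the alias the service provider receives from a link."""
    return parse_qs(urlsplit(url).query).get("saml2idp", [None])[0]


if __name__ == "__main__":
    link = application_link("https://sp.example/app?home=true", "IdP Company 1")
    print(link)                     # alias arrives as IdP+Company+1
    print(idp_from_link(link))      # decoded back to IdP Company 1
    print(saml2idp_header(["IdP Company 1", "IdP Company 2"]))
```

Keep the alias in the link identical to the Alias field configured under Trusted Providers; the service provider matches it against its trusted, enabled identity providers and otherwise falls back to the remaining discovery criteria.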
  • Selecting an Identity Provider by Common Domain Cookie
    1. Configure the target identity provider to issue a common domain cookie (CDC) in the same domain as your service provider for an internal identity provider discovery service or in the common domain for an external identity provider discovery service.

      For more information, see the documentation of your identity provider vendor.

    2. Start SAP NetWeaver Administrator.

    3. Choose Configuration Management > Security > Authentication and Single Sign-On, then choose SAML 2.0 > Local Provider.

    4. Choose the Edit pushbutton.

    5. Choose the Service Provider Settings tab.

    6. Under Identity Provider Discovery, enable the internal or external CDC service. You can enable both.

      If you enable the CDC external service, enter the URL of the service.

    7. Save your entries.

    8. Ensure that the user agent visits the identity provider before accessing the service provider, so that the cookie has been set.

      For example, the identity provider may be a portal that links to different service providers.

    9. Ensure that the client connects to the provider using Secure Sockets Layer (SSL).

      Without SSL the client does not evaluate the CDC.

  • Setting the Default Identity Provider
    1. Start SAP NetWeaver Administrator.

    2. Choose Configuration Management > Security > Authentication and Single Sign-On, then choose SAML 2.0 > Trusted Providers.

    3. Select an identity provider and choose the Edit pushbutton.

    4. Select the Default radio button.

    5. Save your entries.