The following example shows how to integrate a Web Dynpro application in a portal so that users can access it using SAML. In this example the Web Dynpro application used is the Web Dynpro Console running on an AS Java on the host mydestination.company.com. The SAML source site is a portal running on an AS Java on the host mysource.company.com.
The SAML specification requires SSL, so its use is activated by default in the SAML configuration. However, for testing purposes, you can disable the enforcement of SSL for the SAML-based document exchanges. In this case, you receive warnings in the log files, but you can still process the communication requests.
In this example, we disable the enforcement of SSL.
The SAML service is running both on the source and destination site. For more information, see Changing the Startup Mode for the SAML Service.
Configure SAML Settings on the SAML Source Site (Portal)
Outbound Partners
Partner Key: MyDestinationPartner
Issuer Name: www.samlssodemo.com
Source ID: Hexadecimal: FB6E8396EFD983CDBA6AEC1DF95AD2C5E0C3F4AF
Validity Before Issue: 120
Validity After Issue: 180
Assertion Version: SAML 1.0
URL Parameter for Artifact: SAMLart
Artifact Receiver: Direct call to resource
Responder Access: Require fixed user
Responder User: SAML_RESP
Settings
URL parameter for artifact: SAMLart
We recommend that you use SSL for SAML communication in productive environments; otherwise the SAML access is insecure. The system creates warnings in the log for each insecure access.
For more information, see Configuring a Portal as a SAML Source Site.
Configure SAML Settings on the SAML Destination Site
HTTP destination MySource
Name: MySource
URL: http://mysource.company.com:<http_port>/saml/responder
Authentication: BASIC
Username: SAML_RESP
Password: <password_for_SAML_RESP>
In this example, the URL that points to the source site's responder service uses HTTP. We recommend that you always use HTTPS in production environments.
Inbound Partners
Partner Key: MySourcePartner
Enabled: true
Destination for callback: MySource
Source ID: Hexadecimal: FB6E8396EFD983CDBA6AEC1DF95AD2C5E0C3F4AF
Request version: SAML 1.0
URL Parameter for target: TARGET
Settings
URL parameter for artifact: SAMLart
We recommend that you enable the use of SSL for the connection when using SAML in productive environments; otherwise the SAML access is insecure. The system creates warnings in the log for each insecure access.
For more information, see Configuring AS Java as a SAML Destination Site.
Adjust the Login Module Stack of the Web Dynpro Application
By default, all Web Dynpro applications use the login module ticket; therefore, you must change the login module stack of ticket as follows:
Login Module | Flag |
---|---|
VerifyTicketLoginModule | SUFFICIENT |
SAMLLoginModule | OPTIONAL |
CreateTicketLoginModule | SUFFICIENT |
BasicPasswordLoginModule | OPTIONAL |
CreateTicketLoginModule | SUFFICIENT |

Name | Value |
---|---|
AcceptedAuthenticationMethods | * |
Mode | Standalone |
To understand the above stack, you need to know that both SAMLLoginModule and BasicPasswordLoginModule put a user name in the shared state upon successful authentication and that CreateTicketLoginModule returns success if it finds a user name in the shared state.
For full details, see Adjusting the Login Module Stacks for Using SAML.
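The following model walks a request through the stack above to show which modules are evaluated for a logon ticket, a SAML artifact, a password, or no credential. It is an added example, not SAP code: it assumes the stack follows standard JAAS control-flag rules, and the request keys (ticket, saml, password) and the user jdoe are constructed.

```python
# Added model of the adjusted "ticket" stack; not SAP code.
# Assumption: the stack is evaluated with standard JAAS control-flag rules.
# Only the two flags used on this page are modelled.

STACK = [  # (login module, flag), in the order of the table above
    ("VerifyTicketLoginModule", "SUFFICIENT"),
    ("SAMLLoginModule", "OPTIONAL"),
    ("CreateTicketLoginModule", "SUFFICIENT"),
    ("BasicPasswordLoginModule", "OPTIONAL"),
    ("CreateTicketLoginModule", "SUFFICIENT"),
]

# Constructed mapping: which credential in the request each module checks.
PUTS_USER_IN_SHARED_STATE = {
    "SAMLLoginModule": "saml",
    "BasicPasswordLoginModule": "password",
}


def run_module(name, request, shared):
    """Return True if this module's login succeeds for the given request."""
    if name == "VerifyTicketLoginModule":
        return "ticket" in request           # existing logon ticket presented
    if name == "CreateTicketLoginModule":
        return "username" in shared          # succeeds only if a user was stored
    credential = PUTS_USER_IN_SHARED_STATE[name]
    if credential in request:
        shared["username"] = request[credential]
        return True
    return False


def authenticate(request, stack=STACK):
    """Return (authenticated, trace), where trace lists (module, succeeded)."""
    shared, trace = {}, []
    for name, flag in stack:
        ok = run_module(name, request, shared)
        trace.append((name, ok))
        if ok and flag == "SUFFICIENT":
            break                            # SUFFICIENT success ends evaluation
    # With no REQUIRED/REQUISITE modules, one success is enough overall.
    return any(ok for _, ok in trace), trace


if __name__ == "__main__":
    for request in ({"ticket": "jdoe"}, {"saml": "jdoe"}, {"password": "jdoe"}, {}):
        ok, trace = authenticate(request)
        print(request, "->", ok, [name for name, _ in trace])
```

For a SAML logon the trace ends at the first CreateTicketLoginModule, so BasicPasswordLoginModule is never evaluated.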
Create a System Object for the Destination Site on the Portal
In the portal, create a system object for the system on which your target application is running as follows:
The System Wizard appears.
The property editor for the system object appears.
Property Category | Property | Value |
---|---|---|
Web Application Server (WAS) | WAS Host Name | mydestination.company.com:<http_port> |
Web Application Server (WAS) | WAS Protocol | http. Note: In a production environment you must use HTTPS. |
User Management | Logon Method | SAML Browser/Artifact |
User Management | SAML Partner Name | MyDestinationPartner. This is the name of the set of PartnersOutbound parameters for the destination site in the Configuration Adapter. |
Create an iView for the Web Dynpro Application on the Portal
Create an iView for the Web Dynpro Console and take the following into account:
In this example we are integrating the Web Dynpro Console for which the URL is http://mydestination:50000/webdynpro/dispatcher/sap.com/tc~wd~tools/WebDynproConsole. From this URL, we can find the values for the namespace and application name.
Test Whether You Can Access the Web Dynpro Application with SAML
A user with the same logon ID as the user you log on with in the portal must exist on the destination site. The passwords do not have to be the same.
The Web Dynpro Console should be displayed without you having to reenter user credentials.