Show TOC

Configuring Single Sign-On (SSO)Locate this document in the navigation structure


To consume content from the SAP NetWeaver Portal, you need to establish single sign-on between the SAP Portal and your company portal. SAP recommends the use of SAML 2.0 as the SSO mechanism. Security Assertion Markup Language (SAML) is a standard produced by the Oasis Standards Organization. It uses two separate functions:

  • The SAML assertion: used to transfer information about a user

  • The SAML protocol: used to exchange SAML assertions

The following two illustrations depict the two modes in which SAML 2.0 can operate.

In a scenario in which SSO is initiated by the Service Provider:

  1. The user attempts to access the first portal.

  2. The portal, via the browser, redirects the user to the identify provider and logs on.

  3. Since logon is successful, the identity provider issues a SAML token and redirects the user back to the resource that the user tried to access on the first portal.

  4. Two things happen next:

    4a. The portal accepts the token and logs the user on, in this case, to a back-end ABAP system accessed by an iView. This authentication can be accomplished in the traditional manner: user mapping and logon ticket.

    4b. From the first portal, the user tries to access the second portal.

  5. The second portal again sends the user by redirect to the identity provider for authentication.

  6. The user is already authenticated at the identity provider, so it simply issues a SAML 2 token for the second portal and redirects the user back to the portal.

  7. The user is then logged on to the second portal by means of the SAML 2 token.

SSO Initiated by Identity Provider

In a scenario in which SSO is initiated by the Identity Provider :

  1. The user requests a SAML token from the identity provider.

  2. Since the logon is successful, the identity provider issues the SAML token.

  3. The uses attempts to access the first portal, which in this case is both service provider and identity provider. Therefore, no redirect is required. The identity provider authenticates the user and the user is logged on.

  4. The user attempts to access the second portal, which works the same as in steps 1 - 4 of the previous example.

  5. The second portal sends the user back to the identity provider.

  6. Since the user is already logged on there, the identity provider issues a SAML 2 token for the second portal and redirect the user back to it.

  7. The user logs on with the SAML 2 token to the second portal and views the content.

The procedure for SAML configuration for Identity Providers depends on the other portal server selected. Examples of Identity Providers that support SAML 2.0 are:

  • IBM with Tivoli Federated Identity Manager (TFIM) by IBM. For more information about IBM interoperability, see the SDN site at: published on SAP site.

  • Microsoft with Microsoft Active Directory Federation Services (AD FS) 2.0.


For information about configuring SAML on SAP NetWeaver, see Using SAML 2.0 .


We strongly recommend that you first configure SSO on SAP NetWeaver Portal because SAML relies on a secure transport mechanism.


You can use a dedicated SSO troubleshooting tool in the SAP NetWeaver Administrator:

  1. On the Troubleshooting tab, choose Security Troubleshooting Wizard .

  2. Reproduce the issue.

  3. Return to the tool (repeat step 1) and view the results.

More Information