Example: Accessing Web Dynpro Application in a Portal Using SAML

Use

The following example shows how to integrate a Web Dynpro application in a portal so that users can access it using SAML. In this example the Web Dynpro application used is the Web Dynpro Console running on an AS Java on the host mydestination.company.com. The SAML source site is a portal running on an AS Java on the host mysource.company.com.

Note

SSL is required by the SAML specification, therefore, by default its use is activated in the SAML configuration. However, for testing purposes, you can disable the enforcement of SSL for the SAML-based document exchanges. In this case, you receive warnings in the log files, but you can still process the communication requests.

In this example, we disable the enforcement of SSL.

Prerequisites

The SAML service is running both on the source and destination site. For more information, see Changing the Startup Mode for the SAML Service.

Procedure

Configure SAML Settings on the SAML Source Site (Portal)

  1. Create a user on the portal called SAML_RESP and assign the role SAML_RESPONDER to this user.
  2. Using the SAP NetWeaver Administrator (NWA), go to System Management → Configuration and choose Security → Trusted Systems → SAML Browser/Artifact Profile from Detailed Navigation.
  3. Choose the Outbound Partners tab to create a new outbound partner MyDestinationPartner for the portal. Assign values for the Partner Outbound parameters as follows:
    Tip

    Outbound Partners

    Partner Key: MyDestinationPartner

    Issuer Name: www.samlssodemo.com

    Source ID: Hexadecimal: FB6E8396EFD983CDBA6AEC1DF95AD2C5E0C3F4AF

    Validity Before Issue: 120

    Validity After Issue: 180

    Assertion Version: SAML 1.0

    URL Parameter for Artifact: SAMLart

    Artifact Receiver: Direct call to resource

    Responder Access: Require fixed user

    Responder User: SAML_RESP

  4. Choose the Settings tab to assign the values that disable SSL and to configure the global artifact name parameter as shown below:
    Tip

    Settings

    URL parameter for artifact: SAMLart

    Caution

    We recommend that you use SSL for SAML communication in productive environments; otherwise the SAML access is insecure. The system creates warnings in the log for each insecure access.

For more information, see Configuring a Portal as a SAML Source Site.

Configure SAML Settings on the SAML Destination Site

  1. On the SAML destination site, create a destination that points to the source site's responder service with the following values:
    Tip

    HTTP destination MySource

    Name: MySource

    URL: http://mysource.company.com:<http_port>/saml/responder

    Authentication: BASIC

    Username: SAML_RESP

    Password: <password_for_SAML_RESP>

    Caution

    In this example, the URL that points to the source site's responder service uses HTTP. We recommend that you always use HTTPS in production environments.

  2. Using the NWA for the destination site, go to System Management → Configuration and choose Security → Trusted Systems → SAML Browser/Artifact Profile from Detailed Navigation.
  3. Choose the Inbound Partners tab to create a new inbound partner MySourcePartner. Assign values for the Inbound Partners parameters as follows:
    Tip

    Inbound Partners

    Partner Key: MySourcePartner

    Enabled: true

    Destination for callback: MySource

    Source ID: Hexadecimal: FB6E8396EFD983CDBA6AEC1DF95AD2C5E0C3F4AF

    Request version: SAML 1.0

    URL Parameter for target: TARGET

  4. Choose the Settings tab for the inbound partner to assign the values that disable SSL and to configure the global artifact name parameter as shown below:
    Tip

    Settings

    URL parameter for artifact: SAMLart

    Caution

    We recommend that you enable the use of SSL for the connection when using SAML in productive environments; otherwise the SAML access is insecure. The system creates warnings in the log for each insecure access.

For more information, see Configuring AS Java as a SAML Destination Site.
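As an added example (not part of this documentation or of SAP's code), the following Python sketch shows what the destination site has to do with the SAMLart URL parameter before it calls back the responder: decode the SAML 1.x type-1 artifact (type code 0x0001, 20-byte Source ID, 20-byte assertion handle, base64), and match the Source ID against an enabled inbound partner to find the destination to call back. The inbound partner table and the assertion handle are constructed for the example; the Source ID hex value is the one configured above.

```python
import base64
import binascii
import os
from typing import Optional, Tuple

# Constructed inbound partner table mirroring the configuration in this example.
INBOUND_PARTNERS = {
    "MySourcePartner": {
        "enabled": True,
        "destination_for_callback": "MySource",
        "source_id": bytes.fromhex("FB6E8396EFD983CDBA6AEC1DF95AD2C5E0C3F4AF"),
    },
}

TYPE_CODE_BROWSER_ARTIFACT = b"\x00\x01"  # SAML 1.x artifact type 1


def build_artifact(source_id: bytes, assertion_handle: bytes) -> str:
    """Encode a type-1 artifact: TypeCode(2) + SourceID(20) + AssertionHandle(20), base64."""
    if len(source_id) != 20 or len(assertion_handle) != 20:
        raise ValueError("SourceID and AssertionHandle must each be 20 bytes")
    raw = TYPE_CODE_BROWSER_ARTIFACT + source_id + assertion_handle
    return base64.b64encode(raw).decode("ascii")


def parse_artifact(samlart: str) -> Tuple[bytes, bytes]:
    """Decode the SAMLart value and return (source_id, assertion_handle); reject anything else."""
    try:
        raw = base64.b64decode(samlart, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("SAMLart is not valid base64") from exc
    if len(raw) != 42 or raw[:2] != TYPE_CODE_BROWSER_ARTIFACT:
        raise ValueError("unsupported artifact type or length")
    return raw[2:22], raw[22:42]


def resolve_callback_destination(samlart: str) -> Optional[str]:
    """Return the callback destination of the enabled inbound partner whose Source ID matches."""
    source_id, _handle = parse_artifact(samlart)
    for partner in INBOUND_PARTNERS.values():
        if partner["enabled"] and partner["source_id"] == source_id:
            return partner["destination_for_callback"]
    return None  # unknown or disabled partner: the artifact must not be resolved


if __name__ == "__main__":
    art = build_artifact(INBOUND_PARTNERS["MySourcePartner"]["source_id"], os.urandom(20))
    print("SAMLart =", art, "->", resolve_callback_destination(art))
```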

Adjust the Login Module Stack of the Web Dynpro Application

By default, all Web Dynpro applications use the login module ticket , therefore you must change the login module stack of ticket as follows:

  1. Using authentication management functions of the NWA for the destination site, go to the Components tab.
  2. Choose the policy configuration for the Web Dynpro application from the list in Component Policy Configurations .
  3. For the Authentication Stack of the selected policy configuration:
    1. Set a reference to the ticket authentication template.
    2. Add the SAMLLoginModule to the ticket authentication template, as shown in the table below.
      Login Module              Flag
      VerifyTicketLoginModule   SUFFICIENT
      SAMLLoginModule           OPTIONAL
      CreateTicketLoginModule   SUFFICIENT
      BasicPasswordLoginModule  OPTIONAL
      CreateTicketLoginModule   SUFFICIENT

    3. Choose the SAMLLoginModule from the Authentication Stack to configure its options as shown in the table below:
      Name                           Value
      AcceptedAuthenticationMethods  *
      Mode                           Standalone

      Note

      To understand the above stack, you need to know that both SAMLLoginModule and BasicPasswordLoginModule put a user name in the shared state upon successful authentication and that CreateTicketLoginModule returns success if it finds a user name in the shared state.

For full details, see Adjusting the Login Module Stacks for Using SAML.
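To illustrate the note above on how the stack evaluates, here is an added Python simulation (not SAP code) of the ticket stack with SUFFICIENT/OPTIONAL semantics and a shared state. The Request fields and the per-module behaviour are simplified assumptions; the point is to see which modules run for a ticket holder, a SAML user and a password user.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

# The 'ticket' stack after adding SAMLLoginModule, in the order listed above.
STACK = [
    ("VerifyTicketLoginModule", "SUFFICIENT"),
    ("SAMLLoginModule", "OPTIONAL"),
    ("CreateTicketLoginModule", "SUFFICIENT"),
    ("BasicPasswordLoginModule", "OPTIONAL"),
    ("CreateTicketLoginModule", "SUFFICIENT"),
]


@dataclass
class Request:
    """Constructed stand-in for one logon attempt (simplified assumptions, not SAP's API)."""
    ticket_user: Optional[str] = None   # user named in a valid logon ticket, if any
    saml_user: Optional[str] = None     # user named in a valid SAML assertion, if any
    basic_user: Optional[str] = None    # user proven by a valid password, if any
    shared_state: dict = field(default_factory=dict)
    trace: list = field(default_factory=list)


def run_module(name: str, req: Request) -> bool:
    """Simplified behaviour of each module; returns True on success."""
    if name == "VerifyTicketLoginModule":
        return req.ticket_user is not None
    if name == "SAMLLoginModule" and req.saml_user:
        req.shared_state["user"] = req.saml_user   # SAML puts the user name in the shared state
        return True
    if name == "BasicPasswordLoginModule" and req.basic_user:
        req.shared_state["user"] = req.basic_user  # so does BasicPassword
        return True
    if name == "CreateTicketLoginModule":
        return "user" in req.shared_state          # succeeds only if the shared state names a user
    return False


def evaluate_stack(req: Request) -> Tuple[bool, Optional[str]]:
    """JAAS-style evaluation: a successful SUFFICIENT module ends the stack at once;
    with only SUFFICIENT/OPTIONAL flags, the logon succeeds if any module succeeded."""
    any_success = False
    for name, flag in STACK:
        ok = run_module(name, req)
        req.trace.append((name, flag, ok))
        if ok and flag == "SUFFICIENT":
            return True, req.ticket_user or req.shared_state.get("user")
        any_success = any_success or ok
    return any_success, req.shared_state.get("user")
```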

Create a System Object for the Destination Site on the Portal

In the portal, create a system object for the system on which your target application is running as follows:

  1. Choose System Administration → System Configuration → System Landscape.
  2. Select the folder in which you want to create your system object and from the menu choose New → System.

    The System Wizard appears.

  3. Select R/3 System with Load Balancing as template and choose Next.
  4. Go through the wizard entering data as required.
  5. When you have finished the wizard, choose Finish and choose Open the object for editing.

    The property editor for the system object appears.

  6. Enter values for the properties as follows:
    Property Category: Web Application Server (WAS)

      WAS Host Name: mydestination.company.com:<http_port>

      WAS Protocol: http

      Note: In a production environment you must use HTTPS.

    Property Category: User Management

      Logon Method: SAML Browser/Artifact

      SAML Partner Name: MyDestinationPartner

      This is the name of the set of PartnersOutbound parameters for the destination site in the Configuration Adapter.

  7. Save your changes.
  8. Create a system alias for the system as follows:
    1. In the Display dropdown list box, choose System Aliases.
    2. Specify a name for the system alias, for example MyDestination. Add the defined alias by choosing Add.
    3. To save your changes, choose Save.

Create an iView for the Web Dynpro Application on the Portal

Create an iView for the Web Dynpro Console as described in Creating a Web Dynpro-Based iView and take the following into account:

  • In the iView creation wizard in the Selection of Application Variant screen, select Java.
  • In the Application Parameter screen, maintain the fields as follows:
    • System: Choose the alias of the system object you created in the previous step.
    • Namespace: sap.com/tc~wd~tools
    • Application Name: WebDynproConsole

    In this example we are integrating the Web Dynpro Console, for which the URL is http://mydestination:50000/webdynpro/dispatcher/sap.com/tc~wd~tools/WebDynproConsole. From this URL, we can find the values for the namespace and application name.

Test Whether You Can Access the Web Dynpro Application with SAML

  1. Close all browser windows to reset the user context.
  2. Log on to the portal.
    Note

    A user with the same logon ID as the user you log on with in the portal must exist on the destination site. The passwords do not have to be the same.

  3. In the portal, choose Content Administration → Portal Content.
  4. Open the iView you created by right clicking on it and choosing Open → Object.
  5. Choose Preview to preview the iView.

    The Web Dynpro Console should be displayed without you having to reenter user credentials.