
SAML SSO implementation issues

Former Member
0 Kudos

Hi All,

We are in the process of implementing a SAML based SSO solution between a CRM system and a portal system.

In this scenario EP system will be the Identity provider and CRM system is going to be the Resource provider.

Issue -

For the same we have done the necessary settings in VA for CRM Portal as well as EP. Now the issue that we are facing is that when we are not choosing the option of fallback mechanism in VA, we are getting an error as below -

Stack trace of log message with ID "0017A47740080030000000EB0000381A00047E216937A9E8" written to trace

[EXCEPTION]

com.sap.security.core.server.saml.jaas.exception.SAMLLoginModuleException: com.sap.engine.services.security.exceptions.BaseUnsupportedCallbackException: <--Localization failed: ResourceBundle='com.sap.engine.services.security.exceptions.SecurityResourceBundle',..

On the other hand, when we choose the fallback mechanism as 'User id and Password' then we don't get any error message, but the link that we want to access does ask for UID and PWD on accessing, hence the concept of SSO doesn't get implemented here.

Seems we are missing something here in configurations part.

Pls. do guide us for the same.

Regards,

Shailesh

Accepted Solutions (1)


MichaelShea
Product and Topic Expert
0 Kudos

Hi Shailesh,

For SAML 1.x, the AS Java cannot act as an identity provider. It can act as a destination site. See [Using SAML Assertions for Single Sign-On|http://help.sap.com/saphelp_nw04/helpdata/EN/94/695b3ebd564644e10000000a114084/frameset.htm].

For SAP NetWeaver AS Java 7.2 there is support for SAML 2.0. There are plans to support an identity provider as part of the SAP NetWeaver Identity Management solution.

-Michael
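As an added illustration of the destination-site role Michael describes (this is example code, not from the thread and not SAP's SAML login module), the block below shows the checks a SAML 1.1 destination site applies to an assertion it received from the source site: issuer, validity window, audience, subject, and a replay cache keyed on the AssertionID. The assertion, hostnames and timestamps are constructed; XML signature verification is assumed to have happened before these checks and is not shown.

```python
"""Added example: SAML 1.1 assertion checks at a destination site.
Assumes the assertion's XML signature was already verified."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed sample assertion, as a SAML 1.1 source site would issue for
# user "shailesh" after a password logon. Hostnames and IDs are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_example-assertion-id"
    Issuer="ep.example.internal" IssueInstant="2009-11-20T10:00:00Z">
  <saml:Conditions NotBefore="2009-11-20T10:00:00Z" NotOnOrAfter="2009-11-20T10:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>crm.example.internal</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2009-11-20T09:59:58Z">
    <saml:Subject>
      <saml:NameIdentifier>shailesh</saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def parse_instant(value):
    """SAML 1.x instants are UTC xsd:dateTime values such as 2009-11-20T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, expected_issuer, own_audience, now, seen_ids,
                    max_skew=timedelta(seconds=30)):
    """Return (True, user_name) if the assertion is acceptable, else (False, reason).

    seen_ids is the destination site's replay cache of accepted AssertionIDs.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return False, "not a SAML 1.x assertion"
    if (root.get("MajorVersion"), root.get("MinorVersion")) != ("1", "1"):
        return False, "unsupported SAML version"
    # Only the configured source site may vouch for users.
    if root.get("Issuer") != expected_issuer:
        return False, "issuer is not the trusted source site"

    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return False, "assertion has no validity window"
    not_before = parse_instant(cond.get("NotBefore"))
    not_on_or_after = parse_instant(cond.get("NotOnOrAfter"))
    if now + max_skew < not_before:
        return False, "assertion not yet valid"
    if now - max_skew >= not_on_or_after:
        return False, "assertion expired"

    # If the source site restricted the audience, we must be named in it.
    audiences = [a.text for a in
                 cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if audiences and own_audience not in audiences:
        return False, "assertion was issued for a different destination site"

    stmt = root.find("saml:AuthenticationStatement", NS)
    if stmt is None:
        return False, "no authentication statement"
    name = stmt.findtext("saml:Subject/saml:NameIdentifier", default="", namespaces=NS).strip()
    if not name:
        return False, "no subject name identifier"

    # Each assertion may establish a session only once.
    assertion_id = root.get("AssertionID")
    if not assertion_id or assertion_id in seen_ids:
        return False, "assertion ID missing or already accepted (replay)"
    seen_ids.add(assertion_id)
    return True, name


if __name__ == "__main__":
    cache = set()
    now = parse_instant("2009-11-20T10:01:00Z")
    print(check_assertion(SAMPLE_ASSERTION, "ep.example.internal",
                          "crm.example.internal", now, cache))
    print(check_assertion(SAMPLE_ASSERTION, "ep.example.internal",
                          "crm.example.internal", now, cache))
```

The validity window is evaluated with a small clock-skew allowance, which matters in practice because the source and destination sites are separate hosts; the replay cache is the reason a destination site must persist accepted assertion IDs for at least the assertion lifetime.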

Former Member
0 Kudos

Hi Michael,

We were planning to access a page on CRM portal, hence we created a URL iView in EP of the CRM page that we want to view.

Now what strategy do you think will fit in this case, since the Destination URL will be the URL iView link.

Thanks.

Regards,

Shailesh

MichaelShea
Product and Topic Expert
0 Kudos

Hi Shailesh,

You can either use a third-party product to operate as an identity provider, or you wait until spring of 2010 for the arrival of the SAML 2.0 identity provider that SAP wants to release, according to a recent SAP Insider article.

Or you choose another authentication method....logon tickets, x509, kerberos, etc.

-Michael

Former Member
0 Kudos

Hi Michael,

Well thanks again for the inputs.

Just want to confirm, we had earlier carried out a test by using the SAP test application, in which both the source and destination were AS Java EP, and that did work out successfully.

Some clarifications on this please.

Thanks.

Regards,

Shailesh

MichaelShea
Product and Topic Expert
0 Kudos

Hi Shailesh,

I am not really an expert on SAP's SAML 1.x implementation, but I think the source site function in the test application is just for the test application. It is not really meant for productive use. I am much more familiar with SAP's SAML 2.0 implementation.

-Michael

Answers (2)


martin_eberle
Explorer
0 Kudos

Hi Shailesh

Could you please give me a hint how you managed to redirect unauthenticated requests from ABAP to JAVA?

We are using Kerberos on Java for a long time now, but cannot find a practical way to include JAVA SPNEGO as authentication layer only, when using ABAP Web.

- I don't like to communicate directly to JAVA and redirect / proxy everything from there to ABAP

- I don't like to put a Reverse Proxy in front of both and decide there which path to go on (depending on the existence of the SAPSSO2 cookie)

- I'd like to communicate directly to ABAP, within ABAP check if already authenticated and if not => make a roundtrip to Java to fetch a SAPSSO2 cookie.

Any suggestions?

Martin
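The third option Martin lists, simulated as an added example (not code from the thread or from SAP): the ABAP side checks for the SSO cookie on every request, and only when it is missing bounces the browser once to the Java side, which establishes the user via its (here simulated) SPNEGO login and sends the browser back with the cookie set. Hostnames, paths, the `redirectUrl` parameter and the HMAC-signed ticket are constructed placeholders; the real SAP logon ticket format is not reproduced. The example assumes the cookie is scoped to a domain shared by both hosts so that the ABAP side receives it on the return trip.

```python
"""Added example: ABAP -> Java -> ABAP round trip to obtain an SSO cookie.
All hosts, paths, parameter names and the ticket format are constructed."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

ABAP_HOST = "abap.example.internal"                      # constructed
JAVA_LOGIN_URL = "https://java.example.internal/spnego-login"  # constructed
COOKIE_NAME = "MYSAPSSO2"    # name of the SAP logon ticket cookie
TICKET_KEY = b"constructed-shared-secret"   # stand-in for the real ticket signing key


def issue_ticket(user):
    """HMAC-signed stand-in for a logon ticket (real tickets are an SAP-specific signed blob)."""
    body = base64.urlsafe_b64encode(user.encode()).decode()
    mac = hmac.new(TICKET_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + mac


def verify_ticket(ticket):
    """Return the user named in a valid ticket, or None if absent or tampered."""
    if "." not in ticket:
        return None
    body, mac = ticket.split(".", 1)
    expected = hmac.new(TICKET_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    try:
        return base64.urlsafe_b64decode(body.encode()).decode()
    except (ValueError, UnicodeDecodeError):
        return None


def safe_return_url(url):
    """Open-redirect guard: the Java side only sends browsers back to the ABAP host over HTTPS."""
    parts = urlparse(url)
    return parts.scheme == "https" and parts.netloc == ABAP_HOST


def abap_handle(request):
    """ABAP side. request = {'url': str, 'cookies': dict}; returns a response dict."""
    user = verify_ticket(request["cookies"].get(COOKIE_NAME, ""))
    if user:
        return {"status": 200, "user": user, "body": "Hello " + user}
    # Not authenticated: send the browser to Java once, remembering where to return.
    query = urlencode({"redirectUrl": request["url"]})
    return {"status": 302, "location": JAVA_LOGIN_URL + "?" + query}


def java_handle(request, spnego_user):
    """Java side. spnego_user is the principal the simulated SPNEGO login module established."""
    target = parse_qs(urlparse(request["url"]).query).get("redirectUrl", [""])[0]
    if not safe_return_url(target):
        return {"status": 400, "body": "refusing to redirect off the ABAP host"}
    return {"status": 302, "location": target,
            "set_cookie": {COOKIE_NAME: issue_ticket(spnego_user)}}


def round_trip(start_url, spnego_user):
    """Drive a browser through the exchange; returns (list of statuses, final user or None)."""
    cookies = {}
    r1 = abap_handle({"url": start_url, "cookies": cookies})
    if r1["status"] == 200:
        return [200], r1["user"]
    r2 = java_handle({"url": r1["location"]}, spnego_user)
    if r2["status"] != 302:
        return [r1["status"], r2["status"]], None
    cookies.update(r2["set_cookie"])      # browser stores the cookie for the shared domain
    r3 = abap_handle({"url": r2["location"], "cookies": cookies})
    return [r1["status"], r2["status"], r3["status"]], r3.get("user")


if __name__ == "__main__":
    print(round_trip("https://abap.example.internal/app", "martin"))
```

The `redirectUrl` check on the Java side is the part worth keeping whatever the real implementation looks like: a login endpoint that redirects to an arbitrary caller-supplied URL after setting a session cookie turns the SSO hop into an open redirect.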

Former Member
0 Kudos

Hi experts,

I have one question now and will appreciate if you can give me the answers.

I can be redirected to the destination URL.

But when I am redirected to the destination URL, a logon prompt always pops up and I need to log on with user/password for authentication.

I want to know if this is the intended result of the demo, or is there some config I need to do for the demo?

I am always using the default setup for the SAML SSO demo.

Thanks

Eric