Skip to Content
author's profile photo Former Member
Former Member

SAML2.0 authentication with Portal


I'm looking for a right way to change SAP Portal SSO authentication from tickets (which are setted up by default) to SAML2.0.

For now I changed the default authentication stack to the custom one which includes SAML2LoginModule. And when I'm accessing the Portal it calls the SAML authentication. I mean that the IdP login screen appears and I can enter credentials, but when the IdP redirects me back to the Portal another login screen appears and I need to provide credentials here too.

Please give me some clue on how this should be properly configured or why I get such behaviour with two login screens.



Add a comment
10|10000 characters needed characters exceeded

Assigned Tags

Related questions

1 Answer

  • Posted on Aug 19, 2011 at 08:04 AM

    Hi Andrei,

    The fact that the second logon screen appears means that SAML 2.0 authentication was not successful. What is the version of NetWeaver you are using?

    Here are some things you can check:

    1. Signature/encryption requirements

    For example, if SP requires that SAML2 assertions are signed but IdP does not sign them, authentication at SP will fail.

    If SP requires that SAML2 assertions are encrypted but IdP does not encrypt them, authentication at SP will fail.

    2. Name ID formats

    Check what is the Name ID format and Name ID value identity provider sends to service provider. Check the "Identity Federation" configuration at SP side.

    When SP receives the Name ID value, it tries to find a user using this value. SP first checks the configuration so that it knows how to interpret this value.

    Example: If Name ID format is "unspecified" and IdP sends "abc" as Name ID value, SP will first check the configuration to see if this Name ID format is configured as supported. If it is not supported, authentication will fail. In case, it is supported, SP will check what this value should mean. Let's say that SP configuration for "unspecified" Name ID format says that the source is "Logon ID". In this case, SP will try to find a user with logon ID "abc". If user with the specified logon ID does not exist, logon screen of the SP will be shown.

    Here are some links:

    [Name ID formats related documentation|]

    [Starting porint of SAML 2.0|]

    [Single Sign-On with SAML 2.0 wiki|]

    Best regards,


    Add a comment
    10|10000 characters needed characters exceeded

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.