Shibboleth Integration with SAP via SAML2.0

Ahmad Tarmizee Kamarul Zaman akamarulzaman at abeam.com
Mon Jul 6 05:46:57 EDT 2015


Hi Cal,

Based on the description, it looks like the SAP GUI is using SAP traditional authentication while SAML and Shibboleth were used for the SAP Web application. I understand that.

Do you have any other suggested links and SAP notes that I should refer to?

Thanks and Best Regards
Tarmizee

From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Caleb Racey
Sent: Monday, July 06, 2015 6:16 PM
To: Shib Users
Subject: RE: Shibboleth Integration with SAP via SAML2.0

In our case the desktop app SAP GUI itself has its own authentication that is unrelated to SAML. We are using shib/SAML with SAP Fiori and SAP portal (the Java NetWeaver bit?... excuse me, I lose track of what SAP is currently calling its various components).

My colleagues Bill and Chris know more about what the "right options" mean. There are several screens in the setup dialogue (I called this the "SAP GUI setup screens" in my email. I shouldn't have... I should have said "configuration dialogue boxes" since "SAP GUI" is a product all in itself) for Fiori and NetWeaver that have options about setting up trust. This part is the relatively complex bit that Chris and Bill figured out after a fair bit of trial and error.

Cal

From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Ahmad Tarmizee Kamarul Zaman
Sent: Monday, July 6, 2015 9:58 AM
To: Shib Users
Subject: RE: Shibboleth Integration with SAP via SAML2.0

Hi Cal,

Thanks for your response. I can imagine the challenge that you went through while integrating Shibboleth with SAP. Thanks for sharing the link. That's the exact scenario that I would like to implement. I have an additional question regarding your statement:
"Most of the complexity is in figuring out the right options in the SAP GUI setup screens."

Can I assume that your user authentication for the SAP GUI is also via Shibboleth? And what do you mean by right options?

Please advise.

Thanks and Best Regards
Tarmizee

From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Caleb Racey
Sent: Monday, July 06, 2015 5:28 PM
To: Shib Users
Subject: RE: Shibboleth Integration with SAP via SAML2.0

SAP and SAML 2.0 are definitely usable together. My colleagues Chris and Bill managed to get it working. Unfortunately they don't have a recipe as it was a bit of an integration trial and error approach. It's probably best building up your shib/SAML knowledge first as it's relatively hard to get shib and SAP to talk together. Peter's suggestion of using the GLUU server may shallow out the shib learning curve for you.

The documentation you are looking at is the right stuff to be looking at. Most of the complexity is in figuring out the right options in the SAP GUI setup screens. Chris did set up a bespoke attribute release policy so that SAP only gets the attributes it needs; it makes figuring out what is going on at the SAP end easier.

There is also a good post from Sheffield uni about what they did. http://scn.sap.com/community/mobile/blog/2014/12/02/implementing-sap-fiori-in-a-productive-enviorment-from-start-to-go-live-in-about-six-months


Cal

Caleb Racey
Systems Architecture Manager
Newcastle University.



From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Ahmad Tarmizee Kamarul Zaman
Sent: Wednesday, July 1, 2015 5:08 AM
To: users at shibboleth.net
Subject: Shibboleth Integration with SAP via SAML2.0

Dear All,

Our organization is planning to implement Single Sign On. We would like to use SAML 2.0 authentication with Shibboleth in order to achieve Single Sign On with SAP. Our planned scenario may be visualized as in the diagram below:

[cid:image001.jpg at 01D0B7D3.A7FA8520]

I am quite new to the Shibboleth community. I would like to look for the following items:

1. Configuration guide
2. What information about the SAP system will I need to provide to Shibboleth, and what kind of information about Shibboleth will I need to provide to the SAP system in order to achieve SSO?
3. Any advice will be accepted :)

Thanks and Best Regards
Tarmizee
