The Simplifier SSO mechanism relies on the standard SAP authorization concept and on the SAP roles already assigned to the user:
- For read access to data, it must be ensured that the caller has the necessary authorizations.
- Changes must be auditable; it must be possible to trace who initiated a change to data.
Working Identity Provider
This SAP single sign-on scenario works with any identity provider that supports SAML 2.0, such as
Single sign-on with SAML sender-vouches between Simplifier and SAP Application Server ABAP 7.x
The following diagram illustrates the single sign-on mechanism:
How does it work?
The identity provider displays its login page and authenticates the user. After successful authentication, the user is redirected back to the Simplifier application, and Simplifier stores the security token it received, the SAML assertion, in its secured key vault storage.
When the Simplifier application issues a SOAP request, Simplifier itself adds the security token to the request, signs the complete request including the payload with its certificate, and sends it to the SAP backend. Simplifier therefore acts in the role of a Security Token Service (STS): SAP accepts the assertion because the sender vouches for it with its own signature, which is exactly what the SAML sender-vouches subject confirmation method means.
SAP Enterprise Web Services, which the Simplifier SOAP Connector addresses, receive messages through the Internet Communication Framework (ICF); the ICF accepts the HTTP request and assigns an AS ABAP work process to handle it. All authentication methods the ICF supports itself are based on data transmitted at the TLS/SSL protocol level or in HTTP headers. With message-based logon, such as a username token, a SAML token or an X.509 certificate in the WS-Security header, the credentials are not in an HTTP header but in a SOAP header, which the ICF cannot access. No direct logon is therefore possible: the ICF first logs on with a technical user (DELAY_LOGON). Once security processing of the SOAP header has succeeded, a user switch to the user identified by the configured authentication method is performed.
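To make concrete what "the credentials are in a SOAP header, not an HTTP header" means, the following is an added example (not Simplifier's or SAP's code) that parses a constructed WS-Security request of the kind described above. It reads the SAML assertion from the wsse:Security header, confirms that the subject confirmation method is sender-vouches, checks the assertion's validity window, and checks that the ds:Signature references cover both the SOAP body and the assertion (the assertion is referenced through a SecurityTokenReference with STR-Transform, as the WSS SAML Token Profile prescribes). The envelope, the user JDOE, the IDs and the digest and signature values are constructed placeholders, and the XML signature is not cryptographically verified here; that is what the SAP WS-Security runtime does against the trusted sender certificate before the switch from DELAY_LOGON to the asserted user.

```python
"""Structural inspection of a WS-Security SOAP request carrying a SAML 2.0
sender-vouches assertion (added example; the envelope below is constructed)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
WSU_ID = "{%s}Id" % NS["wsu"]

# Constructed sample request; digest and signature values are dummies.
SAMPLE_REQUEST = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1">
      <saml:Assertion ID="_assert-1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
        <saml:Issuer>https://idp.example.test</saml:Issuer>
        <saml:Subject>
          <saml:NameID>JDOE</saml:NameID>
          <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/>
        </saml:Subject>
        <saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z"/>
      </saml:Assertion>
      <wsse:SecurityTokenReference wsu:Id="str-1">
        <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_assert-1</wsse:KeyIdentifier>
      </wsse:SecurityTokenReference>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
          <ds:Reference URI="#body-1"><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
          <ds:Reference URI="#str-1">
            <ds:Transforms>
              <ds:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform"/>
            </ds:Transforms>
            <ds:DigestValue>AAAA</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>AAAA</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="body-1">
    <ReadMaterial xmlns="urn:example:material"><Material>100-100</Material></ReadMaterial>
  </soapenv:Body>
</soapenv:Envelope>"""
SAMPLE_NOW = datetime(2024, 5, 1, 10, 2, tzinfo=timezone.utc)   # inside the validity window
SAMPLE_LATE = datetime(2024, 5, 1, 10, 30, tzinfo=timezone.utc)  # after NotOnOrAfter


def _ts(value):
    """Parse a SAML xs:dateTime such as 2024-05-01T10:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def signed_ids(security):
    """Return the element IDs the ds:Signature references cover. A reference to a
    SecurityTokenReference (used with STR-Transform) counts as covering the token
    that the STR's KeyIdentifier names, which is how a SAML assertion is signed."""
    str_targets = {}
    for str_el in security.findall("wsse:SecurityTokenReference", NS):
        key_id = str_el.find("wsse:KeyIdentifier", NS)
        if str_el.get(WSU_ID) and key_id is not None:
            str_targets[str_el.get(WSU_ID)] = key_id.text.strip()
    ids = set()
    for ref in security.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS):
        target = ref.get("URI", "").lstrip("#")
        ids.add(str_targets.get(target, target))
    return ids


def inspect_request(envelope_xml, now):
    """Report what the receiving WS-Security runtime must decide before switching
    from DELAY_LOGON to the asserted user. Structural only: the XML signature
    value itself is not verified here."""
    root = ET.fromstring(envelope_xml)
    security = root.find("soapenv:Header/wsse:Security", NS)
    assertion = security.find("saml:Assertion", NS)
    subject = assertion.find("saml:Subject", NS)
    conditions = assertion.find("saml:Conditions", NS)
    covered = signed_ids(security)
    body_id = root.find("soapenv:Body", NS).get(WSU_ID)
    result = {
        "user": subject.find("saml:NameID", NS).text,
        "sender_vouches": subject.find("saml:SubjectConfirmation", NS).get("Method") == SENDER_VOUCHES,
        "in_window": _ts(conditions.get("NotBefore")) <= now < _ts(conditions.get("NotOnOrAfter")),
        "body_signed": body_id in covered,
        "assertion_signed": assertion.get("ID") in covered,
    }
    result["accept"] = all(v for k, v in result.items() if k != "user")
    return result


if __name__ == "__main__":
    for label, now in (("fresh", SAMPLE_NOW), ("expired", SAMPLE_LATE)):
        print(label, inspect_request(SAMPLE_REQUEST, now))
```

Note that nothing in this check comes from the HTTP layer: the user name, the confirmation method and the signature coverage all sit inside the SOAP envelope, which is why the ICF has to log on as DELAY_LOGON first and hand the switch to the WS-Security runtime.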
Step 1 – Check SAP Cryptographic Library
The RSA signature and encryption functions required for WS-Security are provided by a separate library, the SAP Cryptographic Library, which can be obtained from the SAP Service Marketplace. See SAP Note 397175 for how to obtain it.
The library must be available in version “SSFLIB Version 1.555.24 ; SECUDE(tm) SAPCRYPTOLIB” or higher.
To check the installed version, go to transaction STRUST and choose Environment -> Display SSF Version.
Step 2 – Check Webservice Security Setup
All message-based authentication is technically performed as a user switch from DELAY_L_<SID> (releases 7.0x) or DELAY_LOGON (releases 7.10 and later) to the user authenticated by the security header.
The DELAY_L_<SID>/DELAY_LOGON user is created by report WSS_SETUP, and its user name and password are stored in the system’s secure storage. To create the user, the following prerequisites must be met:
- The system must allow logon with user name and password. If password-based logon is generally disabled in the system, the DELAY_LOGON user must be a member of a user group for which password-based logon is still allowed.
- In systems that are part of a Central User Administration (CUA, German ZBV), it must be ensured that creating users directly in CUA child systems is permitted.
To generate the DELAY_LOGON user, execute report WSS_SETUP via transaction SA38.
Make sure that Test Mode is not active, otherwise the user is not created.
Press F8 to execute the report.
Step 3 – Set Up SAP Web Service
SAP web services are configured in transaction SOAMANAGER. Perform the following steps to create a configuration with SAML authentication for each web service:
Step 3-1 – Open SOA Manager
Execute transaction SOAMANAGER; the system opens a browser. Select Web Service Configuration in the Service Administration tab.
Step 3-2 Select the affected web service
Search for the web service and select it by clicking its link.
Step 3-3 Create Service Endpoint
Choose Create Service to create a new configuration.
Step 3-4 Configure Binding Name
Enter a technical name and a binding name (they can be identical) for the web service definition.
Step 3-7 Configure SOAP Protocol
In this step you can keep the default settings.
Step 3-8 Configure Operation Settings
In this step you can keep the default settings and finish the setup of the web service.
Step 4 Install Certificate for Security Token Service
For signing the SOAP requests, Simplifier and SAP need a trust relationship.
You therefore need a valid certificate with signing capability (Key Usage: Digital Signature) that is known to both systems: Simplifier signs with the private key, and SAP must hold the matching certificate as a trusted sender.
Step 4-1 Generate a Self-Signed Certificate
In this article we use the helper tool mkcert to simplify the process. You can download mkcert from its GitHub repository (FiloSottile/mkcert). Note that mkcert issues certificates from a local development CA that it creates on your machine; this is fine for a test setup, but for production use a certificate issued by a CA your organization trusts.
After installing mkcert, generate a new certificate.
Step 4-2 Verify the generated Certificate
Before you upload the certificate to Simplifier and SAP, check that it is permitted to create digital signatures:
openssl x509 -in <certificate>.pem -noout -text
Replace <certificate>.pem with the certificate file mkcert generated. In the output, the X509v3 Key Usage extension must list “Digital Signature”; a certificate without this key usage cannot be used to sign the SOAP requests.
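As an added example for Step 4-2 (not part of the Simplifier or SAP material on this page), the following Python script drives the openssl command line, which it assumes is on PATH in version 1.1.1 or later (for the -addext option). It generates two self-signed certificates, one with Key Usage "Digital Signature, Key Encipherment", as mkcert produces for an RSA key, and one with Key Encipherment only, and then performs the page's openssl x509 -noout -text check programmatically, so that you can see which certificate passes and which fails. The names simplifier-signing and encipher-only are made up; openssl is used here in place of mkcert so that the weak certificate can be produced deliberately.

```python
"""Generate self-signed certificates with different Key Usage and check which
one is fit for WS-Security signing (added example; assumes `openssl` on PATH)."""
import subprocess
import tempfile
from pathlib import Path


def run_openssl(*args):
    """Run an openssl subcommand and return its stdout (raises on failure)."""
    return subprocess.run(["openssl", *args], check=True, capture_output=True, text=True).stdout


def make_self_signed_cert(directory, name, key_usage):
    """Create <name>-key.pem and <name>.pem with the given X509v3 Key Usage.
    The -addext option needs OpenSSL 1.1.1 or newer."""
    key = Path(directory) / f"{name}-key.pem"
    cert = Path(directory) / f"{name}.pem"
    run_openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "365",
                "-subj", f"/CN={name}", "-keyout", str(key), "-out", str(cert),
                "-addext", f"keyUsage=critical,{key_usage}")
    return cert


def key_usage(cert_path):
    """Parse the 'X509v3 Key Usage' flags out of `openssl x509 -noout -text`,
    i.e. the same output the manual check in Step 4-2 looks at."""
    lines = run_openssl("x509", "-in", str(cert_path), "-noout", "-text").splitlines()
    for i, line in enumerate(lines):
        if line.strip().startswith("X509v3 Key Usage"):
            # the flags are printed on the line following the extension name
            return [flag.strip() for flag in lines[i + 1].split(",")]
    return []  # no Key Usage extension at all


def can_sign(cert_path):
    """A certificate used to sign SOAP requests must carry Digital Signature."""
    return "Digital Signature" in key_usage(cert_path)


def demo():
    """Compare a signing-capable certificate with an encipherment-only one."""
    with tempfile.TemporaryDirectory() as tmp:
        signing = make_self_signed_cert(tmp, "simplifier-signing", "digitalSignature,keyEncipherment")
        encipher_only = make_self_signed_cert(tmp, "encipher-only", "keyEncipherment")
        return {
            "signing": (key_usage(signing), can_sign(signing)),
            "encipher_only": (key_usage(encipher_only), can_sign(encipher_only)),
        }


if __name__ == "__main__":
    for name, (flags, ok) in demo().items():
        print(f"{name}: {', '.join(flags)} -> {'can sign' if ok else 'cannot sign'}")
```

Run the same key_usage check against the certificate you actually intend to upload; if the Key Usage extension is missing or lacks Digital Signature, SAP will not accept signatures made with that key even though the certificate itself is otherwise valid.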