Amazon VGT2 Las Vegas

In this article, we will explore the process of integrating SAP NetWeaver ABAP with AWS Single Sign-On (SSO). AWS SSO is a cloud-based service that simplifies the management of SSO access across multiple AWS accounts and web-based business applications. By leveraging AWS SSO, organizations can establish a robust SSO service without incurring the initial investment or ongoing maintenance associated with managing an on-premises SSO infrastructure. AWS SSO also facilitates centralized management of user permissions across your AWS Organizations accounts. Moreover, it comes equipped with built-in SAML integrations for various business applications, including SAP, Salesforce, Box, and Office 365. The AWS SSO application configuration wizard allows for the creation of Security Assertion Markup Language (SAML) 2.0 integrations, thus extending SSO access to any SAML-enabled application. Users can conveniently log in to a user portal using credentials set up in AWS SSO or their existing corporate credentials, gaining access to all their assigned accounts and applications from a single location.

Prerequisites

To follow along with this guide, you will need:

  • An organization set up in AWS Organizations (if you do not have one, AWS SSO will create it automatically).
  • AWS Directory Service provisioned either for Microsoft Active Directory or AD Connector. For more details on these services, refer to the AWS Directory Service documentation.

Part 1: Enable SAML SSO for SAP NetWeaver ABAP Applications

This section will walk through the integration of SAP ABAP browser-based applications with AWS SSO to establish Single Sign-On functionality. A variety of SAP ABAP browser applications can benefit from this integration, including:

  • SAP Fiori
  • SAP Webgui
  • SAP GRC Access Control webui with NWBC (ABAP)
  • SAP Solution Manager work center (ABAP)
  • SAP CRM webui (ABAP)
  • SAP SRM (ABAP)
  • SAP BW (ABAP)
  • SAP NWBC (NetWeaver Business Client)
  • Any SAP ABAP Browser based application

Solution Overview

The integration between AWS SSO and SAP ABAP browser applications uses the industry-standard SAML 2.0 protocol. Note that SAP ABAP browser applications support only the Service Provider (SP)-initiated flow. The configuration steps are as follows:

  1. Log in to the AWS Console and add the required SAP ABAP application in AWS SSO.
  2. Log in to SAP and access transaction code RZ10 to set the necessary parameters in the DEFAULT profile.
  3. Confirm that HTTPS is active in SMICM.
  4. Activate required services in SICF.
  5. Enable SAML2.
  6. Create a SAML2 Local Provider.
  7. Download the SAML 2.0 local provider metadata from SAP ABAP.
  8. Upload the SAP ABAP SAML 2.0 metadata to AWS SSO.
  9. Download the AWS SSO metadata file.
  10. Upload the AWS SSO metadata file to the SAP ABAP SAML 2.0 local provider.
  11. Enable the SAP SAML Trusted provider.
  12. Add the application URL in AWS SSO.
  13. Add users from the Active Directory to the AWS SSO application.
  14. Map email IDs in SAP SU01.
  15. Test the SAP application by launching the URL.

Step-by-Step Process

Step 1:

Log in to the AWS Console and add the required SAP ABAP application in AWS SSO.

Open the AWS SSO console and enable AWS SSO. Choose “Manage SSO access to your cloud applications” and then select “Add New Application.” Search for the SAP ABAP browser-based application you need (in this example, SAP Fiori). Select SAP Fiori ABAP Application and then click “Add Application.” For the complete step-by-step procedure, click “View instructions.” If you manage multiple SAP instances, you can include the System ID (SID) of the instance in the application name for clarity.

Step 2:

Log in to SAP and open transaction code RZ10 to set the required parameters in the DEFAULT profile.

After logging in, enter transaction code RZ10. Open the DEFAULT profile, activate extended maintenance, and add the following parameters, ensuring they are activated and the SAP instance is restarted:

Parameter Name                      Parameter Value
login/create_sso2_ticket            2
login/accept_sso2_ticket            1
login/ticketcache_entries_max       1000
login/ticketcache_off               0
login/ticket_only_by_https          1
icf/set_HTTPonly_flag_on_cookies    0
icf/user_recheck                    1
http/security_session_timeout       1800
http/security_context_cache_size    2500
rdisp/plugin_auto_logout            1800
rdisp/autothtime                    60

Step 3:

Ensure HTTPS is active in SMICM.

Navigate to SMICM and confirm that HTTPS is enabled. If it is inactive, set the parameter in RZ10 as follows: icm/server_port_2=PROT=HTTPS,PORT=44300,TIMEOUT=300,PROCTIMEOUT=7200.
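As an added example (not part of the original article or of any SAP or AWS tooling), the following Python script checks an exported DEFAULT profile against the parameter table from Step 2 and confirms that at least one ICM port is configured for HTTPS as in Step 3. The profile text is a constructed sample, not a real export, and deliberately omits one parameter and sets another incorrectly so the checker has something to report. It also lists icf/set_HTTPonly_flag_on_cookies = 0 as a review item, because that value leaves the HttpOnly attribute off ICF cookies; that is a fact about the parameter, and whether the value is acceptable is a decision for the team operating the system.

```python
"""Check an SAP DEFAULT profile export against the Step 2 parameters and the Step 3 HTTPS port."""
import re

# Expected values, copied from the Step 2 table.
EXPECTED = {
    "login/create_sso2_ticket": "2",
    "login/accept_sso2_ticket": "1",
    "login/ticketcache_entries_max": "1000",
    "login/ticketcache_off": "0",
    "login/ticket_only_by_https": "1",
    "icf/set_HTTPonly_flag_on_cookies": "0",
    "icf/user_recheck": "1",
    "http/security_session_timeout": "1800",
    "http/security_context_cache_size": "2500",
    "rdisp/plugin_auto_logout": "1800",
    "rdisp/autothtime": "60",
}

# Parameters whose expected value relaxes a browser-side protection; the report
# calls these out explicitly instead of silently passing them.
REVIEW_NOTES = {
    "icf/set_HTTPonly_flag_on_cookies": "value 0 leaves the HttpOnly attribute off ICF cookies",
}

# Constructed sample profile (not a real export): rdisp/autothtime is missing and
# login/ticket_only_by_https is wrong on purpose.
SAMPLE_PROFILE = """\
# DEFAULT profile - constructed sample
SAPSYSTEMNAME = XYZ
login/create_sso2_ticket = 2
login/accept_sso2_ticket = 1
login/ticketcache_entries_max = 1000
login/ticketcache_off = 0
login/ticket_only_by_https = 0
icf/set_HTTPonly_flag_on_cookies = 0
icf/user_recheck = 1
http/security_session_timeout = 1800
http/security_context_cache_size = 2500
rdisp/plugin_auto_logout = 1800
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/server_port_2 = PROT=HTTPS,PORT=44300,TIMEOUT=300,PROCTIMEOUT=7200
"""


def parse_profile(text):
    """Parse 'name = value' lines into a dict; '#' lines are comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def parse_icm_port(value):
    """Turn 'PROT=HTTPS,PORT=44300,TIMEOUT=300' into {'PROT': 'HTTPS', 'PORT': '44300', ...}."""
    spec = {}
    for item in value.split(","):
        key, sep, val = item.partition("=")
        if sep:
            spec[key.strip().upper()] = val.strip()
    return spec


def https_ports(params):
    """Port numbers of all icm/server_port_N entries whose PROT is HTTPS (Step 3)."""
    ports = []
    for name, value in params.items():
        if re.fullmatch(r"icm/server_port_\d+", name):
            spec = parse_icm_port(value)
            if spec.get("PROT", "").upper() == "HTTPS" and spec.get("PORT", "").isdigit():
                ports.append(int(spec["PORT"]))
    return ports


def check_profile(text):
    """Return {'missing': [...], 'mismatch': [(name, got, want)], 'review': [(name, note)], 'https_ports': [...]}."""
    params = parse_profile(text)
    report = {"missing": [], "mismatch": [], "review": [], "https_ports": https_ports(params)}
    for name, want in EXPECTED.items():
        got = params.get(name)
        if got is None:
            report["missing"].append(name)
        elif got != want:
            report["mismatch"].append((name, got, want))
        elif name in REVIEW_NOTES:
            report["review"].append((name, REVIEW_NOTES[name]))
    if not report["https_ports"]:
        report["missing"].append("icm/server_port_N with PROT=HTTPS")
    return report


if __name__ == "__main__":
    result = check_profile(SAMPLE_PROFILE)
    for name in result["missing"]:
        print(f"MISSING  {name}")
    for name, got, want in result["mismatch"]:
        print(f"MISMATCH {name}: found {got}, expected {want}")
    for name, note in result["review"]:
        print(f"REVIEW   {name}: {note}")
    print(f"HTTPS ports: {result['https_ports']}")
```

Run it against the text of your own exported profile instead of SAMPLE_PROFILE; the report shows parameters still to be added in RZ10 and whether an HTTPS port is present before you continue to SMICM.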

Step 4:

Activate required services in SICF.

In SICF, activate both SAML2 and cdc_ext_service services.

Step 5:

Enable SAML2.

Use transaction code SAML2. Note that the host name should typically match that of the application server from which it is launched. If you’re utilizing a message server or load balancer for high availability, ensure the URL corresponds to the appropriate hostname, as discrepancies may lead to SSO issues. Check the box to enable SAML 2.0 support.

Step 6:

Create a SAML2 Local Provider.

Select “Create SAML 2.0 Local Provider,” assign a name, and proceed. Keep the default value for Clock Skew Tolerance and finalize the setup under Service Provider Settings.

You have now successfully established the SAML 2.0 Local Provider.

Step 7:

Download SAML 2.0 local provider metadata from SAP ABAP.

Click on Local Provider, open Metadata, and download the SAML 2.0 metadata, selecting all three options: Service Provider, Application Service Provider, and Security Token Service.

Step 8:

Upload SAP ABAP SAML 2.0 metadata to AWS SSO.

Return to the AWS SSO screen from Step 1 and upload the SAP ABAP SAML 2.0 metadata file.

Step 9:

Download AWS SSO Metadata File.

From the instructions page, copy the URL for downloading the AWS SSO metadata file and download it.

Step 10:

Upload AWS SSO metadata file to SAP ABAP SAML 2.0 local provider.

In the SAP SAML 2.0 configuration, go to the trusted provider and upload the metadata file you downloaded from AWS SSO.
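The metadata exchanged in Steps 7 through 10 is easy to sanity-check before it is uploaded, which catches the hostname mismatch warned about in Step 5 early. The following Python script is an added example, not part of the original article and not SAP or AWS code. It parses two constructed metadata documents shaped like the SAP local provider export and the AWS SSO metadata file (hostnames, ports, entity IDs and the certificate body are placeholders) and reports endpoints that are not HTTPS, assertion consumer endpoints on a host other than the one users reach, and an IdP file with no signing certificate or no usable single sign-on binding.

```python
"""Sanity-check SP (SAP local provider) and IdP (AWS SSO) SAML metadata before upload."""
from urllib.parse import urlparse
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for metadata from untrusted sources

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed SP metadata in the shape of a SAML2 local-provider export. Host, port and
# client are placeholders; the second ACS endpoint is deliberately plain HTTP.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="SAPFIORI_XYZ">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      AuthnRequestsSigned="true" WantAssertionsSigned="true">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sapfiori.example.com:44300/sap/saml2/sp/acs/100"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sapfiori.example.com:8000/sap/saml2/sp/acs/100"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed IdP metadata in the shape AWS SSO serves; REGION, PLACEHOLDER and the
# certificate body are placeholders, not real values.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://portal.sso.REGION.amazonaws.com/saml/assertion/PLACEHOLDER">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://portal.sso.REGION.amazonaws.com/saml/assertion/PLACEHOLDER"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://portal.sso.REGION.amazonaws.com/saml/assertion/PLACEHOLDER"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def check_sp_metadata(xml_text, expected_host):
    """Findings for the SAP local-provider metadata: entityID present, signed assertions
    required, and every ACS endpoint on HTTPS and on the host users actually reach (Step 5)."""
    root = ET.fromstring(xml_text)
    findings = []
    if not root.get("entityID"):
        findings.append("SP: entityID missing")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return findings + ["SP: no SPSSODescriptor"]
    if sp.get("WantAssertionsSigned") != "true":
        findings.append("SP: WantAssertionsSigned is not true")
    acs = sp.findall("md:AssertionConsumerService", NS)
    if not acs:
        findings.append("SP: no AssertionConsumerService")
    for svc in acs:
        url = urlparse(svc.get("Location", ""))
        if url.scheme != "https":
            findings.append(f"SP: ACS not HTTPS: {svc.get('Location')}")
        if url.hostname != expected_host:
            findings.append(f"SP: ACS host {url.hostname} != {expected_host}")
    return findings


def check_idp_metadata(xml_text):
    """Findings for the AWS SSO metadata: a signing certificate and HTTPS SSO endpoints."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return ["IdP: no IDPSSODescriptor"]
    findings = []
    certs = idp.findall("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not any((c.text or "").strip() for c in certs):
        findings.append("IdP: no signing certificate")
    sso = idp.findall("md:SingleSignOnService", NS)
    if not {s.get("Binding") for s in sso} & {POST, REDIRECT}:
        findings.append("IdP: no HTTP-POST or HTTP-Redirect SingleSignOnService")
    for svc in sso:
        if urlparse(svc.get("Location", "")).scheme != "https":
            findings.append(f"IdP: SSO endpoint not HTTPS: {svc.get('Location')}")
    return findings


if __name__ == "__main__":
    for line in check_sp_metadata(SP_METADATA, "sapfiori.example.com") + check_idp_metadata(IDP_METADATA):
        print(line)
```

Pass the hostname of the URL users will open (the load balancer or message server name from Step 5) as expected_host; an ACS endpoint on a different host is exactly the discrepancy that causes the SSO failures mentioned there. The script checks shape only; it does not validate the XML signature on the IdP metadata, which the SAML2 transaction handles when the trusted provider is imported.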

This process outlines an approach to integrating SAP NetWeaver ABAP with AWS SSO. For additional insight, this Reddit thread is an excellent resource.

