Enable SAP Single Sign On with AWS SSO Part 2: Integrate SAP Netweaver Java

In part 1 of this blog, we covered how to configure AWS Single Sign On Integration for SAP ABAP.

Enable Single Sign On for SAP Netweaver Java Applications with AWS SSO

In this blog, we will learn how to integrate any SAP Netweaver Java application with AWS Single Sign On.

AWS Single Sign-On (SSO) is a cloud Single Sign On service that makes it easy to centrally manage SSO access to multiple AWS accounts and browser based business applications. With just a few clicks, you can enable a highly available SSO service without the upfront investment and on-going maintenance costs of operating your own SSO infrastructure. With AWS SSO, you can easily manage SSO access and user permissions to all of your accounts in AWS Organizations centrally. AWS SSO also includes built-in SAML integrations to many business applications, such as SAP, Salesforce, Box, and Office 365. Further, by using the AWS SSO application configuration wizard, you can create Security Assertion Markup Language (SAML) 2.0 integrations and extend SSO access to any of your SAML-enabled applications. Your users simply sign in to a user portal with credentials they configure in AWS SSO or using their existing corporate credentials to access all their assigned accounts and applications from one place.


You need the following for this walkthrough:

  • An organization created in AWS Organizations. (If you don’t already have an organization, one will be created automatically by AWS Single Sign-On.)
  • AWS Directory Service, provisioned either for Microsoft Active Directory or AD Connector. For more information about these services, please refer to the following resources:

Step 1: Logon to AWS Console and launch AWS SSO. Add SAP Netweaver Java application

  • Log on to the AWS Console and launch AWS Single Sign On
  • Select Manage SSO access to your cloud applications
  • Select Add a new application
  • Search for SAP Enterprise portal Java or any other SAP Netweaver Java application.
  • Select Add New Application for your SAP Enterprise Portal Java or any Java Application
  • Provide a unique description. In this example, we are giving a Display Name as “SAP Enterprise Portal Java Development System”. Provide application description to describe the Application being added
  • Select View instructions to get detailed step-by-step procedure

Step 2: Enable SAML 2.0 Local Provider in SAP Netweaver administrator

  • Log on to the SAP Netweaver Java Administrator Console
  • Log on as Administrator in Netweaver Administrator
  • Select Configuration
  • Select Security under Configuration
  • Select Authentication and Single Sign On under Configuration
  • Select SAML 2.0 and select Enable SAML 2.0 support

Step 3: Configure the SAML 2.0 local provider and download its metadata file

  • Provide your custom provider name under SAML 2.0 and select Next. In my example, I’m calling the Local Provider Name AWSSSO
  • Under General Settings, in Signing Key Pair, select Browse for Keystore View SAML2
  • Select Create under Select Keystore Entry
  • Under New Entry and under Entry Settings, enter the following details—
    • Entry Name: your custom entry name
    • Algorithm: RSA
    • Key Length: 2048
    • Valid from: date
    • Valid to: date
  • Make sure to select store certificate and then select Next
  • Enter details for Keystorage New Entry under Subject Properties—
    • Country Name
    • State or Province Name
    • Organization Name
    • Locality Name
    • Organization Unit Name
    • Common Name
  • Select Next for Sign with Key Pair, leaving the defaults. Then select Finish under Summary
  • Make sure you have a Signing Key Pair and an Encryption Key Pair, select both “Include Certificate in Signature” and “Sign Metadata”, and then select Next
  • Now under SAML 2.0 -> SAML 2.0 Local Provider Configuration, select Finish
  • Now under SAML 2.0, select Download Metadata

Step 4: Download AWS SSO metadata file

  • Go to the instruction page that was opened in the previous step and select download AWS SSO metadata file
  • Now copy the URL into a browser to download the AWS SSO metadata file

Step 5: Upload AWS SSO metadata file to SAP

  • Now in SAP SAML 2.0 select Trusted provider
  • Select Add under SAML 2.0 and then select Upload metadata file
  • Upload the AWS SSO metadata file downloaded in previous step and select Next

Step 6: Upload AWS SSO certificate

  • Under New Trusted Identity Provider -> Provider Name enter your Alias name for Identity Provider
  • Select Encryption certificate and click browse
  • Download the certificate from instructions guide
  • Now upload the certificate downloaded under Encryption Certificate and then Select Next
  • For Single Sign-On Endpoints select HTTP-POST, then Select Next.
  • For Single Log-Out Endpoints choose HTTP-Redirect, then Select Next
  • For Artifact Endpoints Select Next.
  • For Manage Name ID Endpoints, Select Next.
  • For Authentication Contexts Settings, choose Finish.

Step 7: Set name id to unspecified.

  • Click on the Trusted Providers tab in SAML 2.0, select Edit. Next, choose the Identity Federation tab, then select Add.
  • For the Format Name, select Unspecified, then select OK.
  • Select Unspecified, then under Details of NameID Format Unspecified, for User ID Mapping Mode, select Email. Select Save.
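The choices made in Steps 6 and 7 (HTTP-POST for single sign-on, HTTP-Redirect for single log-out, NameID format Unspecified) can be checked against the identity provider metadata file before it is uploaded in Step 5. The following is an added example, not code from AWS or SAP; the sample metadata, its URLs and the function name `check_idp_metadata` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample; the real file is the one downloaded in Step 4.
SAMPLE_IDP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.invalid/PLACEHOLDER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.invalid/logout/PLACEHOLDER"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.invalid/assertion/PLACEHOLDER"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def check_idp_metadata(xml_text):
    """Return a list of problems; an empty list means the file fits Steps 6 and 7."""
    idp = ET.fromstring(xml_text).find("md:IDPSSODescriptor", NS)
    if idp is None:
        return ["no IDPSSODescriptor: this is not identity provider metadata"]
    problems = []
    for tag, binding in (("SingleSignOnService", POST), ("SingleLogoutService", REDIRECT)):
        eps = [(e.get("Binding"), e.get("Location") or "")
               for e in idp.findall(f"md:{tag}", NS)]
        if binding not in [b for b, _ in eps]:
            problems.append(f"{tag}: binding {binding.rsplit(':', 1)[1]} not offered")
        # Endpoints carry assertions and logout messages, so plain HTTP is flagged.
        problems += [f"{tag}: non-HTTPS location {loc}"
                     for _, loc in eps if not loc.startswith("https://")]
    formats = {(f.text or "").strip() for f in idp.findall("md:NameIDFormat", NS)}
    # Metadata that lists no NameIDFormat at all does not restrict the format.
    if formats and UNSPECIFIED not in formats:
        problems.append("NameIDFormat unspecified not advertised")
    cert_path = "md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    if idp.find(cert_path, NS) is None:
        problems.append("no X.509 certificate in metadata")
    return problems
```

The standard-library parser is used here because the file comes from your own AWS SSO console; for metadata from a source you do not control, parse with defusedxml instead.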

Step 8: Enable Trusted provider for AWS SSO

  • Click on Save and Choose Enable.

Step 9: Configure Authentication stack as per OSS note 2273981

  • Go back to the Configuration tab, choose Authentication and Single Sign-On, and then choose the Components tab.
  • Select Add, for the Configuration Name enter, for example, AWSSSO, and for Type choose custom.
  • For the Login Modules, enter the following values, then choose Save.
    • EvaluateTicketLoginModule: Sufficient
    • SAML2LoginModule: Optional
    • CreateTicketLoginModule: Sufficient
    • BasicPasswordLoginModule: Requisite
    • CreateTicketLoginModule: Requisite
  • From the Components page, under Policy Configuration Name, edit the ticket. Then assign the custom configuration (AWSSSO in this example) created in the previous step to the ticket. Choose Save
  • Note: Currently you have changed ticket to use this custom authentication stack. For specific Netweaver Java application, please change the corresponding application to use this authentication stack
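The order and flags of the login modules in Step 9 decide which credentials the stack accepts. The following added example (not SAP code) models the standard JAAS control-flag rules for that stack; the request keys and the per-module behaviour in `module_succeeds` are simplifying assumptions, in particular that CreateTicketLoginModule succeeds only after an earlier module has authenticated the user.

```python
# Login module stack exactly as listed in Step 9.
STACK = [
    ("EvaluateTicketLoginModule", "SUFFICIENT"),
    ("SAML2LoginModule", "OPTIONAL"),
    ("CreateTicketLoginModule", "SUFFICIENT"),
    ("BasicPasswordLoginModule", "REQUISITE"),
    ("CreateTicketLoginModule", "REQUISITE"),
]

def module_succeeds(name, request, authenticated):
    # Assumed, simplified behaviour of each module (hypothetical request keys).
    if name == "EvaluateTicketLoginModule":
        return request.get("valid_ticket", False)
    if name == "SAML2LoginModule":
        return request.get("valid_saml_assertion", False)
    if name == "BasicPasswordLoginModule":
        return request.get("valid_password", False)
    if name == "CreateTicketLoginModule":
        return authenticated  # a ticket is issued only for an authenticated user
    raise ValueError(f"unknown module {name}")

def evaluate(stack, request):
    """Return (login_ok, trace) using JAAS control-flag semantics."""
    trace, authenticated, required_failed = [], False, False
    for name, flag in stack:
        ok = module_succeeds(name, request, authenticated)
        trace.append((name, flag, ok))
        if ok and name != "CreateTicketLoginModule":
            authenticated = True
        if flag == "REQUISITE" and not ok:
            return False, trace          # failure ends the stack immediately
        if flag == "REQUIRED" and not ok:
            required_failed = True       # keep going, but the login will fail
        if flag == "SUFFICIENT" and ok and not required_failed:
            return True, trace           # success ends the stack immediately
    return (not required_failed) and any(ok for _, _, ok in trace), trace

if __name__ == "__main__":
    for label, req in [("logon ticket", {"valid_ticket": True}),
                       ("SAML assertion", {"valid_saml_assertion": True}),
                       ("password only", {"valid_password": True}),
                       ("nothing", {})]:
        ok, trace = evaluate(STACK, req)
        print(f"{label:15} -> {ok}, modules evaluated: {len(trace)}")
```

The "password only" case succeeds: with this stack, BasicPasswordLoginModule remains a fallback when no SAML assertion is presented, so password policy and lockout settings on the SAP side still matter after SSO is enabled.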

Step 10: Change application start url in AWS SSO

  • Go back to the AWS SSO console page where you are configuring the Application.
  • Under Application Properties, enter the SAP Netweaver AS Java URL in the Application start URL field:

Step 10: Upload SAP Netweaver Java local provider SAML metadata file in AWS SSO

  • Under Application metadata, choose Browse and select the Metadata downloaded in Previous Step

Step 11: Under Applications, assign a user to the application in AWS SSO. Assign the AD user required

Step 12: Map active directory email id in SAP NWA

  • Go to SAP NWA and go to Configuration -> identity provider
  • Create or modify the user to map the email ID from Active Directory

Step 13: Test the application to check for SSO

  • Enter the application url of SAP Netweaver Java to test for SSO

Conclusion: It is very easy to configure Single Sign On to simplify operations and make the SAP end user experience easy. You can use AWS SSO for any enterprise application that supports SAML 2.0. AWS SSO is free to use. If you integrate it with managed AD or AD Connector through AWS Directory Service, you pay for managed AD on AWS or AD Connector based on your use case as per the AWS Directory Service pricing.

AWS Directory Services

AWS Other Directory Services

You can use AWS SSO only for browser-based applications that support SAML 2.0, not for SAP GUI, which needs Kerberos. You can enable MFA for AWS SSO as per the following guide:

Steps to Enable MFA for AWS SSO

To learn more about why 5,000+ customers run SAP on AWS, visit