AWS for SAP

Enable SAP Single Sign On with AWS SSO Part 1: Integrate SAP Netweaver ABAP with AWS SSO

In this two-part blog, we will learn how to integrate SAP NetWeaver ABAP and SAP NetWeaver Java applications with AWS Single Sign-On (SSO). Part 1 covers ABAP.

AWS Single Sign-On (SSO) is a cloud Single Sign On service that makes it easy to centrally manage SSO access to multiple AWS accounts and browser based business applications. With just a few clicks, you can enable a highly available SSO service without the upfront investment and ongoing maintenance costs of operating your own SSO infrastructure. With AWS SSO, you can easily manage SSO access and user permissions to all of your accounts in AWS Organizations centrally. AWS SSO also includes built-in SAML integrations with many business applications, such as SAP, Salesforce, Box, and Office 365. Further, by using the AWS SSO application configuration wizard, you can create Security Assertion Markup Language (SAML) 2.0 integrations and extend SSO access to any of your SAML-enabled applications. Your users simply sign in to a user portal with credentials they configure in AWS SSO or using their existing corporate credentials to access all their assigned accounts and applications from one place.

Prerequisites

You need the following for this walkthrough:

  • An organization created in AWS Organizations. (If you don’t already have an organization, one will be created automatically by AWS Single Sign-On.)
  • AWS Directory Service, provisioned either for Microsoft Active Directory or AD Connector. For more information about these services, please refer to the following resources:
    1. Getting Started with Managed Active Directory
    2. Active Directory Connector Admin Guide

Part 1 Enable SAML SSO for SAP Netweaver ABAP Based Applications like Fiori with AWS SSO.

In this part, we will learn how to integrate SAP ABAP browser-based applications with AWS SSO to enable Single Sign-On. The procedure below is the same for every ABAP browser-based application, regardless of use case. Some examples of SAP ABAP browser-based applications are:

  1. SAP Fiori
  2. SAP Webgui
  3. SAP GRC Access Control webui with NWBC (ABAP)
  4. SAP Solution Manager work center (ABAP)
  5. SAP CRM webui (ABAP)
  6. SAP SRM (ABAP)
  7. SAP BW (ABAP)
  8. SAP NWBC (Netweaver Business Client)
  9. Any SAP ABAP Browser based application

Solution Overview

The integration between AWS SSO and SAP ABAP browser-based applications uses the industry-standard SAML 2.0 protocol. Note that SAP ABAP browser-based applications support only the Service Provider (SP) initiated flow: the user opens the SAP application URL and is redirected to AWS SSO for authentication, rather than starting from the AWS SSO user portal.

The high-level steps are as follows.

Step 1: Logon to AWS Console and add the required SAP ABAP application in AWS SSO

Step 2: Logon to SAP and open tcode RZ10 and set the required parameters in DEFAULT profile

Step 3: Ensure https is active in SMICM

Step 4: Activate required services in SICF

Step 5: Enable SAML2

Step 6: Create SAML2 Local provider.

Step 7: Download SAML 2.0 local provider metadata from SAP ABAP

Step 8: Upload SAP ABAP SAML 2.0 metadata to AWS SSO

Step 9: Download AWS SSO metadata file

Step 10: Upload AWS SSO metadata file to SAP ABAP SAML 2.0 local provider.

Step 11: Enable SAP SAML Trusted provider

Step 12: Add application url in AWS SSO

Step 13: Add users from active directory to AWS SSO application

Step 14: Map email id in SAP SU01

Step 15: Test the SAP application by launching the url

Step 1: Logon to AWS Console and add the required SAP ABAP application in AWS SSO

  • Log on to the AWS Console and launch AWS SSO
  • Select Manage SSO access to your cloud applications
  • Select Add New Application
  • Search for the SAP ABAP browser-based application you want to add. In this example, we are adding the SAP Fiori application.
  • Select SAP Fiori ABAP Application and then select “Add Application”
  • Click on View instructions to get the complete step-by-step procedure
  • If you will integrate multiple SAP instances, customize the application name to include identifying details such as the System ID (SID) of the SAP instance.

STEP 2: Logon to SAP and open tcode RZ10 and set the required parameters in DEFAULT profile

Log on to SAP and enter transaction code RZ10. Open the DEFAULT profile, click on extended maintenance, and add the following parameters. Save and activate the profile, then restart your SAP instance for the new values to take effect.

Parameter Name                       Parameter Value
login/create_sso2_ticket             2
login/accept_sso2_ticket             1
login/ticketcache_entries_max        1000
login/ticketcache_off                0
login/ticket_only_by_https           1
icf/set_HTTPonly_flag_on_cookies     0
icf/user_recheck                     1
http/security_session_timeout        1800
http/security_context_cache_size     2500
rdisp/plugin_auto_logout             1800
rdisp/autothtime                     60

STEP 3: Ensure https is active in SMICM

Go to SMICM and check whether an HTTPS port is active. If it is not, set the following profile parameter in RZ10:

icm/server_port_2=PROT=HTTPS,PORT=44300,TIMEOUT=300,PROCTIMEOUT=7200
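The following script is an added example, not part of the original post: it reads an RZ10-style profile text, reports which of the Step 2 values are missing or differ, and checks that an icm/server_port_N entry with PROT=HTTPS from Step 3 exists. The sample profile text it checks is constructed.

```python
# Added example (not from the original post): check an RZ10-style profile text
# against the parameter values this walkthrough sets in Steps 2 and 3.
def parse_profile(text):
    """Parse 'name = value' lines; '#' starts a comment, later lines win."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params
STEP2_TEXT = """
login/create_sso2_ticket = 2
login/accept_sso2_ticket = 1
login/ticketcache_entries_max = 1000
login/ticketcache_off = 0
login/ticket_only_by_https = 1
icf/set_HTTPonly_flag_on_cookies = 0
icf/user_recheck = 1
http/security_session_timeout = 1800
http/security_context_cache_size = 2500
rdisp/plugin_auto_logout = 1800
rdisp/autothtime = 60
"""
REQUIRED = parse_profile(STEP2_TEXT)  # the Step 2 table, verbatim

def https_ports(params):
    """PORT values of icm/server_port_N entries whose PROT is HTTPS (Step 3)."""
    ports = []
    for name, value in params.items():
        if name.startswith("icm/server_port_"):
            fields = dict(f.split("=", 1) for f in value.split(",") if "=" in f)
            if fields.get("PROT", "").upper() == "HTTPS" and "PORT" in fields:
                ports.append(fields["PORT"])
    return ports

def check_profile(text):
    """Return findings; an empty list means Steps 2 and 3 are satisfied."""
    params, findings = parse_profile(text), []
    for name, want in REQUIRED.items():
        got = params.get(name)
        if got != want:  # missing (None) or different value
            findings.append(f"{name}={got} (expected {want})")
    if not https_ports(params):
        findings.append("no icm/server_port_N with PROT=HTTPS (Step 3)")
    return findings
# Constructed sample: ticket_only_by_https wrong, autothtime missing, HTTPS port set.
SAMPLE = (STEP2_TEXT.replace("login/ticket_only_by_https = 1", "login/ticket_only_by_https = 0")
          .replace("rdisp/autothtime = 60\n", "")
          + "icm/server_port_2 = PROT=HTTPS,PORT=44300,TIMEOUT=300,PROCTIMEOUT=7200\n")
```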

STEP 4: Activate required services in SICF

Activate the SAML2 and cdc_ext_service services in SICF.

Step 5: Enable SAML2

  • Go to transaction code SAML2
  • Note: When you launch SAML2, the host name in the URL is typically that of the application server from which it is launched. If you are using a message server or load balancer for high availability, make sure the URL is changed to the message server or load balancer host name before you continue. If you do not change it and the host name or port in the generated metadata differs from what users reach, SSO will fail. The key is that host name and port must match.
  • Select Enable SAML 2.0 support

Step 6: Create SAML2 Local provider.

  • Select “Create SAML 2.0 Local Provider”
  • Give the Local Provider a name and select Next
  • Under Miscellaneous, keep the default value for Clock Skew Tolerance and click Next
  • Click Finish under Service Provider Settings

You have now successfully configured the SAML 2.0 Local Provider.

Step 7: Download SAML 2.0 local provider metadata from SAP ABAP

  • Select Local Provider and then select Metadata
  • Click on Download Metadata to download the SAML 2.0 metadata. Make sure to select all three options: Service Provider, Application Service Provider and Security Token Service.

You have now successfully downloaded the SAML 2.0 Local Provider metadata file.
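The script below is an added example, not part of the original post: it parses a SAML 2.0 Service Provider metadata file such as the one downloaded in Step 7 and reports any endpoint that is not served over HTTPS on the host and port users actually reach, which is the message server / load balancer caveat from Step 5. The sample metadata, host names and paths are constructed for illustration.

```python
# Added example (not from the original post): parse SP metadata like the file
# downloaded in Step 7 and confirm each endpoint uses HTTPS on the host and port
# users actually reach (the message server / load balancer caveat from Step 5).
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

def sp_endpoints(metadata_xml):
    """Return (entityID, [(service, binding, url)]) for the SP's ACS and SLO endpoints."""
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    endpoints = []
    for tag in ("md:AssertionConsumerService", "md:SingleLogoutService"):
        for e in sp.findall(tag, NS):
            endpoints.append((tag.split(":")[1], e.get("Binding"), e.get("Location")))
    return root.get("entityID"), endpoints

def check_endpoints(metadata_xml, expected_host, expected_port):
    """Findings for endpoints not served over HTTPS on expected_host:expected_port."""
    _, endpoints = sp_endpoints(metadata_xml)
    findings = []
    for service, binding, url in endpoints:
        u = urlsplit(url)
        if u.scheme != "https":
            findings.append(f"{service}: {url} is not https")
        if (u.hostname, u.port) != (expected_host, expected_port):
            findings.append(f"{service}: {url} is not on {expected_host}:{expected_port}")
    if not any(s == "AssertionConsumerService" and b == POST for s, b, _ in endpoints):
        findings.append("no HTTP-POST AssertionConsumerService")
    return findings

# Constructed sample (hypothetical names): metadata exported while logged on to app
# server sapapp01, but users reach Fiori via the load balancer fiori.example.com:44300.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="ABC_SP">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sapapp01.example.com:44300/saml2/slo"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sapapp01.example.com:8000/saml2/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
```

Run `check_endpoints` with the host and port of your message server or load balancer; an empty result means the metadata is safe to upload in Step 8.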

Step 8: Upload SAP ABAP SAML 2.0 metadata to AWS SSO

Return to the AWS SSO screen that you opened in Step 1. Under Application SAML metadata file, click Browse and upload the SAP ABAP SAML 2.0 metadata file downloaded in Step 7.

Step 9: Download AWS SSO metadata file

On the instructions page, select Copy next to “Download AWS SSO Metadata File”, then open the copied URL in a separate browser session to download the AWS SSO metadata file.

Step 10: Upload AWS SSO metadata file to SAP ABAP SAML 2.0 local provider.

  • In the SAP SAML2 transaction, go to Trusted Providers to upload the metadata file downloaded from AWS SSO.
  • Select Trusted Providers and click on Add -> Upload metadata file
  • Click on Browse under Metadata file and upload the metadata file that was downloaded from AWS SSO
  • Enter your custom alias under Provider Name and click on Next
  • Under Signature and Encryption, you can change the Digest algorithm to SHA-2 if required by your organization, then select Next
  • For Single Sign-On Endpoints, choose HTTP-POST as Default and then select Next
  • For Single Log-Out Endpoints, choose HTTP-Redirect and then select Next
  • For Artifact Endpoints, keep the default selection and select Next, then choose Finish

You have now successfully uploaded the AWS SSO metadata file to the SAP ABAP SAML 2.0 Local Provider as a trusted provider.

Step 11: Enable SAP SAML Trusted provider

  • Select the trusted provider and select Edit under Identity Providers
  • Under Identity Federation, select Add in Supported NameID Formats and choose Unspecified
  • Under Details of NameID Format “Unspecified”, set User ID Mapping Mode to Email. Save, then select Enable under List of Trusted Providers
  • Confirm the popup “Are you sure you want to enable trusted provider” with OK under SAML 2.0 Configuration

Step 12: Add application URL in AWS SSO

  • Go back to the AWS SSO console page where you are configuring the application.
  • Under Application Properties, enter the SAP Fiori ABAP URL in the Application start URL field and save. You will get a message that the configuration has been saved.
    • Note: The AWS console can time out because of inactivity. If it does, log in again and re-enter any information that was not saved.

Step 13: Add users from active directory to AWS SSO application

  • Click on Applications and select the SAP Fiori application that was just added
  • Click on Assigned users, then click on Assign users to select users from Active Directory
  • Select the users and then select Assign users

Step 14: Map email id in SAP SU01

Go to SU01 in SAP and enter the Active Directory email address of each user in the corresponding SAP user record. Because Step 11 set the User ID Mapping Mode to Email, the address in SU01 must match the one AWS SSO sends for the user.

Step 15: Test the SAP application by launching the url

Launch the application URL entered in Step 12. You should be able to log on using your AD credentials.

Conclusion: It is very easy to configure Single Sign-On to simplify operations and improve the SAP end-user experience. You can use AWS SSO for any enterprise application that supports SAML 2.0. AWS SSO is free to use. If you integrate it with Managed AD or AD Connector, you pay for Managed AD on AWS or AD Connector according to your use case, as per the pricing linked below.

AWS Directory Services Pricing

AWS Other Directory Services Pricing

You can use AWS SSO only for browser-based applications that support SAML 2.0, not for SAP GUI, which needs Kerberos. You can enable MFA for AWS SSO as per the following guide:

AWS SSO MFA

In part 2 of this blog, we will cover how to enable SAML SSO with AWS Single Sign On for SAP NetWeaver Java.