SAML_SAPNetweaverJava

This document provides a comprehensive guide for configuring SAP NetWeaver Application Server (AS) Java for single sign-on (SSO) using SAML. It outlines the necessary steps, requirements, and configurations needed to enable both IdP-initiated and SP-initiated SSO. Additionally, it includes details on setting up security certificates and user account mapping for successful integration with the Centrify Directory Service.

Chapter 80

SAP NetWeaver AS Java

SAP NetWeaver Application Server ("AS") Java (Stack) is one of the two installation options
of SAP NetWeaver AS. The other option is the ABAP Stack, which runs entirely separately
from the Java Stack. If you're trying to configure SAP NetWeaver AS Java, you're in the
right place. If you're trying to configure SAP NetWeaver ABAP, see SAP NetWeaver ABAP.
Note This document is written with SAP NetWeaver AS Java 7.3 EHP1 (7.3.1). If you are
not using version 7.3.1, your interface may differ from the illustrations. Only versions 7.3
and 7.3.1 are supported.

An overview of configuring SAP NetWeaver AS Java for SSO


The following is an overview of the steps required to configure the SAP NetWeaver AS Java
Web application for single sign-on (SSO) via SAML. SAP NetWeaver AS Java offers both
IdP-initiated SAML SSO (for SSO access through the user portal or Admin Portal) and SP-
initiated SAML SSO (for SSO access directly through the SAP NetWeaver AS Java web
application). You can configure SAP NetWeaver AS Java for either or both types of SSO.
Enabling both methods ensures that users can log in to SAP NetWeaver AS Java in different
situations, such as clicking through a notification email.
1 Prepare SAP NetWeaver AS Java for single sign-on (see SAP NetWeaver AS Java
requirements for SSO).
2 Add and begin to configure SAP NetWeaver AS Java application in Admin
Portal.
Once the application settings are configured, complete the user account mapping and
assign the application to one or more roles. For details, see Configuring SAP NetWeaver
AS Java in Admin Portal (Part 1).
3 Enable SAML and Create a Local Provider.

For more information, see Enabling SAML and creating a local provider in SAP
NetWeaver Administrator
4 Create and Enable a Trusted Provider for Centrify.

For more information, see Creating and enabling a trusted provider.


5 Create Authentication Stack for SAML 2.0.

For more information, see Creating a new authentication stack for SAML 2.0.


6 Configure the Ticket policy configuration to use the SAML 2.0 authentication stack.

For more information, see Configuring the SAML 2.0 login process to use the
authentication stack.
7 Finish configuring the SAP NetWeaver AS Java application for single sign-on.

For details, see Configuring SAP NetWeaver AS Java in Admin Portal (Part 2).
After you have finished configuring the application settings in the Admin Portal and the
SAP NetWeaver AS Java application, users are ready to launch the application from the
Centrify user portal.

Preparing for Configuration

SAP NetWeaver AS Java requirements for SSO


Before you configure the SAP NetWeaver AS Java web application for SSO, you need the
following:
• SAP NetWeaver AS Java.
• An active SAP NetWeaver AS Java account with administrator rights for your
organization.
For more set-up information:
• Configuring AS Java as a service provider:
http://help.sap.com/saphelp_nw73ehp1/helpdata/en/bc/3385f2311a4181bddf0faa2e3e8a9a/content.htm
• Configuring SAML 2.0 based SSO for NetWeaver 7.3 Portal:
http://scn.sap.com/docs/DOC-55536

Setting up the certificates for SSO


To establish a trusted connection between the web application and the Centrify Directory
Service, you need to have the same signing certificate in both the application and the
application settings in Admin Portal.
If you use your own certificate, you upload the signing certificate and its private key in a
.pfx or .p12 file to the application settings in Admin Portal. You also upload the public key
certificate in a .cer or .pem file to the web application.


What you need to know about SAP NetWeaver AS Java


Each SAML application is different. The following table lists features and functionality
specific to SAP NetWeaver AS Java.

Capability | Supported? | Support details
Web browser client | Yes |
Mobile client | No |
SAML 2.0 | Yes |
SP-initiated SSO | Yes |
IdP-initiated SSO | Yes |
Force user login via SSO only | Yes | If SP-initiated SSO is enabled and Selection Mode is Automatic.
Separate administrator login after SSO is enabled | Yes |
User or Administrator lockout risk | Yes | Users can be locked out of SAP if they cannot access the IdP. You can specify a back door URL by adding the parameter "saml2=disabled" to your destination URL. For example:
  • SAP NetWeaver Portal: http(s)://(sap-nw-as-java-fqdn-and-port)/irj/portal?saml2=disabled
  • SAP NetWeaver Administrator: http(s)://(sap-nw-as-java-fqdn-and-port)/nwa?saml2=disabled
Automatic user provisioning | No |
Multiple User Types | Yes | Refer to SAP NetWeaver AS Java documentation for details.
Self-service password | Yes | Users can reset their own passwords and administrators can reset user passwords.
Access restriction using a corporate IP range | Yes | You can specify an IP Range in the Admin Portal Policy page to restrict access to the application.

Admin Portal user’s guide 3



Configuring SAP NetWeaver AS Java in Admin Portal (Part 1)


To add and configure the SAP NetWeaver AS Java application in Admin Portal:
1 In Admin Portal, click Apps, then click Add Web Apps.

The Add Web Apps screen appears.


2 On the Search tab, enter the partial or full application name in the Search field and click
the search icon.

3 Next to the application, click Add.


4 In the Add Web App screen, click Yes to confirm.
Admin Portal adds the application.
5 Click Close to exit the Application Catalog.

The application that you just added opens to the Application Settings page.
6 On the Application Settings page, click Download Identity Provider Metadata
File.
This downloads an XML file onto your computer that you will need in the section,
Creating and enabling a trusted provider.
7 (Optional) On the Application Settings page, click Enable Derived Credentials
for this app on enrolled devices (opens in built-in browser) to use derived
credentials on enrolled mobile devices to authenticate with this application.


For more information, see Derived Credentials.

8 On the Application Settings page, expand the Additional Options section and
specify the following settings:

Option: Application ID
Configure this field if you are deploying a mobile application that uses the Centrify mobile SDK, for example mobile applications that are deployed into a Samsung KNOX version 1 container. The Centrify Directory Service uses the Application ID to provide single sign-on to mobile applications. Note the following:
• The Application ID has to be the same as the text string that is specified as the target in the code of the mobile application written using the mobile SDK. If you change the name of the web application that corresponds to the mobile application, you need to enter the original application name in the Application ID field.
• There can only be one SAML application deployed with the name used by the mobile application.
The Application ID is case-sensitive and can be any combination of letters, numbers, spaces, and special characters up to 256 characters.

Option: Show in User app list
Select Show in User app list so that this web application displays in the user portal. (By default, this option is selected.)
If this web application is only needed in order to provide SAML for a corresponding mobile application, deselect this option. This web application won't display for users in the user portal.

Option: Security Certificate
These settings specify the signing certificate used for secure SSO authentication between the Centrify Directory Service and the web application. Be sure to use a matching certificate both in the application settings in the Admin Portal and in the application itself. Select an option to change the signing certificate.
• Use existing certificate: When selected, the certificate currently in use is displayed. It's not necessary to select this option; it's present only to display the current certificate in use.
• Use the default tenant signing certificate: Select this option to use the Centrify Directory Service standard certificate. This is the default setting.
• Use a certificate with a private key (pfx file) from your local storage: Select this option to use your organization's own certificate. To use your own certificate, click Browse to upload an archive file (.p12 or .pfx extension) that contains the certificate along with its private key. If the file has a password, you must enter it when prompted.
Upload the certificate from your local storage prior to downloading the IdP metadata or the Signing Certificate from the Application Settings page. If the IdP metadata is available from a URL, be sure to upload the certificate prior to providing the URL to your service provider.


9 (Optional) On the Description page, you can change the name, description, and logo
for the application. For some applications, the name cannot be modified.

The Category field specifies the default grouping for the application in the user portal.
Users have the option to create a tag that overrides the default grouping in the user portal.

10 On the User Access page, select the role(s) that represent the users and groups that have
access to the application.
When assigning an application to a role, select either Automatic Install or Optional
Install:
• Select Automatic Install for applications that you want to appear automatically for
users.
• If you select Optional Install, the application doesn't automatically appear in the
user portal and users have the option to add the application.


11 (Optional) On the Policy page, specify additional authentication controls for this
application.

a Click Add Rule.


The Authentication Rule window displays.
b Click Add Rule on the Authentication Rule window.
c Define the filter and condition using the drop-down boxes.


For example, you can create a rule that requires a specific authentication method
when users access the Centrify Directory Service from an IP address that is outside
of your corporate IP range.
Supported filters are:
IP Address: The authentication factor is the computer’s IP address when the user
logs in. This option requires that you have configured the IP address range in
Settings, Network, Corporate IP Range.
Identity Cookie: The authentication factor is the cookie that is embedded in the
current browser by the directory service after the user has successfully logged in.
Day of Week: The authentication factor is the specific days of the week (Sunday
through Saturday) when the user logs in.
Date: The authentication factor is a date before or after which the user logs in that
triggers the specified authentication requirement.
Date Range: The authentication factor is a specific date range.
Time Range: The authentication factor is a specific time range in hours and
minutes.
Device OS: The authentication factor is the device operating system.
Browser: The authentication factor is the browser used for opening the Centrify
user portal.


Country: The authentication factor is the country based on the IP address of the
user computer.
For the Day/Date/Time related conditions, you can choose between the user’s
local time and Universal Time Coordinated (UTC) time.
d Click the Add button associated with the filter and condition.
e Select the profile you want applied if all filters/conditions are met in the
Authentication Profile drop-down.
The authentication profile is where you define the authentication methods. If you
have not created the necessary authentication profile, select the Add New Profile
option. See Creating authentication profiles.
f Click OK.
g (Optional) In the Default Profile (used if no conditions matched) drop-
down, you can select a default profile to be applied if a user does not match any of
the configured conditions.
If you have no authentication rules configured and you select Not Allowed in the
Default Profile dropdown, users will not be able to log in to the service.
h Click Save.
If you have more than one authentication rule, you can prioritize them on the Policy
page.
You can also include JavaScript code to identify specific circumstances when you want to
block an application or you want to require additional authentication methods. For
details, see Application access policies with JavaScript.
Note If you left the Apps section of Admin Portal to specify additional authentication
control, you will need to return to the Apps section before continuing by clicking Apps
at the top of the page in Admin Portal.


12 On the Account Mapping page, configure how the login information is mapped to the
application’s user accounts.

The options are as follows:
• Use the following Directory Service field to supply the user name: Use this
option if the user accounts are based on user attributes. For example, specify an Active
Directory field such as mail or userPrincipalName or a similar field from the Centrify
Directory.
• Everybody shares a single user name: Use this option if you want to share access
to an account but not share the user name and password. For example, some people
share an application developer account.
• Use Account Mapping Script: You can customize the user account mapping here
by supplying a custom JavaScript script. For example, you could use the following line
as a script:
LoginUser.Username = LoginUser.Get('mail')+'.ad';
The above script instructs the Centrify Directory Service to set the login user name to
the user's mail attribute value in Active Directory and add '.ad' to the end. So, if the
user's mail attribute value is [email protected] then the Centrify Directory
Service uses [email protected]. For more information about writing a
script to map user accounts, see SAML application scripting.
13 (Optional) On the Advanced page, you can edit the script that generates the SAML
assertion, if needed. In most cases, you don’t need to edit this script. For more
information, see the SAML application scripting.

14 (Optional) On the Changelog page, you can see recent changes that have been made to
the application settings, by date, user, and the type of change that was made.


15 (Optional) Click Workflow to set up a request and approval work flow for this
application.
The Workflow feature is a premium feature and is available only in the Centrify Identity
Service App+ Edition. See Configuring Workflow for more information.
16 Click Save.

17 Leave the browser tab open to the Admin Portal. You will use it again in Configuring SAP
NetWeaver AS Java in Admin Portal (Part 2).

Enabling SAML and creating a local provider in SAP NetWeaver Administrator

To enable and configure SAML 2.0:
1 Open a new browser tab, navigate to your Web GUI URL (resembles: http(s)://<sap-
java-hostname-and-port-number>/nwa), and log in to the SAP NetWeaver
Administrator as an administrator.
2 Select Configuration > Authentication and Single Sign-On.
3 Click SAML 2.0 > Enable SAML 2.0 Support.
4 In Provider Name, enter CentrifySAML and click Next.

Note If you enter a different provider name here, you must also enter it in the Local
Provider Name field in Application Settings of your SAML application. See Configuring
SAP NetWeaver AS Java in Admin Portal (Part 2) for details.
5 Click Browse for Signing Key Pair.
6 Click Create.
7 Supply an Entry Name to identify this key entry.

All the other required fields in this box have default values. Make any desired changes to
these other fields.
8 Click Next.
9 In commonName, enter any value you would like SAP to use to identify this key pair
when SAP generates it.
For example, use the host name of your SAP NetWeaver AS Java instance.
10 Click Finish.
The Select Keystore Entry window appears showing the new key pair you just created.
11 Click OK.


Under Signature and Encryption, Signing Key Pair and Encryption Key Pair are
filled in for you with the new key pair you just created.
12 Select On under Legacy Systems Support (Issue Login Ticket).
13 Click Next.
14 (Optional) If you plan to use SP-initiated SSO, choose one of the following for the
Selection Mode under Identity Provider Discovery:
• Manual: displays the identity provider selection screen when the SP-initiated SSO
launches. Then the user must select a configured IdP, or click the Cancel button to
return to the username-password login screen.
• Automatic: redirects users to the default trusted provider (configured later starting
here: Creating and enabling a trusted provider). Users who lose access to their IdP are
locked out of SAP NetWeaver AS Java.
15 (Optional) Uncheck the remaining check boxes.
16 Click Finish.
17 Under Local Provider, select Service Provider Settings > Edit.
18 Copy the Endpoint URL and save it in a location where you can find it when
Configuring SAP NetWeaver AS Java in Admin Portal (Part 2).
19 In Default Application Path, enter the relative path to the page where you want SSO
users to land, such as:
/irj/portal

20 Click Save.
21 (Optional) If you plan to use SAML over HTTP, follow these steps:
a Click General Settings.
b Click Edit.
c Select Yes for Allow HTTP Access.
d Click Save.
22 Continue to Creating and enabling a trusted provider.

Creating and enabling a trusted provider


Note This procedure continues from Enabling SAML and creating a local provider in SAP
NetWeaver Administrator.

1 Click Trusted Providers.


2 Select Add > Uploading Metadata File.


3 In the SAML 2.0 Configuration pop-up window, click Browse and select the metadata
file you downloaded in Configuring SAP NetWeaver AS Java in Admin Portal (Part 1).
4 Click Next.
5 (Optional) Enter Centrify as the Alias.

If entered, SAP NetWeaver AS Java will show the name of the alias on the IdP selection
screen; if not entered the selection screen will show the IdP’s Entity ID that was provided
in the IdP Metadata.
6 Click Next.
7 On the screen that appears, leave all the default values unchanged and click Next again.
8 Select HTTP Post and click Next.
9 Continue clicking Next without changing any values until the Finish button appears.
10 Click Finish.
11 Select the trusted provider you just created under the List of Trusted Providers.
12 Click Edit.
13 Click Identity Federation under Details of trusted provider.
14 Click Add.
15 Select Unspecified as the Format Name.
16 Select Logon ID as the Source Name.
17 Click OK.

The new section Details of Name ID Format “Unspecified” appears at the bottom
of the Trusted Providers screen.
18 Click Save at the top of the screen.
19 Click Enable.

The Active icon changes from a gray diamond to a green square.


20 Continue to Creating a new authentication stack for SAML 2.0.

Creating a new authentication stack for SAML 2.0


Note This procedure continues from Creating and enabling a trusted provider.

1 Go to the Authentication tab.


2 Click Create.


3 Enter centrify-saml20 as the Configuration Name.


4 Leave the default Type set to Custom.
5 Click Create.

Your new custom configuration displays as the selected configuration in the
Authentication tab.
6 Click Edit in the Authentication Stack tab.
7 Click Add and select EvaluateTicketLoginModule from the <Select Login
Module> drop-down list.
8 Click Add and select SAML2LoginModule from the <Select Login Module> drop-
down list.
9 Click Add and select BasicPasswordLoginModule from the <Select Login
Module> drop-down list.
10 Click Add and select CreateTicketLoginModule from the <Select Login Module>
drop-down list.
11 Select the Optional flag for CreateTicketLoginModule.
12 Click Save.
Your Login Modules table should now list, in this order: EvaluateTicketLoginModule,
SAML2LoginModule, BasicPasswordLoginModule, and CreateTicketLoginModule (flagged Optional).

13 Continue to Configuring the SAML 2.0 login process to use the authentication stack.

Configuring the SAML 2.0 login process to use the authentication stack

Note This procedure continues from Creating a new authentication stack for SAML 2.0.

1 In the Policy Configuration Name table, scroll down and select Ticket.
2 Click Edit in the Authentication Stack tab.


3 Enter centrify-saml20 as the Used Template.


4 Click Save.

Configuring SAP NetWeaver AS Java in Admin Portal (Part 2)


To finish configuring the SAP NetWeaver AS Java application in Admin Portal:
1 Return to the browser tab you were using to work in the Admin Portal in Configuring
SAP NetWeaver AS Java in Admin Portal (Part 1) and navigate to the Application
Settings screen of your SAP NetWeaver AS Java app.
2 Configure the following:

Field | Set it to | What you do
ACS Endpoint URL | The SAML Endpoint saved from Enabling SAML and creating a local provider in SAP NetWeaver Administrator | Paste the SAML Endpoint from the SAP NetWeaver AS Java Administrator.
Local Provider Name | The name of your local provider; either CentrifySAML or the name saved from Enabling SAML and creating a local provider in SAP NetWeaver Administrator | Enter the local provider name you provided in Step 4 of Enabling SAML and creating a local provider in SAP NetWeaver Administrator.

3 Click Save.

For more information about SAP NetWeaver AS Java


Contact SAP NetWeaver AS Java for more information about configuring SAP NetWeaver
AS Java for SSO.
