Configure Tivoli Federated Identity Manager with SAML for single sign-on to SAP NetWeaver Portal
We can also use Tivoli Federated Identity Manager with Security Assertion Markup Language (SAML) for single sign-on to SAP NetWeaver Portal. In such a scenario, Tivoli Federated Identity Manager handles the authentication flow using SAML. For the SAP integration into WebSphere Portal, the supported SAML scenario is named Service Provider initiated single sign-on. To use such a scenario, you need technical expertise for all three participating systems: IBM WebSphere Portal, IBM Tivoli Federated Identity Manager and SAP NetWeaver Portal.
To use Tivoli Federated Identity Manager (TFIM) for single sign-on to SAP NetWeaver Portal with Integrator for SAP, follow these instructions:
- Make sure that the Tivoli Federated Identity Manager is configured correctly for authentication of the participating service providers and the users in a service-provider initiated single sign-on scenario. The service providers are the SAP NetWeaver Portal instance and the WebSphere Portal instance.
- For the navigation integration, set up a Web Service Single Sign On for the Web Service Client NavigationWS. This Web Service Client is hosted in the enterprise application IntegrationSAP in the WAS admin console.
- For both the SAP navigation integration and the SAP integrator portlet, set up Web Single Sign On to the SAP NetWeaver Portal.
- To make the Integrator for SAP use TFIM, do not set any other authentication configuration:
  - For the SAP navigation integration, do not set the parameters sap.CredentialSlotId and sap.SSOTokenUrl. Also do not configure single sign-on for browsers as described under the topic about Configure basic authentication for single sign-on to SAP NetWeaver Portal.
  - For the SAP integrator portlet, do not select a Credential Vault slot and do not set an SSO domain.
  - Do not add the login or logout filter of the SAP integration to the filter chains.
- To test and verify the environment, proceed in small steps. The complete environment with Integrator for SAP is complex to monitor when you test it all at once. For example, we can proceed by the following steps:
  - Start by testing web single sign-on. For example, we can do this using Web Clipping.
  - To verify the configuration of the Integrator for SAP using SAML, test the SAP integrator portlet.
  - As a final test, test the SAP navigation integration. This test requires the steps that you verified before, and additionally the web service single sign-on.